Apr 262023

The Future of UK Open Banking: Joint Regulatory Oversight Committee Issues Recommendations

John M. Casanova, Max Charles Savoie, Tanaan Quek and Paida Manhambara
, ,

The committee of government and regulatory authorities responsible for open banking in the UK has set out its plans and timeframes for expanding and developing infrastructure, standards, and processes for the sector. Central among these are proposals to improve the performance of interfaces among relevant firms, mitigate financial crime risks, and ensure that end users receive sufficient information and are protected if something goes wrong. This Sidley Update summarises the proposals and key points for firms.

On April 17, 2023, the Joint Regulatory Oversight Committee (JROC), published its report (the Report), setting out its recommendations for the future of open banking in the UK. JROC comprises the Financial Conduct Authority (the FCA) and the Payment Systems Regulator (the PSR) as co-chairs and His Majesty’s Treasury (HM Treasury) and the Competition and Markets Authority (the CMA) as members.

The Report builds on the Strategic Working Group’s report on “The Future Development of Open Banking in the UK, the Trustee End of Implementation Roadmap Report, and submissions from multiple stakeholders on the future development and expansion of open banking in the UK.

Open banking refers to the process by which consumers and businesses can provide account information service providers and payment initiation service providers (collectively, TPPs) secure access to their payment accounts, which are held by account servicing payment service providers (ASPSPs), including banks. Based on this access, TPPs are able to provide these consumers and businesses with various services. Account information service providers can provide their customers with information about their payment accounts, including account balance and transaction history, where the ASPSP makes that information accessible online to the customer. Payment initiation service providers can instruct the ASPSP on behalf of the customer to make a payment where the ASPSP enables the customer to do that online. ASPSPs are generally required to provide an interface to enable TPPs to communicate with the ASPSP in order to provide these services to the ASPSP’s customers. Such interfaces often take the form of application programming interfaces (APIs) that enable a TPP’s IT programs to interact with those of the ASPSP.

Open banking was initially launched in the UK in 2017 with the establishment of the Open Banking Implementation Entity (OBIE) following a report from the CMA the previous year that aimed to expand competition in the banking sector. The project was extended in 2018 when the UK transposed requirements on ASPSPs and TPPs under the second EU Payment Services Directive into national law. The Report marks the start of the next stage of expansion and development of the project.

Objectives of the Report

JROC’s vision for the next phase of open banking is based on three priorities:

  1. Ecosystem – developing and upscaling of an economically sustainable open banking ecosystem “while remaining reliable, resilient, and efficient.” The envisaged ecosystem would also aim to expand functionalities for end users.
  2. Payments – releasing the potential for open banking payments, providing consumers and businesses with “greater choice and better services” when making payments. JROC notes in particular that “[o]ne of our ambitions is to enable open banking payments to support retail transactions as an alternative to card payments.”
  3. Data Sharing – promoting methods for data collection and sharing among ASPSPs and TPPs.

To deliver these priorities, JROC plans to establish a new open banking entity (the Future Entity) to replace the OBIE.

JROC also identifies several themes to be developed over the next two years, which underlie its roadmap of actions:

  1. Levelling up API availability and performance – collect, share, and analyse data on API availability and performance and consult on whether additional reporting requirements are necessary.
  2. Mitigating financial crime risks – collect financial crime data and implement prevention tools.
  3. Ensuring effective consumer protection if something goes wrong – assess and, where necessary, expand dispute resolution processes.
  4. Improving information flows to TPPs and end users – implement requirements to ensure consistent error messaging and information regarding the status of payments.
  5. Promoting additional services, using non-sweeping variable recurring payments (VRP) as a pilot – develop a premium API commercial model and extend VRP to non-sweeping use cases (e.g., direct debit bill payments and B2B accounts payable).

These five themes are underpinned by 29 actions requiring active engagement and input from participants across the open banking ecosystem. These will be delivered through a phased approach commencing in 2023 and ending in 2025.

JROC has set out the following criteria against which it plans to measure the success of its proposals:

  • appreciable innovation;
  • reduced prices or costs;
  • improved quality of services;
  • a larger ecosystem with increased numbers of active users;
  • increased reliance on, and investment in, open banking;
  • relatively few and readily resolved incidents/issues with minimal consumer loss;
  • the development, functioning, and take-up of a commercial model and framework for open banking; and
  • the establishment of the Future Entity.

Evolving Regulatory Framework

The Report addresses the plan for the OBIE to transition from the current model (whereby the OBIE is overseen by the CMA) to an “interim state” in which the Future Entity will be overseen by JROC and the CMA prior to the establishment of a long-term regulatory framework for open banking. The interim state began in January 2023 and the transition to the Future Entity is expected to start later in 2023. The interim state is intended to end when the long-term regulatory framework is in place. Open banking participants are expected to provide input on the structure, governance, and funding of the Future Entity.

Ultimately, the Future Entity will be subject to appropriate regulatory oversight under the long-term regulatory framework. The Future Entity will be expected to introduce new standards and guidelines for ASPSPs and TPPs, monitor and collect data on participants in the ecosystem on an ongoing basis, and foster a collaborative environment among stakeholders.

The Report also highlights that the government plans to use powers under the UK Data Protection and Digital Information Bill (currently progressing through Parliament) to create a regulatory framework for data sharing in open banking.

Key Points for Firms

Interaction with other regulatory reforms

HM Treasury’s Review and Call for Evidence on the Payment Services Regulations 2017 (see further our prior update here) asked whether “the existing framework strike[s] an appropriate balance of rights and obligations between: […] [a]ccount servicing payment service providers and payment initiation service providers/account information service providers,” suggesting there may be statutory and other reforms in this area, including to the regulatory technical standards governing the interface arrangements between ASPSPs and TPPs. These are prescribed as a matter of EU law and in the UK are now — post Brexit — primarily the responsibility of the FCA. Given the speed at which the various recommendations set out in the Report are intended to be implemented, it will be important for firms to assess how such implementation interacts with any amendments to the overarching regulatory framework.

One of the FCA’s current priorities for the payments sector is the implementation of its Consumer Duty. Under this new customer protection regime, which generally takes effect from July 31, 2023, payment service providers — including ASPSPs and TPPs — will generally be required to implement additional policies and procedures to monitor, assess, and improve processes that could materially affect consumers and certain small business customers. This includes certain cases where a firm provides payment services to another firm that has a relationship with the consumer or small business. The requirements can apply to firms that provide only B2B payments on this basis. As the Report focuses on consumer protection within the open banking ecosystem, firms within scope of the Consumer Duty will need to consider carefully how the requirements under that regime will interact with any rules or guidance issued by JROC or the Future Entity. We hope and expect that JROC and, particularly, the FCA will issue further guidance on this as the proposals in the Report are developed and implemented.

Firms that operate in the open banking space should also be aware of the PSR’s proposals regarding authorised push payment scams. As payment initiation services involve initiating a push payment from a payment account, the interaction between the PSR’s proposals and the implementation of JROC’s recommendations on mitigating the risks of financial crime will be crucial for firms in designing and operationalising processes relating to this type of payment fraud. In particular, firms should monitor developments in this area to ensure they understand regulatory expectations, and any limitations, on the information sharing processes proposed in the Report.

Data sharing

Data collection and sharing between ASPSPs and TPPs is a central theme of the Report. In the near term, firms should be aware of upcoming requirements to report and share certain data regarding availability and performance of APIs and financial crime risks. Firms should also be prepared to update their existing data collection and reporting processes accordingly. They should also consider carefully how any changes will interact with the firm’s obligations under other data-related regulatory requirements, such as those governing data privacy, cybersecurity, and operational resilience. Any rules issued in relation to this under the UK Data Protection and Digital Information Bill will likely be the lynchpin here.

Future Entity

Given that the transition from the OBIE to the Future Entity is expected to commence later in 2023, firms should keep apprised of developments in this area. In particular, firms should ensure they understand the eventual role, supervisory responsibilities, and enforcement powers of the Future Entity and its expectations as a key authority and stakeholder. Firms should also ensure they understand the hierarchy and interactions among the various regulatory rules, standards, and guidance that will govern open banking in the UK and the role the Future Entity will have within these broader regulatory frameworks.

Governance of the Future Entity is another important area for firms to consider, particularly regarding the question of how the Future Entity will ensure balanced representation of interests, including among ASPSPs, TPPs, and the end users of their services.

Next Steps

JROC intends to continue its work in this area and is planning to host a webinar in May 2023 to summarise its proposals. It also plans to work with participants and users of the open banking ecosystem by organising workshops and strategy “sprints” where appropriate. The Report also states that JROC will engage with participants and users on the design of the Future Entity and its governance framework.

Firms should expect further guidance as JROC implements the proposals set out in the Report. The Report states that JROC intends to monitor progress against all actions in its roadmap regularly, and market participants should expect a first progress report in Q4 2023.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

John M. Casanova

London

jcasanova@sidley.com

Max Charles Savoie

London

msavoie@sidley.com

Tanaan Quek

London

tquek@sidley.com

Paida Manhambara

London

pmanhambara@sidley.com

You might also like
Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.