Balancing buyer, payer protection and innovation in retail open banking

by Natasha Teja

What is this article about? Protection is required for online e-commerce and open banking transactions covering fraud, dispute of purchases and non-delivery of goods/services.


Why is this important? As retail open banking services are being offered at scale in countries such as Australia, the Netherlands, and the UK, the integration of payments in various transactions increases the risk to consumers, which needs to be addressed.


What’s next? Payment firms need to balance offering innovative products in retail open banking with the increased risk of fraud by implementing a rapid response mechanism that prevents fraudulent transactions from spreading to other accounts.

As retail open banking continues to grow, mechanisms should be put in place to balance innovative products for consumers while ensuring adequate fraud protection.

With retail open banking just starting to make strides in most countries beyond the regulatory mandate, the burden of customer protections is falling on merchants. In January 2023 alone, according to Open Banking Limited, seven  consumers and SMEs used open banking services.

However, the integration of payments in various transactions increases the risk to consumers: exposing their account or card data through application programming interfaces (APIs) could accelerate cyber-attacks, impersonation, and fraudulent transactions. Without rapid response mechanisms in place, the compromise of a single account could spread to other accounts.

“The protection must be offered by the payment processor or the provider,” says Nilesh Vaidya, global industry head for retail banking & wealth management at Capgemini.

“Historical data on fraud, disputes, and chargebacks from card providers provide the basis for financial risk estimation. Each company can adjust the financial risk metrics for its own business and cover the outlier costs through custom insurance coverage.”

Protection is required for both consumers and merchants in online e-commerce and open banking transactions, and it should cover fraudulent transactions and disputes over any purchases, such as the quality or the non-delivery of goods or services.

Upcoming regulatory work

In April 2023, the Joint Regulatory Oversight Committee (JROC), co-chaired by the Payment Systems Regulator (PSR) and the Financial Conduct Authority (FCA), published its recommendations for the next phase of open banking in the UK.

One of the key priorities identified for the next two years is to ensure that effective protections are in place when using open banking products and services.

This means that everyone involved in open banking transactions should act together to minimise any risks and ensure that those who control the risk are held liable for errors and that the right processes are in place to resolve disputes efficiently. It should also enable refunds to be easily initiated.

“We have tasked the variable recurring payments (VRP) working group with looking at the consumer protections and dispute processes that will need to be put in place to ensure payers and buyers are adequately protected, both for simple and potentially less risky use cases and mapping out a blueprint to a wider rollout,” says Andrew Self, senior policy manager at the PSR.

Retail transactions present different challenges to person-to-person payments. For example, a retailer may need to choose when a payment is made or change the transaction amount after the customer has authorised their payment, such as when substitutions are made in an online supermarket order. There are also increased risks associated with goods bought online, or those with a long delivery time such as furniture.

“This means thinking about protection throughout the payment chain, including before things go wrong, for example making sure all parties have the right information to assess risks and make effective decisions to prevent harm,” adds Self at PSR.

The challenges of oversight

One of the key challenges to open banking relates to the prevalence of data misuse, financial crime, and fraud due to the lack of oversight.

Banks traditionally had significant oversight over their customers’ spending habits, which enabled them to form a view of suspicious activities or behaviours. However, open retail banking and the increased number of non-traditional payment instruments and gateways reduce banks’ ability to retain a holistic view of their customers’ transactions.

“This may potentially limit the effectiveness of the banks’ transaction monitoring processes, which is a key line of defence against financial crime,” says Andrew Barber, partner at Pinsent Masons.

In addition, the increase in outsourcing has led to concerns about the impact of technology failures of third parties providing essential services.

“Larger financial institutions typically have systems in place to protect the vast amount of data they hold and transfer to third parties, newer participants in the payments markets may not have such established systems,” says Jessica Cooke, senior associate, regulatory and investigations team at Dentons.

The future of open retail banking

According to Capgemini, banks are looking to incorporate the development of open banking channels as a part of their larger growth strategy. For example, Banco Bilbao Vizcaya Argentaria (BBVA) has an API marketplace for open banking.

JP Morgan Chase and Mastercard have also collaborated to launch Pay-by-Bank, where customers provide permission to pay bills directly from accounts without entering the account number and routing number.

“Open banking, and the move to open finance, presents a huge opportunity for faster, cheaper payments by cutting out intermediaries who control the flow of funds,” says Oliver Irons, partner at Simmons & Simmons, a financial services regulatory practice. “Non-sweeping VRP and opening up credit and mortgages are the next opportunities.”

“The Future of Payments Review in the UK and proposals for PSD3 point the way towards the removal of regulatory blockers to greater innovation and growth in this space.”
