The role of trust frameworks in enabling an open finance ecosystem

by George Iddenden


Trust frameworks are the cornerstone of a secure and competitive open finance ecosystem, ensuring safe data sharing and fostering innovation across the financial services landscape.

As the financial services industry continues to evolve towards more open and collaborative models, the role of trust frameworks has become increasingly critical. Trust frameworks are the foundation upon which secure and regulated data access can be facilitated, enabling the growth of open banking and open finance ecosystems.

Without a robust trust framework, consumers may hesitate to share their financial data with third-party providers, fearing a lack of security and control. Similarly, data holders such as banks may be reluctant to grant access to their systems and may be concerned about the potential for unauthorised or malicious use of the information.

Trust frameworks help bridge this gap by establishing clear rules, standards, and processes for identity verification and data access. They provide a common set of guidelines and protocols that all participants in the open finance ecosystem must adhere to, ensuring a level playing field and a secure environment for data sharing and utilisation.

According to Tink’s head of industry and wallets, Jan van Vonno, the key to open access is business-to-business (B2B) identity verification. “This allows the party accessing the data to identify themselves to the data holder, enabling the data holder to monitor who is accessing the data,” he explains. “Data holders can distinguish between authorised access by their users, authorised access by third parties, and unauthorised access, such as by potential criminals or unauthorised parties. Therefore, utilising the existing trust framework for the electronic identification, authentication and trust services (eIDAS) or a similar industry-led framework for the UK is essential.”

Moreover, trust frameworks can also facilitate innovation and competition within the open finance space. According to van Vonno, by enabling more competition in trust framework services, policymakers may be able to empower a wider range of fintech providers to enter the market and drive forward the open finance agenda.

Key components of an effective trust framework for open finance

According to Payit by NatWest’s Market Development Lead, Tamian Godfrey, trust is central to the success of open banking initiatives, which incorporate many elements. She explains: “From security to reliability and familiarity. Anything likely to erode trust will drive down adoption, so we need to ensure the journeys are robust, resilient, and safe to use. To gain traction in open banking, payment methods must be self-evidently secure, with consumers trusting their data is safe and seamless to use. Awareness is also key to building trust—if more consumers understand what open banking is and the benefits, they are more likely to embrace it.”

Government-issued identity certificates are a crucial element of a trust framework. These certificates, embedded with official government identification, allow third-party providers to properly identify themselves to data holders when accessing customer data. This ensures trust and security in the data access process, as the data holder can verify the legitimacy of the accessing party.

Regulated and authorised third-party providers are another essential component. There is a need for third parties to be properly regulated and to only access data with the customer’s consent or under a contractual agreement. This helps prevent unauthorised access and ensures that customer data is handled responsibly.

Directory services enhance the trust framework used for open banking by verifying the registration and authorisation status of the third-party provider (TPP) on an ongoing basis. This gives the account servicing payment service provider (ASPSP) an additional check to verify that the identity certificates used by the TPP are correct, further strengthening the trust and security of the ecosystem.

Finally, the trust framework should enable competition and innovation in providing these trust services rather than relying on a single monopolistic entity. Multiple qualified trust service providers can foster a more dynamic and responsive open finance environment, benefiting consumers and businesses.

The need for government-issued identity certificates

The history of data aggregation predates the open banking era. In the past, this data aggregation was often done through ‘screen scraping’ technology, where third-party providers would access customer data by logging into the customer’s account directly. While this technology has become ‘taboo’ in the financial industry, it is the foundation of how the internet operates, with web scraping being used widely across various industries.

The turning point came in 2010 when a German court ruled that consumers can entrust their data to third-party providers, regardless of the bank’s terms and conditions. This landmark decision acknowledged the consumer’s liberty to authorise a third party to access their data, paving the way for PSD2.

According to van Vonno, the payment regulators and policymakers acknowledged the importance of protecting consumer rights and liberties. “They emphasised the need to regulate businesses accessing consumer data, ensure proper identification, and enforce strict security requirements. Additionally, they highlighted the importance of obtaining consumer consent for data usage.” This consumer-centric approach, where the right to share data with third parties is recognised, is a key foundation for developing open banking and open finance ecosystems.

Challenges with the UK’s framework and the need for competition

Some believe that the monopoly that Open Banking Limited (OBL) holds on the issuance of qualified certificates presents a significant challenge in the UK’s trust framework. As the only party providing a qualified trust service provider (QTSP) function in the UK, OBL strongly influences this critical component of the open banking ecosystem.

However, this is not a view shared by all, with tell.money Director David Monty telling Payments Review that OBL does not have a monopoly on directory services. “We support over 80 brands who offer PSD2-compliant open banking APIs, and only a tiny fraction has chosen to reside on the OBL directory, with some of those actively moving off the directory as we speak,” he explains.

“The OBL directory is an expensive and complicated option that offers no technical, operational, or regulatory benefit. Following Brexit, OBL was the only entity issuing appropriate certificates. That is no longer the case, although there are a few other options. To that end, they are the cert issuer of choice, which isn’t tied to their directory (from an ASPSP perspective). To my mind, OBL plays no material role in open banking beyond defining and maintaining a standard (specification),” he argues.

Some believe that policymakers could enable more secure open access by establishing a regulatory framework that fosters competition in the trust framework, ensuring multiple qualified entities can issue the necessary identity certificates to enable secure and open access to financial data.

Konsentus’ Chief Commercial Officer, Brendan Jones, tells Payments Review: “As a provider of trust frameworks from an advisory services and technical delivery (i.e. directories) perspective, ideally, we would like to see more competition in this space. However, for this to be achieved, UK regulation and oversight (i.e. Joint Regulatory Oversight Committee) would need to be adapted and changed. As things stand today in the UK, there is little, if any room, for competition in the market space other than OBL.”

According to Godfrey, there is evidence of a need for more consumer familiarity and awareness. She says: “This can be a challenge for merchants trying to implement and build trust in open banking initiatives. Open banking isn’t recognised by the vast majority of the UK – even the 10 million people who do use it are not able to easily describe what it is.”

In addition to a lack of consumer awareness, Godfrey believes there have also been issues around the number of parties involved in a transaction (the TPP, the tech platform, the ASPSP) and the domino effect if one aspect fails, resulting in a bad customer experience. “If the journey doesn’t work effectively, users are unlikely to return. We have seen this with the Samsung default browser issue, customer impact, and ASPSP non-standard API specs,” she explains.

Fostering competition and innovation

To enable more competition and innovation in trust frameworks, policymakers should focus on three key actions:

  • Establish clear regulatory frameworks: Policymakers could develop clear regulatory frameworks that define the roles and requirements for qualified trust service providers (QTSPs) in the UK. This would allow other entities beyond OBL to become authorised QTSPs and issue the necessary government-backed identity certificates.
  • Encourage interoperability: Promote interoperability between different trust frameworks instead of mandating a single centralised system. This would allow businesses to choose the QTSP that best suits their needs while maintaining a secure and standardised ecosystem.
  • Provide incentives for innovation: Offer incentives, such as regulatory sandboxes or funding programmes, to encourage fintechs and other providers to develop innovative trust framework solutions. This would spur competition and drive the evolution of trust frameworks to better meet the needs of the open finance ecosystem.

Trust frameworks are essential to the success of an open finance ecosystem, serving as the backbone for secure and regulated data access. By ensuring proper identification and authentication through mechanisms like government-issued identity certificates, trust frameworks instil confidence among stakeholders—consumers, data holders, and third-party providers alike. This confidence is crucial in fostering the growth and adoption of open finance initiatives.

However, for these frameworks to truly thrive, competition and innovation within the trust services sector are crucial. Policymakers play a vital role in creating environments that encourage multiple QTSPs to enter the market, preventing monopolies and fostering resilience. Promoting interoperability and incentivising innovation will further enhance the effectiveness of trust frameworks, ensuring they evolve with industry needs. Ultimately, a competitive and well-designed trust framework not only protects consumer data but also drives the broader adoption of open finance, unlocking new opportunities for businesses and consumers alike.

Payments Review Autumn 2024