Case Study: Open Banking and Data Portability in Finance

"Open banking is not a technology initiative. It is a power redistribution — taking data control from incumbent banks and giving it to customers." — Imran Gulamhuseinwala, Trustee, Open Banking Implementation Entity

Overview

For decades, banks held a monopoly on their customers' financial data. Your transaction history, your spending patterns, your income and expenses — all of this lived inside your bank's systems, accessible only through the bank's interfaces and on the bank's terms. If you wanted to switch banks, you could transfer your money, but you could not transfer your financial history. If you wanted a third-party app to help you budget, you might resort to "screen scraping" — giving the app your bank login credentials so it could log in as you and copy your data, a practice as insecure as it sounds.

Open banking changed this. By requiring banks to share customer data with authorized third parties (with customer consent), open banking regulations broke the banks' data monopoly and created the infrastructure for a new generation of financial services. This case study examines how open banking works, what it has achieved, and the governance challenges it has created.

Skills Applied:

  • Analyzing how regulation creates markets and redistributes power
  • Evaluating the tension between data sharing and data security in financial services
  • Assessing the effectiveness of consent mechanisms in complex data ecosystems
  • Comparing regulatory approaches across jurisdictions


The Regulatory Framework

PSD2 and the European Model

The EU's Payment Services Directive 2 (PSD2), effective January 2018, is the regulatory foundation of European open banking. PSD2 requires banks to provide access to customer account data through standardized, secure APIs (Application Programming Interfaces) to two categories of authorized third parties:

Account Information Service Providers (AISPs): Companies authorized to access and aggregate a customer's bank account data for services like budgeting apps, financial dashboards, and creditworthiness assessment. AISPs can read account data but cannot initiate transactions.

Payment Initiation Service Providers (PISPs): Companies authorized to initiate payments directly from a customer's bank account, bypassing the card networks. This enables direct bank-to-bank payments for e-commerce and other transactions.

Both categories require explicit customer consent, regulatory authorization from a national financial authority, and compliance with Strong Customer Authentication (SCA) requirements — multi-factor authentication that ensures the customer genuinely authorized the access.

The UK's Open Banking

The UK's open banking regime predates PSD2 and goes further. In 2016, the Competition and Markets Authority (CMA) ordered the nine largest UK banks to adopt a standardized open banking API, managed by the Open Banking Implementation Entity (OBIE). Unlike PSD2, which sets requirements but allows banks to develop their own API implementations, the UK model mandates a specific API standard — ensuring interoperability and reducing technical barriers for third-party providers.

By 2024, the UK's open banking ecosystem had grown to over 7 million users and 300 authorized providers, making it the world's most mature open banking market.

Other Jurisdictions

Open banking has spread globally, with variations:

  • Australia: The Consumer Data Right (CDR), enacted in 2019, goes beyond banking to create a cross-sector data portability framework. The CDR applies first to banking, then extends to energy, telecommunications, and potentially other sectors.
  • Brazil: Open Finance regulations, effective from 2021, mandate data sharing across banks, insurance, investment, and pension services.
  • India: The Account Aggregator framework enables consent-based financial data sharing through licensed aggregators.

How Open Banking Works in Practice

A User Scenario

Consider a customer — call her Aisha — who banks with a traditional high-street bank but wants to use a fintech budgeting app called BudgetWise.

  1. Consent: Aisha opens BudgetWise and selects "Connect your bank account." BudgetWise redirects her to her bank's authentication interface.
  2. Authentication: Aisha logs into her bank using Strong Customer Authentication (password + mobile verification).
  3. Authorization: The bank presents a consent screen: "BudgetWise is requesting access to: your account balance, your transaction history for the past 12 months, and your standing orders. Do you consent?" Aisha reviews and consents.
  4. Data sharing: The bank's API provides BudgetWise with the authorized data. BudgetWise categorizes transactions, identifies spending patterns, and presents Aisha with a budget dashboard.
  5. Ongoing access: BudgetWise can refresh the data periodically (typically every 24 hours) for the duration of the consent, which must be renewed at least every 90 days under PSD2.
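The five steps above describe a consent lifecycle that the bank has to enforce on every API call: scope granted at step 3, read-only access for an AISP at step 4, and the refresh cadence and renewal deadline at step 5. The following Python consent registry is an added example, not code from the original case study or from any real bank or provider. It takes the 90-day renewal limit and 24-hour refresh interval from the scenario; the customer identifier, the scope labels, the timestamps and the "BudgetWise" provider record are constructed for illustration.

```python
"""Consent registry for an open-banking data flow (constructed example).

Models the consent lifecycle from the Aisha/BudgetWise scenario: a customer
grants a scoped, time-limited consent to an authorized third party, the bank
enforces that scope and the provider's category on every API call, and the
consent lapses unless the customer re-authorizes it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Limits taken from the scenario text: consent must be renewed at least
# every 90 days; ongoing data refresh is typically every 24 hours.
CONSENT_VALIDITY = timedelta(days=90)
MIN_REFRESH_INTERVAL = timedelta(hours=24)

# What each PSD2 provider category may do: an AISP only reads account
# data, a PISP may additionally initiate a payment.
ALLOWED_ACTIONS = {
    "AISP": {"read"},
    "PISP": {"read", "initiate_payment"},
}


@dataclass
class Consent:
    customer: str
    provider: str            # e.g. "BudgetWise" (constructed name)
    provider_type: str       # "AISP" or "PISP"
    scopes: frozenset        # data items the customer agreed to share
    granted_at: datetime     # time of the customer's (re-)authorization
    last_refresh: Optional[datetime] = None
    revoked: bool = False

    def expires_at(self) -> datetime:
        return self.granted_at + CONSENT_VALIDITY


class ConsentRegistry:
    """The bank's record of who may access which data, per customer."""

    def __init__(self):
        self._consents: list = []

    def grant(self, customer, provider, provider_type, scopes, now) -> Consent:
        """Step 3: record exactly the scopes shown on the consent screen."""
        if provider_type not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown provider type {provider_type!r}")
        consent = Consent(customer, provider, provider_type, frozenset(scopes), now)
        self._consents.append(consent)
        return consent

    def renew(self, consent: Consent, now: datetime) -> None:
        """Step 5: a fresh customer authorization restarts the 90-day clock."""
        if consent.revoked:
            raise ValueError("a revoked consent cannot be renewed")
        consent.granted_at = now

    def revoke(self, consent: Consent) -> None:
        consent.revoked = True

    def active_for(self, customer: str, now: datetime) -> list:
        """What a consent dashboard would list for the customer."""
        return [c for c in self._consents
                if c.customer == customer and not c.revoked and now < c.expires_at()]

    def authorize(self, consent: Consent, scope: str, action: str,
                  now: datetime) -> tuple:
        """Step 4: decide one API call. Returns (allowed, reason)."""
        if consent.revoked:
            return False, "consent revoked"
        if now >= consent.expires_at():
            return False, "consent expired; customer must re-authorize"
        if action not in ALLOWED_ACTIONS[consent.provider_type]:
            return False, f"{consent.provider_type} may not {action}"
        if scope not in consent.scopes:
            return False, f"scope {scope!r} not in consent"
        # Simplification: one refresh window is tracked per consent, not per scope.
        if action == "read" and consent.last_refresh is not None \
                and now - consent.last_refresh < MIN_REFRESH_INTERVAL:
            return False, "refresh too soon; next 24-hour window not yet open"
        if action == "read":
            consent.last_refresh = now
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the Aisha scenario.
    registry = ConsentRegistry()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    c = registry.grant("aisha", "BudgetWise", "AISP",
                       {"balance", "transactions_12m", "standing_orders"}, t0)
    print(registry.authorize(c, "balance", "read", t0))
    print(registry.authorize(c, "balance", "initiate_payment", t0 + timedelta(days=1)))
    print(registry.authorize(c, "balance", "read", t0 + timedelta(days=91)))
```

Every denial carries a reason so that the bank can log which control fired (expiry, provider category, scope, or refresh cadence); that log is also what an auditor needs to show that a third party never received data outside the scope the customer saw at step 3.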

What Data Flows

The data shared through open banking APIs is granular and revealing. Transaction data includes: merchant names, amounts, dates, payment methods, and transaction descriptions. Aggregated over months, this data reveals: income level, spending habits, financial commitments, lifestyle choices (dining, travel, subscriptions), and financial health (savings patterns, overdraft usage, debt repayment).


Governance Achievements

Power Redistribution

Open banking has achieved its primary governance objective: breaking the banks' data monopoly. Customers can now share their financial data with authorized providers of their choice, creating competition on services rather than on data lock-in. This has enabled:

  • Price comparison tools that access real transaction data rather than relying on self-reported estimates
  • Credit assessment innovations that use transaction data to evaluate creditworthiness for individuals without traditional credit histories
  • Automatic savings tools that analyze spending patterns and move surplus funds to savings accounts
  • Small business financial management platforms that aggregate data from multiple accounts

Standardization

The UK's mandated API standard — and PSD2's interoperability requirements — created a level playing field. Small fintech startups can access the same data as large financial institutions, reducing barriers to entry and driving innovation. The standardization also improved security by replacing the dangerous practice of screen scraping with secure, authenticated API connections.

Open banking's consent model is among the most sophisticated in any sector. Customers explicitly authorize specific data access for specific providers for specific purposes, with time-limited consent that must be renewed. The bank's consent interface is required to be clear and granular, allowing customers to understand what they are sharing. This stands in favorable contrast to the "click-through" consent common in social media and advertising.


Governance Challenges

The sophistication of open banking's consent model is also its weakness. As users connect multiple third-party services, managing consent becomes cognitively demanding. A user with a budgeting app, a savings app, a credit monitoring service, and a payment initiation app must track four separate consent relationships, each with different data access scopes and renewal timelines. Studies have found that many users do not remember which services they have authorized to access their bank data.

Data Re-use and Scope Creep

PSD2 requires that third parties use data only for the purpose for which it was shared. But enforcement of this purpose limitation is challenging. A budgeting app that accesses transaction data to provide financial advice might also use that data to refine its recommendation algorithm, sell anonymized insights to financial product providers, or target advertising based on spending patterns. The line between "product improvement" (arguably within scope) and "secondary monetization" (arguably outside scope) is not always clear.

Security and Fraud

Open banking creates new attack surfaces. Phishing attacks targeting bank authentication credentials have increased, as users become accustomed to entering bank credentials on third-party redirect screens. The complexity of the multi-party data flow — customer, bank, third-party provider, API intermediary — creates opportunities for man-in-the-middle attacks and authorization manipulation.

Financial Inclusion and Exclusion

Open banking's benefits are unevenly distributed. The primary beneficiaries are digitally literate, smartphone-owning consumers in urban areas. Older adults, low-income individuals, and those in rural areas may lack the digital literacy or smartphone access to use third-party financial services. There is also a risk that open banking data could be used to exclude rather than include: credit algorithms that analyze transaction data might penalize individuals whose spending patterns reflect poverty rather than poor financial management.

The "Super-Aggregator" Problem

As open banking matures, a small number of large aggregator companies (Plaid, TrueLayer, Yodlee) have emerged as intermediaries between banks and fintech apps. These aggregators handle data from millions of users, creating new concentrations of financial data outside the banking system — and outside the regulatory framework designed for banks. Whether these aggregators should be subject to the same prudential requirements as banks is an open governance question.


Assessment: Is Open Banking Good Governance?

Open banking represents one of the most significant regulatory interventions in financial data governance. It demonstrates that regulation can create markets, redistribute power, and enable innovation — not just restrict harmful practices. The consent architecture, the security standards, and the competitive dynamics it has unleashed are governance achievements.

But open banking also reveals the limits of consent-based governance. As the ecosystem grows more complex, individual consent becomes harder to manage, purpose limitation becomes harder to enforce, and new concentrations of data power emerge. The question is whether the governance framework can evolve as fast as the ecosystem it created.


Discussion Questions

  1. Open banking requires banks to share data that they previously controlled exclusively. Is this a legitimate exercise of regulatory power — forcing private companies to open their data to competitors — or an overreach? What principles should determine when the government can compel data sharing?

  2. Compare open banking's consent model to the GDPR's consent model. Which is more protective of individuals? Which is more practical? Could the GDPR learn from open banking's approach, or vice versa?

  3. The "super-aggregator" problem — Plaid, TrueLayer, and others accumulating vast financial datasets — mirrors the data concentration problem in social media. Should financial data aggregators be regulated as financial institutions? What governance measures would be appropriate?

  4. Open banking's benefits flow primarily to digitally literate consumers. How should regulators ensure that open banking does not exacerbate the financial digital divide?


Your Turn: Mini-Project

Option A: Research one open banking provider (e.g., a budgeting app, a payment initiation service, or a credit assessment platform). Analyze its data practices: What data does it access? How does it use that data? What is its consent interface like? Write a one-page governance assessment.

Option B: Compare open banking APIs in two jurisdictions (e.g., UK Open Banking vs. Australia's CDR). Examine the technical standards, consent requirements, and data scope. Write a 1,000-word comparative analysis.

Option C: Design an "open health data" framework, modeled on open banking, that would allow patients to share their health data with authorized third-party health-tech providers. Address the governance challenges: consent, security, purpose limitation, and the risk of data misuse. How would your framework differ from open banking, given the sensitivity of health data?


References

  • Competition and Markets Authority. "Retail Banking Market Investigation: Final Report." London, August 2016.

  • European Parliament and Council. "Directive (EU) 2015/2366 on payment services in the internal market (PSD2)." Official Journal of the European Union, 2015.

  • Open Banking Implementation Entity. "Open Banking Annual Report." London, various years.

  • Plaid. "The Fintech Effect: Consumer Impact and the Future of Finance." Annual report, 2023.

  • Zachariadis, Markos, and Pinar Ozcan. "The API Economy and Digital Transformation in Financial Services: The Case of Open Banking." SWIFT Institute Working Paper No. 2016-001.

  • Financial Conduct Authority. "Open Banking — One Year On." Insight article, 2019.

  • Australian Competition and Consumer Commission. "Consumer Data Right: Overview." Canberra, 2020.