LSE research identified important gaps in the regulation of Open Banking and customer consent for the use of their data, which resulted in better protections for consumers.
What was the problem?
Open Banking and the European Second Payment Services Directive (PSD2) allow consumers to share access to their bank accounts with third-party providers in new and more secure ways, using application program interfaces (APIs). These enable people to make payments directly from their bank accounts without using a card; they also allow third parties to make use of transaction data, with the aim of improving financial products and services for the consumer.
Open Banking is meant to increase competition in retail and small business banking by driving innovation. However, the banking data it relies on can be used to infer a great deal of information about consumers, raising issues of consumer consent and robust data management.
Open Banking is presented as an exemplar of how consumers’ data can work for them. However, innovation in this area comes at a time of increasing concern about the misuse of data in the wake of the Cambridge Analytica scandal and continuing examples of data leaks.
This raises important questions about the concept of data-ownership, the nature and forms of consent for data sharing, and the cost – both implicit and explicit – of the service for consumers.
What did we do?
Research led by Dr Edgar Whitley has made important contributions to the agenda of Open Banking and consent. At its foundation is the principle of dynamic consent, whereby individuals can review and control the consents they have given and change them in response to new information. This concept developed out of the “Ensuring Consent and Revocation” (EnCoRe) project, which was a collaboration between Dr Whitley at LSE, HP Laboratories, QinetiQ, HW Communications, and the universities of Warwick and Oxford.
This explored technical, regulatory, and organisational issues associated with making consent – and its revocation – as easy and reliable as turning a tap on and off. The aim of dynamic consent is to provide a transparent, flexible, and user-friendly model for consumers to engage with consent, which is particularly pertinent when data is sensitive, such as health data or financial records. In a world where data protection laws are in flux, dynamic consent is intended to empower individuals to have real control over their privacy preferences and how their data is being used.
Healthcare is a key case for dynamic consent. Whitley, his EnCoRe colleagues at HW Communications and Oxford, and a new team at the University of Manchester, carried out further research on dynamic consent in the context of electronic medical records. They found that participants appreciated the opportunity to review consent decisions over time, and have access to a record of their previous consent decisions. These ground-breaking studies have influenced ethical discussions on consent for healthcare data.
Dynamic consent has been less widely adopted for financial data. In August 2017, Whitley and Dr Roser Pujadas were commissioned to lead a research project for the Financial Conduct Authority’s (FCA) Financial Services Consumer Panel, exploring data governance and security in the context of Open Banking. This included qualitative research with 50 individuals who were already allowing a third-party provider to access their bank account, and a quantitative study with more than 190 people who did not use these products.
The research team found that, even when sharing financial data with third-party providers, consent is frequently neither freely given nor fully informed in the ways required by the 2018 General Data Protection Regulation (GDPR). Over half of participants claimed not to read any terms and conditions for these products, and those that did often didn’t find them useful. A key insight, therefore, is that terms and conditions are not useful for informed consent and are not in line with advances in technology.
Although they valued privacy, participants valued it less than speed of access to goods and services, in part because they assumed that data and financial regulators would ensure their fair treatment. Finally, participants showed a poor understanding of the value of their data and how it can be used to make money for third-party providers.
Based on these results, the research identified important gaps in the regulation of Open Banking by the FCA. Specifically, it demonstrated that not all parts of the Open Banking ecosystem met the requirements of the FCA’s principles for business, including the principle of treating customers fairly.
Whitley and Pujadas’ research has made a significant contribution to ensuring the fair treatment of Open Banking customers. In presenting their research to the FCA’s Financial Services Consumer Panel, Whitley and Pujadas highlighted how customers expect existing regulations to cover the services they sign up to. However, FCA members noted that these assumptions did not at the time apply to all parts of Open Banking, since third-party providers were only regulated under weaker regulations for payment services.
In 2019, the FCA changed its rules in line with the research findings, strengthening customer experience for Open Banking more broadly. As a result, the more than five million customers currently using Open Banking in the UK now enjoy stronger protections and more effective, consent-based controls over the use of their financial data.
Since May 2014, Whitley has also been co-chair of the UK’s Privacy and Consumer Advisory Group (PCAG), which advises the government on data security and trust. In early 2017, several consumer groups raised concerns with PCAG about how industry was driving the development of Open Banking, with little regard for privacy concerns and limited consumer awareness. Whitley discussed these issues with representatives from Open Banking, suggesting that his work on digital consent management and dynamic consent would be particularly helpful to the Open Banking Implementation Entity (OBIE), the organisation with formal responsibility for implementing Open Banking in the UK. Whitley has also contributed to OBIE’s guidance for Open Banking dashboards. The dashboards allow users to see what consents they have given to third-party providers and, potentially, to revoke them. This is a response to the research evidence that people value being able to review consent decisions over time and access an electronic record of their previous consent decisions.
LSE research has also informed aspects of the codification of the Open Banking customer data agreement, which sets out guidelines that cover data usage statements (“how we will and won’t use your data”) and business monetisation statements (“this is how we make money”).
Together, the research’s impact on understanding, guidance, and best practice for consent has led to important reforms in customer protection and consumer control over the use of their financial data. These improvements are essential in allowing more people to access the potential benefits of Open Banking in a safe and secure way.