As data transparency and protection gain prominence across financial services, the market is looking for a definitive global data sharing standard. In Europe, requirements such as the General Data Protection Regulation (GDPR) and the second Payment Services Directive (PSD2) have tightened the rules on how financial data may be used and shared. Meanwhile, a market-led approach has been observed in the US, with banks such as JPMorgan committing to a ban on screen-scraping.
Don Cardinal is the managing director of the Financial Data Exchange (FDX), a not-for-profit organisation attempting to create a global standard for data sharing, amassing a membership of 82 organisations since its inception in September 2018. Cardinal talked to bobsguide about getting members on board with a common API standard, the role of regulators and how the US-based FDX fits into global regulations.
Who are the laggards or the groups that have been hesitant to adopt FDX?
To see more ubiquity in the US we will need the core processors to get on board with this. Now Fiserv is on our board and they’re very active, and we’ve had talks with the other core processors. But clearly we need the core processors who host millions of small bank accounts on behalf of small banks and credit unions to get on board with this because most credit unions and small regional local banks and other [financial institutions (FIs)] are dependent on [core processors].
Do you think there are any fintechs who would see a common API standard as a detriment? For example, if they relied on something like screen-scraping in the past.
The answer is no, longer term. Very short term: perhaps. I'll give you a USB example. If you have a proprietary keyboard extension and it works great for your proprietary terminals, you may not be keen on going to USB. That's great right now for your existing customers. But over time, the ubiquity of being able to plug in any device and being able to expand beyond just a straight keyboard… There’s too much upside to having a common interface.
So short term, yeah. But longer term, having a common interface to any FI, any bank, brokerage, insurance company as a data source, having unified data, having commonly understood data that you don’t have to develop, maintain, care and feed for – over time that business case is just overwhelming and it will weigh up.
Moving towards an API standard, do you expect regulatory backing of FDX’s industry-led approach?
There’s a difference between regulatory oversight and government control. We talk to regulators and lawmakers on a routine basis, educate them on what’s going on and ask their opinion, so oversight and advice are crucial. They can look astride the entire ecosystem.
What we don’t do is talk about policy, we don’t talk about legislation. But we do educate on the technology and we are able to answer technology Q&As. It's not like working in a vacuum, and we don't want to give that impression. But I will tell you this … governments don’t do a great job picking technologies, because the free market enforces the results of those, so it forces you to be a good chooser.
The UK just announced ‘We have one million consumers on Open Banking’ – we were at eight million in December. We’ll be at 12 million in April. FDX did it voluntarily, because we’re doing what the market demands. No one is as close to the customer as the fintechs and the banks, the people who actually get paid by the customer. By definition, no one can be as close to them as people holding their data sharing screens, right? And because of that, the market requires that you be completely faithful to your consumer. So, following [customers] is why we’ve had so much uptake and been so successful, but we do have regulatory oversight and advice and we certainly have open channels – we talk to them at least once a month.
How do you plan on expanding FDX’s reach, and how does it fit into regulations like the EU’s PSD2?
We have members in the UK and Canada, some in the Middle East, and other places around the world. What’s unique is we’re member driven, so the idea is we can react more quickly and that’s appealing for fast moving firms. It's something that the regulator doesn't have to be in charge of. Because if you have a frank discussion with a regulator, they're saying if we do pick a technology, we kind of own it, right? If you pick something you own the outcomes versus letting the industry do it, giving guidance.
Conceptually, there’s nothing we do that’s contrary to PSD2. I would argue we are PSD2 compliant. If you look at the different specs out there in the space … they're all using OpenID Connect, all using OAuth 2 … So it really comes down to data elements and the strength of the organisation backing it up. We’ve got a large community that can support this. And the larger the community that you have, I think many hands make light work. You see things just being more convenient to use.
Do you see FDX being adopted in the UK for example, where you already have Open Banking?
If you look, the most common use case in the UK is for the redirect flow. And that is your fintech app points you over to your bank, your bank authenticates you, hands you back and says, ‘Great, you are who you are, let’s go back to business’. That redirect flow in the UK uses a spec, a standard called Financial-grade API (FAPI) by the OpenID Foundation. FAPI actually uses an older version of the FDX data set, so effectively if you’re using redirect flow in the UK, you’re already on FDX … you’re already there, so I don’t think the gap is as big as you might think.
The question then becomes, do I want to support and continue to staff and work on a nation by nation specific spec? Or do I want to just use what's out there already available that's free of charge, that’s being done at scale, that’s being developed in a community? It’s just a matter of make or buy, it’s a classic business decision.
FDX doesn’t guarantee compliance with GDPR or other regulations – should you be concerned that you cannot control how companies will leverage the standard?
There's nothing contrary in our spec to the laws, but I don't have a government imprimatur saying ‘Yes, this is cool.’ And similarly, a lot of it depends on the practice of how it is deployed as well because GDPR also included certain consent and operational activities that are outside the technical scope of the data sharing – we’re a tech standards body. But our solution does work because we know FAPI is used in the UK and they’re covered by that, so we do know that this tool set does work for that sort of framework. We just can’t certify someone’s use of it.
There are cases where regulators have started thinking about how to regulate new innovations. Do you think FDX, being industry-led, could one day be regulated in a way that could harm?
Well, if you look at Fast IDentity Online (FIDO) there are technical standards on how to perform non-refutable biometrics and that sort of thing, but the usage is up to the participants and the usage is what eventually gets regulated. If you look at strong customer authentication (SCA) that’s mandated in the EU, they leave it up to the end state on what tools you want to use to comply. They just give you conceptual guidelines … but they don’t specify a hard tech. And I think regulatory bodies have gotten much better in that regard saying, ‘We’re going to describe what it does, you figure out the engineering behind it’. And I think that kind of technical freedom allows the market to innovate and provide appropriate and scalable solutions.