The implications of open finance on data protection
07 Jun 2023
What is open finance?
Open finance is an extension of open banking.
Open banking is a practice that allows third-party service providers to access consumers’ financial data from banks and financial institutions using secure application programming interfaces (APIs). This is done with the consumer’s consent.
While open banking enables account information and payment initiation services, open finance works on a much larger scale. It allows consumers to share their financial data with third parties who use that data to develop and offer more personalised products.
Who can participate in open finance?
The Intergovernmental Fintech Working Group (IFWG) noted that South African regulatory bodies have begun investigating open finance in relation to their respective mandates. The IFWG proposes that a framework with clear guidelines should be put in place in order to give FinTechs and other third-party providers in South Africa the opportunity to offer new services and create new business models. This creates competition by encouraging participation from non-banking financial institutions such as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), which are currently the two most prominent providers. AISPs are permissioned by consumers to access their bank accounts and use the information to provide a service, whereas PISPs initiate transactions on the consumer’s behalf from an account the consumer holds with another institution.
The implications of data protection on open finance
One of the key areas of concern affecting open finance is that of data privacy and protection. Data privacy and security breaches can expose customers’ sensitive information, leading to identity theft and financial losses. Third parties should ensure that data sharing is within the confines of the Protection of Personal Information Act (POPIA) when implementing the open finance framework.
In terms of POPIA, all personal information must be collected directly from the consumer, subject to certain exceptions which include instances where the consumer has consented to the collection of the information from another source. Consent must be voluntary, specific and informed to ensure that third parties don’t misuse the consumer’s personal information. The consumer should also be able to revoke consent without any adverse consequences.
Responsibilities of third-party providers
Below are some of the recommendations provided by the IFWG that third parties should consider when dealing with data protection:
- Policies and terms and conditions should be visibly displayed to help consumers make informed decisions;
- They should also have disclosure mechanisms in place to keep consumers informed;
- Consumers should be able to view and download their data collected by third parties; and
- Consumers should be able to correct or complete incomplete data held by third parties.
The IFWG further recommends a framework to hold responsible parties accountable for misuse and damage caused by breaching data duties of care.
While open finance is still in its early development stage in South Africa, proposals for the phased implementation of the open finance framework are expected in early 2024 in Europe and the UK. If you are a Fintech start-up or any other licensed financial services provider and want to know more about the topic or about managing the data privacy risks associated with open finance, you can get in touch with our Technology, Media, and Telecommunications team, who can assist you with any queries.
Article sourced from Eversheds Sutherland.