Updated: Jul 23
The first time I heard about Open Banking was in 2015, when the EU rolled out guidelines for PSD2. Many years have passed since, but Open Banking has only recently been implemented in certain parts of Southeast Asia. This article is meant to shed light on developments in Open Banking in Southeast Asia from the point of view of regulators, banks, and startups. The lists are by no means exhaustive, so please feel free to give me a shout if there are new pieces of information that I should incorporate. If you’re already familiar with Open Banking, please feel free to skip the first section.
Open Banking Overview
Open Banking refers to banks allowing third parties to access their customer data, either to read the data and provide additional financial services using it or to perform transactions on the customer’s behalf. The underlying idea of Open Banking is that customers, not banks, are the owners of transaction data, so the data should be shared if the customers wish to do so. The data access and exchange take place through Application Programming Interfaces (APIs), software links that allow secure, rapid, and dependable communication directly between two firms. If this sounds alien to you, think about a restaurant reservation application that has Google Maps embedded into it. APIs allow external applications to read data from Google and display the data in their own applications.
While there’s consensus that Open Banking should bring about innovation in financial services, which in theory should benefit end consumers, determining how ‘open’ banks should be is a contentious issue. Banks have been reluctant to share customer data because they view such data as their source of competitive advantage, enabling them to provide customized services to customers and prevent competitors from stealing those customers. To put things into perspective, if two competing banks have the same set of a customer’s financial data, they could compete for loans by offering more competitive interest rates. Therefore, allowing other entities to access customer data means banks will face heightened competition and risk losing the customer.
This is where regulations come in. Open Banking has been pushed forward by regulators of leading financial systems, including the EU, the U.K., and Australia, because regulators believe that the sharing of data will level the playing field for fintech players, increase customers' access to financial services, and enhance financial innovation.
Approaches to Open Banking vary across countries, and so does the scope of implementation. Australia, the EU, and the U.K. have chosen a regulatory-driven approach, while others have chosen a market-driven approach.
Source: Deloitte
Southeast Asia’s Open Banking Landscape
In Southeast Asia, Open Banking is still at a nascent stage, with regulators opting for a ‘market-driven’ approach. Banks are free to pursue Open Banking as they wish. Because banks take the lead role in designing and implementing Open Banking, different banks use different technical standards for their APIs. This means that third parties that want to connect with banks need to integrate with one bank at a time and follow different standards or protocols, resulting in a lot of inefficiencies for both banks and third parties.
Some central banks, such as those of Singapore, Malaysia, and Indonesia, foresaw this problem and have proactively launched ‘soft guidelines’ or ‘API standards’ for banks to follow if they wish to open up. Other central banks, such as those of Thailand, the Philippines, and Vietnam, have not launched any guidelines or revealed their strategies on Open Banking. Nonetheless, these central banks have rolled out payment transformation initiatives, which means that Open Banking could be next on the policy agenda.
While regulators have done an incredible job at setting implementation guidelines, more can be done. Because Open Banking is in essence the sharing of customers’ sensitive data, regulators have a crucial role in screening the third parties that can connect with banks and access such data. For example, the U.K. and the EU stipulate that third-party providers (TPPs) must be registered and approved by the regulators. This has a few benefits. First, it ensures that customer data will be treated properly. Second, it frees banks from having to screen TPPs, streamlines the partner onboarding process, and reduces the banks’ liability, since banks are no longer liable if they engage with an inappropriate TPP or if a TPP mishandles customer data. By regulating TPPs, regulators can reap the benefits of Open Banking while ensuring customer protection and bank adoption.
Open Banking Regulatory Developments
Open Banking Related Regulations
Although regulators are not stepping in to push Open Banking adoption, banks across the region have launched public API portals, allowing third parties to connect with them and make use of customer data. However, the extent of openness varies widely. Some of the popular APIs available among banks in Southeast Asia are bank product data, account status, payments, and cards. On the other hand, transaction data, loan origination, account opening/closing, customer reference, and authentication are harder to find.
More importantly, the process of onboarding API partners differs vastly from bank to bank, with a majority still requiring lengthy paperwork and a manual onboarding process. Say a payment provider wants to connect with 3 banks in Thailand: it would have to approach each bank individually and file different sets of paperwork, a process which could take months. This opens up an opportunity for API startups, such as Brankas, to serve as a middleman and handle local complexity so that any company can make payments, make transfers, and access customer account information without having to engage directly with banks. Brankas aims to be an API infrastructure that helps banks turn their legacy systems into APIs and, in turn, to serve as a unified platform for third parties to connect with banks. So far, Brankas has worked with leading banks, such as UnionBank in the Philippines and the top 3 banks in Indonesia, to create API portals and onboard payment partners.
Open Banking APIs from Banks
Singapore
Rest of Southeast Asia
Startups in Open Banking
Few startups are operating in the Open Banking space in Southeast Asia. A majority are payment providers (PISPs), because there are clear regulatory or licensing requirements for payment providers; other types of services are lacking. Part of the reason might be the inconsistency in Open Banking adoption among banks. For example, startups that want to become an Account Aggregator (AISP) would need to be able to access and display customer data from all banks. However, to date, only 9 banks, out of hundreds of banks in the region, allow third parties to access customer data.
Southeast Asia-based companies working on Open Banking
Note: AISP means Account Information Service Provider. PISP means Payment Initiation Service Provider.
Open Banking might be a hard pill to swallow, but it can bring about many benefits that today’s financial system does not deliver, including improving customers' financial health by allowing them to view their finances in one place, to gain insights into their spending habits, to make payments efficiently from one place, etc. To realize this vision, participation from regulators, banks, and startups is a requirement rather than a nice-to-have.
Resources
Regulatory Guidelines
Singapore’s API Playbook
Malaysia’s Policy Document on Publishing Open Data using Open API
Indonesia’s Open API Standards and Banks Interlinkage
Banks' API Portals
Startups in Open Banking