Open Banking: EU v. USA

https://ift.tt/Rf1McxO

Open Banking is a flop, it’s too costly, clunky, and businesses struggle to make money from it.

– Anne Boden, CEO of Starling Bank, to Treasury Committee (Source).

After a regulatory mandate and nearly five years of media buzz, EU Open Banking recently crossed 5 million users. See Open banking passes five million user milestone.

On the other hand, US Open Finance has 80 million users, despite the lack of a regulatory mandate.

MINT pioneered Open Finance in the USA by seamlessly accessing banking information to provide personal finance management. Subsequently, the US market for Open Finance has exploded. Today, there are nearly 100 well-known fintechs that provide wealth management (e.g. Betterment), stock trading (e.g. Robinhood), account-to-account payments (e.g. Venmo) and a wide array of financial services by connecting to consumers’ bank accounts and downloading banking data. A partial list of Open Finance fintechs in the USA is shown in the following exhibit.

Virtually all American Open Finance fintechs partner with bank account aggregators like Plaid, Yodlee and Finicity, who use friendly phishing to harvest online banking credentials and access customers’ online banking accounts, and scraping to gather bank account information. (Plaid uses an API only to distribute the banking information so collected, not to collect it in the first place.)

As I felt five years ago in Innovative Fintechs Don’t Need No PSD2 Regulation, EU Open Banking is based on the flawed premise that bank customers want to unlock the value in their banking data.

On the other hand, US Open Finance is based on the valid premise that bank customers have unmet financial needs that happen to require their banking data.

In other words,

EU Open Banking is obsessed with data and data-related technologies. US Open Finance is obsessed with alleviating consumer pain areas by using data and data-related technologies.

In my opinion, this is the fundamental difference between EU Open Banking and US Open Finance.

As I’ll argue in the rest of this post, all other differences like API v. Phishing & Scraping, Limited Apps v. Unlimited Apps, and 5M v. 80M Users are corollaries of this basic difference.

API v. Phishing & Scraping

Purists might argue that the first step of harvesting online banking credentials in US Open Finance is tantamount to phishing.

They wouldn’t be wrong.

When you onboard wealth management app Betterment, there comes a time when you select your bank. Say you choose CHASE. You will see your familiar Chase online banking login screen next. But it’s on Plaid’s website!

As Ben Thompson points out in his essay entitled Visa, Plaid, Networks, and Jobs,

That is not an interface for Chase; it is Plaid, effectively training end users (of Betterment) to enter their bank credentials in an app that is not their bank’s!

That’s the canonical definition of phishing!
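The mismatch described above, bank branding on a host that is not the bank's, is the condition a password manager or browser extension tests for before offering saved credentials. The following is an added example of that check, not code from the original post; the domain map, the host names and the function names are assumptions.

```javascript
// Added example. The bank-to-domain map is constructed sample data,
// not an authoritative registry; aggregator.example is a placeholder.
const BANK_DOMAINS = new Map([
  ["chase", ["chase.com"]],
  ["examplebank", ["examplebank.example"]],
]);

// True when host is the registered domain or one of its subdomains.
// Matching on a label boundary rejects look-alikes such as
// "chase.com.evil.example" and "notchase.com".
function hostBelongsTo(host, registeredDomain) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  const d = registeredDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Decide whether a login form branded as `bank` and shown at `pageUrl`
// is served by that bank. Returns { allow, reason }.
function checkCredentialPrompt(pageUrl, bank) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allow: false, reason: "not HTTPS" };
  }
  const domains = BANK_DOMAINS.get(bank.toLowerCase());
  if (!domains) {
    return { allow: false, reason: "unknown bank" };
  }
  // url.hostname excludes any "user@" prefix, so
  // "https://chase.com@evil.example/" is judged as evil.example.
  if (domains.some((d) => hostBelongsTo(url.hostname, d))) {
    return { allow: true, reason: "host belongs to bank" };
  }
  return { allow: false, reason: "bank branding on a third-party host" };
}
```

A credential form that fails this check looks the same to the user as one that passes, which is why the decision has to rest on the host name rather than on the logo.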

But who cares?

80 million consumers who have shared their banking credentials with fintechs / Plaid obviously don’t. To paraphrase the old Compaq ad, “When it says Betterment or Robinhood or Venmo on the outside, who cares what’s on the inside?” (H/T Compaq. When the yesteryear PC market leader decided to replace Intel with AMD CPUs on its range of PCs, it preempted anxiety on the part of its consumers by running a series of ads that took a dig at the then-popular “Intel Inside” campaign. The copy proclaimed, “When it says Compaq on the outside, nobody cares what’s on the inside”.)

The regulator does not seem to care. But I’m not too surprised. As we saw in the case of two-factor authentication for online payments, the FFIEC announced 2FA guidelines for online payments in 2005 and reissued them in 2012, but the USA still does not have 2FA for online payments. Ditto no PIN for in-store credit card payments. US finserv regulators seem to have a nonchalant attitude towards security-related matters.

But even banks don’t seem to care. As the OP of this Information Security thread on Stack Exchange says, “I would think with Plaid using bank logos to make their “fake” bank login forms look legitimate, banks would be after Plaid with lawsuits. But apparently some of them are investors! On Plaid’s website Citi, American Express, and others are listed as investors. It appears that banks aren’t against this bad practice, and are, in some cases, actually encouraging it.”

I see a parallel with Zoom. Despite entering a video conferencing market comprising 800 pound chimpanzees like Google Hangouts, GoToMeeting and WebEx, Zoom literally zoomed past all the incumbents even before the pandemic struck. In the lockdown following the pandemic outbreak, its user base has shot up by 30X. Now, Zoom has many well-documented issues related to security and privacy. They don’t seem to have mattered in its meteoric rise.

Limited Apps v. Unlimited Apps

Purists contrast the above operating model of US Open Finance with that of secure API access in EU Open Banking. On the face of it, API sounds great. But, as Byrne Hobart pointed out in his Diff newsletter:

When you use scraping, you can get all the info that the logged user can access whereas, when you use API, you’re limited to what the bank provides via API.

Let that sink in.

It means the sky is the limit for US Open Finance apps that use scraping, whereas API chokes the scope of EU Open Banking apps.

By being constrained by the functionality provided by bank APIs, Open Banking has ended up with a limited range of apps.

When I last checked, every second Open Banking app was an A2A payment app.

Nothing wrong with A2A payment apps, but there has been a slew of them in EU / UK during the last 10 years, e.g. PayByBank, Paym, Pingit, Zapp in the UK, iDEAL in the Netherlands, and EBA myBank in the EU. They were all built without Open Banking. The ones that succeeded did so without Open Banking. I’m guessing that the ones that failed will continue to fail even with Open Banking.

Because, at the end of the day, the success or failure of products is driven more by their value proposition on the glass than by their technology beneath the hood. (In this case, it’s just the data access technology, which is a crucial, but only one, part of the tech stack of fintech apps.)

This is in sharp contrast with a wide array of apps in US Open Finance spanning automated savings, stock trading, wealth management (apart from A2A payments), as shown in the following exhibit. 

5M v. 80M Users

There are 5 million users of EU Open Banking in a population of nearly 450 million people, and 80 million users of US Open Finance in a population of 330 million people.

This is easily explained by Marketing 101: All other factors being the same, the combination of broader functional coverage and greater number of compelling apps will drive greater adoption.

Whenever I point out that US Open Finance has way more users and apps than EU Open Banking, Open Banking purists push back, saying US Open Finance uses scraping technologies whereas EU Open Banking uses API.

Whenever I counter that by suggesting that EU fintechs aren’t going to achieve much more with banking data obtained via API in the future than scraping in the past, the same Open Banking purists push back, saying Open Banking is about much more than scraping versus API.

Go figure!
