Open banking starts on Saturday. But I think for the time being I’ll be keeping my door firmly shut. Why? Because it’s not absolutely clear who is going to cough up when something goes wrong, which, inevitably, it will at some point.
If a fraudster were to hack into, say, Lloyds Bank, or an internal employee accessed systems on behalf of the crooks, it’s pretty clear where the liability lies. Lloyds would have to compensate you for any monies stolen. It also has very, very deep pockets from which to find the money.
Now let’s assume you have given consent to an app to get access to your account data at Lloyds and maybe your savings account at Nationwide building society, and the joint account you have with your partner at NatWest. The idea behind open banking is that apps (which must be FCA-regulated) will be able to “aggregate” everything in one single at-a-glance screen, constantly sweeping your accounts, helping you budget, spotting where you can make more savings, allowing you to more easily switch money from one provider to another, even analysing your gas bill to tell you of a £125 saving and doing all the switching work for you. It sounds great – until it goes wrong.
The new app providers are mostly small “fintech” start-ups (curiously, the likes of Google, Apple, Amazon and so on have not yet jumped in). Given that tech companies with vast IT departments such as Experian have been successfully hacked, we can assume one of these fintechs will be hacked too. But you will have given this fintech consent to access all aspects of your finance. Will your bank pay up for your losses – or will it quite reasonably blame the third party, and expect them to shell out? That £25m or so of start-up finance behind the third-party app provider could pretty quickly shrivel to nothing.
The organisers of open banking have repeatedly assured me that I’ll be OK, using the phrase “you will be made whole”. I have no idea what that means legally. Meanwhile the app providers tell me that their tech and their security are actually far superior to the big banks, which they accuse of running technologically ancient “legacy” systems that are far more vulnerable to fraud.
There are also, I’m told, some pretty big insurance contracts being taken out by the fintech providers, which are designed to cover losses in the event of a major fraud. These will no doubt be robust enough to cover small or even medium-sized frauds. But a major hack, and huge consequential losses? As we know from the great financial crash of 2007/08, only the government has the resources to truly rescue the financial system. An abiding lesson from that period is that we know that the government will step in and rescue systemically important institutions such as RBS or Lloyds. If you’re not systemically important – say, an app with 40,000 users – then you can go hang.
It’s not just hacking that should worry us about open banking. As NatWest warns today, we are likely to see a rash of copycat websites, pretending to be the third-party apps to which you gave consent. They will look like the real thing, and even have a web address very similar to your trusted site or bank.
Then there’s the risk that, with third parties having access to bank accounts, a scammer will attempt to insert themselves into this relationship, says NatWest. “A scammer could hack into a third party provider to gain access to information held in current account statements or pose as a third party in correspondence to extort information. This could then allow them to fraudulently access customers’ money.”
This is NatWest saying this, not some doddery old luddite frightened of new technology. I’m inclined to believe it.
If I were my 25-year-old self, running an overdraft within a week of being paid, then I might be more relaxed about open banking. But for now I’ll let others take the first-mover risk.