Since Taiwan’s Financial Supervisory Commission (FSC) announced in May 2020 that the second phase of Open Banking would launch in Q3 of the same year, news about Open Banking has been surfacing at a rate of roughly once a month. Setting aside the fact that the original Q3 launch target had already been delayed, the news went from eight banks expressing strong interest in July to just five financial institutions willing to try as of the latest reports. So why has this seemingly hyped-up “Open Banking Phase Two” remained so quiet?

First, there is the matter of information security safeguards. The core premise of Open Banking is sharing financial institution data via APIs with Third-party Service Providers (TSPs), enabling users to access relevant information through third-party services without having to visit the bank’s website or app. The FSC’s planned rollout of Open Banking is divided into three phases:

  1. Non-transactional data: Consumers can look up publicly available bank information without visiting the bank’s website.

  2. Consumer information queries: Consumers can access their personal account data without logging into the bank’s website or app.

  3. Transactional data: Consumers can execute account transactions without logging into the bank’s website or app.

When Phase One covering non-transactional data went live the previous year, more than 26 financial institutions immediately joined the platform. Besides the fact that this was a project championed by the financial regulatory authority, the biggest reason was that the data being shared was essentially “harmless.” This information was publicly available on banks’ own websites regardless of whether they shared it through the platform — simple, easily accessible public data that posed no threat to the banks’ interests.

But Phase Two, covering consumer information queries, is a different story. This is the first time that personal information of bank customers would be shared with external parties. The reason this data requires “login” access is precisely because it involves user privacy and the bank’s commercial information, including account balances, transaction records, credit card limits, and contact details. Moreover, banks would also bear the burden of vetting TSP qualifications and the risk of data breaches. Getting these financial institutions — already sitting on large customer bases — to willingly share their customers’ information with external parties while shouldering the associated risks is an extremely difficult proposition.

What is even harder is demonstrating commercial value. What benefits do banks gain from sharing this information with external TSPs? Once users no longer need to log into the bank’s own online banking or app to access this information, the frequency of visits to the bank’s own platforms would drop significantly, reducing the bank’s opportunities to cross-sell financial products to its own customers. Furthermore, among the 18 APIs currently being opened, there is no substantive data that could help these banks acquire new customers. Financial proof documents, income data, and repayment records — the kinds of information traditionally required when applying for personal credit loans — were not included in this round of data sharing.

Then there is the willingness of TSP providers. To ensure that companies receiving customer data use it properly and maintain robust information security controls, the Phase Two regulations for TSPs added a requirement for obtaining ISO 27001 information security certification. For access to credit card-related information, PCI DSS certification is also required. These certifications are typically expensive to obtain, and the time investment is substantial, which has dampened TSPs’ willingness to participate. After all, who wants to spend six months and hundreds of thousands of dollars on certifications just to help customers view their savings account balances?

Finally, there is the attitude of the regulatory authority itself. The biggest difference between Phase Two and Phase One is that the FSC requires interested banks to apply for a “pilot program.” A pilot program means that when the approach does not violate existing laws but differs from the standards and guidelines set by the Bankers Association, banks can apply for a pilot to obtain “restricted authorization.” However, if the FSC’s own Open Banking policy still requires each bank to submit individual applications independently, this to some degree signals a lack of confidence and concern about Phase Two. The fact that no bank had submitted an application from the time the 18 API specifications were published in May through the end of July is the strongest proof of this.

The challenges Taiwan faces with Open Banking may benefit from examining how other countries have handled it. The UK is the global leader in Open Banking. The UK’s financial regulatory body, the FCA, implemented its Open Banking policy in 2018 and established an independent body to manage it. Similar to Taiwan, the UK categorized data by sensitivity level into non-transactional information, consumer information, and transactional information. However, they made all APIs available at the same time, simply applying different qualification requirements for TSPs based on the sensitivity level of the data. In other words, TSPs could first see what information was available and conduct thorough evaluations before proceeding with product planning and information security certification processes for the relevant data.

As of October 2020, the UK already had 19 financial institutions and over 96 TSPs on the platform, with more than 6 billion API calls in a single month. For TSPs, Phase Three transactional data is what interests them most, but the FSC has yet to provide details on the relevant API content. Therefore, without being able to see what Phase Three will offer, TSPs are unwilling to invest time in product planning and security certification during Phase Two. Perhaps the moment that truly determines whether Taiwan’s Open Banking succeeds or fails will be when the Phase Three APIs are finally disclosed.

Related information: 2020/05/28 - Open Banking Phase Two to launch in Q3, 18 consumer information open APIs and regulatory details finally published: https://pros.is/3arex8 2020/07/26 - Open Banking Phase Two pilot program: 8 banks eager to participate - https://pros.is/3a94rg

2020/09/02 - Wang Li-Ling: Taiwan’s Open Banking Phase Two is the key: https://pros.is/3anfmy

2020/10/19 - Reaching out to TSPs: domestic banks push for Open Banking Phase Two: https://pros.is/393jhy 2020/11/26 - Open Banking Phase Two: TDCC takes the lead: https://pros.is/398jdv UK Open Banking website: https://pros.is/3aw7mt