Open banking through AIS offers obvious benefits but firms should ensure they still meet their regulatory obligations, writes Thistle’s Head of Credit Matthew Williamson.
Customers and providers in the world of finance continue to benefit from a wide range of technological innovations, improving efficiency and driving up service standards. What was once considered radically innovative and labelled ‘fintech’ will soon shake off any sense of novelty and simply find itself absorbed into the broader category of finance. It can only be a matter of time now before all firms have adopted ‘fintech’ as a routine part of their operations.
In this article, I want to explore one particular aspect of this wave of financial services innovation: account information services (AIS) – and, in particular, its impact on the consumer credit and mortgage lending markets.
You’re unlikely to need me to point out that AIS is increasingly incorporated into financial services customer journeys today. The ability to analyse income and expenditure data over an extended period and to execute in-depth affordability assessments at the touch of a button has certainly piqued the interest of the credit market.
Not only has this shortened loan application times, it has also reduced the need for underwriting resource, although in practice this resource may often have been reallocated rather than eliminated – something we’ll come back to later in this article.
The benefits of AIS might be most obvious at origination, but I would argue they can be equally, if not more, beneficial during the loan monitoring phase. With the customer’s consent, lenders can continue accessing affordability data on an ongoing basis. This provides a number of benefits, both to the business and the consumer.
Most importantly, it means flags can be built into the lender’s system so that any issues with affordability can be identified and assessed to forecast potential loan distress. Again, with the customer’s consent, this means lenders can reach out to their customers to discuss any flags that arise. This in turn could allow lenders to structure forbearance measures designed to avoid issues around late payments.
Important benefits can also arise from using AIS for the purpose for which it is regulated: providing the customer with their account data. Lenders enabling borrowers to see a breakdown of their spending – and providing them with relevant tools and information – could help borrowers manage their finances more prudently, limiting the risk of them falling behind on repayments.
The value of improved accuracy, both at origination and monitoring, cannot be overstated. AIS can limit the scope for human error and even improve on human performance. But when firms place greater reliance on technology in the affordability assessment process, it is important they reallocate resource and expertise to the active management of the tech systems themselves.
Failure to do so will inevitably result in impaired business function and – crucially from a regulatory perspective – customer detriment. The need to reallocate resources in this way is clearly evidenced in the increasingly stringent regulatory requirements in this area, particularly around IT security and governance.
Breaking it down, firms registered as account information service providers (RAISPs) will access account information directly from banks, through Open Banking. Becoming an RAISP requires making an application to the FCA and meeting a number of regulatory requirements, the most important of which concern IT governance and security.
The governance aspect relates to the system owners and authorities who approve and control data flowing through the system. It also requires having clear reporting and escalation channels in disaster scenarios. Typically, this will be handled through access control measures integrated into a firm’s system, along with comprehensive policies outlining operational processes. Satisfying the relevant governance requirements also requires ensuring systems are subject to independent assessment and challenge.
In terms of security, all data should be encrypted to ensure it is protected, with systems required to be fully up to date with anti-virus controls. This should be supplemented with periodic penetration testing, particularly for more ‘at risk’ firms.
All of the above applies equally to firms working with third-party AIS providers, but firms who outsource their open banking connectivity also need to assess their proposed outsourced providers. This involves making a thorough assessment of the provider’s ability to provide AIS, taking account of any platform integration considerations. These assessments should also consider the AIS provider’s business continuity plans, IT and data security policies and controls, to ensure they operate effectively.
As with any other activity with regulatory implications, these assessments should be documented and approved by management – and conducted on a periodic basis. Relevant MI and KPIs should be collated, considered by management as a regular part of management meetings, and escalated to board level if and when required.
In summary, while the introduction of AIS is something to be encouraged and celebrated, it is vitally important that lenders – and all those utilising this technology – maintain proper governance and controls to ensure robust and effective business operations and minimise any potential detriment to customers.