[#44] Open Banking: What's missing in India's Account Aggregator framework?
Monetization, data protection laws, and mandated data sharing by banks are still a work in progress.
Open banking is highly touted as one of the key themes that will evolve in fintech. Along with CBDCs and neobanks, it is predicted to be one of the key drivers of growth going forward. But what is open banking? I’ve heard folks confuse it with neobanks, core banking systems and basically bank infra.
Open banking basically allows customers to share their data in a secure fashion with consumer-facing applications, through licensed third-party providers.
Here’s an example: If I want to link my bank accounts to a personal finance app, and get all my information from my bank accounts, this has to be 1) authenticated and 2) shared in a secure fashion. This information is shared through APIs, and the authentication & authorization has to happen through secure interfaces. The third-party providers (TPPs) who facilitate the authorization and transfer of information through APIs are the open banking players. This whole process is what open banking refers to.
Definite value add: Open banking is what powers embedded finance, which is expected to be a $20B market in India in 2029
The benefits are obvious. Banks & financial institutions are not known for their customer experience, but at the end of the day, they are the source of all the key financial data of the customer, which then defines the customer’s ability to get credit cards, loans, and make investments.
Open banking essentially allows banks to do what they do best, and leaves information transfer, customer experience, and things like spend & transaction analysis and personalized recommendations to the consumer applications, which offer these as a core value add.
Globally, open banking is concentrated in UK & Europe, but monetization is uncertain
There are multiple players who are building out the open banking infrastructure globally. Chief among these are players such as Tink, Plaid, Perfios, & GoCardless, which facilitate the secure transfer of information, and linking of bank accounts through their secure interfaces & APIs.
And while these entities are valued in the billions of dollars (check out the table below), the problem here is that monetization is still very uncertain. Except for Perfios, which reportedly made a profit of $8.5M in FY24, the rest are all making losses in the millions of dollars, while others have been acquired. Ex: Visa acquired Tink in FY22 for $2B, and tried to acquire Plaid in FY20 for $5.3B, but this didn’t go through because of regulatory blockers. Mastercard acquired Finicity for $825M in FY22. And Perfios acquired Karza in FY22 for $80M.
Market consolidation, and loss-making companies - there needs to be some sort of official commercial structure set up / benefits given for providing this service
The market consolidation, and the fact that out of all the companies sampled only one is profitable, is a problem. There are definite benefits to open banking: apart from general convenience, what it is really able to solve for is customer access to their own data. Creating infra that allows customers to share their bank & financial data with whoever they want enables way more financial inclusion.
The problem with setting up this infra is that there is a lot of upfront cost in actually developing it, and there is also a high cost of compliance and maintenance. And while open banking companies are experimenting with monetization, it’s clear that it’s not really working. The standard model is % + some fixed fee per transaction, with some players also trying to play around with subscription-based models, but usage of this may require some sort of official pricing, or some government subsidies to the open banking players who are providing this service.
Otherwise, it’s only the big players with deep pockets who will actually be able to offer this, case in point being Visa and Mastercard, who have made ~$1B investments in this space. And this is not really a good thing, because it just leads to more concentration of services, and less opportunity for challengers to come in and make their mark. Fintech in India is a race to the bottom, with decreasing bps being charged, due to a free method such as UPI taking over (which is also an example of open banking).
UPI is a great example of the innovations that open banking brings, and the scale that can be reached by providing these services.
UPI is actually an open banking initiative that was driven by NPCI. While consumer apps handle the customer experience & customer initiated activities, standardized APIs handle the authentication, bank account linking, and payment transactions through secure interfaces, communicating between the bank and the consumer app.
And this again, by the way, is free. UPI is projected to power ~90% of digital payments by FY 2027. The cost of this is being borne by the stakeholders: the payment aggregators, consumer apps, and banks.
UPI hit INR 23 Lac Crore volumes in October ‘24, or ~$280B in terms of value processed through this method. This is massive. The eventual expectation is that pricing will come in at some point, and that’s when the initial investments will be paid back. And that’s probably why folks are building in open banking.
The bet is that even though the costs are significant, at SOME point the monetization will be figured out, and the massive scale coming through will reap dividends. But it needs to come soon. There is only so much time that losses can be sustained before challengers bow out, or are bought out. And this has already started happening.
Global regulations seem favourable, with EU, UK, and Australia mandating bank participation
Regulatory frameworks have come up across the world, chief among them PSD2 in the European Union. Other countries like the UK, Australia, and India have open banking regulations too, such as the OBIE in the UK, CDR in Australia and the Account Aggregator framework in India. In jurisdictions such as the EU, UK, and Australia, bank participation is mandated, while in India it is still opt-in.
India’s guidelines for account aggregators only offer opt-in for banks, and data quality & customer experience still leave a lot to be desired
Instead of banks being mandated to share information with open banking partners, or in this case account aggregators, India follows more of an “opt-in” structure. Banks can choose to be a part of this system, and choose what data to share. Multiple issues still exist here:
1. Even though the top banks have opted in, they can choose what data to share. The account aggregator system allows sharing of data from bank accounts, fixed deposits, mutual funds, pension funds, insurance, and stocks. That is what is enabled. Banks can choose what they are okay sharing. Example: Fixed deposit data can be shared through the account aggregator network, but banks aren’t okay with sharing this.
2. Stock purchase price is not shared: Purchase prices are not shared, just the value of the shares, so there’s no complete transparency on what the actual gains from a stock are, which would provide a more accurate reading of the customer profile. Also, it’s dependent on settlement, so there can be a 1-2 day lag.
3. Lots of gaps in experience and data quality: Account aggregators report long lag times to actually get the data, and when they do get the data, a lot of the time it is incomplete, so it is tough to classify / do analysis based on this. There are also frequent downtimes, and information in some cases is only shared in a certain time slot, and not during the weekends, so it impacts the value that something like this can bring.
4. Each AA has to individually onboard FIPs (Financial Information Providers), and FIP onboarding on each AA is not mandated. So for the initial AAs, yes, FIPs onboarded. But now, because FIPs cannot monetize the information that they are sharing, they have stopped onboarding onto new AAs, and that was a major reason for PhonePe giving its AA license back. Apparently there is a concept called the Sahamati Router going through a POC, where, to simplify this, Sahamati (which is the NPCI equivalent for AA) is building an interoperable layer on which all FIPs can be onboarded. Then, instead of each AA integrating with each FIP, AAs can connect to the platform and get access to all FIPs’ data.
5. The primary use case being solved is lending: limited development has happened for wealth & personal management.
Kniru is a company that’s trying to do this: solve for personal finance and personal wealth management through a consumer-facing app, using open banking APIs. Their core offering was personalized recommendations based on analysis of spend patterns and transaction history. Now, monetization is still a question in my mind, but the depth of personalization that they showcased was quite impressive, and really showed the value that open banking can provide in use cases other than lending.
And even apart from the current improvements needed in the AA infra, a key piece of the puzzle is missing: India’s consumer data protection act (DPDP)
The open banking directive (PSD2) in Europe works in tandem with the consumer data protection regulation (called GDPR). PSD2 mandates that banks share information, and governs who can access the data, how authentication works, and how the data will be used. GDPR, meanwhile, gives customers rights concerning their personal data: it puts checks and balances on the usage and storage of this data.
The key here is customer consent. One right granted by GDPR to customers is the right to access their personal data, and to get banks to share it with whatever licensed third party they want, on explicit consent. Other key rights are the right to data rectification and the right to erasure, where, if the customer wants, they can withdraw consent on how their data is being used, and also get their data deleted.
The DPDP, or the Digital Personal Data Protection Act, is not out yet, but ideally both these frameworks should be looked at together. There is also a need for stringent monitoring, and fines on data breaches. Violation of the GDPR, for example, can lead to fines of up to 20M euros, or 4% of annual global turnover. A DPDP breach can cost up to Rs 200 Cr per offence. There still isn’t clarity on how this is monitored though. I’m assuming there will have to be some sort of MIS shared and frequent audits done on parties who are part of the AA system: namely the FIUs (Financial Information Users), such as apps. Monitoring and reporting on the consent taken and the time the data was stored for will all need to be very stringent. A portal where customers can report breaches / grievances will also be needed. Otherwise, all this can go downhill very easily.
So open banking has promise. But what’s missing right now could be key to its success or failure.
And until monetization, bank data sharing, customer experience, and customer data protection are solved for, account aggregation in India will not really drive innovation the way that the market predicts.
Wanted to understand what can TSP do in the AA space to differentiate themselves once Sahamati Router goes live?