Open Banking: EU v. USA

by

Open Banking is a flop, it’s too costly, clunky, and businesses struggle to make money from it.

– Anne Boden, CEO of Starling Bank, to Treasury Committee (Source).

With a regulatory mandate and after five years of incessant media buzz, EU Open Banking recently crossed 5 million users. See Open banking passes five million user milestone.

On the other hand, driven entirely by market forces, US Open Finance has acquired 80 million users.

MINT* pioneered Open Finance in USA by seamlessly accessing banking information to provide personal finance management. Subsequently, the US market for Open Finance has exploded. Today, there are nearly 100 well-known fintechs that provide wealth management (e.g. Betterment), stock trading (e.g. Robinhood), account-to-account payments (e.g. Venmo) and a wide array of financial services by connecting to consumers’ bank accounts and accessing banking data. A partial list of Open Finance Fintechs in USA is shown in the following exhibit.

Open Finance Fintechs in USA (Image courtesy: hbs.edu)

Virtually all American Open Finance fintechs partner with bank account aggregators like Plaid, Yodlee and Finicity, who use friendly phishing to harvest online banking credentials and access customers’ online banking accounts, and scraping to gather bank account information. (Plaid uses API only to distribute banking information but not to collect it.)

EU Open Banking is based on the premise that bank customers want to unlock the value in their banking data. I’d surmised in Innovative Fintechs Don’t Need No PSD2 Regulation five years ago that this premise is shaky.

On the other hand, US Open Finance is based on the valid premise that bank customers have unmet financial needs that can be fulfilled with their banking data.

In other words,

EU Open Banking is obsessed with data and data-related technologies. US Open Finance is obsessed with alleviating consumer pain areas by using data and data-related technologies.

In my opinion, this is the fundamental difference between EU Open Banking and US Open Finance.

As we will see in the rest of this post, all other differences – API v. Phishing & Scraping, Limited Apps v. Unlimited Apps, and 5M v. 80M Users – are corollaries of this fundamental difference.

API v. Phishing & Scraping

Purists might argue that the first step of harvesting online banking credentials in US Open Finance is tantamount to phishing.

They wouldn’t be wrong.

When you onboard wealth management app Betterment, there comes a time when you select your bank. Say you choose CHASE. You will see your familiar Chase online banking login screen next. But it’s on Plaid’s website!

As Ben Thompson points out in his essay entitled Visa, Plaid, Networks, and Jobs,

That is not an interface for Chase; it is Plaid, effectively training end users (of Betterment) to enter their bank credentials in an app that is not their bank’s!

That’s the canonical definition of phishing!

But who cares?

80 million consumers who have shared their banking credentials with fintechs / Plaid obviously don’t. To paraphrase the old Compaq ad, “When it says Betterment or Robinhood or Venmo on the outside, who cares what’s on the inside?” (H/T Compaq. When the yesteryear PC market leader decided to replace Intel with AMD CPUs on its range of PCs, it preempted anxiety on the part of its consumers by running a series of ads that took a dig at the then popular “Intel Inside” campaign. The copy proclaimed, “When it says Compaq on the outside, nobody cares what’s on the inside”.).

The regulator also doesn’t seem to care. But I’m not too surprised because finserv regulators in USA seem to have a track record of being blasé about security concerns. Testimony: (1) FFIEC announced guidelines for two factor authentication for online payments in 2005 and reissued them in 2012 but USA still does not have 2FA for online payments in 2022 (2) Instore credit card payments do not require PIN in USA.

But even banks don’t seem to care. As the OP of this Information Security thread on Stack Exchange says, “I would think with Plaid using bank logos to make their “fake” bank login forms look legitimate, banks would be after Plaid with lawsuits. But apparently some of them are investors! On Plaid’s website Citi, American Express, and others are listed as investors. It appears that banks aren’t against this bad practice, and are, in some cases, actually encouraging it.”

I see a parallel with Zoom. Despite entering the video conferencing market comprising 800 pound chimpanzees like Google Hangout, Go To Meeting and WebEx, Zoom literally zoomed past all the incumbents even before the pandemic struck. In the lockdown following the pandemic outbreak, its user base shot up by 30X. Now, Zoom has many well-documented issues related to security and privacy. They don’t seem to have mattered in its meteoric rise.

Limited Apps v. Unlimited Apps

Purists contrast the above operating model of US Open Finance with that of secure API access in EU Open Banking. On the face of it, API sounds great. But, as Byrne Hobart pointed out in his Diff newsletter:

When you use scraping, you can get all the info that the logged user can access whereas, when you use API, you’re limited to what the bank provides via API.

Let that sink in.

It means that sky is the limit for US Open Finance apps that use scraping whereas API chokes the scope of EU Open Banking apps.

Constrained by the functionality provided by bank APIs, EU Open Banking has ended up with a limited range of apps. The constraint is particularly severe in the case of banks with legacy technologies, which crimp the type and number of services that can be exposed via API.

When I last checked, every second Open Banking app in EU was an A2A payment app.

Nothing wrong with A2A payment apps but there have been a slew of them in EU / UK during the last 10 years e.g. PayByBank, PayM, PingIt, Zapp in UK, iDEAL in Holland, and EBA myBank and SEPA SCT Inst in EU. They were all built without Open Banking. The ones that succeeded did so without Open Banking. I’m guessing that the ones that failed will fail even with Open Banking.

Because, end of the day, success or failure of products is driven more by their value proposition on the glass rather than by their technology beneath the hood. (In this case, it’s just the data access technology, which is a crucial, but only one, part of the tech stack of fintech apps.)

This is in sharp contrast with a wide array of apps in US Open Finance spanning automated savings, stock trading, wealth management (apart from A2A payments), as shown in the following exhibit.

Open Finance Fintechs in USA. Image courtesy: digital.hbs.edu

According to Wall Street Journal article titled Plaid Co-Founder Takes Aim at Rickety Banking Tech, there are 6000 apps just on Plaid.

5M v. 80M Users

There are 5 million users of EU Open Banking in a population of nearly 450 million people, and 80 million users of US Open Finance in a population of 330 million people.

The drastic difference in adoption is easily explained by Marketing 101: All other factors being the same, more apps and broader functional coverage will drive greater adoption.

Whenever I point out that US Open Finance has way more users and apps than EU Open Banking, Open Banking purists pushback, saying US Open Finance uses scraping technologies whereas EU Open Banking uses API.

Whenever I counter that by suggesting that EU fintechs aren’t going to achieve much more with banking data obtained via API in the future than they have with banking data obtained via scraping in the past, the same Open Banking purists pushback, saying Open Banking is about much more than scraping versus API.

Go figure!

But numbers don’t lie.

 

* Some readers have pointed out that Big Tech companies like Unisys offered account aggregation services well before MINT launched in 2007. It’s just that, being bank-facing fincumbents aka B2B, they didn’t get much visibility in the mainstream market unlike MINT, which was a consumer-facing fintech aka B2C.