The Financial Sector Conduct Authority (FSCA) has published a draft position paper on “open finance” and how it views the industry trend in a South African context – including the pitfalls it faces and what needs to be done from a regulatory point of view to get it to work.

Open Finance refers to the “practice of consent-based financial data sharing and payment initiation, with
suitably authorised third parties, safely and ethically”.

The concept is an evolution of Open Banking which enables frameworks for third-party services to safely access a customer's banking information to provide additional services. Some examples include tools like 22Seven, or the host of in-app services from the country's biggest banks that are handled through third parties.

Open Finance wants to take this concept a step further by allowing consensual access to wider finance information to provide customers with more customised services, while also opening the finance market to more competition.

According to the FSCA, these are some of the benefits of Open Finance that support its wider objectives – however, they also come with some pitfalls.

Because some third-party providers fall outside of its scope (ie, they are not licenced financial service providers) there is a lack of regulation for open finance. In addition to this, with more access to data, there is a greater risk of data breaches which could negatively impact customers who have given consent for certain data to be shared in limited contexts.

Going through the FSCA's document, legal experts at law firm Webber Wentzel identified six key regulatory proposals made by the FSCA to mitigate these risks.

1. A regulated Open Finance Regime

The FSCA recognises the importance of regulating Open Finance because of the demographics of South African financial consumers. The lack of digital literacy requires regulatory intervention to ensure consumer outcomes and market trust.

The FSCA is exploring the potential for a phased mandatory regulatory regime for Open Finance, in which relevant financial institutions would be required to participate by developing the necessary infrastructure to share data with TPPs with the consent of financial customers.

The Draft Position Paper notes that a mandatory regime may be more appropriate in jurisdictions where policies are geared towards promoting financial inclusion or increasing competition in the financial sector.

A mandatory regulatory regime offers several benefits. It drives competitive behaviour and encourages financial institutions to develop Application Programming Interface (API) communication solutions.

However, the FSCA acknowledges the necessity of assessing the complexities and costs involved in adopting a mandatory regime.

2. Tailored and proportionate regulatory oversight over participants

The FSCA has identified four types of participants that will require regulatory oversight: financial institutions, TPPs, fintechs and other service providers. The level of regulatory oversight over each participant will be proportionate to the risk that it poses to Open Finance.

Currently, TPPs and APIs are not licensed as financial institutions and operate outside the FSCA's regulatory ambit. The financial institutions already participating in Open Finance are not governed by a regulatory framework.

Some of the oversight mechanisms contemplated include imposing data standards or conduct requirements on financial institutions and introducing licensing requirements on entities that utilise APIs to access customer accounts to provide financial services. 

3. Informed consent for the use of customer data

Adopting comprehensive consent requirements is integral to Open Finance, as it will prevent the unauthorised collection and use of consumers' data.

The Draft Position Paper sets out proposed principles for obtaining and maintaining customer consent, including that consent to use customer data should be unbundled rather than aggregated with other consent agreements or permissions.

Consent must also not be conditional on obtaining other bundled products and services.

The Protection of Personal Information Act, 4 of 2013 already alludes to many of the principles in respect of consent proposed in the Draft Position Paper. The FSCA intends only to strengthen the existing regulatory framework to close any gaps.

4. Protecting customers by implementing appropriate risk management and disclosure frameworks

The FSCA supports the adoption of risk management frameworks that will mitigate risks such as fraud and unwanted data breaches, as well as a disclosure framework that addresses the risks emanating from vulnerable customers who lack the necessary data literacy levels to give informed consent.

5. Ensuring data protection and data sharing standards

The Open Finance regime covers three types of data: generic services, customer and transactional. The FSCA believes that setting data-sharing standards is important to prevent fragmented specifications and practices in the Open Finance regime.

The FSCA will engage its fellow regulators on proposals relating to data protection and data sharing to ensure regulatory and supervisory alignment.

6. Providing complaints and dispute resolution mechanisms

The Draft Position Paper sets out the importance of a statutory complaints framework to mitigate the risks of harm to consumers.

The FSCA acknowledges that financial institutions have existing obligations to manage complaints, which it believes to be sufficiently developed to accommodate an Open Finance regime. It proposes that, depending on the activity, the existing framework would apply.

For example, a licensed Financial Services Provider would apply the requirements of the General Code of Conduct for authorised Financial Services Providers and their representatives under the FAIS Act.

The FSCA intends to conduct further research to better understand how customers utilise Open Banking offerings in South Africa, as well as the potential role of data portability to promote financial inclusion, among other things.

The Draft Position Paper notes that the FSCA will be collaborating with other financial sector regulators (including the Prudential Authority and the South African Reserve Bank), the Information Regulator and the Intergovernmental Fintech Working Group to establish the Open Finance regulatory framework.

Comments on the Draft Position Paper must be submitted to fintech@fsca.co.za by 15 August 2023. The FSCA will consider the comments received before publishing the final position paper. Once the paper is finalised, the FSCA will implement its regulatory proposals in a phased manner.

Commentary by Gabi Richards-Smith, Partner, Lerato Lamola-Oguntoye, Consultant & Analisa Ndebele, Associate from Webber Wentzel