Open Banking: where does responsibility lie — with financial institutions or the services layer?

Luke Massie, VibePay CEO, urges collaboration among regulators, banks, and open banking entities to tackle fraud and scammers, insisting open banking ‘isn’t going away’.

Earlier this year, VibePay was contacted by the Open Banking Department of Starling Bank, with a message that puts fear into any emerging fintech start-up… “We’ve noticed a number of fraud attempts and we are cutting access to VibePay off for our users. Users of VibePay that have starling banks link will no longer be able to make or receive payments.”

Now, before we get into any discussion about whether this course of action was enforceable against VibePay as an FCA-regulated entity: the product team at Starling Bank have been great, and we all want the same outcome, to protect consumers whilst creating the best possible open banking experience.

However, this whole incident has made us ask the bigger question:

Where does responsibility sit and how does that tie back into the promise of legislative changes that led to PSD2 (Open Banking) in the first place?

It was inevitable. We knew this day was coming, and we knew some banks might use fraud as an opportunity to push back on Open Banking, which many of them see as a cost and as a threat of further disintermediation. As Account to Account (A2A) payments became more frequent, fraudsters were always going to try to exploit them. We just didn't anticipate it coming quite this soon. At VibePay, we put protections in place very early in our journey, such as safety messages shown to users every time a payment is initiated.

*Image of the safety messages VibePay users see every time they make a payment. Since introducing them, Vibe has seen an 18% drop-off, which the company believes has contributed to reduced fraud.

But what more can PISPs do to prevent A2A fraud attempts?

To answer that question, you need to understand what PISPs do (and cannot do). Services like VibePay are a new type of enabler: VibePay is not an e-money wallet. We never hold or even touch users' funds. Every payment happens within the bank's environment and has to be authorised by the end user. By design, our product removes the middlemen (card and wallet schemes).

The promise of Open Banking was that founders and builders like myself could take the payment rails and data-sharing APIs and create new experiences, capturing some of that value along the way. Under the legislation, banks were legally obliged to open up and create APIs that would enable innovation in the supply chain.

In VibePay’s case, we set out to build a new payment network that helped individuals and businesses get paid and, unlike others, made the decision early on to become FCA-regulated ourselves so that we could hold our own eIDAS certificates and hold users' hands through the bank-linking and payment-initiation journeys. From day one we wanted to own the relationship with end users and become the trusted layer above the banks, truly bank-agnostic.


*Image one is a screen showing what users see when they are about to link a bank to Vibe. **Image two shows what the bank says when handing the user back after successful authentication.

Know your customer (KYC).  

The FCA requires VibePay to carry out its own KYC. Although we do additional checks on our users, run our own transaction monitoring and have a monthly call with Open Banking to report any suspicious activity, internally there has always been a view of: what more KYC could we possibly do than a grade-one bank has already done itself?

In order to use VibePay you need to have linked a UK bank account. In order to have a UK bank account you will already have been through a rigorous KYC process: going into a branch with physical documents, or providing digital evidence and signatures. Questions like these have fundamental effects on product experiences, but also on bottom lines.

Additional steps in onboarding affect conversion rate, which drives up customer acquisition cost (CAC), and using third parties means each user onboarding can become costly to serve (industry-standard KYC costs are £5 per consumer and £25 per business). Scaling to a million-plus users can become very expensive and can mean the unit economics are not viable. This can deter innovators in the space.

The responsibility falls on us all.

VibePay, as a PIS/AIS service provider, should still shoulder some of the responsibility despite not holding user funds or being the environment where payments take place, and I believe that is mostly through education and prevention. We should minimise fraud, not enable it, and we want to keep doing more to ensure that. Here is how we see others playing their part.

FCA - legal framework; open to input from those operating in the industry.

Open Banking - guidelines, support and networking.

Banks - product collaboration and better APIs (transaction enrichment and payment reliability being the two key areas).


The two key questions that need to be addressed as A2A and Open Banking grows are:

What happens in the event of Fraud? Where does responsibility fall?

Who is responsible for KYC? What more can PISPs do?

We have a growing user base and would like your input, as we recognise that the answers can’t all come from the banks or the regulators.
