As financial services become increasingly powered by consumer data, open finance is gaining traction in many countries. By allowing people to safely share their financial information with trusted third parties, open finance can unlock better, cheaper, and more diverse products, as well as more tailored services.
Open finance creates a complex web of new partnerships, the sharing of sensitive data, and, in some cases, billions of API calls each year. Consumers, their data, and their money are at the center of this web, and they risk not knowing who is responsible when something goes wrong (like a fraud attempt or misuse of consumer data). Even worse, the responsible party may be unwilling to help consumers resolve the problem.
Determining who is responsible for what, and how they will make consumers whole, requires special attention if we want open finance regimes to deliver on their promises. Thus, open finance needs clear and comprehensive liability frameworks that hold participants accountable to consumers. Without clear accountability, people may struggle to find solutions when they are victims of unauthorized payments, data leaks, or scams. Providers can also face uncertainty over who must fix problems and compensate users if liability is not well-defined. As countries develop open finance regimes, getting liability right is essential to protect consumers and ensure trust in the financial sector.
CGAP recently convened members of its Consultative Group on Consumer Protection, an informal group comprising over 50 senior financial consumer protection specialists, to discuss how liability is handled in open finance across the globe.
The session opened with some thought starters based on separate research pieces by two of this blog’s authors, which were followed by a discussion. The first piece of research was on liability models in open finance regimes. It highlighted new risks for consumers created by the proliferation of third-party providers (TPPs) in open finance and increased sharing of consumers’ financial data. Different countries have been testing ways to bring third parties into open finance safely through policies such as compulsory registration, oversight by licensed institutions, or embedding liability clauses in service agreements. The research argued for a shared liability model for open finance that aligns incentives for regulated institutions and TPPs and simplifies redress for customers by allowing them to raise complaints to any involved party. Clear disclosure of TPPs’ involvement at the point of consent, routine reporting on TPPs’ activity, and well-designed indemnity insurance can further strengthen trust and ensure timely compensation when things go wrong. Thus, liability frameworks must be consumer-centric by design, transparent, predictable, and resolve problems quickly.
The second piece of research described in detail how the UK open banking regime is handling liability issues, highlighting the interplay between payments regulation (PSD2) and data protection regulation (GDPR).
In the UK, multiple authorities oversee different aspects of open banking, from payments and data protection to competition and dispute resolution. Typically, the banks reimburse consumers for unauthorized payments and then resolve liability issues with third parties that initiate payments using open banking (Payment Initiation Service Providers - PISPs). For scams, reimbursement is split between sending and receiving banks (PISPs that don’t offer the underlying payment account are not currently liable). Individual redress for loss of data is not generally available under GDPR.
A key challenge is onward data sharing with other organizations, which can make liability harder to trace, especially when data is passed to parties outside the financial sector. In this context, a single dispute management system, a data ombudsman for cross-sector cases, and concurrent powers for financial and data protection regulators would be preferable.
Following the presentation, the participants identified several issues that deserve further exploration to strengthen liability in open finance. Below are our top four.
1. Strengthening consumer consent
Consent is a foundational principle in consumer data protection—and therefore in open finance—but its effectiveness is questionable. Consumers often agree to data sharing without understanding the implications. In an open banking journey, a person consents to share their data (e.g., ‘I consent to share my account information for the purposes of an affordability assessment for a loan’). This consent is important because it says, ‘I want to share my data’, but the company must also communicate how it will process the data. That processing rests on a separate legal basis under GDPR, such as ‘performance of contract’ or ‘legitimate interests’. Thus, alongside the ‘consent’ a person gives in the journey, there is also a separate notification explaining how their data will be used—often in a privacy notice (though most people do not read privacy notices).
We all agreed that consent is necessary but insufficient, especially as data moves through multiple parties. CGAP argues that data should only be used for legitimate purposes, regardless of what consumers agree to in lengthy consent contracts or separate privacy notices. We must explore stronger consent models that more clearly explain the implications of data sharing, not just the types of data being shared. Additional safeguards, such as strong dispute resolution, clear escalation pathways, and technologies like data minimization, can also help.
2. Building consumer trust
The relationship between liability frameworks and consumer trust was a central theme: Do robust liability and redress mechanisms actually build trust? The usefulness of services appears to drive adoption more than trust, but effective redress systems are essential for maintaining confidence when issues arise.
3. Watching out for data breaches
The risk of data breaches was a recurring concern. In the UK, there have been regular breaches of payment data at retailers, but none have been reported among UK account information service providers, probably due to strong technical safeguards such as tokenization and API standards. While the group could not identify major open finance breaches globally, in cases where data is shared, the lack of traceability in the data chain means that ‘we don’t know what we don’t know.’
4. Taking a collaborative ecosystem approach
Collaboration between financial sector authorities and data protection authorities is critical to building stronger liability frameworks. Such collaboration is central to CGAP’s vision for responsible digital finance. The group highlighted several promising examples, from joint working groups to multi-stakeholder dialogues, underscoring that progress relies on collective commitment and action. The UK’s approach to regulatory cooperation involves digital regulatory forums and memoranda of understanding. As open finance evolves, ongoing collaboration will be key to building trust, accountability, and resilience in the financial ecosystem.
Our meeting made it clear that as open finance evolves, building consumer trust and providers’ accountability must be at the forefront of the agenda for key actors in the data and financial ecosystems. Regulators, providers, industry associations, and consumer representatives need to work together to ensure that innovation does not outpace consumer protection. CGAP remains committed to fostering research and dialogue on this topic.