Open finance holds immense promise for financial inclusion, but with that great opportunity comes significant risk. As consumers share more of their data to access financial services, safeguarding their rights and security becomes paramount. At a recent open finance workshop by the Financial Stability Institute, The World Bank, and CGAP, experts from nearly 50 countries explored the opportunities and challenges of open finance for financial inclusion and discussed considerations from a recently published paper.
As part of the event, a consumer and data protection panel – composed of Neena Jain from the Reserve Bank of India; Maria Fernanda Tenjo, Colombia’s Financial Superintendence; Faith Reynolds, independent consumer expert; Tommaso Majer from the OECD; and Dietmar Bohmer from Tyme Group – discussed risks in data sharing, solutions for protection, and collaborations to make open finance inclusive.
Some key takeaways emerged, all pointing to the reality that for consumers to harness the benefits of open finance, adopting a comprehensive consumer and data protection regulatory and supervisory framework, putting consumers first, and ensuring proactive collaboration among key actors in the ecosystem is imperative.
1. Risks are real – and accelerating
Open finance offers tremendous potential for financial inclusion but can exacerbate the risk of fraud and consumer data misuse without proper safeguards. As Neena Jain pointed out, “Since multiple third parties have access to consumer data, it increases the likelihood of unauthorized data sharing or leaks.” CGAP global research and three national surveys in West Africa show that these risks have accelerated with the digitalization of financial services, and both IPA’s consumer risks surveys and Consumers International digital finance index show similar results. A global report prepared by The Harris Poll in 2022 showed that 8 in 10 people interviewed were concerned about their data privacy. With this acceleration of risks, protecting consumers and their data is no longer a “good to have” but a “must have.”
While many new segments could access formal financial services by sharing their data, discrimination against women and other groups could continue if data is not representative or if algorithms are not supervised. As Tommaso Majer reflected, “Open finance may create risks of financial exclusion if data held by financial services providers is inaccurate or incomplete and does not reflect consumers’ real situation, or if consumers do not have data or don’t want to share it.”
In Colombia, unfair (personalized) pricing and a lack of transparency on the consent and usage of consumers’ data have caused risks. There are also concerns about complex complaints and redress mechanisms with many third-party providers (TPPs) involved in processing consumers’ data. And while open finance can boost access to digital credit, it also creates risks of harassment and over-indebtedness. Last but not least, the rapid expansion of generative AI could amplify identity theft, fraud through deepfakes, and misuse of personal data. Without robust safeguards, open finance risks undermining its own promise of inclusion by exposing consumers to preventable harm.
2. Vulnerable populations face disproportionate risks
The risks posed by open finance are not evenly distributed. Certain groups – such as older people, women, rural populations, and people in a state of vulnerability – face more risks than others. In South Africa, Dietmar Bohmer pointed out that people over 70 are eight times more likely to fall victim to digital scams or online fraud than those under 50. In Colombia, a national survey found that 32% of women know how to identify data theft on websites, compared to 39.3% of men. Maria Fernanda also emphasized the critical need for data minimization and the protection of sensitive data. “Sometimes financial institutions require consumers to give consent with the aim of consulting sensitive databases for credit rating purposes without explicitly informing the consumers,” she said. “Bad conduct in the usage of this information could lead to discriminatory practices against consumers.” Effective consumer protection frameworks must take an intersectional approach, addressing the unique risks faced by different populations.
3. Regulation can drive trust and security
There are, thankfully, many regulatory solutions to make open finance more responsible. The G20/OECD High-Level Principles on financial consumer protection can help authorities design the appropriate regulatory and supervisory framework. The Principles highlight the need for adequate licensing for all parties involved in the data sharing, clear liability arrangements, privacy by design, and data security, robust redress mechanisms, and effective cooperation among oversight bodies responsible for consumer and data protection. Clear, enforceable regulations not only protect consumers but also build the trust necessary for open finance systems to thrive.
Panelists emphasized the need for regulation to clarify “liability”, especially in the context of TPPs processing consumers’ data. In India, the Reserve Bank increased the security of digital transactions by introducing two-factor authentication. Further, its guidelines on limiting liability entitle customers to zero liability when an unauthorized transaction is due to contributory fraud, negligence, or deficiency on the part of the bank. According to Neena, the implementation of the Digital Personal Data Protection Act in India will significantly push entities to strengthen their data security controls.
In the UK, API standards have increased data sharing security, reducing the potential for data to leak when it is shared. The design ensures greater privacy and facilitates data minimization requirements.
4. Consent must be meaningful and user-friendly
Consent – a central requirement for data sharing – needs to be easy for less literate consumers to understand. “Consent should not be reduced to a mere checkbox on an application form. Instead, it should be an explicit authorization through a trusted third-party source,” said Dietmar Bohmer. A good example of this can be found in the UK, where a consent dashboard enables consumers to view their own consent to share data and easily revoke it. The ability to revoke access easily is particularly important when the consumer no longer believes they are getting value from the product.
5. Putting consumers at the center is essential
The panel called for more consumer-centric design and consumer empowerment. Faith Reynolds said, “Consumer-centric design goes well beyond consumer awareness. The UK requires all payment providers and TPPs to provide evidence that they are creating good outcomes and fair value for them through the introduction of the Consumer Duty. Firms must act in good faith towards their customers, avoid foreseeable harm, and help people meet their financial objectives.” When it comes to consumer empowerment, financial education can empower consumers to safely share their data, including through TV commercials, as it is practiced in India, but measuring the impact of such campaigns can be challenging, especially its long-term impact on consumer behavior. In South Africa, Tyme has successfully used civil society ambassadors to help customers protect themselves against fraud and other risks – another strong effort at raising consumer awareness.
6. Collaboration is key to a responsible ecosystem
“Collaboration” and “ecosystem” are two words that came up often throughout the workshop. With a growing number of actors using consumers’ data to deliver digital financial services and many authorities involved – such as financial, data protection, consumer protection, and justice authorities – CGAP argues that collaboration mechanisms become critical to developing more Responsible Digital Finance Ecosystems (RDFE). In open finance regimes, data and financial consumer protection authorities need to ensure that key regulations are available and harmonized for the benefit of consumers. In Colombia, for instance, this requires collaboration between two data supervision authorities and two consumer protection authorities with different scopes. Collaboration with foreign supervisory authorities, the industry, and consumer representatives is also critical. In the UK, an “end users risk committee” composed of banks, TPPs, consumers, and small enterprise representatives was created to consider all the risks associated with open banking and its potential impacts. It categorized risks, discussed mitigating actions, and escalated the biggest risks to the regulator.
The event was a clear reminder of the value of having stakeholders from different countries share their on-the-ground experiences with setting up open-finance regimes. Moving forward, the industry’s focus must be on creating systems that empower consumers, particularly those in vulnerable situations. This includes designing consumer-centric systems that make data sharing safe and accessible, developing regulatory frameworks that clarify accountability, and fostering partnerships across sectors to scale solutions. Open finance has the potential to transform financial inclusion, but only if its risks are addressed with the same urgency as its opportunities.
