The regulation of open banking in South Africa

“Open banking” involves the use of an application programming interface (“API”) and open-source technology to allow third-party developers, such as fintechs, to access data traditionally held by banks and develop applications or services around such data.


It also allows consumers to control their data, by giving them the power to allow the sharing of their financial data with selected third-party providers to offer them services based on their data.


  • Open banking involves various role-players, including:

    Account information service providers (“AISPs”) that can access consumer financial information from multiple financial institutions with the express permission of consumers. AISPs analyse this data to determine a consumer’s spending habits, financial behaviour and financial history. This data is then consolidated into a single overview on the consumer, which can then on request, be shared with third parties who can design services around their specific profile.

  • Payment initiation service providers (“PISPs”) which initiate payments on behalf of PISPs will enable peer-to-peer payments and bill payments without involving a traditional financial institution.

Increased competition for banks, competing PISPs and fewer intermediaries, will result in consumer benefits, including increased payment options at a decrease in cost. The unbanked will be given an opportunity to do away with carrying cash and to access credit, by building a payment record and credit history, through the use of payment solutions that are either inexpensive or free, if supported by advertising revenue.

The regulatory genesis of open banking is to be found in the European Union’s Payment Security Directive 2 (“PSD2”), that came into effect from January 2017. PSD2 aims to increase “transparency, innovation and security in the single market” and create “a level playing field between different payment service providers”. PSD2 obliges several large European and UK banks to allow customers to view and share their personal and financial information with third parties.

To support PSD2 implementation, in January 2018 the UK’s Open Banking Implementation Entity (“OBIE”) released an open banking platform to share financial information in a standardised secure format. The OBIE has also developed prescriptive technical security standards for customer authentication and standards for API specification and encryption.

A number of countries have launched open banking initiatives based on the European and UK models, including Australia where the Government introduced Consumer Data Right in Australia on 26 November 2017.

South Africa currently does not have an equivalent to PSD2.

Open banking and the sharing of data gives rise to several privacy issues.

Banks owe their customers a duty of confidentiality and as a general common law rule, it is an implied term of the contract between a bank and its customer. This duty extends to enquiries made by prospective customers and continues after the person ceases to be a customer and is founded on legislation, contract and the protection of privacy.

This duty is, however, not absolute and there are circumstances justifying disclosure. In South African law (as in English Law) Tournier v National Provincial and Union Bank of England forms the cornerstone of bank secrecy. Tournier, followed by a number of South African decisions like GS George Consultants of Investments (Pty) Ltd V Datasys (Pty) Ltd, recognised four qualifications to this duty:


  • where disclosure is under compulsion of the law;

  • where there is a duty to the public to disclose;

  • where the interests of the bank require disclosure;

  • and where the disclosure is made with the express or implied consent of the customer.

It remains to be seen whether information in the realm of open banking would ever be disclosed without a client’s express consent (ie on any of the grounds justifying disclosure as set out in the Tournier judgment).

The Protection of Personal Information Act, 2013 (“POPIA”) contains strict privacy conditions for the processing (including collection and retention) of personal information and grants substantial data subject rights to individuals and juristic person. These include the right to access personal information, the right to withdraw consent where processing relies on it, and the right to erasure and to be forgotten.

POPIA recognises consent, which must be a voluntary, specific, informed expression of as a lawful justification for the processing of personal information.




Read the original publication at ENSafrica

Subscribe to our newsletter