INFORMATION SECURITY PROTECTION OF FINANCIAL CONSUMERS UNDER OPEN BANKING IN CHINA
Shen Lan
TABLE OF CONTENTS
I. OPEN BANKING FOR FINANCIAL INFORMATION SHARING
A. The Rise of Open BankingB. Information Sharing under Open Banking Mode
II. SECURITY ISSUES OF FINANCIAL CONSUMER INFORMATION CAUSED BY OPEN BANKING
III. COMPARATIVE RESEARCH ON INFORMATION SECURITY PROTECTION SYSTEM FOR FINANCIAL CONSUMERS UNDER OPEN BANKING
A. Current Situation of Information Security Protection System for Financial Consumers in ChinaB. Foreign References of Information Protection of Financial Consumers under Open Banking
IV. BALANCE BETWEEN INFORMATION SHARING AND INFORMATION SECURITY
A. Ensure Information Security Priority for Financial ConsumersB. Construct a Legal Regulation System Combining Civil Liability and Administrative SupervisionC. Construct a System Balancing Information Sharing and Information Security
V. CONCLUSION
The essence of open banking is the information sharing between commercial banks and other financial institutions as well as third-party platforms. While promoting the sharing and utilization of information, there are also potential threats to the information security of financial consumers. Therefore, under the mode of open banking, the information security protection of financial consumers should be emphasized. Legislative departments and financial regulators should establish the concepts of giving priority to information security, giving preferential protection to financial consumers. Financial consumers should be given the right to control personal related information, the security obligations of financial institutions should be clarified, and the behavior of operators to obtain and process financial consumers’ information should be regulated through legislation, so as to balance the conflict between information sharing and information security.The technological trend represented by the development of big data has driven the financial technology. ‘Open banking’ is a typical product in the banking industry affected by big data. Open banking can promote the sharing and utilization of financial information, brings benefits to financial institutions and financial technology companies, and facilitates financial consumers, but it will also increase the information risks faced by financial consumers. Therefore, how to handle the conflict between information sharing and information security has become a problem that open banks must face. This paper intends to address the issue of the information security problems of financial consumers caused by open banks, and discusses how to balance the information sharing and information security in China. I. OPEN BANKING FOR FINANCIAL INFORMATION SHARINGOpen banking is to use and share the financial consumers’ information held or controlled by banking financial institutions on the premise of obtaining the consent of the right holder. In this way, commercial banks, financial consumers and financial regulators shall all be improved.A. The Rise of Open BankingThe concept of ‘open banking’ originated in Europe. In response to the fact that the proportion of financial consumers changing banks was extremely low and the competition between traditional large commercial banks was not sufficient, in order to give a better consumption experience to financial consumers and enable fair competition among banking institutions, the British government proposed the concept of ‘open banking’ in 2016. For example, Barclays Bank has opened 12 types of APIs. Consumers can choose financial products and services provided by different banks based on the API software. The open banks of the US focus on opening the functional services of financial institutions. The financial institutions represented by Citibank shared the API of financial account function with external developers. China’s open banking movement began in 2018. For examples, Industrial & Commercial Bank of China (ICBC) has opened up payment and settlement, investment, financing and other services involving nine categories, more than 40 kinds of business and 400 functions. And Shanghai Pudong Development Bank (SPDB) has opened up traditional banking services such as account management, payment and settlement by embedding APIs into a third-party cooperation platform. Obviously, China’s open banks pay more attention to open up financial products and services, integrating financial products and service functions into a third-party scenario to extend financial services. On the one hand, open banking can reduce the costs of financial consumers switching to different commercial banks. On the other hand, it can promote the innovation and upgrading of financial services. For instance, banks can associate the account opening of class II accounts with the scenarios set up by third-party platforms. When consumers apply for stored-value membership cards, they can open accounts online on a third-party platform and entrust the funds of the card to the bank. This can effectively prevent some business firms from disappearing after receiving membership fees and prepaid fees. And so for a third-party platform with payment function, banks can open up the account opening function as well as payment and settlement function of virtual accounts to the third-party platforms. Besides, the APIs of some commercial banks allow financial consumers to choose the products or services of the same trade institutions while making transactions. In general, open banking is the product of the combination of traditional commercial banks and financial technology. It shares information with a third party by means of financial technology to realize the perfect integration of financial services and business ecology.B. Information Sharing under Open Banking ModeThe core of the emergence and development of open banking is information sharing. By breaking through the shackles existing in the process of information circulation, the optimal allocation of financial resources can be improved, the information disadvantage of financial consumers in the traditional financial market can be partly relieved, as well as the regulatory level and performance of regulatory agencies can be enhanced.1. Mitigate Information Disadvantage of Financial Consumers. — In the traditional mode of financial institutions, financial consumers are scattered in and controlled by different financial institutions. The difference of financial information among same-trade financial institutions is huge, which needs financial consumers’ all-consuming comparison and analysis, and it is impossible to obtain the products or services of different financial institutions on one platform. Therefore, this deteriorates the information asymmetry of financial consumers in the financial market. Under the mode of open banking, financial consumers are allowed to obtain more transparent financial services and products. In addition, they are able to acquire and integrate information of different financial institutions on one platform, making it possible for them to choose and use the products or services of different banks independently and conveniently. As a result, open banking gives financial consumers more independent consumption rights and alleviates the problem of information asymmetry between different market entities in the financial market.2. Improve Utilization Efficiency of Financial Information. — Under the open banking mode, the financial products and services of banks are fully integrated with a third-party ecological scenario, and financial consumers can enjoy ubiquitous financial services. Banks can collect and integrate the information and draw the whole ‘image’ of a financial consumer on the basis of obtaining the authorization and consent. In this way, commercial banks are possible to obtain more comprehensive and complete information about their financial consumers, which allows banks to take more targeted risk management, precision marketing, and increase customer stickiness. Through the way of information sharing, it can maximize the prediction and control of financial risk and improve its risk control ability. In addition, open banking can also break the information barriers among financial institutions or between financial institutions and external business ecology, so as to realize the interconnection and sharing between financial information and external business information. Open banking can extend the financial service function through the Internet technology, which could effectively make up for the ‘blank’ of financial products and services provided by traditional commercial banks, and improve the utilization efficiency of financial information.3. Convenient for Regulators to Obtain Relevant Information. — The development of open banking will realize the establishment of unified algorithms and standards for information data among different financial institutions, or between financial institutions and a third-party, and ultimately realize the sharing and utilization of information. Regulators should play an important role in the transmission, sharing and processing of the information of financial customers. Under the open banking mode, regulators can intervene in the algorithms and standards of financial institutions through regulatory channels, to achieve the online supervision and management of behaviors such as collection, transmission and utilization of financial consumption information by financial institutions, and improve the supervision efficiency.4. Help Solve the Problem of Financial Data Fragmentation. — In China, government departments, traditional financial institutions and third-party institutions hold a lot of citizen’s information. For example, information about financial assets, liabilities and asset transactions are all controlled by financial institutions, and transactions such as daily shopping and online payment are controlled by third-party institutions, while information related to utilities, real estate and tax payment is controlled by government agencies. However, the entities which control the relevant data are lacking in cooperation with each other, objectively separating the market information chain, resulting in a ‘data island’ phenomenon, which makes it impossible to fully depict the image of financial consumers. Under the open banking mode, banks can master the assets, transactions, liabilities, consumption and other information of financial consumers together with the same-trade institutions, third-party platforms and other units or organizations through information sharing, which breaks the ‘data island’ phenomenon of financial consumers’ information and realize the interconnection, exchange and sharing of information among all walks of life.II. SECURITY ISSUES OF FINANCIAL CONSUMER INFORMATION CAUSED BY OPEN BANKINGThe development of science and technology is a double-edged sword. While promoting the circulation and utilization of information, it also brings many problems to personal privacy and information security. In particular, the information sharing of open banks may cause problems like disclosure risk, improper discrimination risk, and improper collection of financial consumers’ information, aggravating information asymmetry risk as well as the financial consumers’ losing control of their own information.1. Disclosure of Personal Financial Information. — The information of financial consumers includes not only financial asset information, debt information and credit information, but also the personal social information and biometric information, such as social relations, family relations, ID card numbers, facial features, communication methods and others. Once the relevant information is improperly used or disclosed, it will cause direct economic losses to financial consumers, as well as trigger other serious legal consequences. Under the open banking mode, banks use API and other technologies to share financial consumers’ information, financial products and services with same trade institutions and third-party partners. The more entities and links involved in information stream, the greater the possibility of information disclosure shall be. The ‘loopholes’ in any link may lead to the information disclosure of financial consumers and cause serious damage to them. In practice, there have been cases when commercial banks cooperate with third-party payment institutions; the cardholder’s personal information has been fraudulently used due to information disclosure. 2. Financial Consumers Lose Information Control Ability. — At present, personal information is no longer limited to the privacy rights of personal interests, but also includes the property rights derived from information. Financial consumers’ information includes not only basic personal information, but also personal financial asset information, transaction information, credit information and others with obvious property rights. Compared with tangible objects, the use of financial consumers’ information is less competitive, that is, the use of financial consumers’ information by one entity will not affect the simultaneous use by other entities. Once the system design lacks information control paying attention to financial consumers, financial institutions will develop and use financial consumers’ information at their will after obtaining it. More seriously, based on the essence of open banking, which is information sharing, financial institutions and third-party partners along with other entities can own, use and even share relevant consumption information again, which makes it difficult for financial consumers to control the scope and extent of opening up relevant information. Although the agreements concluded by financial institutions and financial consumers can restrict the use, development and storage of relevant information, due to the incompleteness of the agreements, it is impossible to effectively respond to the way and consequences of information re-use or information sharing that may occur in the future, and it is also impossible to predict the possible legal consequences. What is more, financial consumers’ information is easy to copy and it is difficult to observe the improper actions. It is also hard for financial consumers to find and prove the violation of law and the breach of contract they are facing. Therefore, under the open banking mode, the financial consumers’ control of their personal information shall be greatly weakened on the original feeble basis. They cannot know how their own information would be used after sharing, and they cannot make accurate decisions based on bounded rationality. If financial consumers are unable to terminate the authorization or stop the reuse of shared information in the subsequent process, financial consumers are likely to completely lose control of their personal information and have to face that their personal information is completely left in the hands of others. 3. Improper Collection of Personal Information. — In the context of the development of financial technology, online banking, digital finance, and mobile banking have become the vigorously developmental direction of various banking and financial institutions, but the problem of improper collection of personal information of financial consumers follows. According to the publicity of punishment released by the People’s Bank of China (PBC), some banks investigated personal information without the consent of financial consumers. Under the background of the development of open banking, some banks even force financial consumers to authorize the collection of personal information. If financial consumers refuse to do so, they cannot normally conduct the main operation on the bank’s app. What is worse, financial consumers may ‘know nothing’ about the situation of commercial banks’ unauthorized collection and use of personal information, and commercial banks can adopt the method of default authorization to collect personal information.4. ‘Precise’ Discrimination against Consumers. — In the scenario of traditional banking mode, financial consumers are already in an information inferior situation. However, open banks, while sharing financial consumers’ information, fail to improve the information inferiority of financial consumers, and they even continue to increase information asymmetry. Under the open banking mode, financial institutions and third-party platforms can integrate their fragmentation of information, obtaining more comprehensive information about financial consumers. Thus, they can more accurately understand the image and behavior preferences of their consumers, to induce customers’ decision-makings and implement differential treatment. For example, third-party institutions can infer the risk preference of financial consumers according to the frequency of credit card use, credit card contribution, asset structure and other information, and implement accurate price discrimination by combining with the behavior of financial consumers they have already known. Similarly, financial institutions also provide product and service design which is more conducive to them because of their understanding of financial consumers’ consumption, travel, and access preferences.Under the open banking mode, financial consumers look like invisible men. They are exposed to the commercial ecology of open banking, facing the risks of information disclosure and information use out of order. The main reason is that the open banking is dominated by commercial banks, while the financial consumers are completely materialized, objectified and depersonalized.First of all, the financial consumers are weak and marginalized. Open banking is mainly to share information of financial consumers. It stands to reason that the main body of rights, the financial consumers, should decide whether the information is open or not, as well as the method and scope of openness and other details. However, financial consumers do not have sufficient right to speak in the open banking movement. Financial consumers are undoubtedly in a weak position in terms of their ability to participate in rule making, their financial strength, or cognitive ability in the operation of open banking. Financial institutions, by virtue of their advantages in capital, technology, risk awareness and risk management, and strong legal team, cannot only easily obtain and control a large number of financial consumers’ information through privacy terms and standardized terms, but also make full use of the information to obtain greater economic benefits. Due to their slow insight into risk and the weakened negotiation ability, financial consumers will not seriously read the privacy terms and information tips provided by financial institutions. Finally, they have to be coerced into the situation where personal information is exposed and abused at any time, and they have to ‘be forced’ to agree or accept the privacy protection provisions and information sharing requirements put forward by financial institutions. Moreover, for the financial consumers’ information sharing, there is still a privacy self-management dilemma of users.Secondly, the open banking movement is excessively efficiency-oriented. The open banking is the product of the continuous development of financial technology in the era of big data. It realizes the opening and sharing of information through scientific and technological means. From the legal point of view, the conflict between financial consumers’ information sharing and information security reflects the different emphasis on efficiency and fairness. Information sharing can save the cost of information collection, improve the efficiency of information utilization, and maximize the property value of information. The system design guided by efficiency tends to facilitate financial institutions to collect and use the information of financial consumers, promoting the rapid development of open banking. However, the rights and interests of human dignity and information security of financial consumers may be infringed. The requirement of fairness priority focuses on the protection of financial consumers’ information rights and information security. The system design guided by this rationale tends to regulate and restrict financial institutions’ collection and utilization of financial consumers’ information. However, excessive right protection will increase the difficulty and cost of open banks’ access to financial consumer information, which may inhibit the development of open banking. If financial consumers are to dominate the design of the open banking system, then the risks of information disclosure, information out of control, and information abuse caused by open banking should be treated more cautiously. But the open banking is dominated by commercial banks rather than by financial consumers, which makes it more oriented to maximize the financial institutions’ interests. That is, open banking pays more attention to the acquisition, sharing and utilization of financial consumption information, while ignoring the needs of financial consumers to protect their personal privacy and prevent information disclosure and abuse.Finally, there is a lack of institutional arrangements on balancing the conflict between information sharing and information security. Judging from the development practice of foreign open banking, most of the open banks are promoted through the top-bottom approach, and the state uniformly formulates standards and scopes to achieve information sharing and security protection. In China, open banking is still in a bottom-top exploration process. Limited by the lag of technology, organization and law, the progress of open banking is relatively slow. At present, the Commercial Banking Law and other laws on financial consumers’ information security regulations are too scattered, and most of them are declarative. They do not provide effective systematic support for financial consumers’ information security, but only require financial institutions to protect their customers’ information in principle. Although with regard to traditional bank operations, the PBC has promulgated the personal financial information protection regulation, its legislative hierarchy is not high enough. As a result, the regulation promulgated by the PBC is difficult to apply to financial consumers’ information sharing protection under the open banking mode.
III. COMPARATIVE RESEARCH ON INFORMATION SECURITY PROTECTION SYSTEM FOR FINANCIAL CONSUMERS UNDER OPEN BANKING
How to deal with the conflict between information sharing and information security protection is not the issue only for China, nor is it just a legal issue faced by open banking alone. Therefore, it is of great benefit to analyze and evaluate the information sharing and legal protection of financial consumers in the process of open banking by investigating the current situation of relevant laws and regulations in China together with the legislative experience abroad.A. Current Situation of Information Security Protection System for Financial Consumers in ChinaTake an overall view of the current legal system of China; there is no special law on the protection of personal information. It is more often to see a number of individual laws, regulations, rules and normative documents.In terms of law, the Tort Liability Law implemented in 2009 protects the privacy right closely related to personal information. The General Provisions of the Civil Law, which was passed in 2017, stipulates principles for the acquisition, collection, use, and processing of personal information, but lacked attention to many legal details. The Part of Personality Rights of the Civil Code, which was approved on May 28, 2020 after deliberation, defines the connotation of personal information in detail, treats personal information as a personality right, and has the same protection as the privacy right. The connotation of the right of natural person to control his own personal information is clarified, and the behavior of the information processor is standardized. In addition to the above-mentioned civil laws, the Law on the Protection of Consumer Rights and Interests and the Cyber Security Law are also involved in the protection of personal information. For examples, the Law on the Protection of Consumer Rights and Interests revised in 2013 stipulates that consumers’ personal information is protected by the law, and defines the information protection obligations and relevant legal responsibilities of operators. And the Cyber Security Law implemented in 2017 also makes corresponding provisions on the basic principles of collecting and using personal information, on the code of conduct, and on the rights of information subject. In addition, the Amendment VII to the Criminal Law and the Amendment IX to the Criminal Law have also stipulated the criminal acts of infringing on personal information, such as selling or illegally providing and obtaining citizens’ personal information, which can also be used to protect financial consumers’ personal information. In addition to the above-mentioned laws, there are some administrative regulations and departmental rules concerning the protection of financial consumers’ personal information. In particular, the Implementation Measures for Protecting Financial Consumers’ Rights and Interests promulgated by the PBC in 2019 stipulates the obligation of financial institutions to protect the financial consumers’ personal information in a special chapter.China’s system supply includes formal legislation and informal legislation. In addition to the above-mentioned laws, administrative regulations and departmental rules, there are also a large number of normative documents on the protection of personal information. For example, in 2015, the Guiding Opinions on Strengthening the Protection of Financial Consumers’ Rights and Interests was issued, requiring financial institutions to take effective measures to strengthen the management of third-party cooperation institutions, strictly prevent and control the risk of financial consumers’ information disclosure, and ensure the information security. In 2019, the Secretary Bureau of the National Internet Information Office and other departments jointly issued the Identification Method of Illegal Collection and Use of Personal Information by Apps, which listed the regulations on infringement of personal information. In addition, the PBC formulated the Notification on Protection of Personal Financial Information by Banking Financial Institutions, which further standardizes the collection, preservation, use and provision of personal financial information to the outside by banking institutions. It particularly emphasizes that banking institutions should follow the principle of legality and rationality in collecting personal financial information. In addition, the document also makes it clear that the relevant regulatory agencies should undertake the supervision obligations to protect personal financial information. The Notification on Strengthening the Management of E-Banking Customer Information issued by the China Banking Regulatory Commission (CBRC) has made special provisions on the management of information of e-banking customer, and strengthened the working norms of banking financial institutions in the sections of electronic fund transfer and payment. Although legislation has put a preliminary regulation on the protection of personal financial information in China, the rise of open banking makes the legislation more and more ‘sluggish’. The harm caused by improper handling of financial consumers’ information is increasing day by day, and the traditional information protection legislation may be difficult to prevent. First of all, in terms of legislation, there is a lack of specific legislation on financial consumers’ information protection, and the current effective normative documents about it are more principled. The Law of the People’s Republic of China on Commercial Banks stipulates in principle the confidentiality obligation of banking institutions to customers, but it is limited to the financial account information and loan information of financial consumers. It does not mention other information of financial consumers. Although the Notification on Protection of Personal Financial Information by Banking Financial Institutions has made more clear and detailed provisions on the protection of financial consumer information, its legislative hierarchy is low, which cannot achieve the purpose of comprehensively protecting financial consumers’ information. The designed and operated protection mechanism cannot be effectively applied, and the protection effect is only passable. Secondly, the regulations on the collection, use and sharing of financial consumers’ information are too general and ambiguous. Judging from the existing normative regulations, obligations and prohibitions on the protection of financial consumers’ personal information are too much. There is a lack of clear and effective institutional norms on the secondary use, transfer and even sharing of personal information of financial consumers by financial institutions. Thirdly, due to the imperfection of the right remedy system, personal information security of financial consumers cannot be safely guarded. The protection of financial consumers’ personal information depends on the financial institutions’ performance of operating obligations and confidentiality obligations, but the remedy system of financial consumers’ personal information infringement still needs to be strengthened and improved. In terms of penal responsibilities, the penalty is relatively weak and the cost of breaking the law is low. In terms of administrative punishment, the administrative enforcement is not strong, and the punishment measures need to be strengthened. Finally, a lack of effective and specialized information protection norms in the civil remedy system exists. Although the Civil Code provides the supports in law for the protection of personal information, it needs to be further perfected with regard to the civil remedy system. Otherwise, the realization of personal information protection in judicial practice shall be difficult. Therefore, it is extremely urgent to speed up the development of personal information protective legislation in the new environment, especially the legislative protection of financial consumer’s personal information.B. Foreign References of Information Protection of Financial Consumers under Open BankingAlthough western scholars dispute whether personal information is property or privacy, there is no doubt that personal information should be protected by law. However, excessive protection of personal information and prohibition of development and utilization would greatly increase transaction costs and inhibit market innovation. Thus, all countries are seeking a balance between the protection and use of personal information. The only difference is whether they prefer information protection or information utilization, and whether they prefer efficiency or rights protection. Different preferences have differentiated the specific system designs regarding information acquisition, collection, development, and utilization.The Payment Service Directive II (PSD II) and the General Data Protection Regulation (GDPR) promulgated by the EU in 2016 are the main institutional basis for the protection of personal information in the development of the EU’s open banking, which has made a good specification between information sharing and information security. Among them, the PSD II requires banking institutions to open the payment function of financial consumers’ bank accounts, and allow the sharing of the bank account information and transaction information with third parties through APIs. At the same time, the PSD II designed the measures for strong customer authentication (SCA), secure communication, risk management and transaction risk assessment to ensure financial consumer the security of their instructions and information. The Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation issued by the Consumer Financial Protection Bureau (CFPB) in 2017 also comprehensively regulates the information sharing and information security in respect of open banking. The following selectively introduces the key points of the above documents and compares with the current relevant systems in China.1. Nature of Financial Consumers’ Information. — The primary problem of personal information protection is to determine whether personal information is the right of privacy or property. To a great extent, the nature of personal information affects the choice of a country’s personal information legislative protection system. Taking the US as an example, the US classifies personal information in the concept of privacy, and pays more attention to how to prevent the infringement from public power, to strictly prevent the possible infringement caused by public power organs in processing personal information. The Right to Financial Privacy Act (RFPA) of the US passed in 1978 stipulates that financial institutions shall not disclose the information of their financial consumers to the public without their consent or legal reasons. The Financial Services Modernization Act (FSMA) of the US clearly stipulates the confidentiality obligations and related legal responsibilities of institutions to financial consumers’ information with the special chapter of ‘privacy’. In the EU, the promulgation of GDPR is the evolution of personal information towards property rights. The EU emphasizes the control of data subjects over personal data information, that is, the individuals enjoy ‘property right’ over their data and have the right to control their personal information.In China, the Civil Code incorporates the personal information into the personality rights to protect. Judging from the legislative style, the privacy right and personal information are protected in parallel. Unfortunately, the Civil Code fails to raise personal information as a kind of civil right, and fails to clarify the boundary between personal information and the right of privacy, which would cause certain difficulties in the practice of how to protect personal privacy and personal information, and how to use the relevant rules. From this we can see that the financial consumer information in China is very difficult to determine as ‘property right’, but as a part of personality right to protect.2. Classification of Financial Consumers’ Information. — The GDPR divides personal information into identified personal information, such as name, ID card number, social security account number, etc., and identifiable personal information such as track, shopping habits, chat records from the perspective of identifiability. In addition, from the perspective of sensitivity, it divides the personal information into general personal information and sensitive information, the latter of which including race or nationality, political complexion or belief, genetic data and biological data, and classifies three kinds of special personal data processing rules based on the degree of sensitivity. The classified protection rules of personal information are also reflected in the personal information protection rules of open banking in EU countries. The Consumer Protection Principles of the US refers to financial consumer information that could be shared and integrated, including all account transactions with the authorization or consent of financial consumers, and other information provided or required to be provided in business dealings with financial institutions. A third party can only obtain the information related to the business contact between the consumer and itself only with the consent of the consumer, and the situation where a third party can keep such data is also limited.At present, there are no clear laws and regulations to classify and protect personal information in China. The Civil Code distinguishes privacy and personal information, and defines the connotation of personal information. However, the boundary between privacy and personal information is quite vague, and it does not distinguish sensitive information from general information. Therefore, the classified protection rules of personal information depend on the promulgation of the Personal Information Protection Law and the Data Security Law.3. Right Subject of Financial Consumers’ Information. — Although financial consumers’ information is shared under the open banking mode, some information is provided by financial consumers, and some is collected and sorted out by financial institutions. Therefore, it is not clear that whether the right of sharing financial consumers’ information under open banking belongs to financial consumers or financial institutions. Once the delineation of rights is not clear, it is bound to produce large transaction costs. If the information belongs to financial institutions, there will be more reasons for these institutions to obtain, collect and use it. If the information belongs to financial consumers, there will be more legal basis for consumers to restrict the information acquisition, collection, use and disclosure of financial institutions. According to the GDPR of EU, the right holders of data are the individuals or the related individuals of the data. The GDPR strictly distinguishes data controller and data processor. In addition, it clarifies the connotation of the rights of individuals to their related data, including access right, right of correction and removal, continuous control right, determination right and data portability rights. In the US, financial consumer information is included in the scope of privacy protection, so the subject of personal information right and the subject of privacy right are consistent.In China, the Civil Code clearly stipulates that personal information ‘is all kinds of information recorded by electronic or other means, which can identify a specific natural person alone or in combination with other information’, and defines the scope of personal information by listing. The right holder of personal information is defined as natural person, and the identification of personal information is emphasized. Generally speaking, the protection of personal information in the Civil Code is consistent with that of EU, but there is still a gap between the Civil Code and GDPR in terms of specific connotation of rights.4. Regulations on Information Disclosure Methods of Financial Institutions. — Based on the definition that financial consumers are the right holders of relevant information ownership, financial institutions and third-party platforms should acquire the consents of financial consumers if they want to obtain, collect, use, release and share the financial consumers’ information. However, there are different modes of how to obtain the consents of financial consumers.Generally speaking, the modes of obtaining financial consumers’ consent can be divided into opt-in and opt-out. The opt-in mode refers to that the information controller must obtain the consent of the subject of information right before collecting, using and sharing personal information. The mode of obtaining consent is represented by the EU countries. The GDPR stipulates that information collectors shall obtain the consent of the subject of information right when collecting, using and sharing information. The opt-out mode means that the right holder of information has the right to withdraw from the collection, processing, utilization and sharing of personal information. If the right holder of information does not exercise the right, it is regarded as the default of the information processor to collect, use and share personal information, and the US adopts the opt-out mode. According to the Financial Services Modernization Act of the US, financial institutions could share financial consumers’ information with a third party, except that financial consumers choose to withdraw from their personal information sharing. In other words, the information collector or processor only needs to provide the consumers the choice of exiting from their personal information being processed.The opt-out mode requires that the information right holder should take the initiative to cancel the collection, use and sharing of personal information by the information collector. If the information right holder does not actively exercise the revocation of consent right, it will be regarded as tacit consent. The opt-out mode is obviously beneficial for financial institutions to obtain the consent of financial consumers to collect, develop, use and share relevant information. On the contrary, the opt-in mode is to give the right of information control to the holder of information, and the holder can effectively control the personal information. To adopt which mode depends on the comparison between the protection of commercial activities and personal rights and interests by legislators. The opt-out mechanism promotes the commercial development by reducing transaction costs and facilitating business activities, while the opt-in mechanism tends to protect personal information and emphasizes the individual’s right to control information. The Civil Code stipulates that the processing of personal information requires the consent of the right holder or the guardian. However, the Civil Code and other relevant laws do not specify the way for operators to obtain personal consent. The lack of legal provisions makes financial institutions generally adopt the opt-out mode, which is conducive to financial institutions to obtain, use, share and use financial consumer information, but it weakens the financial consumers’ control over personal information and increases the risk of financial consumers’ personal information being infringed.Most foreign countries or regions have enacted laws or documents to protect personal data or personal information, and strive to balance information protection and information sharing, including to distinguish different types of personal information, and provide differentiated legal protection for different personal information; to list in detail with regard to the connotation of consent, refusal, access, correction, removal and portability of personal information; and to balance the right protection and industrial development by different designs of the opt-in and opt-out modes. These experiences can be used for reference in China. The Civil Code has strengthened the protective power of personal information in the General Rules of the Civil Law and the Tort Liability Law. Incorporating personal information into the personality rights for protection, to a certain extent, makes the protection of personal information more comprehensive in the system. However, the declarative protection of personal information at the level of civil law is obviously not enough. First of all, personal information belongs to ‘rights and interests’ rather than ‘rights’. Judging from the positioning of personal information in the Civil Code of China, it is positioned in the personal information rights of the personality rights, rather than personal information rights. In other words, personal information is only protected as a civil interest, but not as a civil right. This will affect the exercise of the ‘right’ of personal information. If personal information is set as a ‘right’, the subject of the right can fully exercise the subdivision rights contained in the right. If personal information is only a civil interest, the protection of that interest often depends on whether the counter-party, rather than the subject of the right, abides by the relevant security obligations. Such a distinction is obviously less beneficial for the protection of personal information. Secondly, the protection of personal information needs to be further refined. Differentiated legal protection should be provided based on the sensitivity and identifiability of the information. In particular, special protection rules need to be set up in respect of financial consumers’ information.In summary, the establishment of personal information rights is a ‘fundamental’ system design for protecting personal information, and is the key to the balance between information sharing and information security. In the context of the development of open banking, financial consumers’ control over personal information is becoming weaker, and the risk of their personal information being infringed is increasing. In order to protect the personal information of financial consumers, China needs to step up the promulgation of the Personal Information Protection Law and the Data Security Law, and on this basis, to establish special protection rules for personal information of financial consumers.IV. BALANCE BETWEEN INFORMATION SHARING AND INFORMATION SECURITYEfficiency-oriented open banking movement is booming in the banking industry all over the world. Information sharing and information security are topics that cannot be avoided in the development of open banking. Improper collection, disclosure and abuse of information in the process of information collection, utilization and sharing will damage the property and personal safety of financial consumers. Therefore, while promoting information sharing, open banks should not ignore information security. It is necessary to take the information security protection of financial consumers as a prerequisite issue in the development of open banking, establish the priority principle of information security, and give preferential protection to financial consumers under the institutional norms, and realize the balance between information sharing and information security through specific systems.A. Ensure Information Security Priority for Financial ConsumersThe sharing of financial consumers’ information under the open banking mode needs to solve the legitimacy of the collection and utilization of financial consumers’ related information by financial institutions. Whether the information is regarded as the right of privacy or property, or a kind of civil rights and interests, whether the information is provided by financial consumers on their own initiative or collected by financial institutions or third-party platforms, it should be aimed at facilitating financial consumers and relieving their disadvantages. At least, it should not be at the expense of information security of financial consumers.The essence of the conflict between information sharing and information security is the conflict between efficiency and fairness. How to achieve the balance between efficiency and fairness through system design is a problem that legislators must face. To measure the value of fairness and efficiency, it is of necessity to clarify the relevant interests that each represents, and to lay out and list the specific interests involved. According to Pound’s point of view, the interests protected by law can be divided into different levels and ranks, and the public interests with the characteristics of share ability and income subject universality should be protected more than private interests. As Rawls said, fairness and justice are the prerequisites for achieving and maintaining efficiency, and system designers can only achieve efficiency after ensuring fairness. Therefore, when open banking faces the choice between information sharing and information security, it should take information security as the first value to be realized. Although some scholars believe that excessive protection of information security will lead to huge obstacles to the circulation of personal information, which will harm the public interests and other rights of citizens. However, the ultimate goal of information circulation is to improve social welfare, and the welfare of financial consumers is undoubtedly the core. Especially when infringements on personal information security are common in China and difficult to prohibit, too loose personal information legislation will further aggravate the situation of financial consumers. Some scholars have pointed out that ‘the tort law protection of personal information is not too strong, but too loose in China’. In order to protect the legitimate rights and interests of financial consumers, we must adhere to the principle of priority to information security, and ultimately achieve the goal of preventing and reducing the occurrence of infringements by increasing the cost of improper infringement. China should refer to the European model of information protection rather than that of the US.For a long time, the ‘let the buyer beware’ principle has been widely applied in China’s financial field. Under the premise of symmetry of information, no difference in risk control capabilities, and rationality of financial consumers, it is understandable to let financial consumers take risks as a result of their own actions. However, due to the complexity of financial products and the professionalism of financial risk control, there are great differences between financial institutions and financial consumers in terms of contracting ability, risk control and litigation ability. The risk control ability, information acquisition ability and contracting ability of financial institutions are far better than those of financial consumers. Therefore, the ‘let the buyer beware’ principle based on the concept of absolute equality is difficult to deal with a series of decisions in open banking. Compared with other types of personal information, the information under open banking is sensitive data such as the property and personal identity of financial consumers. Once this sensitive data are disclosed or abused, it will bring extremely serious property and personal damages to financial consumers. In the information sharing process of open banking, since financial consumers who are the main source of information cannot participate in the transaction of financial information and they lack the means and ability to effectively control and supervise in respect of the transaction and the use of personal information, the ‘let the buyer beware’ mechanism will inevitably further stimulate financial institutions to improperly obtain and use financial consumers’ information. At this time, the legal design should strengthen the weakest party in the interest relationship, so as to realize the transformation from ‘let the buyer beware’ to ‘let the seller beware’, such as in information disclosure and risk allocation. Only by giving preferential protection to financial consumers can we prevent the irrational development of finance and commerce and achieve a balance between financial information protection and sharing.B. Construct a Legal Regulation System Combining Civil Liability and Administrative SupervisionAlthough China has enacted a series of laws that can regulate open banking, such as the Civil Code, Consumer Protection Law, and Cyber Security Law, the relevant provisions of these laws are too abstract to be applicable to the actual protection of information security under open banking. Article 127 of the Civil Code stipulates that the law provides for data protection in accordance with its provisions, article 111 stipulates that any organization or individual who needs to obtain the personal information of others shall obtain and ensure information security according to law. The design of these terms means that the acquisition and use of personal information and data need to be refined by relevant supporting legislation.Compared with ordinary e-commerce shopping and other Internet transactions that only involve limited funds, fictitious names and dates of birth, consumption habits, e-mails and other less sensitive information, open banking involves a large amount of sensitive information such as financial consumers’ large capital accounts, ID numbers, the real names and precise addresses. As a consequence, legislators are required to make special regulations on information sharing and information security with regard to open banking. However, China does not currently have legislation in respect of open banking, and the open banking movement is more of independent exploration by commercial banks and financial technology companies. In the absence of laws related to open banking, administrative departments and commercial banks are deeply involved in the provision of open banking rules. Administrative departments and industry associations have formulated a series of regulations and documents related to financial technology and open banking. Although the rule of the market supervision department can be more refined, accurate and flexible, however, with regulatory agencies and commercial banks leading the making of open banking rules, it is difficult to avoid issues such as strong administration over civil affairs, efficiency over fairness, and information sharing over information protection. The importance of regulating financial institutions and technology companies through civil liability is almost neglected. In the supply of rules for open banking, the participation of legislative departments and financial consumers should be strengthened, and a rule system based on law and supplemented by administrative regulations and departmental rules should be established. In addition, the court can also participate in the supply of rules through case guiding and judicial interpretation. As a result, a financial consumer protection model with coexistence of administrative supervision and civil liability can be formed to promote the healthy and orderly development of financial technology.C. Construct a System Balancing Information Sharing and Information SecurityThe current rules of open banking are mainly strengthening supervision, while ignoring the introduction of civil legal thinking. The good rules supply for open banking should not only focus on regulatory issues, but also on fundamental issues such as the confirmation right of financial information and the obligation definition of security guarantee.1. Clarify the Ownership Status of Financial Consumers. — Some scholars believe that establishing data ownership and utilizing order by giving individuals ‘data rights’ in private law do not fully take into account the value of data sharing, so a systematic data public order in public law should be constructed. It is necessary to consider the interest balance between information holder and the entities of technology and business in the legislation of personal information protection. However, ‘the development of technology and commerce is not the only consideration of legislation, and the protection of personal information should not be abandoned because of the development of technology and commerce.’ Open banking needs to consider the development of finance and commerce, while which should not be the most important criterion. Considering that infringing on financial consumers’ information security happens from time to time, the law should give and further clarify the information rights of financial consumers. Only in this way can financial consumers get legal remedies. At the same time, the law should further restate the obligations of confidentiality and security of financial institutions to financial consumers’ information. The obligation of security, especially under the open banking mode, will be more prominent.In the absence of institutional design, the sharing of financial consumer information under open banking will inevitably lead to financial consumers losing their actual control over personal information. If all the information of financial consumers is roughly allocated to financial institutions for the sake of industrial development, it will definitely lead to a situation where financial consumers are completely transparent and manipulated. Of course, if all information related to financial consumers collected by financial institutions and third-party application platforms belongs to financial consumers, the transaction costs will be greatly increased, the development of financial institutions and third-party application platforms and of collecting financial consumer information will be reduced. As a result, a proper way is to classify financial consumers’ information. According to the source and relevance of the information, financial consumers’ information can be divided into three categories: information proactively provided by financial consumers, sensitive information not reported by financial consumers, and non-sensitive information collected by financial institutions. Information such as age, home address, family members, work unit is actively provided by financial consumers, and can be used to identify financial consumers, which is extremely important, and its related rights certainly belong to the financial consumers. Information such as income, asset structure, and account status is not actively reported by financial consumers, but collected by financial institutions in transactions. However, the nature of personalities of this information is very notable; the law cannot authorize financial institutions to allocate this information, but to confirm the status of financial consumers as the holder of rights. As for browsing records and consumption records formed in the process of opening banking, they are actively collected by financial institutions, and their ownership should be allocated to financial institutions or third-party application platforms, but the law should strengthen the obligations of confidentiality and information disclosure.2. Standardize Information Disclosure and Authorization Methods under Open Banking Mode. — Although information related to financial consumers faces disputes over whether it is privacy or tradable property rights, there is no dispute that financial consumers have the right to control and decide whether the information is disclosed or not. This kind of information independent control ‘is not only the symbol and declaration of information holder’s personal information right, but also the core of personal information right and the basis of other powers and functions.’ The core and the basis of information independent control is the informed consent of the information holder. ‘Without informed consent, there will be no independent control, and there will be no specific rights and powers such as withdrawal right, modification right, carrying right, deletion right and so on.’ Data sharing is the collection, storage, utilization and sharing of personal information. Like the collection and utilization of personal information, data sharing should also be authorized by the information right holder. ‘Consulting the user’s consent is exactly what the principle of private autonomy should be in the context of an Internet service contract covering information collection, and it is also a key node for determining whether an enterprise can legally collect user behavior information.’The Cyber Security Law comprehensively regulates the information disclosure of network operators, and the rules for information collection and utilization. No irrelevant information shall be collected without the consent of the person. It is not very controversial to obtain the consent of financial consumers when commercial banks open data, but how to obtain the consent of financial consumers is faced with greater controversy. At present, many commercial banks adopt the opt-out mechanism, setting the implied choice to ‘agree’, and consulting financial consumers through pop-up windows. However, business operators often provide time-consuming and complex privacy clauses, making it difficult for financial consumers to quickly obtain key information about relevant clauses, and they cannot accurately understand the risks associated with the collection and utilization of relevant information. Moreover, although the option of ‘disagree’ is provided, once consumers refuse to agree, the smoothness of the software operation would be greatly affected. The operating software would continue to affect normal use through frequent appearance of pop-up windows, and finally many consumers can only choose to agree. What is more, some operators adopt the strategy of either accepting or refusing to provide services. If consumers do not agree with the privacy and sharing terms, they would not be able to operate continuously.As mentioned above, there are two types of information disclosure and consent mechanism under the open banking mode: opt-in mechanism and opt-out mechanism. The opt-in mechanism is that financial consumers choose to participate in the information collection process through affirmative meaning, and the opt-out mechanism is that financial consumers exit the information collection process through negative meaning. As some scholars point out that only by adopting the opt-in mechanism can we alleviate the information disadvantages of users in the process of behavior information collection, and reduce enterprises’ information rent-seeking behaviors, and promote the social benefit output of user behavior information collection as a whole. The opt-out mechanism deviates from the basic idea of informed consent principle. Of course, some scholars believe that the legal system of ‘one size fits all’ allocation of personal information will excessively restrict the development of the financial industry. They think that different protection methods should be adopted according to different types of information. Therefore, some scholars believe that in the process of open banking, sensitive information and general personal information should be distinguished, and different legal system arrangements should be adopted. The collection and utilization of personal identification information, bank account, deposit information, transaction and consumption records and other information should be more strictly protected, and the consent of financial consumers’ needs to be obtained through opt-in access. For general personal information such as web browsing, opt-out mechanism can be adopted.Considering the limited rationality of financial consumers, commercial banks should be urged to disclose information actively and carefully, and the disclosure method of financial institutions should be limited and the opt-in rule should be adopted. Commercial banks should clearly inform the consumers the subject and purpose of collecting and sharing personal information. Especially in the open banking involving the third party to participate in processing or sharing users’ information, it should be up to the user to determine the further direction of personal information on the premise of fully informed. For example, Baihang Credit hopes to obtain personal information and credit data from Tencent and Alibaba. However, personal credit data is personal privacy, not the property of enterprises. Tencent and Alibaba have no right to provide such information to other commercial organizations without users’ authorization.Although we put more emphasis on adopting an opt-in model to give financial consumers more right to know and have independent choice, and to provide preferential protection to financial consumers however, considering the length and ambiguity of the existing privacy protection policies, it is extremely difficult for financial consumers to obtain and understand the key information, and they cannot have an accurate and comprehensive assessment of the risks. As some scholars point out, it is difficult for individual decision-making under the authorization rules of informed consent to constitute a true expression of meaning, and it is closer to a nominal state. Moreover, the processing of personal information is continuous and periodic. Many commercial banks require individual customers to pay attention to relevant announcements and reminders in time in order to grasp the update of privacy policies, transforming the voluntary notification obligation of financial institutions into the duty of individual customers. As a result, the supervisory authority should set up information notification guidelines, standardize the notification of sensitive information in open banking, and adopt different authorization mechanisms according to different information types and data processing methods. In addition, the processing of financial consumers’ information should be disclosed to financial consumers, and financial institutions should make appropriate information disclosures when using financial consumers’ information to ensure that financial consumers can easily understand the use and the sharing of personal financial information, including but not limited to the scope of sharing information, related institutions, the specific use of shared information, etc.. Financial institutions or third-party entities shall unconditionally cooperate and provide information. For example, when commercial banks use financial consumer information for behavioral positioning, personalized recommendation, automatic decision-making and other purposes, they should inform financial consumers of relevant algorithm logic, expected consequences and possible risks.3. Regulate the Use of Financial Consumers’ Information. — To share the financial consumers’ information under open banking mode, in addition to requiring financial institutions to obtain the consent of financial consumers, commercial banks and third-party institutions are obliged to use the personal information obtained reasonably. Article 1035 of the Civil Code requires information processors to follow the principles of lawfulness, fairness, and necessity when handling personal information, and emphasizes on ‘no excessive processing’. As far as financial institutions and financial technology companies are concerned, when collecting, storing, using, processing, transmitting, and providing personal information, they should also follow the principles of lawfulness, fairness, and necessity in the Civil Code. Since the Civil Code does not clarify the boundary between fairness, necessity, and ‘excessive processing’, it is reasonable to further clarify the types of fair purposes and refine the standards for necessary conditions in the system supply for open banking. More importantly, the relevant system should categorize ‘excessive processing’ through a negative list, and clarify the prohibited behaviors of commercial banks and financial technology companies, such as not using financial consumers’ information for precise discrimination or processing beyond the scope. In order to prevent disclosure, abuse, and unauthorized use of financial consumers’ personal information, the value of establishing financial consumer information internal control and protection systems and risk assessment mechanisms should also not be ignored.4. Reinforce the Security Obligation of Financial Institutions for Personal Information. — The Civil Code constructs the basic rights and obligations framework between natural persons and information processors, and the Consumer Protection Law also stipulates the confidentiality and security obligations of operators. As far as commercial banks are concerned, it is of necessity to ensure the information security of financial consumers.The security obligations of financial institutions are not only the obligations of banks to properly review the identity of users, to remind and inform users of changes in their accounts, the most important one is that financial institutions should bear the risks arising from the open banking. For example, when a bank cooperates with a third-party payment institution, the third party fraudulently swipes. The court pointed out that because the bank has mastered and controlled all information and technologies such as customer’s registration information, capital storage, data exchange and transaction monitor, the bank has the obligations of risk control and security maintenance for account funds, whilst individuals are responsible for keeping the bank card and personal information confidential, etc.. Banks are more capable of protecting financial consumers’ capital safety. As a consequence, in accordance with the principle of fairness and credibility, banks need to bear half of the losses caused by fraudulently swiping.As the participation of other trading entities under open banking will inevitably enlarge the information security issues and weaken the control ability of commercial banks on personal information, financial institutions are likely to refuse to undertake the corresponding security obligations, and will try to avoid their legal liabilities as much as possible through contractual agreements. However, data sharing is caused by commercial banks seeking higher commercial profits. It is not in line with the economic principle of risk prevention and control and the preferential protection principle of consumers based on fairness that financial consumers should bear the risk of data sharing. If the law easily reduces or even ignores the security obligations of financial institutions in order to encourage innovation, then financial institutions will lack incentives to strengthen the protection of information security, and even foster the impulse of abusing and infringing the information security of financial consumers. In the process of open banking, financial institutions master and control all the information of financial consumers in their business. Compared with financial consumers, commercial banks have better risk control ability and more experience to protect financial consumers’ information from disclosure or infringement. In order to encourage commercial banks to improve technology and control the risks caused by open banking, it is necessary to strengthen the security obligations of financial institutions when sharing the relevant information of financial consumers.Open banking legislation should clarify the security obligations of financial institutions for personal information disclosure at the legislative system level, and prevent financial institutions from exempting them from their security obligations through contractual agreements. After the law clarifies that financial institutions have to undertake security obligations, financial institutions shall inevitably weigh the cost of information protection and the profits of information sharing, so as to make the best decision, and will take the initiative to adopt matching protection measures based on the level of data risks. As a result, the law can also encourage financial institutions to continuously improve the financial technology system, financial information protection system, and internal control system for the use of financial consumers’ information.Open banking is the inevitable result of the transformation and development of commercial banks in the era of big data, the development of which will have a profound impact on the financial market. Financial consumer is the main object of information sharing under open banking, as well as the subject of personal information rights. Therefore, the related personal information is protected by a series of laws including the Civil Code. Since data openness exposes financial consumers to risks such as users’ information disclosure, improper use, and personal safety issues, it is of vital importance to strengthen the information security protection of financial consumers. However, information openness and sharing can also bring convenience and benefits to financial institutions and financial technology companies. Excessive information protection will bring about cost increase, competition restrictions, and efficiency damages. The legal and reasonable use of financial consumer information is the due obligation of financial institutions. Based on the limited information processing ability and information acquisition ability of financial consumers, the law should give priority to fairness rather than efficiency, and give preferential protection to the weak financial consumers by clarifying the dominant position of financial consumers’ information right, strengthening the information disclosure obligations and security obligations of financial institutions. To achieve the aforementioned institutional goals, the prudential supervision of the regulatory agencies is definitely important, while the civil remedies granted by the court are also indispensable.
