開放銀行的法律規制

Legal Regulating Open Banking

開放銀行作為一種商業模式創新成為金融市場不可逆的發展趨勢，並逐步進階為開放金融。我國開放銀行的推進應從市場驅動模式轉變為激勵性規制驅動模式。開放銀行規制應解決四個重點問題，即釐清商業銀行共享消費者數據的義務邊界、確定第三方服務提供商的類型及其權義、優化金融消費者行使權利的方式，以及通過合同機制配置數據控制者和數據使用者的義務及責任。為此，開放銀行規制策略的選擇組合應包括：一是規制目標應界定為金融消費者數據權利和金融權利的雙重保護；二是規制取向應保持動態一致性，通過測試與學習機制推動開放銀行向高階發展；三是規制方式應精確調適，靈活運用行政規制和自我規制的工具箱；四是規制依據應分層確立，形成國家立法、部門規章和行業標準相結合的規則標準體系。

Open banking is a set of initiatives by governments and financial industry to implement data portability and improve consumers' access to financial information and services, while preserving privacy and security. As a business model innovation, open banking is facing an evolving trend in many jurisdictions. Most OECD countries have established specific frameworks for open banking. In June 2023, EU legislators released three proposals to be more success in a data driven economy for people and business, which include Proposal for PSD3, Proposal for Regulation on Payment Services, and Proposal for Open Finance. And US financial regulator CFPB issued Required Rulemaking on Personal Financial Data Rights in October 2023. Tllis proposal activates a dormant provision of law enacted by Congress more than a decade ago. For China, the existing market-driven approach is different from EU and US. The promotion of China open banking should be upgraded from market-driven model to incentive-based regulation driven model. The open banking regulation should address four key challenges. (1) clarifying the boundaries of the obligations of commercial banks as data holders to share consumer data. Personal Information Protection Law provides consumer the right to data portability, but data holder's obligation to enable access is ambiguous in existing national financial laws; (2) defining the types of third-party service providers and their rights and obligations. Third-parties accessing to and using financial data should act on behalf of consumers; (3) facilitating the way financial consumers exercise their rights to data portability and financial product and services; (4) allocating the obligations and responsibilities between data controllers and data users through private contract as self-regulation mechanism. In responding to challenges above, open banking regulators should take flexible strategies as follows. First, the regulatory objective of open banking should be defined in Commercial Banking Law clearly. The dual regulatory objectives include protecting both financial consumer's data portability and financial product and services rights. In other words, financial consumers are protected from data laws and financial laws simultaneously which eliminate consumers worry about cybersecurity risks as well as how to protect their data when sharing data. Second, the regulatory orientation and approach should maintain dynamic consistency through testing and learning mechanism. The aim of this approach is to overcome the static, coarse, and backward-looking rules and enable financial regulators to harness and learn from the financial markets. Open banking rules and standards should be adaptive for future open finance. Building on existing open banking frameworks, open finance expands data access and sharing to data sources beyond payment/transaction data, while it also includes other areas of financial activity. Third, the regulation methods should be adjusted precisely with toolbox for administrative regulation and self-regulation. The legal regimes should consist of a collective contractual agreement between data holders and data users with the objective of promoting sharing efficiency and financial innovation to the benefit of consumers. Fourth, the regulatory system should be constructed including public and private rules and standards. Commercial Banking Law should state obligation of data holder to make consumer data available to data user upon request from consumers' express consent. Financial regulators should make a rule on personal financial data rights as well as financial data standards and API technical standards for data holders as well as data users.