Open banking: how not to write an open data licence

Update: 23 July 2018

Open Banking Limited has published Version 2.0 of its "Open Licence". However the licence is unchanged in substance from the original version.

Update: 2 December 2017

The Open Banking Limited site has been redesigned and the data licence discussed in this post seems to have gone missing. I've updated the links below to point to a copy of the licence.

Post: 27 February 2017

Open Banking Limited is a UK banking industry entity set up to support compliance with reforms mandated by the Competition and Markets Authority.

In preparation the Open Banking Working Group has developed an Open Banking Standard framework with input from the Open Data Institute (ODI).

The framework includes an expectation that the banking industry will publish certain open data. Examples include financial product information and reference information such as ATM locations.

Open Banking Limited has recently launched a beta website that includes a copy of its "open data licence".

Unfortunately that licence fails multiple tests of compliance with the Open Definition, the generally accepted minimum criteria for open data.

The UK banking industry has little experience with open data, so it's not clear whether the Open Banking licence is a deliberate attempt at open washing. Possibly the industry has just misunderstood what open data involves.

This post comments on the defects in the Open Banking open data licence. It may be useful to read the licence first, and the Open Government Licence is a good point of reference if you want to know what a compliant open data licence looks like.

image


Calling the API

As Open Banking has published separate terms for API users, there's really no need to link application of the data licence to the method of access. Clause 1.2 could instead be written so that the licence applies irrespective of the legal means by which the re-user obtains the data from the publisher.

Clause 1.3 effectively incorporates the API User Terms into the data licence. Analysis of the API User Terms is outside the scope of this post, but they are incompatible with open data licensing. Licensing for re-use of the data should be decoupled from the terms for use of the API.

The Open Definition requires that rights under the licence apply to all to whom the data is redistributed, with no need to agree to additional legal terms.

Revocable

Clause 2.1 makes the Open Banking data licence "revocable". Open data licences are not revocable by the licensor; they are perpetual provided the licensee complies with the terms. The licensor can decide to stop releasing data under an open licence, but the licensee retains rights to re-use any data obtained prior to that change.

Formats and purposes

Clause 2.1c, which allows the licensee "to adapt the Open Data into different formats for the purposes of data mapping (or otherwise for display or presentational purposes), raises ambiguities particularly when read together with the broader language in 2.1a and 2.1b.

Is the intention to restrict re-use to specific purposes, and if so what purposes? "Formats" and "data mapping" could have more than one meaning.

The Open Definition requires that the licence must allow use, redistribution, modification, and compilation for any purpose.

Changing the content and unfair or misleading analysis

Clause 3.1a prohibits changes to the "content" of the data, and so conflicts with the Open Definition requirement that an open licence must allow modification of the data.

Clause 3.1b prohibits use or analysis of the data in a misleading or unfair way, so conflicts with the requirement that an open licence must allow use for any purpose.

Of course an open data licence does not free the licensee from other legal obligations. In many contexts, and particularly in a regulated sector like financial services, there are already measures in place to discourage use of data in a misleading or unfair way.

Breach of third-party rights or laws or regulations

Clause 3.1c is unnecessary as the licensee is already legally obliged to respect third-party rights and applicable laws and regulations. The part about purposes that are "inconsistent with this Licence or with the API User Terms"; is oddly recursive. 

Read-only vs write access

Clause 3.2 specifies that the licence does not create write access to the data. It's unclear why this clause is in the licence. In its absence there is nothing in the licence that would grant the licensee write access, and anyway this has no obvious connection to re-use of the data. Questions of access rights to the API would fit more naturally in the API User Terms.

Attribution

An attribution clause is normal in an open data licence. However the specific reference in clause 3.3 to "open data" may create difficulty for re-users. The data is not “open data” within the generally understood meaning. Downstream users could misunderstand and themselves re-use the data outside the scope of the terms.

Trade marks and brands

Clauses 4.1-4.3 do not present any particular difficulties because they are separable from the terms that apply to the data, i.e. re-use of the data is not conditional on any of the terms that apply to trade marks and brands.

Existing rights

Clause 4.4 is also fine but it's unclear why it has been placed under the "trade marks and brands" heading. This clause should apply to re-use of the data as well, and I think that is probably Open Banking's intention.

Regulated Activity

Clause 5.2 is another that simply enjoins the licensee to comply with other legal obligations, and has no obvious purpose in the data licence. And why is it placed under the No Endorsements heading?

Data Licensor's Warrant

The warrant in clause 6.1 doesn't create any obvious difficulties for the data licensing. However it's unusual to see this in an open data licence. As the licensee isn't paying for the data and the licence doesn't provide for any penalty if service standards are not met, the licensor usually has no incentive to make such promises in the licence.

Who owns the data?

The data licensor is the API Provider rather than Open Banking. The licence assumes that the API Provider has the necessary rights to offer the data for re-use and seems to contemplate that they will only offer their own data.

However it seems to me that there might be potential for multiple API Providers to offer reference data where third-party intellectual property rights are involved; for example, ATM locations that offer withdrawals from more than one bank. If so, the data licence might need an additional clause to assure licensees that the licensor has the necessary rights.

Summing up

Open Banking's "open data licence" isn't an open data licence. As there is broad consensus on the minimum licensing requirements for open data, there is some reputational risk for banking institutions if they present data as "open" on these non-open terms.

Open Banking should either substantially revise its licence or stop referring to the product information and reference information as "open data".

Image credit: The Data Spectrum: Banking sector table by the Open Data Institute (CC-BY).