API deep dive: Who will thrive in an open banking world? Why meeting regulatory requirements is not enough for banks to remain relevant
by Matthias Kröner, founder and CEO, Fidor
Forthcoming regulatory changes in Europe and UK represent a significant opportunity for banks to implement new digital strategies. With the update to the Payment Services Directive (PSD2) having come into force in January 2018, changes to the way customer data are processed and shared with third parties are underway. Application programming interfaces (APIs), will be the digital tools that usher in this new age of customer convenience. Fidor has leveraged APIs for over six years. This paper shares this experience with banks that wish to become more open. It will look at the role APIs are set to play in the open banking world, and how they will dictate which organisations will prosper.
Application Programming Interfaces (APIs) are relatively simple — they are ‘nothing more than a structure for how software applications should interact’, according to Jim Marous, publisher of the Digital Banking Report.1 They will, however, be at the heart of everything that customers, banks and financial service providers do in the digital world of the future. Fidor has been using APIs for over six years, and while banks already use APIs within their own organisations and with established partners, forthcoming regulations mean that banks in the UK and Europe will need to comply with laws obliging them to create ‘open’ APIs for third parties to build their own — possibly directly competitive — services around. While many banks were initially fearful of the threat this posed to their business model, most have come to realise that open APIs will enable high-quality, customer-centric services that we have never before seen the like of in banking. They represent a massive opportunity for banks to create experiences that not only satisfy their customers’ needs, but excite and delight them as well. To make the most of this opportunity and to ensure that they remain relevant to customers in years to come, banks, however, need to think about how they develop their API strategy to maximise returns and ensure that their branding remains at the front of their customers’ minds. In this paper, we will examine what APIs are, how regulatory changes are pushing banks into adapting their API strategy and, most importantly, what banks need to do to thrive in the open banking world of the future.
BREAKING DOWN APIs
The first step to understanding what an API-powered, open banking world will look like is to understand what an API actually is. APIs are interfaces for electronic data exchange. They allow efficient and secure access to systems and services of organisations in order to connect business processes and thus create value chains across organisations. APIs are nothing new. They have been used within banks and other organisations as a way of sharing data internally for as long as these organisations have had any kind of IT systems. APIs are there to provide contracts for information exchange between programs, ensuring the smooth flow of data in order for the organisation to perform some kind of task. In banking terms, you can think of an API as a doorway to some kind of service or information that needs to be accessed. This could be the data concerning a customer account — transactions, balances and the like — which is held in the central database and needs to be accessed by a bank’s mobile app, in order for the customer to get up-to-date information before making a decision on whether to purchase a certain item. In this case, the API is being used internally, or what we would consider to be a ‘private’ API. But when a bank needs to tap into a function offered by a different organisation — or the other organisation requires access to some of the bank’s data — the API is no longer a private one. For example, a card provider like Mastercard or Visa would also need to use APIs to offer an effective service to customers. These APIs are only available when directly requested from the bank, which will then offer support to its partners in the API’s implementation, as well as a sandbox for testing. This type of API, then, falls into the category of a ‘partner’ API. It is, however, the third category of API — the ‘public’ or ‘open’ API — which is of most concern to banks right now. This is because the forthcoming PSD2 regulations — which we will come to in a moment — dictate that all banks must now be able to provide basic customer account data to any licensed third parties that request it. Of course, these third parties must have the customer’s express consent to do this, but for banks, this is akin to letting competitors have the keys to your jewellery box. But, again, APIs are nothing new. They first hit the web in 2001, through organisations such as Salesforce and eBay, with other big players such as Amazon following suit soon after. Those APIs enabled third parties to plug additional or complementary services into the Salesforce, eBay and Amazon platforms. Since then, APIs have flourished and helped many different web-based services to grow. A plethora of new functions and easy-touse services have been opened up for consumers by APIs. APIs are effectively the glue that holds the Internet together. They allow businesses to push the boundaries when it comes to customer convenience, offering cutting-edge services that inspire loyalty and keep users coming back for more. It, therefore, makes sense to bring open APIs into the world of banking — with most consumers used to the slick, functional services offered by Netflix, Spotify and Uber, they should be able to get the same level of experience from their banks. The simple fact is that API-enabled open banking will make the customer experience much better, and banks should be preparing to take advantage of this. According to the World Retail Banking Report 2017,2 eight out of ten banks realise that APIs are going to help them improve the customer experience — these are the banks that will be most likely to prosper in an open banking world, while the other 20 per cent are at risk of losing relevance. We will move on to what exactly the open banking world will look like later in this paper, but first we need to examine the regulatory and technical challenges that face banks as they move into this world.
The new regulations that affect how banks are going to have to store and grant access to customer data are contained within the second iteration of the Payment Services Directive, better known as PSD2, drawn up by the European Banking Authority (EBA). Within PSD2, the Access to Account provision — again, better known by its acronym, which is XS2A — stipulates that banks must be in a position to grant access to any licensed third party that wants the relevant customer data, provided that the customer has permitted the third party to access it. This means that the bank needs to have an API-based system that is capable of sharing the data with third parties in a way that ensures full security and highest quality. They will also need to ensure that the front-end interface of the APIs that they are using for this is easy for these third parties to understand and plug into. To that end, and because there will be many hundreds of APIs created by the banks, they will need to comply with a set of technical standards to ensure some minimum level of consistency and security within the industry. The only problem with this is that at the time of writing, these technical standards have not yet been finalised. PSD2 entered into force in January 2016, setting 13th January 2018 as the date by which EU member states should have enshrined in national law these new provisions that all banks and other Payment Service Providers (PSPs) have to comply with. An important part of this legislation, however, is the RTS (regulatory technical standards) on strong authentication and secure communication, which is subject to a separate timeline. This document³ is still in the making and is unlikely to become law before mid-2019, which means that there could be an 18-month gap between PSD2 and the RTS legislation. This makes a confusing situation for the banks, with lobbying still going on, calls for changes in the timetable and uncertainty on when or how to begin work on a compliant version of the APIs. One territory where there is more clarity about the technical standards is the UK. The UK’s Competition and Markets Authority (CMA) has developed the open banking standard and has just released Version 1.0.0 of its API specifications.4 While these specifications will be updated and will not necessarily reflect the technical standards issued by the European Commission, they do serve as a useful framework for banks and PSPs currently deciding what to do. Of course, if banks and PSPs are still making these decisions only now, then they are already in a difficult position. Recent research from Ping Identity⁵ suggests that more than half of banks and PSPs are relatively unprepared for PSD2. There are also, however, many banks who subscribe to the principle of open banking and already provide their version of APIs to third parties. These APIs cover functions such as account balances, transaction functions, payment initiation and onboarding — and go well beyond the requirements of PSD2. Rather, they reflect the pro-active strategy these banks are taking in order to put themselves front-and-centre in the open banking world of the future.
WHAT WILL THE OPEN BANKING WORLD LOOK LIKE?
From the consumer’s point of view, the open banking world is very exciting, even if it is somewhat overdue. It is a world where one app can give you information about multiple accounts all in one place — take Fidor’s own Market,6 which is a curated ecosystem created to enable customers to easily browse for financial and insurance products, as well as offering additional convenient tools. Thanks to open banking and APIs, we are able to implement such marketplace-enabling partners to easily plug into our platform in a much shorter time than we would ever have thought possible previously. And with experience, we reduce more and more this time to market. Open banking will inspire a lot more collaboration between banks and innovative FinTech companies as such, both on an official and unofficial level. Overall, the consumer experience will be more positive, with many more customer-centric services available, according to the World Retail Banking Report 2017.7 But more importantly, there will be a number of ways in which banks and PSPs will be able to open new revenue streams and inspire loyalty among their customer base. While the introduction of PSD2 is the catalyst for this open banking revolution, it is a change that has long been coming. Consumers in the modern age are experiencing smooth, efficient digital services in just about every aspect of their lives — transport, entertainment, retail and so on — so it was about time banking caught up. For too long, banks have been allowed to put the interests of their shareholders before the interests of their customers, but this is now changing. Customers expect their banking services — whether they are applying for an account, checking their balance, making a payment or anything else — to be something they can do instantly, on any device, at any time of day. Therefore, when new FinTech innovators began to come along and show customers and the banks just what a customer-centric, slick digital experience was like, the banks had to take notice. And they soon realised that while these innovators did pose a threat to their business model, there was also a massive opportunity that they could take advantage of. PSD2 has served to solidify this threat in the mind of the banks — if they do not respond, they could simply become ‘dumb pipes’, giving nothing but the back end functions, while customers see only the branding of these new market entrants offering a much better experience. In terms of the opportunity, it is very much a case of ‘if you can’t beat them, join them’. Banks have just as much rights as any other player in the ecosystem — new entrant or not — to be creating high quality digital experiences and offering them to anyone and everyone by tapping into the APIs of their competitors. Of course, it is not going to be possible for banks — no matter how many resources they have at their disposal — to create every single kind of digital financial service that customers could desire. Instead, they have to figure out what it is that they can do, and then look to strike partnerships for everything that they cannot do. It is not, therefore, simply a stark choice between competing and collaborating — it is a blended approach that is required. FinTech innovators are more than ready to partner up with banks — after all, it puts them in front of an audience bigger than any amount of marketing spend could generate — while the bank can keep its customers happy by offering a better experience. Banks should be aiming to strike up as many partnerships as possible, so anything that one of their customers wants to do can be done within the bank’s own digital platform. This ensures that the bank will stay at the front of the mind for the customer — so a strong API strategy is required. That is why six years back Fidor management created the rule: ‘API first, APP second’. It is not just these innovative, nimble, but small start-ups that will be more competitive — banks need to realise that there could be some new giants coming into the market as well. Technology companies with massive scale — Google, Amazon, Facebook and Apple — could muscle their way into the market. As well as, they also have the advantage of being the provider of tools that millions of people spend a substantial amount of time using every day. Gmail or Facebook Messenger, for example, allows payments already. Apple already has a mobile payment platform used by millions of people around the world. Should any of these tech giants decide to take advantage of the new regulations to make a significant move into the financial services market, the landscape will change very quickly. Again, if this happens, then a good strategy from the bank could involve collaboration rather than merely seeing them as an out-and-out competitor. It is, however, important that banks make sure that their own offering is as strong as possible. Realistically, though, banks have to face up to the fact that the open banking world means that it will be increasingly difficult for them to ensure that they are the primary interface that their customers use for financial services. There will be more organisations competing for the attention of their customers than ever before — established banks, challenger banks and thirdparty service providers of all shapes and sizes.
THE REQUIRED APPROACH
Banks need to decide which path they should take. Doing nothing is not a realistic option — they do need to at least comply with PSD2 regulations. Simply making sure they do the bare minimum to meet PSD2’s requirements is not enough either. It will not cost much in terms of time and investment, certainly, but it definitely will not make them any money. They need to recognise that the industry is at a crossroads — there are opportunities to open up new revenue streams here, but there is also the very real possibility that they could disappear from the customer’s sight and become ‘dumb pipes’ for a plethora of competitor’s services. Banks, therefore, need to go beyond the reach of PSD2 and create not just the account balance, fund availability check and account verification APIs required of them, but open further APIs too. These include payment guarantees, real-time payments, conditional payments, authentication, age verification and payment status reports. These APIs could be charged for, giving them access to a new revenue stream. They still, however, need to do more to make the most of the new regulations. They cannot just be an account provider, charging third parties for access to their more advanced APIs. They need to become a provider of third-party services too, building their own services to integrate with the open APIs of other banks — again, opening up new revenue streams. On top of this, they can partner with other banks and FinTech providers to create a marketplace where their customers can access all kinds — ideally every kind — of digital financial service available. As well as, partnering with FinTech companies to get new services in front of their customers, it is possible to take these partnerships further. If they make their banking license and their underlying centralised infrastructure available to these FinTech companies, they can benefit as well. This is a true ‘open’ approach to banking, with these innovative FinTech players able to build on the bank’s existing core. The loan of the ‘banking rails’ lets these players serve increasingly niche markets — young people, expats and so on — while the bank can generate revenue. Knowledge-based partnerships should also be considered — as one of the pioneers of open APIs, Fidor has over six years of experience in the open banking world, which it can share with partners, for example. While the strategies that banks follow in the open banking world should have already been decided on — with a degree of flexibility built in, of course — it is also important to remember that this world will be dynamic, so banks must be prepared to experiment, learn and change quickly. The banks that win out will be the ones that put their customers first, as well as remembering that customers can be won and lost quickly. They will need to consistently provide slick and efficient services and ensure that their brand remains in the front of customers’ minds. The losers will be the banks that think mere compliance with PSD2 regulations where APIs are concerned is enough.
- There are seven important things that banks have to remember in order to be a winner in the open banking world. They are:
- Your bank’s API strategy should build upon what you already have. And build APIs in a consistent way.
- While the situation in terms of regulations is complicated, do not use this as an excuse to stand still. Be agile, move now or prepare to lose out.
- Do not simply comply with the regulations — this is not enough to be a winner in the open banking world.
- Build your own digital services to integrate with the open APIs of your competitors.
- Partner with competitors and FinTech companies to offer your customers the best possible range of services.
- Do not stand still — continue to build, partner and improve your offering, putting your customer at the heart of everything.
- And finally: More important than the API might be the data model you are operating with/in.
1. See: https://thefinancialbrand.com/65975/open- banking-api-fintech-partnerships/ (accessed 26th January 2018).
2. See: https://www.worldretailbankingreport.com/ (accessed 26th January 2018).
3. See: https://www.eba.europa.eu/documents/10180/ 1303936/EBA-DP-2015-03+%28RTS+on+SCA+ and+CSC+under+PSD2%29.pdf (accessed 26th January 2018).
4. See: https://www.openbanking.org.uk/read-write -apis/ (accessed 26th January 2018).
5. See: https://www.pingidentity.com/en/company/ press-releases-folder/2017/new-research-reveals- payment-industry-unprepared-for-impending-psd2- regulation.html (accessed 26th January 2018).
6. See: https://www.fidor.com/solutions/bank-as-amarketplace (accessed 26th January 2018).
7. See: https://www.worldretailbankingreport.com/ (accessed 26th January 2018).