Ahead of the FinTech Europe Summit, Peter Smith, Global Head of Industry Policy Liaison, TISA has shared his article on API’s.
Open banking is the idea that UK banks will have to shift from being one-stop-shops for financial services, to open platforms where consumers can start to embrace a more “modular” approach to banking.
This isn’t some far off possibility though, as regulators in the UK and EU are forcing the banks to open up customer data to third parties in the form of secure APIs this year (2017), creating more choice on where and how consumers manage their money. However, real concerns remain around security and data privacy issues created by the new rules.
The Competition and Markets Authority (CMA) has issued its final order to formally implement open banking. Open banking will make a transformational change to banking for personal customers and small businesses. For the first time innovative and secure apps will provide personalised services and information to cover all financial needs in one place, and make it easy for people to find out what bank account & services are best for them.
So, instead of doing all of your banking through one or two firms, customers could have their current account with one provider and then bolt on other financial services like an insurance policy, ISA, mortgage and investments through other providers or brands, all under the user interface of your choosing. This approach is also known as banking as a platform (BaaP). In order for this to happen the banks will have to open up their data through application programming interfaces (APIs). Fortunately for consumers the CMA is forcing the banks to adhere to open banking standards by 13th January 2018.
The new rules state that banks must create open APIs so that customer data can be shared between organisations and be incorporated into third party applications in a common, consistent format. The first stage will be open APIs for what the CMA calls product and reference data. This will allow developers to create price comparison services, or include ATM locations on their maps, for example. This was due to be in place by the end of March 2017 and is something of a test run for the more confidential customer transaction data being opened up by January 2018. This data will allow developers to securely view things like transaction history to aid applying for a mortgage, or to alert users that they are at risk of becoming overdrawn, for example.
An API standard should look like a set of documentation, development code and reference implementations that anyone can use, dramatically bringing down entry barriers for participation in financial services.
The advantage of this would be reliable, personalised financial advice, precisely tailored to a clients particular circumstances delivered securely and confidentially. So the big opportunity or challenge to the big banks and from smaller challenger banks and fintech companies in order to provide customers with the best possible banking experience and digital facilities.
A challenge will be the take-up profile and engagement with consumers, with early adopters waiting to consume this. There will be an adoption curve and the steepness of that will come down to how we as an industry get trust and security right. There are industry groups such as TISA and others currently working on this.
As well as the CMA’s new rules, banks have to also face the overlapping European Commission’s Revised Payment Service Directive (PSD2). This, similarly, forces European banks to open up customer data via a standard set of APIs. In addition to that GDPR which takes effect in May 2018 forms two pieces of regulation that are the fundamental catalysts making open banking happen, effectively “open banking” can be defined as the combination of the two.
The applicability of PSD2 post-Brexit whilst it will be implemented remains unclear but current government has confirmed it to proceed regardless. The directive requires all member states to comply by 13 January 2018, a timetable the CMA is looking to match.
Fintech’s true promise springs from its potential to unbundle banking into its core functions settling payments, performing maturity transformation, sharing risk and allocating capital. This is being made possible by new entrants, payment service providers, aggregators and robo advisors, peer-to-peer lenders, and innovative trading platforms who will challenge or work in partnership with the current incumbent banks.
Aggregators, making use of banks’ Application Programme Interfaces (APIs), are providing customers with ready access to price comparison and switching services. New pro-competition policies are reinforcing this competition.
We will see the disaggregation and disintermediation of banking services, and banking becoming more unbundled, more modular. We are moving from an era of physical banking to a connected bank of digital services. This starts to re-frame banking as much more of a composite where providers both provide services and link to other services becoming a platform for customers to navigate around.
GDPR will be a central challenge to API development which includes the ability to provide customers who have transactions data and money held with banks to easily and securely get access to that data to use with whatever provider they choose.
The UK “challenger banks” could be well placed to thrive in this new open banking ecosystem once they have acquired their banking licenses, possibly becoming the open platform of choice for consumers. The bank of the future will be a marketplace rather than selling dozens of different financial products offering their customers access to the best products and services from across the market.
In a world where the data is freely available and the consumer chooses where to do their digital banking, this raises some interesting questions around accountability? Practically we need to ensure security of that change of data as GDPR rightly ensures the way we get consent for sharing and securing that information is in line with what customers expect.
GDPR poses several important questions around data security and privacy that need to be answered before we can allow developers to publish apps that can access other people’s data. A major concern for the banks here is around accountability and liability in the case of a hack or cyber breach. In short, consumers will have to be very trusting that the APIs are working in a way that doesn’t allow for criminals to embed themselves in-between the banks and the trusted third party apps.
There are already plans to ‘whitelist’ third parties that have appropriate security in place to protect against fraudsters. However fintech companies have already raised concerns that the banks may impose unrealistic criteria for whitelisting in order to limit the number of approved third parties accessing customer data.
Due to the strict timetable set by regulators this year will see banks reckoning with open APIs, the proof will be if the transition is a smooth one and if developers truly embrace these new data streams and create applications that consumers actually want to use. Traditionally UK consumers have been reluctant to switch things like bank accounts, 2017 will be the year we see if open banking can convince them otherwise.
With PSD2 demand will come from the merchants particularly the big merchants operating online or by mobile and physical points of payment channel creating services that buy API’s. The industry needs to know where is the demand going to come from what is the likely take-up rate of payment initiations what should they be doing between the period that PSD2 comes into effect and the strong customer authentication rules which will follow 12 months after that.
Comply or compete will be a huge opportunity for banks to treat API’s as products creating a new revenue stream, interact with third parties and merchants as a distribution channel and also distribute products leading to new customer distribution. Execution will be critical, not only do they need capability to apply API’s that organisationally they will need help to run and go to market and take those API’s to market the ability to execute its critical.
Therefore API’s create third-party products providing more powerful end-to-end experiences for customers. This will effectively mean more power to customers on technology panels. In this where do the Fin Tech’s sit, do they provide what the banks do not want to offer. How many API’s will be loss leaders and how do providers plug into play with customers. Does the financial services market and consumers understand what exactly open banking is? For the banks, do you open up to your competitors or hold the area of customer interest to retain customers and does brand & loyalty have any future value. There is opportunity to radically change the interface with customers. The assets you own could be the customer data only, they will be disaggregated with the customer to plug the data. Balance sheet constraints means that banks do not need things on their balance sheets very much like Uber, with no cars, airBNB etc. Is open platform they answer? Who picks up API’s and how do partners plug in and unlock the provider capability to plug into platforms or the bank? API’s will cover mortgages, savings, credit cards and current accounts. The API doesn’t own the relationship that controls the function or product. Will SME’s which are mainly consumer or corporates be able to operate in this space and where will new entrants go to find customers?
SME’s lending problem is it a tech problem or an appetite issue. Is changing a
Traditional banks are in a position of strength those smart enough will make it a communications channel which will be key to distributions posing the future viability question to continue to use traditional channels.
Does the customer buy all of the brand (loyalty) drawing parallels with the telcos utilising switching deals to drive retention rates would it not just be a pricing play. Where multiproduct holders are the consumer will people buy from one source or mix across an API platforms?