Open banking standards have been on the rise around the world. According to Platformable’s Q3 2020 Open Banking API Trends, there are 423 open banking platforms globally as of Q3 2020. They have released over 2,800 API products. This has shifted the way consumers interact with financial institutions. It has also created new partnership opportunities that weren’t possible just a few years prior.
However, this trend brings about new technology challenges that must be addressed. This article examines the open banking API capabilities, outlines some challenges for financial institutions building an open banking API platform, and then discusses how API management layers can help accelerate their growth.
Regulations around the world
Europe has emerged as the leader in open banking standards with the introduction of Payment Services Directive in 2007 and the amendment in 2013 called Payment Services Directive 2 (PSD2). The PSD2 standard seeks to harmonize digital capabilities, offered via APIs, for Payment Initiation Services (PIS) and Account Information Services (AIS). While most efforts have focused on these two services, some financial institutions have started to expand beyond these minimal requirements with additional digital capabilities.
The API Playbook published by the Monetary Authority of Singapore (MAS) offers the start of an open banking regulation in Singapore. While it does not offer standardisation, it does offer common and useful APIs that should be offered. It also provides best practices for implementing APIs and a registry of open APIs currently available.
Australian open banking initiatives started with a focus on data sharing rights through The Consumer Data Right (CDR). Building upon CDR, the Big Four banks (CommBank, NAB, Westpac and ANZ) were required to deliver the first phase of open banking by 1 July 2020 that includes credit and debit card, deposit and transaction data. Mortgage and personal loan data followed on 1 November 2020. Banks other than the Big Four are required to provide access to open banking data by no later than July 2021.
Other parts of the world, notably the US, Japan and Canada, have taken a more hands-off approach by issuing non-binding guidelines, thus allowing industry stakeholders to pave the way forward. In its March brief “Developments in Open Banking and APIs: Where Does the U.S. Stand”, the Federal Reserve Bank of Boston said that the U.S. was the least likely among global governments to enact Open Banking regulation, particularly given its more complex and fragmented bank regulatory system. However, financial institutions (FIs) and technology companies are driving the impetus for open banking in the U.S., as they seek enhanced and expanded digital services for their customers.
Impact of open banking APIs
- Empowering consumers with open banking APIs
Most consumer interactions with a financial institution involve their savings accounts. Customers have been able to quickly and easily obtain account data via a mobile app or website. Partners are able to request permission to access these account details to power personal finance applications for budgeting, reporting and reconciliation.
PSD2 has enabled Europeans to obtain unsecured loans to address immediate needs that range from avoiding overdraft fees to greater buying power. The burden of filling out paperwork has been replaced with digital enquiries that bridge multiple lenders. While consumer understanding of open banking specifically remains low, consumers remain interested in its practical applications.
- Open banking APIs create new partnerships
One of the challenges of open banking is that financial institutions become commoditised. Brands may lose relationships with their consumers as the marketplace opens up. This is why some financial institutions are moving beyond the capabilities required by these standards to more premium service offerings for partners. This shift of mindset requires more of an ecosystem play with strategic partnerships.
Financial institutions are finding ways to extend their services to other industries through these partnerships. Many banks offer loans to finance the purchase of a new or used vehicle. Before the introduction of PSD2, obtaining a loan required considerable paperwork. Now, consumers may obtain loans easily from their preferred financial institution, or by consenting to share their financial data with other lenders that can compete with additional offers. Financial institutions are able to grow their relationship with the consumer by providing low-friction access to loans.
Partnerships such as these help to differentiate a bank by integrating third-party specialists. Rather than being partnerships in name only, they become profitable unions between established banks and emerging fintech startups. This allows the bank to remain relevant while extending its reach to new digital channels that interest consumers.
- Real-Time decision making with open banking APIs
Market analysis based upon API access to multiple internal systems can help drive business decisions in real-time and spot upcoming market trends. Moreover, fraud detection is often powered using a combination of APIs and real-time data streams. When used with APIs that support push notification and freezing an account, consumers can be immediately notified of potentially fraudulent activity and take immediate action to limit its impact.
Role of API management platforms in addressing open banking challenges
APIs enable financial institutions to connect their services to consumers and partners through a variety of digital channels including web, mobile, voice and chat. They also enable workforce automation across internal and third-party systems. This opens a wide variety of opportunities for financial institutions while expanding the role of these businesses across multiple industries. However, financial institutions face several technical challenges when embarking on an API programme.
- The impact of banking standards on API management
Regulatory requirements place a heavy burden on auditing data exposed via APIs. Segmenting their APIs across multiple API gateways is a common solution to address this need. APIs that offer auditable operations are segmented onto a dedicated API gateway, separate from other APIs. This introduces an additional challenge of synchronising API gateway configuration across multiple instances to prevent configuration errors. Financial institutions that select an API management layer (APIM) that synchronises configuration across multiple instances are able to address this issue head-on.
- Data entitlements to protect data
While many vendors are able to benefit from applying role-based access control (RBAC) at the API gateway, financial institutions are required to enforce additional restrictions on data access. Many banks are forced to implement their own data entitlements. These data entitlements require additional checks that can be managed by API gateways or API management platforms through support for customisable permissions. Additionally, API management platforms that support custom plugins can extend and enhance data entitlement checks before requests reach the backing service, allowing APIs to be delivered quickly and safely.
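The distinction drawn above, that a role grants the right to call an operation while an entitlement decides which customer's data that call may touch, is easiest to see in code. The following is an added example, not Tyk's code or any bank's implementation; the claim names, the consent records and the `authorize` function are all hypothetical and constructed for illustration. It layers a per-customer, per-account consent check on top of a plain RBAC check, the way a gateway plugin would run it before the request reaches the core banking service:

```python
"""Data entitlement check layered on top of RBAC, as a gateway plugin would run it.

Constructed example: token claims, consent records and function names are all
hypothetical. A request must pass BOTH layers: the caller's role must permit the
operation (RBAC), and the customer must have consented to that operation on that
specific account (entitlement).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# RBAC layer: which operations a role may invoke at all. Coarse-grained.
ROLE_PERMISSIONS = {
    "ais": {"accounts:read", "transactions:read"},   # Account Information Services
    "pis": {"payments:write"},                       # Payment Initiation Services
}


@dataclass
class Consent:
    """A customer's consent granted to one third-party client (constructed)."""
    client_id: str
    customer_id: str
    account_ids: frozenset   # only these accounts may be read
    permissions: frozenset   # only these operations were consented to
    expires_at: datetime     # consents are time-boxed


# Constructed consent store keyed by (client_id, customer_id).
CONSENTS = {
    ("tpp-budget-app", "cust-1001"): Consent(
        client_id="tpp-budget-app",
        customer_id="cust-1001",
        account_ids=frozenset({"acct-A", "acct-B"}),
        permissions=frozenset({"accounts:read"}),
        expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc),
    ),
    ("tpp-expired", "cust-1001"): Consent(
        client_id="tpp-expired",
        customer_id="cust-1001",
        account_ids=frozenset({"acct-A"}),
        permissions=frozenset({"accounts:read"}),
        expires_at=datetime(2020, 1, 1, tzinfo=timezone.utc),
    ),
}


def rbac_allows(roles, permission):
    """Coarse check: does any of the caller's roles carry this permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def entitlement_allows(client_id, customer_id, account_id, permission, now):
    """Fine-grained check against the customer's recorded consent.

    Returns (allowed, reason). Every denial names the failing condition so the
    gateway can log an auditable reason without leaking data to the caller.
    """
    consent = CONSENTS.get((client_id, customer_id))
    if consent is None:
        return False, "no consent on record"
    if now >= consent.expires_at:
        return False, "consent expired"
    if permission not in consent.permissions:
        return False, "permission not consented"
    if account_id not in consent.account_ids:
        return False, "account not in consent"
    return True, "ok"


def authorize(claims, account_id, permission, now=None):
    """Gateway decision for one request. Both layers must pass.

    `claims` is the validated token payload (hypothetical field names):
    client_id = the third-party app, sub = the customer, roles = RBAC roles.
    """
    now = now or datetime.now(timezone.utc)
    if not rbac_allows(claims.get("roles", []), permission):
        return False, "role lacks permission"
    return entitlement_allows(
        claims["client_id"], claims["sub"], account_id, permission, now
    )


if __name__ == "__main__":
    claims = {"client_id": "tpp-budget-app", "sub": "cust-1001", "roles": ["ais"]}
    print(authorize(claims, "acct-A", "accounts:read"))      # (True, 'ok')
    print(authorize(claims, "acct-C", "accounts:read"))      # account not in consent
    print(authorize(claims, "acct-A", "transactions:read"))  # role allows, consent does not
```

The point to notice is the third call: the `ais` role carries `transactions:read`, so RBAC alone would let it through, but the customer consented only to `accounts:read`, so the entitlement layer declines it. That is the gap the text says banks are forced to close themselves.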
- Limiting outbound data to third-party APIs
Financial institutions must protect all outbound data to enforce privacy and limit data exposure when integrating with third parties. This often requires the introduction of an API reverse gateway to protect all outbound traffic to third-party APIs. These reverse gateways avoid sharing sensitive third-party API access tokens with developers and server infrastructure. They may also be used to detect and decline outbound traffic if sensitive data would be released.
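The two jobs just described for a reverse gateway, holding the third-party token so application code never sees it and refusing to forward a payload that carries sensitive data, can be sketched in a few dozen lines. This is an added example and not Tyk's code or any vendor's reverse gateway; the host name, the vault contents, the `forward_outbound` function and the sample payloads are constructed. It goes slightly beyond the text in using a Luhn check to keep the card-number pattern from firing on ordinary numeric IDs:

```python
"""Outbound (reverse) gateway decision, constructed example.

Job 1: the third-party credential lives only in the gateway's vault and is
attached on the way out, so developers and application servers never hold it.
Job 2: the outbound body is scanned and the request is declined if sensitive
data (here: IBANs and Luhn-valid card numbers) would leave the institution.
All names and values below are hypothetical.
"""
import json
import re

# The only place a third-party token exists (constructed placeholder value).
_TOKEN_VAULT = {
    "api.partner-lender.example": "tok_CONSTRUCTED_PLACEHOLDER",
}

# IBAN: two-letter country code, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Candidate card number: 13-19 digits with optional single spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long numeric identifiers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return a list of (kind, match) findings in the outbound text."""
    findings = []
    for m in IBAN_RE.finditer(text):
        findings.append(("iban", m.group()))
    for m in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append(("pan", m.group()))
    return findings


def forward_outbound(host: str, headers: dict, body: str):
    """Decide whether an outbound request may leave.

    Returns (decision, headers_to_send, findings). The caller supplies no
    credential; if the host is known and the body is clean, the gateway adds
    the Authorization header itself.
    """
    token = _TOKEN_VAULT.get(host)
    if token is None:
        return "decline", dict(headers), [("unknown_host", host)]
    findings = find_sensitive(body)
    if findings:
        return "decline", dict(headers), findings
    out_headers = dict(headers)
    out_headers["Authorization"] = f"Bearer {token}"
    return "forward", out_headers, []


if __name__ == "__main__":
    clean = json.dumps({"customer_id": "cust-1001", "loan_amount": 12000})
    leaky = json.dumps({"customer_id": "cust-1001", "note": "card 4111 1111 1111 1111"})
    print(forward_outbound("api.partner-lender.example", {}, clean)[0])   # forward
    print(forward_outbound("api.partner-lender.example", {}, leaky))      # decline + findings
```

Two design notes. The decision function returns the findings rather than raising, so the gateway can log an audit record of what was blocked without the declined body ever being forwarded. And the vault is consulted by host, which means a request to an unlisted host is declined outright rather than sent without a credential.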
Tyk is a leading cloud-native API and service management platform complete with an intuitive dashboard and a simple developer portal, both powered by an open source API gateway. In addition to the capabilities mentioned above, Tyk also provides:
- Support for Open Policy Agent (OPA) which enables the creation of custom permissions for different user roles within the organisation.
- Dynamic Client Registration which enables dynamic registration of clients with the organisation’s existing authorisation server. Whether the organisation is using Keycloak, Gluu or Okta as their external Identity Providers (IdPs), with Tyk 3.2’s Dynamic Client Registration (DCR) capability, they can be integrated with the Tyk developer portal without the need to overhaul the underlying authorisation mechanism.
- Multi-Data Centre Bridge (MDCB) which enables creation of multiple local API gateways in accordance with data sovereignty requirements, managed through a central control plane.
With API adoption picking up in the banking industry, making it easy to access information in a simple yet powerful way, the key to success is awareness of which standards and regulations apply in your region, and choosing the right tools to address the corresponding challenges. Tools like an API gateway or API management platform, coupled with a dynamic and comprehensive API programme, could further drive growth and innovation in the industry.