CTO Corner is a BITS publication covering emerging trends and technologies in the financial services industry.
CTO Corner: Open Finance Application Programming Interfaces (API) – Why They Matter
Dan Schutzer, Senior Technology Consultant, BITS
With the convergence of mobility and the rapidly advancing landscape of the “Internet of Things”, FinTech applications are changing the way financial services and products are built and delivered. New applications are increasingly developed in open source collaborative communities using Application Programming Interfaces (APIs), specifications describing how software components should interact. This CTO Corner discusses the movement towards Open Finance APIs, why they matter, and both the threat and the opportunity they pose to legacy financial institutions.
The Opportunity – Standardizing on Open Finance APIs enables innovation, accelerates change and promotes a more competitive position for financial services firms. These APIs enable easy connection of regulated and non-traditional financial services technologies and provide access to an existing critical mass of users. Although Open Finance APIs make it easier for FinTech firms to ride the existing financial service rails, they also increase the accessibility of banking accounts and data. If implemented correctly, APIs can ensure better security and privacy and promote better customer experiences.
Take-away – Financial institutions should consider collaborating on implementing security-inspired Open API controls. At a minimum, financial institutions should carefully evaluate their API strategy and roadmap, and explore incubating extended communities of developers to augment their digital development teams.
Financial Application Programming Interfaces (APIs) provide a standard way for software applications to exchange financial data such as user investment portfolios, spending patterns, and risk preferences, and to perform requested transactions such as making payments, money and stock transfers and loans, buying insurance, and recording financial documents. For years, financial institutions have successfully moved core processes onto electronic systems. Now they must digitize them, and the difference is crucial.
For example, whereas an electronic loan-processing and fulfillment process at a financial institution largely implies the sharing and processing of PDF files of paper documents, digitizing a mortgage application involves creating and manipulating data fields, such as borrower income and liabilities, in a largely automated manner. APIs make it easier to achieve digitalization and greatly improve responsiveness while eliminating much of the cost of processing a mortgage. APIs also open the door to increased innovation to meet ongoing customer convenience demands.
Why Open Finance APIs are Important
There are two types of APIs: private and open. Private APIs are accessible only to customers and in-house or contracted developers. Open APIs sit on the programmable Web, and a developer or business doesn’t need to log into the provider site or be a customer to access them.
Open Finance APIs provide permissioned access to customer data, allowing transactions to be initiated from third party applications, including mobile. Utilizing Open Finance APIs instantly increases the value and reach of a third party application, allowing it to be implemented with built-in financial capabilities that ride the rails of the existing banking and finance community.
Finance API Proliferation Will Unleash a New World of Increased Connectedness, Ubiquity, and Innovation
Open Finance APIs enable easy embedding of financial services and a fast way of getting a product to market. Developers and innovators can leverage these APIs to create mobile and web applications that may otherwise be prohibitive for an FI to build alone, particularly for small financial companies. This is already happening with card-linked offers, small business credit, and robo advisors.1 As an example, Wealthfront 3.0 will feature direct integrations with platforms like Venmo, Redfin, Lending Club and Coinbase, as well as bank accounts and external brokerage accounts2. While all of these integrations are possible through private API access granted by those parties, the trend could be accelerated by Open Finance APIs.
APIs Can Extend the Reach of Financial Institutions
APIs will enable traditional financial institutions to more rapidly extend their functions and services to the reach of third party applications, websites, and even devices. This allows FIs to offer their existing customers functionality, including the ability to conduct financial transactions directly within a FinTech application. It can also allow an FI to offer financial services through Facebook, Google and other applications to users who are not current customers.
Public Open Finance APIs Offer the Potential for Reduced Regulatory Cost and Overhead
Regulatory reporting and exams, suspicious activity monitoring for Anti-Money Laundering (AML), and payment fraud detection can be redesigned to be more effective with APIs and open data sharing among financial institutions and regulators. Traditional credit risk assessments could be replaced by more complete data driven risk assessments that include network analysis and financial projections from thousands of data points available from APIs. This gain in efficiency can not only reduce the aggregate risk but also reduce the cost of managing risk.
Open Finance APIs Can Offer Financial Institutions Revenue Opportunities
There are estimates that as much as $300 billion per year in revenue could be realized from commercialization of data through APIs (across capital markets, commercial banking, consumer finance, and banking and insurance)3. Financial institutions remain uniquely and systemically important to the economy. They are highly regulated; are the major repository for deposits, credit issuance, and risk-taking; continue to be the gateways to the world’s largest payment systems; and still represent the primary financial relationship for most customers. Providing these services involves acquisition costs, transaction fees, creation of or access to payment networks, assumption of credit and fraud risk, and regulatory overhead. These are risks and costs a FinTech might be just as happy to leave with a traditional financial institution by partnering with it. Just as Facebook and other social media giants have become platforms, Simon Redfern, Founder and CEO of Open Bank Project, believes that banks will inevitably become platforms as well4.
Open Finance APIs Could be a Swing Factor in Addressing Regulatory Concerns
Regulation is a key factor in how FinTech disruption could play out. FinTech attackers are largely flying under the regulatory radar today, but they will attract attention as soon as they begin to attain meaningful scale. Regulation could affect the speed and extent of disruption, especially if there are material shocks (cybersecurity, money laundering, or credit-related issues) that warrant stronger regulatory involvement with leading FinTechs.
Examples of how Open Finance APIs can benefit financial institutions include:5
• Allows end-users to be more quickly on-boarded.
• Enables a bank to acquire partners that specialize in niche FinTech services with optimized front-end user interfaces.
• Allows seamless integration with crowdfunding platforms, payment splitting apps, and more.
• Allows a FinTech application to work with multiple technology solutions as they rise and fall out of favor.
• Removes the “hassle” of providing customer account numbers in implementing payment transfer transactions.
Some desirable attributes of an Open Finance API include:
• Protection of customers’ credentials. Use of APIs that do not require customers to divulge their credentials to a third party.
• Permissioning of information. Allow a third party to see some data, such as which restaurants the customer likes to eat at, in order for that third party to provide relevant promotional offers, but redact other more sensitive customer information.
• Controlled access. Ensure only authenticated, approved users and applications obtain authorizations and are able to access sensitive data. Customers authenticate themselves, and are required to give their consent in a simple, informed, and secure way.
o The customer should retain ongoing control and visibility over terms of access to their data (what is accessed and what that data can and cannot be used for) and should be able to revoke permission at any time.
o Security controls include geo/org fencing, token governance, dynamic access control lists, and advanced rate limiting.
• Satisfy regulatory requirements. External APIs should be able to be used in a way that is consistent with the requirements of the Data Protection Act, and sensitive to privacy concerns, data protection standards and legal requirements.
• Third party vetting process. Third party access to the API should be governed by an industry-wide approach to vetting third party applications. This should include whether they conform to various terms and conditions and could be independently rated so the public knows which applications are safe.
Support for Open Finance APIs is Growing but Concerns Remain
Many financial institutions, service providers and networks are already providing Open APIs6, and some regulators7 are considering requiring this capability as a means of driving innovation in the marketplace such as those under the European Union (EU) Payment Services Directive (PSD2)8. Even without regulatory pressures, financial institutions will increasingly provide customer data to and allow transactions to be initiated from API accessed third party applications.
Culture and Bureaucracy Barriers
In a 2015 survey9 conducted by Bank Innovation and the Open Bank Project (an open-source API and app store for banks), 37.6% of respondents said their bank is considering the launch of an API in the next 12 months, while 25.6% said their bank already has an API initiative. The survey also found that the primary obstacles preventing legacy FIs from supporting Open Finance APIs are corporate culture, bureaucracy, and security concerns. More than 62% of the 133 respondents to the survey cited culture and bureaucracy as a problem, followed by 50% of respondents who said security was a concern. Fewer than 25% of respondents called technology an obstacle.
Threat of Disintermediation and Disruption
Today, in the United States alone, 85 million millennials, all digital natives, are coming of age, and they are comparatively more open to considering a new financial-services provider that is “not their parents’ bank” than were the 40 million Gen Xers who came of age during the dot-com boom. Smartphones and a massive increase in the availability of widely accessible, globally transparent data have enabled new payment and authentication paradigms10. They also enable more personalized customer services that emphasize seamless, on-demand access to services or products. Financial institution data accessible by APIs allows innovative technology organizations to build smart applications and increasingly own the financial relationship with the customer.
A McKinsey report, The Fight for the Customer: Global Banking Annual Review 201511, suggests that as much as 40% of revenues and up to 60% of the profits in retail banking businesses (consumer finance, mortgages, small-business lending, retail payments, and wealth management) are at risk from FinTech startups. A 2015 Goldman Sachs research report12 similarly estimated that $4.7 trillion out of $13.7 trillion of traditional financial services’ revenue is at risk from new technology-enabled entrants. This threat exists even without Open APIs, as more agile FinTechs (e.g., PayPal’s Venmo, OnDeck, Wealthfront) with lower distribution, operational risk, and regulatory costs continue to innovate and gain market share.
Security, Privacy and Performance Concerns
Opening financial services data to third parties raises important security and privacy issues.13
• Open API software development is not centrally managed, which gives the enterprise less control over the security and privacy of an application.
• Widely used Open APIs present attractive new targets for cyber attackers.
• APIs need to be architected and implemented so they do not degrade the performance of an FI’s applications.
• However, Open APIs implemented with appropriate authentication, authorization, and access controls can reduce the risk of fraud losses and defaults. Depending on how they are implemented, public Open APIs could improve security and privacy rather than introduce new vulnerabilities.
o While screen-scrapers can provide individuals with a number of useful services, such as adding together how much a customer spends on groceries across all of a customer’s accounts, there are privacy and security concerns with providing secure log-in details to a third party, and in many cases “Terms and Conditions” violations. This issue can be addressed through the use of properly designed APIs that include strong access controls.
o Opening up data and services through secure Open APIs could make it easier for an FI to extend its platform and data in a controlled fashion to a select community of developers. This could create a more level playing field when it comes to innovation.
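The desirable attributes listed earlier (credential protection, permissioned views, customer consent with revocation, token governance, rate limiting, and monitoring of third parties) and the screen-scraper contrast in the bullet above can be shown concretely with a small consent-token service. The following is an added example written for this page; it is not code from BITS, from the Open Bank Project, or from any bank’s API. The customer records, app name, scope names, rate limit and window are all constructed for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed sample core-banking records for one customer (not real data).
ACCOUNTS = {
    "cust-1001": {
        "account_number": "00012345678",
        "balance": 2450.17,
        "transactions": [
            {"merchant": "Green Grocer", "category": "groceries", "amount": 84.20},
            {"merchant": "Pasta Place", "category": "restaurants", "amount": 41.50},
            {"merchant": "City Clinic", "category": "healthcare", "amount": 230.00},
        ],
    }
}

# Fields each (hypothetical) scope may expose. The account number and the customer's
# login credentials are never part of any view handed to a third party.
SCOPE_FIELDS = {
    "transactions:category": {"merchant", "category"},
    "transactions:full": {"merchant", "category", "amount"},
}
ALL_SCOPES = set(SCOPE_FIELDS) | {"balance:read"}

RATE_LIMIT = 5            # requests per grant per window (constructed limit)
RATE_WINDOW_SECONDS = 60


class AccessDenied(Exception):
    pass


@dataclass
class Grant:
    customer_id: str
    app_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False
    window_start: float = 0.0
    window_count: int = 0


GRANTS = {}     # sha256(token) -> Grant; the raw bearer token is never stored
AUDIT_LOG = []  # (time, app_id, customer_id, scope, outcome) for monitoring third parties


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_consent(customer_id, app_id, scopes, ttl_seconds, now=None):
    """Record the customer's consent for app_id to use the listed scopes and return
    an opaque bearer token; the app never receives the customer's password."""
    now = time.time() if now is None else now
    unknown = set(scopes) - ALL_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    token = secrets.token_urlsafe(32)
    GRANTS[_key(token)] = Grant(customer_id, app_id, frozenset(scopes), now + ttl_seconds)
    return token


def revoke_consent(token):
    """Customer withdraws consent; every later call with this token is refused."""
    grant = GRANTS.get(_key(token))
    if grant is not None:
        grant.revoked = True


def _authorize(token, scope, now):
    """Return the grant if the token is known, live, in scope and under the rate limit."""
    grant = GRANTS.get(_key(token))
    if grant is None:
        AUDIT_LOG.append((now, None, None, scope, "denied:unknown-token"))
        raise AccessDenied("unknown-token")
    reason = None
    if grant.revoked:
        reason = "revoked"
    elif now >= grant.expires_at:
        reason = "expired"
    elif scope not in grant.scopes:
        reason = "out-of-scope"
    else:
        # Fixed-window rate limit per grant, so a noisy app cannot degrade the FI's service.
        if now - grant.window_start >= RATE_WINDOW_SECONDS:
            grant.window_start, grant.window_count = now, 0
        grant.window_count += 1
        if grant.window_count > RATE_LIMIT:
            reason = "rate-limited"
    AUDIT_LOG.append((now, grant.app_id, grant.customer_id, scope,
                      "allowed" if reason is None else f"denied:{reason}"))
    if reason is not None:
        raise AccessDenied(reason)
    return grant


def get_transactions(token, scope="transactions:category", now=None):
    """Permissioned view of the customer's transactions, filtered to the scope's fields."""
    if scope not in SCOPE_FIELDS:
        raise ValueError(f"not a transaction scope: {scope}")
    now = time.time() if now is None else now
    grant = _authorize(token, scope, now)
    fields = SCOPE_FIELDS[scope]
    return [{k: v for k, v in tx.items() if k in fields}
            for tx in ACCOUNTS[grant.customer_id]["transactions"]]


def get_balance(token, now=None):
    now = time.time() if now is None else now
    grant = _authorize(token, "balance:read", now)
    return ACCOUNTS[grant.customer_id]["balance"]


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_consent("cust-1001", "offers-app", ["transactions:category"], 3600, now=t0)
    print(get_transactions(tok, now=t0))   # merchant and category only; amounts redacted
    try:
        get_balance(tok, now=t0)           # the customer never consented to balance:read
    except AccessDenied as exc:
        print("denied:", exc)
    revoke_consent(tok)
    try:
        get_transactions(tok, now=t0 + 1)  # refused immediately after revocation
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

The offers app in the demo sees which merchant categories the customer frequents, which is what it needs for relevant promotions, but never the amounts, the account number, or the login details a screen-scraper would have required. Tokens are stored only as hashes, so a leaked grant table does not yield usable bearer tokens, and every decision, allowed or denied, lands in the audit log that an FI’s third-party monitoring would consume.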
Explosion of Finance APIs. The proliferation of Finance APIs and their different implementation approaches is contributing to slow adoption.
• Over 1,700 APIs are listed on the Financial Category of the Programmable Web directory, including 1,200 in payments.14
• There are likely to continue to be many overlapping Finance APIs as control over an API can be a competitive advantage.
• It is noteworthy that Xignite, a consortium of 21 companies supporting and connecting developers with best-of-breed Finance APIs,15 launched last September.
• Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) are two leading Finance API implementations. Both have merit and approach API implementations from different philosophical perspectives and for different solutions.
The growth of Open Finance APIs is inevitable, but the outcome of this growth is uncertain in terms of security, revenue and control. Financial institutions should therefore carefully evaluate their API roadmap and explore incubating extended communities of developers to augment their digital development teams. This includes developing and ensuring adherence to Open Finance API policies for authenticity, consent, and delegation of authority, and continuously vetting, credentialing and monitoring third parties that access these Open APIs.
6. CapitalOne, BBVA, Visa, Mastercard, First Data and Yodlee
9. http://bankinnovation.net/2015/05/api-initiatives-at-banks-held-back-by-bureaucracy-survey-shows/, http://bankinnovation.net/2016/04/is-your-bank-working-on-an-api-initiative/?goal=0_c7c396d894-fdc53bfac3-38655121