Open banking involves providing open APIs (Application Programming Interfaces) to third parties and developers, giving them access to a bank's most closely guarded asset: its data.
While the concept of an API, a defined set of calls through which one software application interacts with another without any direct integration of the two systems, has existed for over two decades, the use of open APIs is fairly new and still at an experimental stage in banking.
Open APIs in Other Industries
Non-financial players, especially the travel and hospitality industries, have been leveraging open APIs successfully for quite some time. A restaurant facilitates dinner reservations by calling a reservation API such as OpenTable and provides directions by calling a third-party maps API such as Google Maps. When a user books a ride from Uber or Lyft, the user's location is identified via a third-party maps API, and payment is made at the end of the ride via a credit card API.
Online airfare aggregators such as Orbitz, Expedia or Travelocity let the user buy air tickets and travel insurance, make hotel reservations, get details of restaurants, museums and other tourist attractions at the destination, book a rental car, and so on, from the same website without having to go to a separate provider for each service. Each service also presents comparative options, allowing the user to make an informed and optimal choice. The process of calling an external API for each service runs in the backend and is completely seamless to the user. This kind of cross-business collaboration has been practically non-existent in the banking industry, but probably not for long. While it is more a regulator-driven initiative in the UK, Asia and Europe, it is purely market-driven in the US.
Open Banking Opportunities
In an open banking scenario, a bank exposes APIs to its proprietary systems, and independent developers build applications on top of them. FinTech partners can leverage these to link the bank's products and services to other banks and financial service providers, help design new products, reduce time to market, and create additional access points and distribution channels that enhance customers' digital experience. The possible outcomes of such linking and aggregation are numerous.
Customers would be able to review the status of their financial goals across all their banking relationships and move money among accounts to optimize cash flow. Just as air travelers can use Orbitz to check ticket prices of all airlines handled by the aggregator and choose the best fare, banking customers could select the best financial product with the help of an analytical product-comparison dashboard. Customers will be able to interact with their banks, use the services of multiple providers and transact across accounts through a single platform.
Such collaboration will not be restricted to banking alone; an open API is available to firms outside the financial services industry as well. For example, Amazon embedded a handful of credit card APIs, including those of American Express, Chase, Citi, Discover and Hilton Honors, into its website, allowing the customer to pay for retail purchases with credit card reward points without having to log into the card provider's website to redeem them. Another example of an API partnership between a bank and a non-financial service provider is Capital One and Amazon. Instead of investing time and resources in developing its own voice assistant, Capital One partnered with Amazon so that customers can manage their accounts by asking Alexa to make payments, track spending, check balances, and so on. American Express has a similar partnership with Amazon Alexa. PayPal now allows the iPhone voice assistant Siri to make payments via voice commands.
Open banking has the potential to offer customers a wide and creative array of options that would not otherwise be possible. Open banking is not merely a matter of adopting open API technology; it is a business strategy. An open bank is an omnipresent bank that provides a friction-free digital experience to customers, transforming the delivery model into banking as a service (BaaS).
Concerns and Challenges
Using open APIs is not merely a matter of providing access to a bank's systems or customer data; it is a much broader, goal-oriented collaborative relationship among partners. Open banking involves a paradigm shift away from maintaining absolute control over customer data within the solitary domain of the bank, towards sharing control with diverse partners in a new ecosystem of banks, FinTechs, financial and non-financial third parties, and software developers. This is not an easy move for an industry that thrives on a closed business model and carries the burden of legacy infrastructure.
While advocates of open banking hail the possibilities for innovation, critics are wary that customers may transact directly via third parties, bypassing the bank and fraying the customer relationship. This may be a far-fetched scenario: using a different touchpoint should not be construed as parting ways.
While open banking may promote innovation and competitive offerings, it is also interlaced with privacy and data security concerns. 'Opening up' does not necessarily mean 'letting go'. Sharing data is unavoidable, but banks can still control what data is shared (data for a specific product; sample or live data), in which form (encrypted or unencrypted), with whom, and for what purpose.
When banks open their systems, it is not 'open-to-all' access. For instance, for a checking account API, a bank may grant third parties read-only access to the account balance but not to the transaction history. If data on multiple products is shared, customer privacy can be preserved by aggregating or anonymising the data so that API users cannot trace it back to an individual customer or reconstruct that customer's history; encryption protects the data in transit and at rest, but it does not by itself prevent re-identification once a partner is able to decrypt it. This guards against social engineering and against third parties targeting bank customers with invasive advertising or predatory lending. In other words, it is a push model in which banks decide what they are comfortable sharing, rather than third parties pulling whatever data they want from the bank.
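The two controls described above, scoped read-only partner access and aggregation that suppresses groups small enough to identify an individual, can be sketched in a few dozen lines. The example below is added here for illustration and is not code from the article or from any bank's API; the scope names, the in-memory account store, the sample customers and the `PartnerToken` structure are all constructed for this example, and a real deployment would derive the scopes and consented accounts from an OAuth 2.0 / consent flow rather than from a hard-coded object.

```python
"""
Added example (not from the article): a minimal model of scoped third-party
access and aggregation-before-sharing for an open banking API.

All scope names, accounts and customers below are constructed for this
illustration and do not correspond to any real bank or API profile.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical scope names. Real open-banking profiles define their own,
# but the principle (one scope per data element) is the same.
SCOPE_BALANCE = "accounts:balance:read"
SCOPE_TRANSACTIONS = "accounts:transactions:read"

# Constructed sample data: account id -> (customer id, region, balance, history)
ACCOUNTS = {
    "acc-001": ("cust-A", "north", 1200.00, [("2024-01-03", -45.10), ("2024-01-05", 900.00)]),
    "acc-002": ("cust-B", "north", 350.00, [("2024-01-04", -20.00)]),
    "acc-003": ("cust-C", "south", 9800.00, [("2024-01-02", 5000.00)]),
}


@dataclass(frozen=True)
class PartnerToken:
    """What the bank issues to a vetted partner after the customer consents."""
    partner_id: str
    scopes: frozenset        # data elements the partner may read
    accounts: frozenset      # accounts the customer consented to share


class Forbidden(Exception):
    pass


def can_access(token: PartnerToken, scope: str, account_id: str) -> bool:
    """Allow only if the token carries the scope AND consent covers the account."""
    return scope in token.scopes and account_id in token.accounts


def _require(token: PartnerToken, scope: str, account_id: str) -> None:
    if scope not in token.scopes:
        raise Forbidden(f"{token.partner_id}: missing scope {scope}")
    if account_id not in token.accounts:
        raise Forbidden(f"{token.partner_id}: no consent for {account_id}")


def get_balance(token: PartnerToken, account_id: str) -> float:
    """Read-only balance endpoint: needs the balance scope for this account."""
    _require(token, SCOPE_BALANCE, account_id)
    return ACCOUNTS[account_id][2]


def get_transactions(token: PartnerToken, account_id: str) -> list:
    """History endpoint: a separate scope, so a balance-only token is refused."""
    _require(token, SCOPE_TRANSACTIONS, account_id)
    return list(ACCOUNTS[account_id][3])


def aggregate_balances(min_group_size: int = 2) -> dict:
    """Share only per-region counts and totals, and drop any group smaller
    than min_group_size: a 'group' of one is just the individual customer."""
    groups = defaultdict(list)
    for _, region, balance, _ in ACCOUNTS.values():
        groups[region].append(balance)
    shared = {}
    for region, balances in groups.items():
        if len(balances) < min_group_size:
            continue  # suppressed: would re-identify a single customer
        shared[region] = {"customers": len(balances), "total": round(sum(balances), 2)}
    return shared


if __name__ == "__main__":
    # A partner consented to see only the balance of acc-001.
    balance_only = PartnerToken("fintech-1", frozenset({SCOPE_BALANCE}), frozenset({"acc-001"}))
    print("balance:", get_balance(balance_only, "acc-001"))
    try:
        get_transactions(balance_only, "acc-001")
    except Forbidden as err:
        print("denied:", err)
    print("aggregate:", aggregate_balances())
```

The important design point is that the scope check and the consent check are both enforced on every call, so a partner holding a balance-only token cannot read history even for an account the customer consented to, and cannot read anything for an account the customer did not. The `min_group_size` threshold in `aggregate_balances` is a deliberately crude stand-in for the k-anonymity style checks a real data-sharing pipeline would apply.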
Banks must maintain robust internal security and thoroughly vet API partners and their data security practices, including cloud policy, before granting API access, especially if customer data is stored on or passes through partner systems. Compliance with local regulation on data movement is mandatory where cross-border partners are involved.
Customers must be educated about multi-factor authentication, including biometrics, when using third-party access points, to protect against identity theft. Banks must continuously monitor for potential security breaches and have an effective, immediate remediation strategy ready for when one occurs.
The path to open banking is riddled with challenges, but the journey is inevitable. Banks must open up, but only after putting a solid security process in place: much like installing a protective mesh to keep out insects before opening the windows of your house for fresh air and light, and keeping an insecticide inside to deal with the cunning few that get through the mesh.