The bricks and mortar are gone: fintech has broken through the walls that housed the traditional banks, and we are all flooded with data. To labour a metaphor, if Open Banking was the hammer that knocked through the dividing wall of traditional finance, then the Open Application Programming Interface (API) initiative is the wrecking ball that will raze the building to the ground.
That claim might sound a bit melodramatic, but there’s truth at the heart of it: open APIs are going to change everything in banking.
An API enables one piece of software to interact with another piece of software. An Open API is one that’s publicly available and provides developers with programmatic access to a proprietary software application or web service.
The Open API initiative will release a huge raft of information, concerning everything from customer behaviour to market trends, to many more companies than are currently able to access it. Essentially, it will commoditise financial data and push financial services (FS) towards an Android-style open source business model.
The project is based on the belief that creating an open, vendor-neutral description format for API services is critical to accelerating the arrival of a truly connected world. Open Banking has already brought renewed attention to the API model by encouraging a more collaborative, open source model and demanding governance and safeguards in data privacy. With the Open API initiative, these culture shifts stand to reduce the friction in bringing solutions to the market and improve consumer access to labour-saving innovations.
Before long – and we’re talking months rather than years – we’ll be seeing a much wider variety of commoditised FS services that were previously the preserve of the bank manager. And if that sounds like a lot of disruption, it is. With access to the relevant data, nimble, smaller companies stand a good chance of out-manoeuvring the banks. A speedboat will always turn tighter and faster than an oil tanker.
But with more data and more interconnection will also come the potential for more accurate and in-depth customer understanding for those larger, more established players. They’re sitting on a mountain of pertinent data, which means they can target their service development based on what they know about their customers - making informed decisions and then fuelling the new systems with existing data. If they don’t seize this opportunity, it may never present itself to such an extent again.
The potential is far-reaching, but there are also some risks to be navigated if FS institutions are to avoid a Facebook-style backlash over improper data use.
The need for knowledge: what are open APIs?
In the context of banking, and using open APIs, financial data is shared between two or more unaffiliated parties in order to provide improved capabilities. It also supports an approach to business development that fosters new dialogue between customers, suppliers and partners in emerging business ecosystems. In this day and age, collaboration and co-creation are increasingly front-of-mind for both established banks and their fintech counterparts.
For instance, open APIs would allow websites like Amazon and eBay, and payment systems such as PayPal and Venmo, to link their systems and create new services for customers. The recent debut of Amazon Pay is a great example of this, allowing consumers to pay for purchases on non-Amazon sites using their Amazon payment details. I’ve yet to meet anybody who doesn’t like to make payment as quickly and easily as possible online.
As I’ve illustrated, open APIs can be the foundation for some extremely useful innovations – but on the flipside, they also come with heightened security requirements.
Be aware of the risks and challenges
Knowledge is power in the face of the challenges posed by opening up banking APIs. We need to understand that openness brings with it the possibility of security breaches if not treated with proper caution. Banks have already been hit hard by regulatory fines for information security breaches – and they’ll most certainly want to avoid further financial penalties and reputational embarrassment in the future.
As the APIs open, there will be a flood of requests pouring in for access, including from new third-party providers who are springing up as a result of PSD2, and who may be an unknown quantity. This will be on top of requests through existing digital channels, already challenged with growing consumer demand for mobile payments. A high velocity of requests exposes banks' systems to possible fraudulent activity. Banks therefore need to rely on advanced analytics and automation to mitigate this risk. Operating without adequate measures is akin to racing down the road on a motorcycle without a crash helmet.
A major change introduced by PSD2 is access to banks’ data infrastructure and customer accounts through APIs. Any new digital channel carries inherent fraud risks and fraudsters could seize this opportunity to impersonate genuine customers, harvest their information through account information service providers and use it to open fraudulent credit accounts – or in other words, create absolute mayhem.
Access to accounts can also be an attack vector for data breaches where banks could be liable to heavy fines under regulations like the General Data Protection Regulation (GDPR). Standard business rules or even existing predictive models might not be effective against such risks. Banks – you have been warned.
Securing your data stream
Financial organisations need to invest in or upgrade to a holistic fraud prevention platform that uses a range of advanced techniques to mitigate the early signs of fraud and derive actionable intelligence from data. They need to adopt a proactive strategy and reduce their fraud permeability through a hybrid ecosystem using discovery analytics, layered detection and adaptive authentication. All of these things exist today, so there’s no need for an Archimedes eureka moment – we’re talking about everyday reality.
In other words, they need advanced analytics to help them understand the ever-widening array of data streams for which they are responsible. No human can effectively monitor the data flood that open APIs will generate. This is a game-changing initiative that will help deliver a better customer experience – but it has to be established alongside careful due diligence, aided by automated analysis. Embrace the change – but make sure you have the tools to keep your systems secure.
In September 2019, when SIBOS comes to London, these topics will be discussed and debated widely. SAS will be at the forefront of these conversations as we look to help our clients develop existing capabilities in a world where openness is increasingly familiar – and where fraudsters are trying every trick in the book to get their hands on both sensitive data and funds.
Alex Kwiatkowski is the Principal Industry Consultant, Global Banking Practice, SAS