What’s your bank’s identity API strategy?

It’s important to understand what business a company actually works in—and this might not be as obvious as it seems. Statoil, as the name might suggest, is a mostly state-owned business that was founded to exploit Norway’s oil reserves. However, it is not in the oil business, but in the energy business. With oil demand expected to peak in the 2020s, it has already begun to increase its reliance on hydro and wind power. When oil production is no longer profitable thanks to advances in renewable energy, Statoil won’t be left focused on a dwindling business.

Banks should take heed. Most think that they are in the money business, when they are actually in the trust business. The trust placed in these organisations is hard won thanks to the investments made to keep banking secure and meet banking regulations. This trust placed in banks by consumers, businesses, and governments is where banking needs to place bets on its future, and PSD2 is one reason it should start thinking now.

The PSD2 “push” to APIs

PSD2 regulation will mean that banks need to provide and open up APIs for third party access. “Screen scraping”, where third parties log on to services in the same way customers do, looks likely to be blocked by the EU, making APIs the only way for this to happen. Banks are quite rightly worried about giving this level of access to third parties: by providing easy access to rivals offering a specialist service with a better user experience, the most profitable parts of their business are under attack.

Banks face a choice. Banks can, if they want to, provide the bare minimum demanded by the regulation, or they can do more. But if they want to stay relevant, they would be best advised to create APIs that are easily accessed and go beyond what the regulation demands. If they do, then this means they can seize an opportunity for a new business model, with new revenue streams. If they do not, they will not prevent disintermediation—customers will simply switch to banks where third parties can more easily plug in.

Having such an API strategy is not a foolhardy decision that will accelerate banks losing their position in the market. There are already many examples of businesses that make a great deal of money from APIs. Salesforce makes 50 per cent of its revenue via APIs, while eBay makes 60 per cent and Expedia makes 90 per cent. Investing in APIs that make access simple, while also “feeding” value-added services that are hard to commodify, makes business sense.

Banks become brokers

PSD2 will create two new categories of business—the AISP and the PISP. AISPs (Account Information Service Providers) will use bank APIs to access customer information and provide a single view of a number of bank products held by the customer. This is initially limited to payments accounts but may be extended in the future. They can then use this information to provide financial advice or to cross-sell products. PISPs (Payment Initiation Service Providers) will be able to initiate payments directly from a bank account, going around the card services usually used for this.

Banks should consider using APIs to become AISPs and PISPs too—providing that single view for their customers of not just their own accounts but accounts held elsewhere, and becoming a one-stop shop for financial services from any of these accounts.

This approach is great in theory, but banks face many obstacles in reaching this goal. Many bank systems are old, potentially dating back as far as the 1970s, and siloed from each other. One major point of fragmentation in these systems is in the number of different ID and authentication platforms in use. To be able to provide an API, banks need to clean these up, provide the Strong Customer Authentication also demanded by PSD2 regulation, and embrace digital identity.

The digital identity vacuum

Digital identity is key to banks making a success of PSD2 regulation and the mandate to offer APIs, and is the start of banks becoming trust businesses first and money businesses second. Digital identity is a challenge for many countries today. The EU has attempted to nudge its member nations along with the introduction of eIDAS regulation to provide a framework and standards. But progress has been slow, with only a few nations ‘notifying’ eIDAS of their ID schemes, and the system only available for government and public services so far.

Banks, as trusted parties, need to step up and address this problem as part of digital transformation and to open up new revenue streams. By providing users with a safe way to store identities and offering access through an API, banks can leverage the trust they have fought to establish and defend. Unlike physical identity credentials, such as passports and driving licenses, a bank identity API can expose only the required attributes—a business can ask if someone is who they say they are, where their country of residence is, or prove that they are over 18 without needing access to additional irrelevant information.

Just as PSD2 creates new businesses in the form of PISPs and AISPs, banks can use PSD2 as an opportunity to become DISPs—Digital Identity Service Providers. The identity APIs they provide should be open for any business to use. In Norway, BankID digital identity was successful right from the start thanks to its openness. Swedish BankID, on the other hand, was slow to start, thanks to being only available for financial services, and became successful only once it was opened up for any business to use.

Transformation based on trust

Once banks are not just money businesses, but trust businesses, they have a much brighter future. As things stand, fintech providers are attacking their most profitable areas by providing specialist services—leaving banks to provide basic banking services. Just as consumers can log in to certain online services using their Facebook or Google accounts, they will be able to access services that demand more security with their bank identity. “Log in with your bank” will not only be a revenue stream, but will make customers far happier with their banking service overall. This will help reposition banks in the new financial services marketplace.

Finally, the creation of ID APIs will accelerate banks’ digital transformation, ensuring they remain at the heart of financial services but without being relegated to a utility. Banks are seen as too slow and too big to creatively iterate on services as a disruptor might. But by creating their own ‘internal fintechs’ using the bank’s API, they can potentially beat the upstarts at their own game.

Banks need an API strategy not only to survive the fintech revolution, but to thrive within it.

Gunnar Nordseth, Co-Founder, CEO, Signicat