Application programme interfaces (APIs) have been widely used for over a decade by the likes of Facebook and Google, strategically providing open APIs to increase their dominance and create new markets. However, for the financial services and payments industry, open APIs are still lesser known territory.
We’re now six months away from the second phase of open banking, when customers can digitally access and securely share their bank transaction data to get the most from their finances. The initiative will encourage financial service providers to offer high quality, targeted services, boosting competition, but the industry must embrace the new banking era and see it as more than a ‘compliance chore,’ says Roger Vincent, head of banking and innovation at Equifax.
“The banking industry is set for a huge customer-centric shake-up with the implementation of open banking phase two in January 2018. This exciting development will dramatically change the customer banking experience, helping consumers and businesses to use their financial transaction data to access products more easily and better understand their finances,” Vincent says.
The initiative kicked off earlier this year with stage one, where the ‘CMA9’ (nine banks mandated by the Competition and Markets Authority) provided improved access to information such as ATM locations and product listings.
“The second stage is the real game changer, with bank transaction data made available digitally for consumers and businesses to share securely, and only with their agreed consent, via open APIs. Through the open APIs the data can be used by authorised third parties to build new high quality and targeted services, including new digital offerings, facilitating a more competitive environment.”
“Over the next six months, banks need to embrace the move towards a more transparent banking world. To do this successfully, preparations must focus on meeting the long-term practical benefits of consumer empowered data sharing rather than approaching this change as a tick-box compliance activity,” Vincent says.
According to the Global Payments Innovation Jury report for 2017, the growing use of in-app payments is another reason why it seems increasingly necessary for established firms to provide external developers with easy access to payments systems.
The growing use of in-app payments is another reason why it seems increasingly necessary for established firms to provide external developers with easy access to payments systems.
The ability for transaction data to be used for automated creditworthiness and affordability assessments, fraud detection and product accessibility is endless, Vincent adds. Customers will be able to control how their financial data is shared digitally and provide a deeper picture of the way they manage their money. This could mean a quicker, more secure and fully digital mortgage application process or faster access to finance for a new business venture. “For those currently underserved by the market, for example young people or the self-employed, it could mean the start of a journey to better financial health.”
The jury examined roadblocks to open banking around the world and revealed that security concerns are the main reason that established payments firms are reluctant to publish their APIs. Given the regulatory climate and scrutiny that financial services firms are under, and the media attention given to security breaches, it’s no surprise that security is the top concern.
The importance of security can be seen in the IRS’s recent “Get Transcript” application hack. More than 700,000 consumers had sensitive tax information stolen in 2015 by thieves who hacked into the application, an API aimed at enabling USA taxpayers to more easily obtain records of their previous tax filings.
The Jury believes that the banks themselves would probably be seen as responsible for the security issues even if the problem originates in the third party organisation using the API.
“Cyberattacks and computer fraud remain among the primary concerns of banks today. As money is kept and transacted by banks digitally, modern-day bank robbers use cyberspace to do their work. Cyberspace is a better option for them as it’s typically more difficult to catch them there,” says Greg Day, VP and CSO, Palo Alto Networks.
Ahead of any potentially disastrous cyber incidents, a member of the European Central Bank’s (ECB) executive board recently stated that all banks directly supervised by the ECB’s board will have to report all significant cyber incidents from this summer onwards.
This announcement, coming from a member of the ECB’s board, indicates the priority put on this issue by European regulators. Similar to the data breach notifications under the General Data Prevention Regulation (GDPR), it goes to show that being transparent about the cyberattacks that have affected your financial organisation is perhaps the most important step when it comes to cybersecurity, says Day.
“Security is, at its core, about managing risk. So, if we focus on prevention and we empower the industry to think differently, we can succeed in bringing that risk down to acceptable levels. Banks have already collaborated with financial industry forums like the IS-ISACs on the impact of cybercrime to their industry,” he explains. “Much like the Cyber Threat Alliance has moved the needle on how and why the security industry collaborates, the ECB requirements have the opportunity to improve lessons learnt and identify the common components that make up attackers’ playbooks during incidents to prevent future threats. ”
According to Day, data security is the cornerstone of meeting the ECB’s goals. “Too much of cyber security is legacy technology. But, legacy systems are just not fit for purpose to meet the ECB goals.” But legacy is not just technology, it starts with mindset.
The IT world evolves at a great pace, which requires a rethink of the fundamental goals to be achieved. In cybersecurity businesses are too often caught up in responding to the ongoing attacks. GDPR, and now the ECB announcement, present a rare opportunity to step back and re-examine if the processes, procedures and technology are fit for the current and future requirements, Day adds.
“What’s needed is a system that securely processes sensitive financial data and is able to act before a breach has occurred. Therefore, banks and financial institutions regulated by the ECB must take into consideration more modern technologies and practices when deciding how to mitigate the risks associated with the sensitive data they hold.”