Open Banking’s Open Secret

Tabrez Surve, Regional Director – Gulf, Levant & Turkey at F5 Networks, describes why holistic API management is the key to unlocking open banking’s vast potential.

In the age of digital banking, financial data now stretches way beyond traditional banks.

Last year was rife with hype and speculation about open banking’s disruptive credentials, and it is easy to see why.

Customers are becoming increasingly receptive to alternative payment methods from established technology firms such as Apple Pay, Samsung Pay, Amazon, and Google.

There are already a growing number of people who are transacting mainly via PayPal or bitcoin.

This rapidly advancing technology has taught consumers to demand everyday information instantaneously and with little effort—and now consumers want more control over their money. that is where open banking comes in.

Essentially, it is the practice of sharing financial information electronically, securely, and only under conditions that customers approve of.

Open banking chatter persists because it is can be a significant innovation catalyst, enabling better user experiences, streamlining lending, automating accounting, and pioneering new payment options.

It opens the way to new products and services that could help customers and small to medium-sized businesses get a better deal. It could also give you a more detailed understanding of your accounts, and help you find new ways to make the most of your money.

Here in the GCC, Bahrain is taking an early lead in the introduction of open banking systems, and the rest of the region appears poised to follow.

Pent-up demand for digital banking services also points to a need for open banking in the region. Indeed, recent research from McKinsey on urban consumers in UAE and KSA showed that at least 80 percent of consumers prefer digital banking, yet only 20-25% of them have acquired a product digitally.

Looking elsewhere in the world, Asia is already enthusiastically embracing the concept, buoyed by a slew of countries digitalising in real-time, a large base of tech-savvy consumers and digital payment platform ubiquity.

Europeans are slightly more circumspect. The biggest hurdle to date is consumer sentiment. There is still a reluctance to share personal information, which is partly a cultural mindset but also a reaction to the prevalence of data breaches.

Awareness is another pressing concern. According to a Splendid Unlimited study on the state of open banking, a mere 22% know what it is. Open banking services were used by just 9% of survey participants.

Ernst & Young’s Open Banking Opportunity Index predicts it will take around three to five years to really get going. That can change fast, however. Recently, the Open Banking Implementation Entity (OBIE) – the body set up by the Competition and Markets Authority (CMA) to deliver Open Banking in the UK – said the number of users has doubled in the past six months. More than 1m customers have made use of open banking technology in the two years since the tool came into effect.

Meanwhile, regulations continue to drive the pace of open banking rollout. In Europe, the European Union’s Second Payment Services Directive (PSD2) will continue to resonate. In effect since 14 September 2019, the directive aims to promote innovation, help banking services integrate new technologies, and ensure payments are secure. The UK’s Open Banking Directive is effectively the

country’s implementation of PSD2, though timeframes for full implementation have recently been extended.

Importantly, PSD2 includes new requirements for multi-factor authentication when executing bank operations. The value of EU consumers’ data is further elevated by the EU General Data Protection Regulation (GDPR) that came into effect in May last year. Markets such as Australia, Canada, New Zealand, Mexico, Argentina, Nigeria, Hong Kong, Japan and Taiwan are all monitoring the situation closely and poised for regulatory shifts.

Yet, while regulations clearly play an important role, open banking will only be sustainable if it makes a genuine difference to customers. It is their demands for greater agility and improved user experiences that push service providers to compete and innovate at pace.

Banking on holistic API management

This is where Application Program Interfaces (API) come in.

In simple terms, an API is a set of routines, protocols, and tools for building software applications. An API basically specifies how software components should interact.

In the banking realm, the use of open APIs enables third-party developers to build foundational technologies for applications and web sites that provide greater financial transparency options, ranging from open data to private data, for the financial institution’s account holders.

Notably, Open Banking Europe – operated by European Banking Subsidiary Clearing subsidiary Preta – published a directory last November that intends to list all publicly available bank APIs in the EU. The PSD2 Transparency Directory meets the need of third-party providers (TPPs) and account-servicing payment service providers (ASPSPs) for a repository storing all key information on bank APIs a single place. It currently contains information on over 1,500 bank-related developer portals. Input is expected from additional banks and financial institutions in the coming months.

The onus is now well and truly on infrastructure, operations and DevOps teams to define, publish, secure, monitor, and analyse APIs.

API management solutions enable authors to publish APIs to various environments such as production, test, or staging. This ensures consistency for each environment and prevents misconfigurations. Key examples include:

· API gateways. API gateways secure and mediate traffic between backend API consumers. API gateway functionality includes authenticating API calls, routing requests to appropriate backends, applying rate limits to prevent system overloads. It can also mitigate DDoS attacks, offload SSL/TLS traffic to improve performance, and handling errors and exceptions.

· Microgateways – Traditional API gateways may be inefficient when handling traffic in distributed environments (for example microservices or handling IoT traffic to support real-time analysis). An additional software component – a microgateway – is required to process API calls in these types of scenarios. Microgateways are still API gateways but are more lightweight and suited to microservice architectures.

· Analytics. Today’s solutions can provide deep visibility into operational metrics on a per-API basis, enabling new levels of troubleshooting and performance optimisation.

· Security. There are no shortcuts here. API infrastructure security should encompass authentication, authorisation, role-based access control (RBAC) and rate limiting (imposing a limit on the number of requests a caller can make during a defined period).

· Developer portals. A well-designed developer portal is pivotal to the success of any API program. It should facilitate rapid onboarding of consumers and include a catalogue of external APIs, comprehensive documentation, and sample code. Some solutions also provide a mechanism for developer interaction.

Development and deployment demands are more pressurised than ever, especially as DevOps methodologies start to permeate mainstream operational processes.

Despite some relative regional sluggishness, open APIs are definitively the future and virtually impossible for anyone with open banking aspirations to ignore. Watch this space.