Last year was rife with hype and speculation about open banking’s disruptive credentials, and it is easy to see why.
Open banking is essentially the practice of sharing financial information electronically, securely, and only under conditions that customers approve of.
Chatter about open banking persists because it can be a significant innovation catalyst, enabling better user experiences, streamlining lending, automating accounting, and pioneering new payment options.
Asia is already enthusiastically embracing the concept, buoyed by a slew of countries digitalising in real-time, a large base of tech-savvy consumers and digital payment platform ubiquity.
Europeans are slightly more circumspect. The biggest hurdle to date is consumer sentiment. There is still a reluctance to share personal information, which is partly a cultural mindset but also a reaction to the prevalence of data breaches.
Awareness is another pressing concern. According to a Splendid Unlimited study on the state of open banking, a mere 22% know what it is. Open banking services were used by just 9% of survey participants.
Ernst & Young’s Open Banking Opportunity Index predicts it will take around three to five years to really get going. That can change fast, however. Recently, the Open Banking Implementation Entity (OBIE) – the body set up by the Competition and Markets Authority (CMA) to deliver Open Banking in the UK – said the number of users has doubled in the past six months. More than one million customers have made use of open banking technology in the two years since the tool came into effect.
Meanwhile, regulations continue to drive the pace of open banking rollout. In Europe, the European Union’s Second Payment Services Directive (PSD2) will continue to resonate. In effect since 14 September 2019, the directive aims to promote innovation, help banking services integrate new technologies, and ensure payments are secure. The UK’s Open Banking Directive is effectively the country’s implementation of PSD2, though timeframes for full implementation have recently been extended.
Importantly, PSD2 includes new requirements for multi-factor authentication when executing bank operations. The value of EU consumers’ data is further elevated by the EU General Data Protection Regulation (GDPR) that came into effect in May 2018. Markets such as Australia, Canada, New Zealand, Mexico, Argentina, Nigeria, Hong Kong, Japan and Taiwan are all monitoring the situation closely and poised for regulatory shifts.
Yet, while regulations clearly play an important role, open banking will only be sustainable if it makes a genuine difference to customers. It is their demands for greater agility and improved user experiences that push service providers to compete and innovate at pace.
Improving transparency with API management
This is where Application Programming Interfaces (APIs) come in.
In simple terms, an API is a set of routines, protocols, and tools for building software applications. An API basically specifies how software components should interact.
In the banking realm, the use of open APIs enables third-party developers to build foundational technologies for applications and websites that provide greater financial transparency options, ranging from open data to private data, for the financial institution's account holders.
Notably, Open Banking Europe – operated by European Banking Subsidiary Clearing subsidiary Preta – published a directory in late 2018 that intends to list all publicly available bank APIs in the EU. The PSD2 Transparency Directory meets the need of third-party providers (TPPs) and account-servicing payment service providers (ASPSPs) for a repository storing all key information on bank APIs in a single place. It currently contains information on over 1,500 bank-related developer portals. Input is expected from additional banks and financial institutions in the coming months.
The onus is now well and truly on infrastructure, operations, and DevOps teams to define, publish, secure, monitor, and analyse APIs.
API management solutions enable authors to publish APIs to various environments such as production, test, or staging. This ensures consistency for each environment and prevents misconfigurations. Key components of an API management solution include:
- API gateways. API gateways secure and mediate traffic between backends and API consumers. API gateway functionality includes authenticating API calls, routing requests to appropriate backends, and applying rate limits to prevent system overloads. A gateway can also mitigate DDoS attacks, handle errors and exceptions, and offload SSL/TLS traffic to improve performance.
- Microgateways. Traditional API gateways may be inefficient when handling traffic in distributed environments (for example, microservices or handling IoT traffic to support real‑time analysis). An additional software component – a microgateway – is required to process API calls in these types of scenarios. Microgateways are still API gateways but are more lightweight and suited to microservice architectures.
- Analytics. Today’s solutions can provide deep visibility into operational metrics on a per‑API basis, enabling new levels of troubleshooting and performance optimisation.
- Security. There are no shortcuts here. API infrastructure security should encompass authentication, authorisation, role-based access control (RBAC), and rate limiting (imposing a limit on the number of requests a caller can make during a defined period).
- Developer portals. A well‑designed developer portal is pivotal to the success of any API program. It should facilitate the rapid onboarding of consumers and include a catalogue of external APIs, comprehensive documentation, and sample code. Some solutions also provide a mechanism for developer interaction.
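The per-call checks listed above (authentication, role-based authorisation, then a limit on the number of requests a caller can make during a defined period) can be shown in order. This is an added example, not code from any API management product; the API keys, roles, routes and the `admit` function are constructed for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample data: hypothetical TPP API keys mapped to roles,
# and the (method, path) pairs each role may call.
API_KEYS = {"tpp-key-aisp": "aisp", "tpp-key-pisp": "pisp"}
ROLE_ROUTES = {
    "aisp": {("GET", "/accounts"), ("GET", "/transactions")},
    "pisp": {("POST", "/payments")},
}

@dataclass
class FixedWindowLimiter:
    """At most `limit` requests per caller in each `window_s`-second window."""
    limit: int
    window_s: float
    _state: dict = field(default_factory=dict)  # caller -> (window_start, count)

    def allow(self, caller, now):
        start, count = self._state.get(caller, (now, 0))
        if now - start >= self.window_s:   # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:            # quota used up for this window
            self._state[caller] = (start, count)
            return False
        self._state[caller] = (start, count + 1)
        return True

def authenticate(presented_key):
    """Return the caller's role, or None. Each comparison is constant-time."""
    role = None
    for key, key_role in API_KEYS.items():
        if hmac.compare_digest(key.encode(), presented_key.encode()):
            role = key_role
    return role

def admit(limiter, key, method, path, now=None):
    """Return the HTTP status the gateway would answer with for this call."""
    now = time.monotonic() if now is None else now
    role = authenticate(key)
    if role is None:
        return 401                          # unknown caller
    if (method, path) not in ROLE_ROUTES.get(role, set()):
        return 403                          # authenticated, role not permitted
    if not limiter.allow(key, now):
        return 429                          # permitted, but over the rate limit
    return 200                              # would be routed to the backend
```

Rejected calls (401, 403) do not consume the caller's quota here; a production gateway would normally also limit unauthenticated traffic, for example by source address.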
Development and deployment demands are more pressurised than ever, especially as DevOps methodologies start to permeate mainstream operational processes. Despite some relative regional sluggishness, open APIs are definitively the future. They are now virtually impossible for anyone with open banking aspirations to ignore. In order to harness their true power, DevOps operatives need to make use of API gateways, analyse their APIs’ traffic, and secure them using up-to-date cybersecurity methodologies. Watch this space.