Joy Macknight examines the reasons behind the rash of financial services firms launching – or in some cases relaunching – open application programming interface developer portals over the past two years.

APIs

Application programming interfaces (APIs), which enable software programs to exchange data in a standardised way, have fundamentally changed the way that software is created and brought to market. Instead of reinventing the wheel each time, developers can reuse applications’ common functionality, strategically integrate with other software and focus on differentiating features.

While the financial services industry has been slow to adopt API technology compared with other industries such as telecommunications, uptake has surged over the past two years. Incoming regulations in Europe and the UK, which aim to make the industry more accessible to new entrants and increase competition, are responsible for much of this interest. 

For example, the EU Payment Services Directive 2, which comes into force in January 2018, requires banks to share customer data with third-party providers. While the directive does not specifically mandate APIs, in general the industry has concluded that they will be the easiest way to comply with the regulation. 

Likewise, the UK’s Competition and Markets Authority (CMA) is pursuing an open banking agenda. In July, the newly formed Open Banking entity released accounts and transaction information and payments initiation API specifications, which will also be live from the beginning of 2018. This follows the mid-March release of branch, ATM and product data APIs from the nine largest business and personal current account providers in the country.

Following the UK’s lead, the Australian government has commissioned an independent review and tasked the Department of the Treasury with developing the best approach for implementing an open banking regime, to report by the end of 2017. 

Digitalisation via APIs

Regulation is not the only factor behind API adoption; many banks see it as part of their digital transformation strategy and key to staying relevant to customers.

Secil Watson, the head of digital solutions for business at Wells Fargo, says: “We – and many of our customers – recognise that people expect and demand more seamless ways of shopping, making payments, exchanging currency, qualifying for a product, viewing data, and so on. By taking banking out of the bank and into a native digital experience, we’re providing increased value to our customers and our customers’ customers.”

The process also supports new fintech businesses by giving customers greater control over their data. “APIs are about putting the ownership of customer data back in the customers’ hands, which is revolutionary from a banking perspective,” says Megan Caywood, chief platform officer at UK challenger Starling Bank. “From our perspective, customers own their data and if they choose to share that data with other technology companies, then we will enable them to do that securely.”

Engagement process

The industry shift to open banking has led to a recent wave of banks across the globe launching developer portals, with the purpose of engaging with external fintech and developer communities. 

For example, in February 2017 Standard Chartered launched its open API developer portal, with an initial focus on its transaction banking business, including cash, trade and securities services. Gautam Jain, global head, digitisation and client access, transaction banking, says of the UK bank’s strategy: “We want to create open ecosystems with our clients and fintech partners, to create new value propositions and better integrate with our clients, helping them digitise their own processes as we digitise our business.”

Since the launch, Mr Jain has seen increasing interest from large clients to use this capability to design new value-add propositions, not just with the bank but their own clients as well. Additionally, Standard Chartered is constantly developing new APIs to populate the portal.

Starling Bank launched its developer portal in March. The challenger found it easy to be a first mover in the UK because it is well equipped from both a business model and technology perspective. “We want to be a thought leader and show the way it can be done, effectively, securely and [while] maintaining the integrity of the ecosystem,” says Ms Caywood. Starling Bank ran a hackathon in April, and three developers have already gone live with their APIs, she reports.

In March, Nordea released the first version of its open banking portal – NordeaOpenBanking.com – targeting external developers. In the first weeks, it received more than 700 applicants and the bank temporarily closed the portal to entries in mid-April. The bank is now running a pilot programme to evaluate the developer platform with 22 partners, from start-ups to more established fintechs, large corporates and consultancy houses, as well as other banks.

“We see the opportunity in terms of being able to partner and create better services for our customers, boost innovation, shorten time to market, and address more niche segments in a better way,” says Nordea head of open banking Jarkko Turunen. The platform is expected to officially launch towards the end of 2017.

Next-generation APIs

Wells Fargo has been providing APIs for specific applications, such as enabling e-commerce payments, since the early 2000s, according to Ms Watson, but she believes that these next-generation API-based services have brought transformational change to the industry. 

In September 2016, the US bank began piloting its API-based services through its portal, Wells Fargo Gateway, with corporate customers, and is continuing to add API solutions and new customers to the channel. “We are not serving just one line of business, but the whole of Wells Fargo, with APIs for retail banking, account aggregation, foreign exchange and treasury and cash management areas,” she says.

BBVA’s open APIs story began in 2013, when the Spanish bank launched its ‘Innova challenge’, a hackathon contest that asked external developers to create potentially commercial applications on top of aggregated statistics derived from customer credit card purchases in Spain. After the initiative’s success, it made “perfect sense” to start enriching the catalogue of APIs with additional services, says Raul Lucas, head of BBVA Open APIs Spain.

BBVA’s API Market website initially launched in December 2015, but was limited to a chosen few to better understand the requirements for a successful venture. More than 1500 businesses and developers registered with the experimental portal. On May 24, 2017, the bank made eight of its APIs commercially available to companies, start-ups and developers, enabling the integration of customer banking data with third-party products and services.

“The driver for the programme is that we believe customers own their data, and that they should be able to benefit from it in a way that better suits them,” says Mr Lucas, echoing Ms Caywood’s point. “BBVA will build products and services that do this, but we can’t build everything and it is a great opportunity for third parties to add value to customers’ lives in a way that we can’t.”

Pay to Mobile

National Australia Bank (NAB) also started using API technology in 2013 with the NAB Flik product, now Pay to Mobile in the new NAB mobile banking app. “Over the past three years, we have progressed three streams of API work: transforming our internal technology; developing partnership opportunities where we leverage capabilities to provide great customer products; and most recently becoming the first major Australian bank to launch a developer portal, which allows developers to access certain sets of our data to foster innovation and drive improvements in customer experience,” says Andrew Butterworth, general manager at NAB Labs. 

The NAB portal launched at the end of 2016 with two NAB APIs that host data relating to NAB branch and ATM locations, and NAB foreign exchange rates.

According to Oran Cummins, senior vice-president of APIs at MasterCard, the company launched its first developer portal in 2010. “We were dabbling and [the platform] was viewed as experimental. But it has become more of an imperative to have a dedicated developer platform to make our services available, particularly in the past few years, so we relaunched the platform in September 2016,” he says.

He reports a massive increase in the use of MasterCard’s APIs over the past two years. “The number of developers gets bigger all the time in terms of queries coming in. There is constant interest in using APIs because MasterCard is able to see payment flows in real time. We have many requests to avail of that, either the real-time part or the sophisticated analytics we generate from the payments data,” he says. 

“This is just the very beginning of the journey. Digital is still just a small part of card payments in general and even the services surrounding this area are small, but they are on a steep growth trajectory.”  

A tiered approach

Managing the mass influx of external developers as described by Nordea and MasterCard is challenging. Therefore, most banks have created a tiered approach to access. BBVA, for example, has three access levels.  

The first level is a sandbox, which allows a registered developer to test the bank’s services with fake data. Second is the basic level, giving limited access to real services and data. Basic access is free, but is limited to professional purposes, meaning applicant companies go through a due diligence process in which the legal documentation of the company is validated, anti-money laundering and reputational risk filters are applied, and the business proposal is evaluated. “Only those projects that will create real value for BBVA customers will move ahead,” says Mr Lucas.

Full access, the third level, is unlimited access and controlled by a commercial relationship. “Stronger measures are applied to certify systems security of the company and to guarantee its solvency in the case of any unexpected event that could cause any harm to BBVA customers,” he says.

Starling Bank has five levels, according to Ms Caywood. As with BBVA, it starts with a sandbox, which has all the same functionalities as in production but with read-only basic information, and moves up to level five, which entails instructing payments via an API. “We make it very easy to start playing around before getting production access,” she says, adding that the access level will indicate what level of compliance and due diligence the bank must carry out.

Currently, Starling Bank is performing its own due diligence until Open Banking develops a directory of pre-approved entities, expected to go live in 2018. At that time, the bank will give greater access to those entities on the directory, should they request it. 

Likewise, Standard Chartered has a sandbox where the developers can experiment with APIs, but they must present a practical and strong client use case to move into production, according to Mr Jain. “Then they will have to undergo quality controls and security reviews as part of the bank’s robust framework because they will be consuming our data. That process is defined and we are just tweaking around the edges,” he says. Mr Jain agrees with Ms Caywood that having a pre-screened list of organisations banks can work with is a positive step forward.

Beyond its tiered approach, Nordea wants to industrialise the way it works with partners, so that it can manage a greater number in an efficient way. “The efficiency has much to do with the bank’s compliance functions, so we want to develop more efficient processes for ourselves but also for our partners,” says Mr Turunen.  

The Nordic bank is creating processes for vetting, as well as for connecting internal stakeholders with the external developer world. “Although we have done this in the past with individual partners, we are now looking to scale things up by developing generic models to reduce the effort on both sides,” he says.

Security: no longer an issue?

Security concerns always come to the fore when talking about exposing customer data, but most banks feel confident that open APIs do not pose an extra security risk. Ms Watson points out that, as with all Wells Fargo sites that require a log-in, the Gateway employs a multi-layered approach to authentication and security. “Since the APIs are essentially ‘read-only’ from the developer’s side, any content they download from the site is secure and trusted,” she adds.

BBVA’s Mr Lucas says that there were many security issues that had to be addressed during the process of making the API Market viable and safe prior to going live. “The main security is still in the core systems and as our APIs rely on the same service layer as the rest of the channels – website, mobile app, and so on – all fraud monitoring processes built there will also apply to APIs.”

Using open APIs actually increases security, according to Ms Caywood. “People are already sharing data, but doing it in an insecure way by screen scraping. APIs add a layer of security around that sharing of data,” she says. 

Additionally, Starling Bank provides greater levels of security beyond the OAuth 2.0 authorisation framework for payments, employing other security methods such as message signing with a digital signature, and so on. “We have worked with the regulators to show them how and to help the traditional banks explore other ways to increase security in areas such as payments,” says Ms Caywood.
