U.K. Push for Open Bank APIs Makes U.S. Look So Last Century
While a handful of U.S. banks are opening their software and data to outside applications, something much bolder is happening in Europe: governments are championing the practice, especially the U.K.
The push for open bank APIs, or application programming interfaces, could transform the way consumers across the Atlantic interact with their banks and increase competition among providers. Switching or opening checking accounts may get easier, for example, since customers could more easily port their transaction history from one institution to another, and comparison services could give them greater insight into the costs of their accounts.
The prospect is both tantalizing and terrifying for banks. On the one hand, traditional products would become more commoditized. But open APIs would allow them to explore new business models, such as running their own app stores.
"The banks have the opportunity to be a marketplace of solutions," said Kristin Moyer, a research vice president at Gartner.
The initiative comes as banks in the U.S. wrangle with account aggregation sites over the practice of screen scraping, considered a less secure way than APIs to share data. The European push for APIs also dovetails with other efforts by the U.K. to become the epicenter of fintech innovation.
The U.K. is continuing its work "toward having more of a leadership role in fintech community," said Moyer. She estimated that top-tier banks in the U.S. are at least three years behind others in Europe in developing APIs. As a result, "in the near term, U.S. banks are at a competitive disadvantage relative to global banks that also play in the U.S. market."
APIs allow one piece of software to talk to another. Open APIs allow third parties to build applications that interact with a bank's data. Importantly, they do so without sharing account credentials, minimizing the exposure of sensitive information.
Screen scraping, on the other hand, requires consumers to entrust their banking logins and passwords to third parties. Despite the risk to customer data from the practice, many recognize there's no going back to a time before Mint.
"Banks, they can't control this Pandora's box," said Alexander Niehenke, a principal at Scale Venture Partners. "Consumers want this."
Screen scraping is convenient for consumers, but it creates a risk for banks, which are required to safeguard consumer data under Title V of the Gramm-Leach-Bliley Act.
"It's a catch-22," said William Nelson, president and chief executive of the Financial Services Information Sharing and Analysis Center, an industry group focused on security threats. "Banks are concerned about the security around it."
The FS-ISAC has published a paper that advocates for a bank API (and a ban on screen scraping). That work has since been passed off to trade associations, including The Clearing House.
In the U.K., HM (Her Majesty's) Treasury commissioned a white paper on bank data sharing in 2014 and assembled an Open Bank Working Group that is getting ready to publish a framework for APIs by year-end. Separately, in October the European Commission issued Payments Services Directive 2, a wide-ranging law that includes XS2A, a rule requiring banks to let apps access their customers' accounts when the customers wish, very likely using APIs, by December 2017.
To be sure, there are good reasons for reluctance to open up via APIs. Beyond the expense, the model not only mandates a new mindset for a risk-averse industry, but also requires banks to open up in a way that could cannibalize their businesses.
"That's really an enormous sea change going," said Moyer. "Culture is really the hardest thing I think to change."
Andy Reiss, a director at the consultancy Fingleton Associates and one of the authors of the open bank report commissioned by the U.K. government, envisions nothing short of a Mint.com-like experience that lets customers choose to share their data with apps that could, say, sweep money out of their checking account and into another institution's savings account with a higher rate, all from a single portal.
"That's the theory," said Reiss. "We will see how it happens."
Just as in the telecom world, where the consumer wouldn't care about the supplier of broadband, Reiss says the API model would turn the bank into a hub for transactions, one where the institution doesn't have a hold on the data for whatever the customer wants. The model could also serve as an opportunity for banks to become a marketplace for apps.
If banks had app stores, Moyer said, they could increase transactions and drive revenue. (Think of it as Apple getting a cut for developers using its platform.)
The Berlin software firm Tesobe's Open Bank Project is among those working with banks toward such a vision.
"There's a lot of appetite" among European banks, said Simon Redfern, chief executive of Tesobe and founder of the Open Bank Project.
APIs, Redfern says, are more reliable than screen scraping and can help put the bank at the center of the platform. He too foresees a day when banks will open their own app stores and customers log in to online banking to pick the ones they want.
But not all are keen on an idea that could create even more distance between their brand and the customer.
David Brear, chief thinker at the consulting firm Think Different Group Ltd., says some institutions see APIs as an opportunity to work closer with startups. Others see it as a threat to their business.
"Banks are reacting in different ways," said Brear.
Starling Bank, which is readying to launch in the U.K., is among those that say they are ready for a more open bank environment.
"We are well positioned to succeed in this new world and have designed our model with this in mind," said Anne Boden, chief executive of Starling, in an email.
As with any bank technology, there are security concerns even in a model perceived as safer than screen scraping.
Fingleton's Reiss says among the many important issues being hammered out is deciding which company is responsible if and when a third-party app clears out somebody's account without permission.
"[Banks] are stepping into the unknown there," said Reiss. "They're basically writing a blank check."
Brear views the API model as "really critical." Without it, innovating is akin to "trying to build a house without bricks," he said.
As such, Brear expects the U.S. government to eventually advocate for a bank API model so the country doesn't lose fintech footing.
"The government and regulators will have to get involved to really push to make this happen," said Brear.