Shamir Karkal was once an outsider trying to change the way people bank. Now, he is an insider trying to change the way banks work with outsiders.

Karkal is a co-founder of the neobank Simple, which BBVA acquired in 2014. Last June he left Simple, which the Spanish banking giant runs as a stand-alone business, but earlier this year he returned to BBVA as the head of open APIs, a newly created role. His job is to shape how the bank implements application programming interfaces, the routines, protocols and tools that let the bank communicate with other companies, such as marketplace lenders, data aggregators and other fintech players.

Karkal often cites companies like Facebook, with its ubiquitous "Connect with Facebook" button, and Amazon, with its Amazon Web Services division, as models of what APIs could do for banking.

In Karkal's estimation, the industry overall has some major catching up to do.

"Every bank should have had this four or five years ago," Karkal said in a recent interview. "It is amazing to me that we're among the first."

Karkal discussed the various business models banks might use with regard to APIs, how the embrace of such technology will likely compound legacy-tech issues, and the banking industry's fear of cannibalization. The following transcript has been edited for clarity and brevity.

What is banking going to look like in five to 10 years, as it relates to APIs?

SHAMIR KARKAL: I suspect that the API evolution will go the way that the online evolution did. In the mid-1990s, there were a few banks that had websites while everyone was like, "What is this thing? There seems to be a lot of buzz about it, but nobody is really using it." Fast forward 10 years and every bank has to have a website, and online became a huge driver of the business. APIs will go the same way. Right now there is some talk about them, but in five to 10 years they will become a facet of doing business online that everybody has to do or end up being left in the dust.

How does that shape up in the United States versus everywhere else?

[He sighs.] I wish I knew. In most places, including the U.S., there will be a few leaders; the tech-centric banks that go out and build APIs, find partners and create new experiences for customers. It will be a phase of innovation, and two or three stable business models will likely come out of that, and I suspect that everyone else will copy those.

For inspiration, we look at the things from the technology world, like Amazon with its Amazon Web Services, what Facebook has done with APIs and Salesforce. There you see different companies in different sectors doing very different things with the same underlying technology.

The most frequently discussed model is the one where the bank becomes more like an app store, right?

That is definitely one that is often talked about, but also one that looks like the Facebook API. The key is that third parties get access to existing customer data and distribution via the app store to existing customers of Facebook or Apple or even a large bank. I suspect that will definitely happen and will be one of the models that banks will try and will be successful, at least to some extent.

The other one is the Amazon Web Services model, which is purely leveraging Amazon's internal APIs to offer capabilities to third parties. Think of companies like Zulily or Wayfair or a bunch of others. They compete with Amazon, but I bet that several of them use AWS for their cloud infrastructure.

And no end-customer ever cares. That's the other model, which is more about leveraging technology and capabilities but not about distribution at all. I think some banks will try that as well. It will be interesting to see which one succeeds, although banking is a very large industry with many subsectors. You could see both models succeed.

Use an anecdote to describe how the AWS model could work in banking.

In banking the closest analogy would be the way WebBank and Lending Club work together. Ultimately, the bank is providing a service to these online lenders on the back end. It is disclosed, but most customers don't care that their loan was technically made by WebBank, which held it for a period of time before sending it to Lending Club's investors. They care that they came to Lending Club, got a loan and the whole experience worked for them.

So, banking as a service, similar to what SolarisBank is trying to do.

That's a great example. It is not that banking as a service or the app-store model are mutually exclusive. Some banks could do both.

Will the legacy systems issue affect the industry's ability to adopt an open API structure?

When you think about it, banks have been one of the earliest adopters of technology. I believe that one of IBM's first mainframes went to a precursor of Bank of America back in the 1950s. They used it mainly to automate back-end tasks like accounting. Up until the '50s, "computer" was a job description for a human being. Again, no end-customer necessarily knew about it. They knew that they got what they needed in a branch. It has since evolved into the online and then mobile world, and you begin to see the underlying technology problems shine through. As long as there was a branch teller, it didn't matter if the teller needed to open six screens and deal with God knows what kind of technological mess, as long as he or she was friendly and smiling and gave you good service, you didn't care how complicated the back-end mess was.

Once it was a website or a mobile app, it mattered a lot more because you keep finding situations where things you think are trivial and should just work, just don't. It gets much, much worse once you have an API because an API is encapsulating the capabilities of the underlying technology in an easy-to-use technical format. If those underlying capabilities are outdated or don't function well, it is very difficult to build an API that works. It might look good, but once you start using it you'll find tons and tons of problems and it is liable to break when you try to scale it. There will be a lot of pressure on banks to take the plunge to really modernize their back-end systems.

One of the reasons AWS is such a huge business is because Amazon understands how to run server farms with hundreds of thousands if not millions of computers. And they learned that from their own business — they just packaged it and sold it to others. If they were running on mainframes, maybe they could get their existing website to function, but they would have never had any success with AWS.

BBVA has taken steps to modernize its core.

We have. After BBVA acquired Compass, they spent $362 million to essentially replace the core banking system with a much more real-time, core-processing platform. And that makes my job and the jobs of all the other technologists much easier.

What will an open API environment mean to the landscape of bank tech vendors, particularly the large ones?

It is likely to force them to move in the same direction as the rest of the technology industry — toward simple, well-documented, easy-to-use public APIs. They'll still have a massive role to play because banks will need some of the key capabilities that they currently provide. There is also an opportunity for them as APIs should lead to an increasing demand for more modern core-processing services.  

What areas of banking are perhaps the easiest places or most natural fit to incorporate open APIs?

The most natural fit is where we are starting — with three-legged OAuth APIs to give third parties access to customer and transaction data. [OAuth, an open standard for authorization, lets users approve an application to act on their behalf without sharing their passwords.] The whole screen-scraping model, which is what many use to power the personal financial management apps out there, is a security risk and is far from ideal. The tech industry has solved this problem with APIs — think of the Connect with Facebook or Twitter buttons. You click on it, it sends you to Facebook, you tell Facebook to please share your information with this third party and Facebook does that without sending your username and password. Every bank should just do that.

If you look at the PSD2 in Europe, that system is headed in that direction. It requires banks to provide third parties with access to customer data and the ability to transact in some simple fashion. Exactly how that happens hasn't been specified, but I'm hoping and assuming that the industry will gravitate toward what is already the standard in the technology world and that is OAuth.

The security issue is a major one with screen-scraping, but there is also the issue of the data demands from third parties on bank servers. Would APIs address that issue, too?

If APIs are designed well, then the load from third parties should be much, much less. You could still do a bad job, but if done right APIs are much more scalable and secure than screen-scraping.

Some might say that, as a bank, investing in APIs is essentially investing in cannibalization, since one of the benefits is making it easier to work with fintech companies.

It is quite possible that some of the API customers will end up competing with you. At BBVA, we have no issues with that; in fact we welcome it. We look at the tech sector — the iPhone 6 cannibalized the iPhone 5, which cannibalized the iPhone 4. Apple cannibalizes itself every day. They do that because they know if they don't, someone else will. This whole focus on cannibalization in the banking industry just seems weird coming from the tech world, because the idea that you get a bunch of customers and you hold on to them forever by providing them with increasingly bad customer experiences just sounds silly. If someone else is building a better product, you should partner with them to do that.

So making it easier to connect with fintech companies through APIs puts you at the center of the fintech world. A customer could have a Common Bond loan and use TransferWise to send money abroad, but BBVA sits at the center of that equation and the customer has a better experience overall.

Right, the customer is better off and in the long term, the customer being better off means the service providers and the bank are better off. Customer relationships — things like branding, good customer service — are universal and don't go away. You just have to figure out how to do that in an API world in a fashion that is scalable. It is doable. Companies from the technology world have been doing it. You just have to figure out the model that makes sense for you and your business goals. Sticking your head in the sand is not the best solution.

We've talked mostly big picture about APIs and banking, but let's talk about your new job and your alpha test.

The APIs are public. You can look up the end points, the documentation, etc. For a first try, I think it is pretty decent. There are several things we want to do, and there is a backlog of issues that we are working on to make it better. As I mentioned, what the APIs do is three-legged OAuth, which allows third parties to securely get access to our existing BBVA customers in Spain and in the U.S. It is a no-brainer. Every bank should have had this four or five years ago. It is amazing to me that we're among the first. We are seeing strong interest from the industry, and the goal of the alpha program is for us to learn about how to deal with third-party apps and how best to engage with them because we are heavily regulated and we still have those regulatory duties. So, we're taking baby steps with the alpha to learn from it and then build a model to scale it.

Going forward, we plan to launch many more APIs and expand the alpha.

If we're talking in a year, what do you hope you're saying about the progress?

I'd love to be able to tell you we have our initial APIs fully launched and maybe a few in alpha or beta. We have a few customers using them and building customer experiences that are large and at scale. And I'd love to see that others in the industry are moving to do the same, especially in three-legged OAuth. In that we are not competing with other banks, we'd love for other banks to be doing it and hoping that OAuth becomes the standard in the banking world as it is in the technology world.
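The three-legged exchange Karkal describes earlier in the interview (the user is sent to the bank, logs in and consents there, and the third party gets access without ever holding the password) is written out below as an added Python example. It is not part of the interview and not BBVA's API: the bank endpoint, the personal-finance app, the user, the client secret and the URLs are all constructed stand-ins, and the checks the bank performs (client secret, registered redirect_uri, single-use and short-lived codes, scope on the data endpoint) and the client's `state` check are the ones a practitioner would expect from an OAuth 2.0 authorization-code flow in general, not anything the page specifies.

```python
# Constructed toy of a three-legged OAuth 2.0 authorization-code flow (not BBVA's code).
# All names, URLs and credentials are made up; the two classes stand in for the bank
# (authorization server plus one data endpoint) and a personal-finance app (the OAuth client).
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class BankAuthServer:
    CODE_TTL = 60  # seconds an authorization code stays valid

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.users = {}    # username -> (salt, password hash); the password itself is never stored
        self._codes = {}   # code -> grant metadata; each code is single-use
        self.tokens = {}   # access_token -> {"user", "scope"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def _check_password(self, username, password):
        salt, digest = self.users.get(username, (b"", b""))
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        """Leg 2: the user logs in and consents at the bank; the bank redirects back with a code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not self._check_password(username, password):
            raise ValueError("bad credentials")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "user": username, "scope": scope, "issued": time.time()}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Leg 3: the third party trades the code, plus its own secret, for an access token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        meta = self._codes.pop(code, None)  # pop: a replayed code finds nothing
        if meta is None or time.time() - meta["issued"] > self.CODE_TTL:
            raise ValueError("invalid, expired or already used code")
        if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
            raise ValueError("code was not issued to this client and redirect_uri")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": meta["user"], "scope": meta["scope"]}
        return {"access_token": access_token, "token_type": "bearer", "scope": meta["scope"]}

    def transactions(self, access_token):
        """Data endpoint: released only for a live token that carries the right scope."""
        grant = self.tokens.get(access_token)
        if grant is None or "transactions:read" not in grant["scope"].split():
            raise PermissionError("missing or insufficient token")
        return [{"user": grant["user"], "amount": -42.10, "memo": "constructed sample row"}]

class ThirdPartyApp:
    def __init__(self, bank, client_id, client_secret, redirect_uri):
        self.bank, self.client_id, self.client_secret = bank, client_id, client_secret
        self.redirect_uri, self._pending_state = redirect_uri, None

    def start(self, scope):
        """Leg 1: send the user to the bank; state ties the later callback to this session."""
        self._pending_state = secrets.token_urlsafe(16)
        return "https://bank.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self._pending_state})

    def callback(self, redirect_url):
        """Client half of leg 3: reject a callback whose state we did not issue, then exchange."""
        params = parse_qs(urlparse(redirect_url).query)
        if params.get("state", [None])[0] != self._pending_state:
            raise ValueError("state mismatch: not a callback for this session")
        self._pending_state = None
        return self.bank.token(self.client_id, self.client_secret, params["code"][0], self.redirect_uri)

def run_flow():
    """Drive all three legs; returns the pieces so a caller can inspect or replay them."""
    bank = BankAuthServer()
    bank.register_user("alice", "correct horse battery staple")
    bank.register_client("pfm-app", "pfm-client-secret", "https://pfm.example/callback")
    app = ThirdPartyApp(bank, "pfm-app", "pfm-client-secret", "https://pfm.example/callback")
    q = parse_qs(urlparse(app.start("transactions:read")).query)
    # The password is typed on the bank's page; the app only ever sees the code and the token.
    redirect_url = bank.authorize(q["client_id"][0], q["redirect_uri"][0], q["scope"][0],
                                  q["state"][0], "alice", "correct horse battery staple")
    tok = app.callback(redirect_url)
    return {"bank": bank, "redirect_url": redirect_url, "token": tok,
            "transactions": bank.transactions(tok["access_token"])}

def replay_rejected(result):
    """True if presenting the already-used code a second time is refused by the bank."""
    code = parse_qs(urlparse(result["redirect_url"]).query)["code"][0]
    try:
        result["bank"].token("pfm-app", "pfm-client-secret", code, "https://pfm.example/callback")
    except ValueError:
        return True
    return False
```

Running `run_flow()` ends with the app holding a bearer token scoped to `transactions:read` and one sample row from the bank, while the only place "alice"'s password appears is the call to the bank's own `authorize`. That is the contrast with screen-scraping: an aggregator that scrapes has to keep the customer's real credentials and replay them, whereas here the bank can revoke a single token, limit it to a scope, and see which registered client is calling. The `state` check on the client side and the single-use, redirect_uri-bound code on the bank side are the two pieces most often left out of quick implementations; `replay_rejected()` shows the second one in action.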