Open Banking Report 2018
Building Trust, Gaining Consent, and Improving Customer Experience
Authors
Oana Ifrim
Mélisande Mual
INNOPAY
Open Banking Report 2018
RELEASE | VERSION 1.0 | SEPTEMBER 2018 | COPYRIGHT © THE PAYPERS BV | ALL RIGHTS RESERVED
3 OPEN BANKING REPORT 2018 • MANAGEMENT SUMMARY
Management Summary
“Open Banking is an opportunity to serve customers across segments in an even better manner by co-creating services to meet their
needs”, rightfully noted Jarkko Turunen of Nordea in The Paypers’ 2017 edition of the Open Banking and API report. Open Banking is
about creating opportunities and helping users achieve their ambitions, further agreed Derek White of BBVA, who indicated that opening
the bank’s platform to third party applications meant “creating synergies with the most innovative tech businesses out there in order to
build a new generation of digital experiences for customers that are as convenient and advantageous as possible”.
Very well received by readers, last year’s comprehensive edition of our Open Banking report showcased the nascent landscape of
Open Banking in Europe and the issues standing, at that moment, in the way of universal adoption. We made our best efforts to shed light
on the functional scope of access to account, effective business and operational models, and standardisation in terms of technology,
legal, and operational matters.
Even more, The Paypers gave an overview of the key issues that come with open access, by asking crucial players in the market such as
banks, consultants, merchants, and fintechs to give more insights into the debate and the most relevant topics that need to be addressed
and solved in order to fully leverage the potential of Open Banking. And, of course, we explored the strategic implications this initiative has
for banks and the changes that it will bring for product creation and distribution. Also, we provided a synopsis of what the new regulations
put forward by PSD2 will entail and how these can be adopted and implemented by the banking industry.
And here we are now, September 2018.
What we see is that Open Banking must have kept its promise, as in January 2018, after more than two years of planning, the Payment
Services Directive 2 (PSD2) kicked off in Europe and the Open Banking ecosystem overall has changed a great deal. The rules saying
that banks must allow you to share your financial info with other authorised providers have now come into effect. Since PSD2 became
effective, driven by consumer sentiment, expectations and demand for new banking products and services, forward-looking banks are now
setting up distribution partnerships with third-party platforms, adapting their existing platforms so that they can easily aggregate data from
external sources.
PSD2 facilitates innovation, competition, and efficiency among banks and other payment institutions, especially around Strong Customer
Authentication, mandatory 18 months after the enforcement of the RTS (Regulatory Technical Standards). Once the RTS is published in
the Official Journal of the EU, scheduled for September 2019, payment service providers, including banks, will have sufficient time to
adapt their IT systems and business models to the new security requirements.
Our goal
The Paypers is committed not only to help all players understand the opportunities Open Banking offers, but also to provide a comprehensive
analysis of the global state of play and the most notable initiatives in the European Union (driven by PSD2), the UK (driven by the Competition
and Markets Authority), and even beyond Europe.
The present edition of our Open Banking Report puts particular emphasis on key topics such as new business models, customer experience,
IT challenges, security, privacy, and consent. These topics prove to be the stepping stones in building the strategic thinking of stakeholders,
who will, in the end, find the best path and choose the right partners to travel across Open Banking.
The story until now
The ability to exploit and offer more innovative and more individually tailored propositions is paramount to Open Banking. This initiative
will be the enabler to build new products that enhance the customer experience, notes Nadish Lad from Volante Technologies. For this
to happen, mandated and non-mandated players need to engender a shift in culture towards an agile way of working that encourages
innovation, explains Imran Gulamhuseinwala, trustee of the Open Banking Implementation Entity.
Both in the EU and the UK, Open Banking encourages the entry of new banking and payments competitors in markets perceived to be
competitively stagnant, driving better pricing and innovation. Agile players are already taking advantage of the Open Banking opportunities.
ONPEX, for instance, recognised the gap in the current product offering of traditional banks – the company provides a modular platform with
full banking functionalities and offers this as banking-as-a-service to their clients.
No doubt, banks will only survive if they calibrate their business model and stay in tune with the changing environment, indicates Pavlo
Sidelov, SDK.finance. What is more, new revenue streams will evolve, and TPPs – be they banks, telcos, retailers, insurers, or any other type
of company – can benefit from this dynamic environment – if they position themselves in a timely and proactive manner, agrees Mathieu
Barthélémy from Worldline.
We are beginning to see some compelling and innovative propositions develop, including initiatives for helping financial institutions reduce
onboarding time, cost, and complexity, all of which will ultimately help customers, adds Imran Gulamhuseinwala. However, Open Banking-
enabled end-user products commonly noted in the EU and the UK today indicate a predominance of personal financial management (PFM)
applications, new valuable services for their customers, which are meant to increase customer satisfaction, loyalty, and boost revenue
generation. In Belgium, for instance, aggregation will be available to BNP Paribas Fortis and Hello Bank! customers as of late 2018, with a
progressive enrichment of the offer going forward. In order to provide such services, BNP Paribas Fortis has decided to ‘go open’ and enter
a partnership with Tink to allow for a wide range of aggregation-related capabilities. Nordea, also, has made a proof of concept about the
aggregation of data from several banks.
Furthermore, adds Imran Gulamhuseinwala, SMEs enjoy a fair share of opportunities in Open Banking, specifically when it comes to
cash management. Cash flow management is the lifeblood of all businesses - and particularly for SMEs. Fintech is changing the way
small businesses meet cash flow concerns within their business by adopting digital technologies and tools to assist in the diagnosis,
management, and prediction of cash flows. But, ultimately, who stands to benefit most? The end users, thanks to innovations in customer
experience and new institutional business models enabled by Open Banking application programming interfaces (APIs).
The introduction of PSD2 and Open Banking is accelerating digital change, requiring organisations to undertake a fundamental re-assessment
of their business models. And quickly. What options are available to banks looking to get ahead?
According to Mobey Forum, some banks may choose to take a straight compliance approach to PSD2 and retain their existing role. There are
opportunities, though, to explore new approaches. Banks can choose to be ‘distributors’, leveraging third-party services to enhance their
product portfolio. They can also be ‘producers’ and develop their own services to be distributed by third-parties, extending the reach of their
core products.
However, if the above don’t give the bank the upper hand in this open economy, the bank’s got other tricks up its sleeve: they can also
leverage and capitalise on easier access to data by becoming information ‘aggregators’ or ‘providers’.
They can take the opportunity to act as TPPs themselves and they have the ability to understand what their business customers do with
other competitive banks, and fintechs, explain Mark Hartley and Conny Dorrestijn from BankiFi. Open Banking, Open Data, and GDPR, they
continue, “enable banks to offer their customers much more meaningful services built on consensual access to customer data that can be
combined and analysed to help them choose the right products and services. Moreover, banks could truly act on behalf of the business
customer, rather than simply trying to sell them one of their own manufactured products. Thus, banks can generate fair fee-based income by
charging flexible rates for those services, and offering insights to the fintechs that use the bank’s app store as the last mile to the customer.”
Ultimately, with open banking APIs, a bank’s ‘power to authorise’ could extend beyond payments and into digital authentication and ID,
suggests Marten Nelson from Token. ‘KYC-as-a-Service’ has huge revenue potential for banks that reposition themselves as guardians of
customer identity. With the right open banking platform, banks could dramatically increase the security of digital services everywhere by
performing this service based on their KYC-enrolled customer data. Therefore, banks can quickly reposition for new services and generate
new revenues.
UK leads the way
In the UK, the revolution began in January 2018, sparked by the UK Open Banking standards intended to stimulate innovation and
competition. The Open Banking reforms were prompted by the UK’s Competition and Markets Authority (CMA), which identified competition
concerns in the retail business and consumer current account markets. The Open Banking initiative in the UK was subsequently broadened
in scope to apply to the same types of payment accounts that PSD2 covers.
Since the Open Banking APIs were first made available in January 2018, the CMA adopted a staged approach to Open Banking to allow
for a smoother and lower-risk implementation of a single API standard.
The movement is coordinated by the Open Banking Implementation Entity (OBIE), which calls the initiative “the future of money” and
boasts: “Get ready for a world of apps and websites, where you can choose new financial products and services from
providers regulated by the Financial Conduct Authority (FCA) and European equivalents.”
This was the first change to occur as part of Open Banking in the UK, with nine of the largest current account providers being required
(mandated) to give registered TPPs access to their customer banking data through open API. This enables third-party software developers
to build new apps, services and solutions that plug into online banking platforms and create the potential for innovative services that make
better use of customer data.
The second release came out on the 7th of September 2018, when the OBIE announced the publication of the Open Banking Standards,
version 3. This update builds on the version of the Standards that was launched in March 2018, giving account providers, who implement
them, a solution that complies with the EU’s PSD2. Whilst previous versions of the Standards covered business and personal current
accounts, Version 3 covers all products with payment capabilities (credit cards, pre-paid and e-wallets) in any currency.
The next one will build out the full suite of PSD2 functionality in terms of payments. It will cover not just single immediate payments, but
also future-dated payments, standing orders and so on. In March 2019, Open Banking UK will release the app-to-app redirection, aimed at
simplifying the consumer journey from the point of view of SCA, allowing biometrics to be used for the first time.
What’s happening in Europe and beyond
In Europe, BBVA launched their API marketplaces even before regulatory mandates. These steps were followed by Nordea, one of the first
banks in Europe to see the potential opportunities offered by PSD2 regulations, which require banks to open up to third parties to offer
services to account holders. Since the launch of Open Banking, more than 2500 developers have registered to test Nordea’s APIs. After the
bank launched nordeaopenbanking.com in 2017, it did not stop there. In June 2017, they invited the first beta testers to their sandbox,
and, since then, there have been hundreds of developers experimenting with their APIs within the sandbox. Furthermore, in November
2017, Nordea published the Open Beta, available for anyone who wants to register to test the APIs and, in December 2017, they connected
the APIs to the production system, which made Nordea the first Nordic bank to offer pilots access to real customer data.
During 2018, the bank has been focusing on improving the developer experience, running a pilot in Finland and, most recently, went live in
Sweden. Nordea’s Open Banking team is now working with APIs beyond PSD2 to introduce a concept where corporate clients would be
able to access their own data via APIs, without a licensed third party being in the middle.
The Dutch ING accelerated this movement by launching its marketplace for SME financing open to external financing providers, thus
expanding its financial asset management services offered to customers.
Furthermore, Rabobank introduced a new Open Banking platform – the RABO Developer Portal, allowing third parties to build on top of the
bank’s digital (API) services and incorporate Rabobank functionality into their propositions. Another new Open Banking initiative of the bank
is Rabo eBusiness, which is a partnership between a traditional bank and a fintech (Signicat). Rabo eBusiness acts as a service aggregator
that provides a distribution channel for new products and services to their customers.
But wait.
Many other markets around the world are also looking to adopt similar principles with the ultimate view of delivering better customer financial
outcomes.
While Europe is at the start of this Open API journey, perhaps some indications of the road ahead can be gained by looking at India’s
digital transformation experience over the past 10 years. The introduction of a digital identity system and an open-API economy have
truly revolutionised India’s payments ecosystem and customer experience and highlighted the transformative potential of Open Banking for
Europe. With Aadhaar, India Stack and UPI, India is now the hotbed of digital innovation and in an excellent position to take forward Open
Banking.
Hot on the heels of Europe, Australia is set to implement Open Banking as early as July 2019. So far, the Treasury Laws Amendment (Consumer
Data Right) Bill 2018 has been tabled in parliament, while USD 44.6 million have been committed over four years by the 2018/2019 Federal
Budget to establish a Consumer Data Right (CDR). Now it is up to the legislators and regulators to decide on the final details, and set up
appropriate data standards.
Moving in the Asia Pacific, The Monetary Authority of Singapore is pioneering a regulatory framework regime that favours a market-driven
approach, and the API playbook issued by the Authority adds to that claim. On the other hand, Malaysia’s central bank believes that Open
Banking catalyses competition, broadens access, and fosters innovation in the sector. Maybank, for example, has organised hackathons,
and is welcoming fintech companies. Similarly, Thailand enjoys a fintech friendly environment. A local bank, Kasikorn Bank, has recently
launched a +30 million venture fund for startups in the region. Moreover, the Bank of Thailand has encouraged standardisation of a code
payment scheme, initiating a regulatory sandbox environment. In Indonesia, Bank Central Asia has initiated a sandbox environment.
It’s important to point out that...
It’s all fun and games until someone brings standardisation into discussion. PSD2 aims to develop a unified, innovative, pan-European
digital ecosystem for financial products, and uniform processes, systems and interfaces are essential for achieving this goal. However, the
directive leaves open the details of the API that third-parties will use to connect with banks. While the CMA has required British banks to set
up an independent implementation entity called Open Banking Limited, the EBA’s draft RTS for PSD2 specifies only technical framework
conditions and no interface standard.
No doubt, pan-European API (and even cross-bank) standards have yet to be clarified. One thing is for sure, though: the lack of an implementation
entity is a significant gap. To help fill it, multiple standardisation initiatives are aiming to decrease communication complexity between
banks and TPPs. In Europe, several initiatives have been launched to create an open and common API standard for PSD2: the Berlin Group
– consisting of almost 40 banks, associations, and PSPs from across the EU – has defined a common API standard called “NextGenPSD2”
for the use cases specified in PSD2. Initiatives are also being launched in Poland (PolishAPI) and France (STET) by consortia of banks in their
respective countries. In the UK, the OBIE is also working on a common API standard, an initiative mandated by the UK’s CMA in 2016, ahead
of PSD2.
Ultimately and most importantly, the critical success factor for Open Banking is trust and a key driver to building trust is ensuring data is
not lost or stolen, but that it is also only used for the purposes that customers “allow” it to be used for. Consent is a fundamental part of
Open Banking and the key service enabler for trust, point out Mark Hartley and Conny Dorrestijn from BankiFi.
In the context of data processing in Open Banking, consent will need to be explicit, as mandated in PSD2 in accordance with the GDPR.
Banks have to allow your info to be shared, but only if you explicitly give permission to the new provider. However, third-party access to
customer accounts and the associated data will inevitably raise concerns about security and privacy.
As such, privacy, consent, and fraud detection tools will be necessary components of engaging customers and locking in their trust.
As explained by Mike Nathan, ThreatMetrix, banks must ensure the same level of security across all access points including the Open
Banking environment, with the additional check around consent. They also must focus on risk control and put more emphasis on active
risk management and monitoring.
PSD2 will introduce new waves of fraud in never-before-seen patterns. There will be new attacks on the users of the new payments services,
an increase in “director” and invoice fraud, and new social engineering schemes, explains Richard Harris, Feedzai. Meanwhile, he adds, new
third-party providers (TPPs) will increase transaction volume, and instant payments will decrease the time to make decisions about fraud.
One of the principal concerns around sharing customer data with TPPs is that it can become compromised during transit, at-rest (storage)
or in-use. More significantly, the third-party providers that run their own security controls are now responsible for securely protecting any
shared account-related data they process. If not properly secured, this could lead to potential fraudulent financial activity and reputational
damage for the parties involved. Even worse, for banks, it could severely undermine the trust-based relationships with their customers.
Thus, it is of tremendous importance that any third-party provider is authorised by the FCA to use Open Banking connections and has
its business plan, risks, systems, controls, and staff independently reviewed.
Furthermore, it is imperative for organisations to ensure secure communication channels, accurate systems, and “live” data mapping that
enable them to know what data goes out and to whom. Clear, GDPR-compliant processes, coupled with an appropriate explanation
when obtaining consent, are also becoming a necessity. It is of equal importance that financial institutions ensure that the APIs are secure,
robust, and resilient. Outdated APIs can be an open door to financial fraud; unsupervised machine learning can shut that door, points out Fang
Yu from DataVisor.
Technology for keeping track of consents, their withdrawal, and right-to-be-forgotten requests, as well as where the information disclosed
goes, is necessary to ensure no one’s information is used without consent, and that data subjects’ rights are enforced appropriately.
Conclusion
Open Banking has arrived, and although it poses challenges for banks to stay competitive, it has also created opportunities for them to bring
their heritage into the modern world. Overall, there is still a long way to go with Open Banking, but a lot of what will help in terms of user
adoption and engagement will be through paying close attention to creating better, efficient, smooth, personalised customer experiences.
Security, a thorough understanding of customers’ needs and, most importantly, trust are essential for banks to survive. It remains to be seen
how the market will evolve, but it certainly is a good time for banks to build on their core strengths, adapt security requirements defined in
PSD2, their IT systems, and business models.
We would like to express our appreciation to Holland FinTech – our endorsement partner who has constantly supported us – and also to our
thought leaders, participating organisations, and top industry players that contributed to this edition, enriching it with valuable insights and,
thus, joining us in our constant endeavor to depict an insightful picture of the Open Banking ecosystem.
Enjoy your reading!
Oana Ifrim
Senior Editor, The Paypers
Table of contents
Management Summary
A View on Open Banking in Europe, UK and Across the World
• The Current State of Play: Working to Implement PSD2 and Towards Open Banking | INNOPAY and Deutsche Bank
• PSD2 API Services – Why Such a Slow Burn? | Tim Richards, Principal Consultant, Consult Hyperion
• Banking Half Open or Half Closed? | Ralf Ohlhausen, Business Development Director, PPRO Group
• The Progress of Open Banking in the UK and the Learning Points So Far | Imran Gulamhuseinwala, Trustee of the OBIE
• 11:FS Point of View: Will PSD2 Deliver on its Promise? | Amanda Boachie, Research Intern, 11:FS
• Digital India – How Digital Identity and Open APIs are Driving Payments Innovation | Parth Desai, Founder & CEO Pelican and PelicanPay
• Towards Open Banking in Australia | Erin Taylor, Research Consultant, Holland FinTech
• Is Asia Ready to Embrace Open Banking? | Zennon Kapron, Founder and Director, Kapronasia
• How Banks Are Preparing for Openness in Europe and Asia Pacific | Asli Seven, Research Analyst Intern, Holland FinTech
Opportunities for Banks and Third Party Providers in Open Banking
• Open Banking Means Business | Marten Nelson, Co-founder and CMO, Token
• The Revolution of Open Banking and the New Opportunities for Banks | Mathieu Barthélémy, Product Manager of the Digital Banking Platform, Worldline
• Exclusive Interview on How ONPEX Positions in the Open Banking and Payment Ecosystems | Christoph Tutsch, Founder and CEO, ONPEX
• Interview with Volante Technologies on how Companies Can Become PSD2 Compliant | Nadish Lad, Head of Payments Products, Volante Technologies
• Open Business Banking Is Good Business for Banks and Entrepreneurs | Mark Hartley and Conny Dorrestijn, founding partners, BankiFi
• Speeding up the API Journey Is Imperative for Banks’ Success | Pavlo Sidelov, CTO, SDK.finance
• Open Banking and TPPs Trigger Banks to Innovate their Corporate Onboarding Processes | Esther Groen, Director, Lead Banking & Payments, and Josje Fiolet, Manager, INNOPAY
• Mastering Open Banking: How the ‘Masters in Openness’ Create Value | Mounaim Cortet, Senior Manager strategy and Lead for PSD2 and Open Banking, INNOPAY
• PSD2 Payment Initiation Services: Competition for Card Payments? | Ron van Wezel, Senior Analyst for Aite Group’s Retail Banking & Payments practice
• Producers, Distributors, Aggregators: Strategic Options for Banks in the Post-PSD2 Age | Elina Mattila, Executive Director, Mobey Forum
• MoneyMaster – a Customer-Driven Open Banking Service | INNOPAY Maarten
Open Banking – Securing Access and Locking in Customers’ Trust
• Sharing Transaction Risk Data Leads to Open Banking Success | Milan Kaihatu, Senior Consultant, and Rob van Meijel, Consultant, INNOPAY
• Behind the API: Managing Third Party Risk under PSD2 | Richard Harris, Head of International Operations, Feedzai
• Interview with ThreatMetrix on How Strong Customer Authentication can Create a Framework for Identifying, Detecting, and Responding to Threats in Open Banking | Mike Nathan Senior Director – Solutions Consulting EMEA, ThreatMetrix
• APIs: The New Attack Vector | Fang Yu, Cofounder/CTO, DataVisor
Banks’ Quest for Better Customer Experiences
• The Anatomy of Aggregation Services | Valentina Caruso, Head of Product Management Cards & Accounts within the Retail & Private Banking division, BNP Paribas Fortis
• Seizing Open Banking Opportunities – Rabobank’s Experience | Daan van den Eshof, Product Manager, Rabobank’s identity solutions, Ali Babakhan, Product Manager, Rabobank’s identity solutions, Desiree van der Geer, Product Manager, API development and Open Banking, Tjeerd Tesselaar, Product Manager, API development and Open Banking, Rabobank
• Nordea’s Open Banking Journey – Exclusive Interview | Gunnar Berger, Head of Open Banking, Nordea
• Neobanks Are Setting the Benchmark in Banking | Jeroen de Bel, Founder & Principal Consultant, Fincog
A View on Open Banking in Europe, UK and Across the World
The UK’s Open Banking regulation made waves in the financial services market, with a particularly powerful effect in the UK and the rest of Europe. Markets beyond European borders are now following closely and looking to adopt similar principles with the ultimate view of delivering better customer financial outcomes. This chapter encompasses the progress of Open Banking around the world.
This article is part of a joint effort from Deutsche Bank and INNOPAY, titled Unlocking opportunities in the API economy, focused
on how corporates, financial institutions, and fintechs may prosper on the journey from PSD2 to Open Banking.
All of the developments taking place in Open Banking depend on (a minimum level of) harmonisation and agreement of common
standards. This harmonisation allows incumbent and new players to compete and collaborate on a level playing field, bringing their
customers the very best in innovative and convenient products and services. A half-hearted, hesitant, and fragmented introduction of
access to accounts will jeopardise these opportunities for all involved.
Therefore, both traditional and new market players should be taking part in the standardisation initiatives underway, as well as exploring
potential collaborations, be it co-developing API standards or working to provide other essential services such as API testing. There is
ample scope for organisations of all types to realise synergies while positioning themselves favourably in the new innovation ecosystem
that widespread use of APIs will usher in.
We shall now set out the current state of play in PSD2 standardisation initiatives in general, and API standardisation in particular, in the
following sections, covering:
• Market scenarios: addressing why the way we implement access to accounts is crucial. A brief summary of potential market scenarios
resulting from PSD2 and the direction in which the market is heading;
• The challenge for banks: a complex environment of PSD2 standardisation, with EU law makers closely involved. An overview and
categorisation of the complex structure of different levels of European standardisation initiatives, including the latest insights on market-driven
API standardisation initiatives and other standardisation initiatives focused on governance and operational matters resulting from PSD2;
• Unlocking opportunities of scale for customers, banks and TPPs by aligning and converging API standards for PSD2. An outline of how
European law makers are seeking to harmonise market-driven PSD2 API standardisation initiatives to realise the benefits of a more
standardised and harmonised approach to TPP access to accounts.
1. Why it is crucial to get right the implementation of “access to accounts”
Clearly, access to payment accounts for authorised TPPs will happen under PSD2; the real question is what shape or form it will take.
The various market scenarios that could emerge as a result of these provisions of PSD2 are depicted in Figure 1.
Figure 1: Market scenarios for TPP access to account and Open Banking
The Current State of Play: Working to Implement PSD2 and Towards Open Banking
The horizontal axis refers to the level of openness by banks across Europe, which can be conservative (focus on PSD2 and RTS compliance)
or progressive (opening up account access services beyond what is mandatory under PSD2, contingent on individual business cases).
The vertical axis indicates the level of harmonisation of the communication interfaces and operational connectivity measures provided
by banks. In a fragmented landscape, each bank with a compliance obligation under PSD2 defines its own interface and connectivity
requirements; while in a harmonised landscape, banking communities mobilise and collaborate to facilitate cost-effective pan-European
reach, connectivity, and interoperability.
Where we are now and where we are heading
At present, the European payments and banking market most closely resembles Scenario 1. The industry’s major task, therefore, is to
progress – by collaboration – to Scenario 2, which represents the minimum level of harmonisation and standardisation for industry players
to operate cost-effectively in the new PSD2-compliant payments landscape, making sure that customers and TPPs may start enjoying the
benefits offered by access to accounts through APIs.
Looking ahead beyond mere PSD2 compliance, Scenario 2 has the potential to evolve into Scenario 4, a fully developed Open Banking
ecosystem, in which market players make extensive use of the underlying innovation potential. Banks will be able to bundle services
around client information assets – beyond just those relating to payment accounts – creating incremental value for customers. This era of
Open Banking is already unfolding, driven by regulators in some countries and regions, and emerging by market appetite in others (see
Figure 2).
This will drive new financial products and services on the one hand, and enable new business models, partnerships, and revenue models
to emerge on the other. To achieve this, further collaboration will be required of the industry. Alternatively, the regulator may in due course
decide to require the industry to take this next step.
Hurdles in the way of achieving viable conditions for access to accounts
The first objective of all market players should be to move to Scenario 2, where access to accounts is offered via APIs at a reasonable
level of standardisation. This would represent a great leap forward for the payments market, and there will be many hurdles that need to
be overcome – regulatory, security, and technical – on the way to realising it.
As a starting point, current API models will need to be refined or adapted to accommodate particular market player interests, or specific
use cases. It is also not yet clear whether certain types of payment and payment-related transactions can be offered over APIs.
These include future-dated payments or standing orders where the settlement amount at maturity might be less than the nominal amount.
Terms of credit for API-mediated payments will also need to be considered, alongside benefits and protections for payments customers to
incentivise them to choose these over credit or debit card payments. The circumstances and terms under which (commercially valuable)
information about customers’ available credit lines may be disclosed is another area for discussion. The PayLater Initiative being
launched by the Berlin Group, SWIFT, and some banks, allowing push payment customers credit to make their payments, shows this is an
area in which work is currently being carried out.
In view of these current developments, corporates, particularly e-merchants, should be co-operating closely with banks and fintechs – if
needed through trade associations, user groups or conferences – to communicate their use cases, related requirements, and desired user
experience.
Latin America
– Mexico passed a law regulating fintechs on March 10, 2018. The law permits Open Banking, or the sharing of user information by financial institutions through public APIs. The law was crafted in general terms, and key details will be determined in the coming months by banking and securities regulator CNBV, the central bank and the finance ministry
– Brazil is in the early stages of market assessment.
North America
– US’ Consumer Financial Protection Bureau (CFPB) has pushed for more secure data access as an alternative to screen scraping
– NACHA API standardisation working group established with the aim of developing an “API Playbook”, which will serve as a tool to assist industry stakeholders with the creation of a standardised API ecosystem that can enhance support of the payments and business needs of industry participants
– Several US banks have launched Open Banking Developer Portals and APIs
– US Treasury Department published a report aimed at fostering innovation in the lending, payments and wealth management industries, including guidance on Open Banking and sharing of financial data
– Canada’s government is set to conduct a review into the merits of introducing an Open Banking regime which would give consumers the ability to share their financial data with third parties.
Africa
– PSD2 developments are being closely followed; South Africa may follow suit
– API banking use cases for financial inclusion are gaining traction in Nigeria.
Europe
– PSD2 regulates banks offering online accessible payments to enable authorised TPP access to account for account information and payment initiation services
– UK Competition and Monetary Authority (CMA) regulated 9 largest UK private banks to open-up using APIs and to form an Open Banking Implementation Entity. Scope of API access is larger than PSD2 and also includes generic bank information
– Swiss Open Finance API (SOFA) project aims to create a common API and a standard for the Swiss financial services industry.
Asia
– Monetary Authority of Singapore (MAS) is pushing for a lightweight regulatory framework regime, favouring a market-driven approach, and supports APIs. It has published a Playbook with guidelines for banks and is currently exploring an ASEAN-wide industry sandbox with the help of the World Bank and IFC
– Hong Kong Monetary Authority (HKMA) plans to regulate tier-1 banks to open-up APIs. The focus is on a wider set of retail banking products
– Malaysia Digital Economy Corporation (MDEC) is tasked with scaling the local fintech ecosystem. Malaysia’s central bank views Open Banking as a key lever for efficiency, access, innovation and competition. Implementation group will shortly be put in place to work on regulatory framework
– There are numerous Open Banking related initiatives in India, China, South Korea, Thailand, Cambodia and Indonesia.
Oceania
– Australian Treasury Department is pushing framework of the overarching Consumer Data Right and for application of the right to Open Banking, with phased implementation from July 2019 starting with the major banks. All remaining banks need to follow within 12 months. Australian Competition and Consumer Commission (ACCC) empowered to adjust timeframes if necessary.
– New Zealand banks and fintechs have come together for an Open Banking pilot, headed by Payments NZ. The partnership will develop and test two payment APIs, “account information” and “payment initiation”, and is expected to conclude near the end of 2018. Goal of the pilot is to build towards shared structure for APIs and come to consensus on what a set of common APIs should look like.
Figure 2: Important global Open Banking developments
Fintechs should also engage closely with the various current API standardisation initiatives, both to voice their own requirements and to
build their technological know-how and customer experience into the foundations of the API development.
Regulators and governments can contribute by driving open standards, and – in order to minimise the friction of two-factor authentication
that could potentially jeopardise push payment uptake – by allowing a risk-based approach to customer authentication. Two-factor
authentication must be applied equally to push payments and credit card payments, along with exemptions established in cases where
the merchant is applying a risk-based approach and taking related commercial risks. Governments and regulators themselves should also
encourage central and local government departments to use API services, and allow local API services to be accessed globally.
Finally, banks should be at the heart of API standardisation initiatives; building their API strategies on multiple levels and collaborating with
other organisations to create API-enabled services for corporates, and also for retail customers, as well as exploring the many possible
uses of APIs within their own organisations. Ideally, in an open payments market, there would be a single message- and communication
interface- standard for innovative and trusted transaction services enabled by TPP access to accounts.
The steps banks take should go beyond mere regulatory compliance, as they are the first steps into an entirely new world of financial
services. While good progress has already been made in terms of cooperation and alignment, further collaboration is still required in
order to reach Scenario 2. The alternative would be undesirable for all, and the real possibility of alternatives Scenario 1 and Scenario 3
underscores how imperative it is for the industry to achieve, at the very least, Scenario 2.
To achieve said scenario, a relatively complex landscape of standardisation initiatives, with different origins and aims, has sprung up in Europe.
Current landscape of standardisation initiatives
Most PSD2 API standardisation initiatives were initially local in nature. This was largely driven by the tight deadlines for local banking
communities to comply with PSD2 and the RTS. The Berlin Group’s NextGenPSD2 initiative is the only API standard that has been cross-
border from its very inception. Indeed, the Berlin Group and STET are now in advanced convergence discussions and have agreed to full
alignment on any future developments. This means that harmonisation of the API landscape for PSD2 – that seemed until recently a far-off
goal – is now at last clearly in view.
It is interesting to note that the various PSD2 standardisation initiatives in Europe, mostly local in origin and focus, are nevertheless having
a wider geographical influence on the global move towards Open Banking, by setting clear precedents for international standardisation
organisations to follow in other regions across the world that are closely following the progress made.
Standardisation organisations such as BIAN, NACHA, IFX, ISO, and W3C are organising themselves to collaborate on Open Banking
APIs that go beyond the mere functionality foreseen for PSD2 services.
Figure 3 below shows the complex landscape of local and cross-border standardisation initiatives that have sprung up, by the focus of
their work.
Figure 3: Categorisation of standardisation initiatives related to PSD2 and beyond
2. The challenge for banks: a complex environment of PSD2 standardisation, with EU law makers closely involved
As said, PSD2 standardisation is a complex environment, with seven interconnected stages (see Figure 4). To help signpost our readers, in
the following we provide a short summary of the relevant developments, origins and aims of each of these stages of PSD2 standardisation.
Figure 4: Seven stages of PSD2 standardisation
Stage 1: The European Commission’s vision rolls out slowly across member states
EU member states’ transposition of PSD2 into national law is progressing, albeit at an unequal pace. While a number of member states
– including Austria, Belgium, the Czech Republic, France, Germany, Italy, and the United Kingdom – have all transposed PSD2 into their
national law, others – including Poland, Portugal, Spain and the Netherlands – remain in the process of doing so.
The majority of members will have completed transposition by the end of 2018, although some will only be ready to do so in 2019. In the
meantime, the market is sensibly proceeding with preparations for a future in which all member states will have transposed and implemented
PSD2.
Stage 2: The European Banking Authority fleshes out the legislators’ intentions
The EBA was mandated to issue six Guidelines under PSD2 addressed to market actors, to local competent authorities of member states
or to the EBA directly, and to develop and submit four sets of RTS and one set of Implementing Technical Standards for adoption by the
European Commission. All have now been finalised, although application by the competent authorities in the member states has not
been completed yet.
The most impactful of all is the RTS on SCA and CSC, which was adopted by the EU Commission on 27 November 2017 and published
in the Official Journal of the EU on 13 March 2018. The RTS will apply as of 14 September 2019, allowing banks and TPPs an 18-month
implementation period.
The version of the RTS adopted by the EU Commission contained significant changes to the final version proposed by the EBA which was
overruled in this process. In particular, they provide that banks which implement dedicated interfaces will have to comply with a number of
additional requirements.
The EBA released a Consultation Paper on Draft Guidelines on 13 June 2018 (subject to consultation) as well as an Opinion Paper on the
implementation of the RTS on SCA and CSC. The former clarifies a number of issues relating to the criteria for banks being granted an
exemption from the requirement to have a fall-back option for dedicated interfaces. The EBA suggested the following conditions must be
met to benefit from an exemption:
1. The dedicated interface should comply with all the obligations for dedicated interfaces as set out in the RTS.
2. It should have been designed and tested in accordance with the RTS to the satisfaction of TPPs.
3. It should have been widely used for at least three months by TPPs to offer account information services and payment initiation services,
and to provide confirmation on the availability of funds for card-based payments.
4. Any problem related to the dedicated interface should have been resolved without undue delay.
A suitably designed standard API should ensure that all four of these essential conditions are met, allowing an institution that has adopted
it to gain an exemption from having to offer a fall-back option in addition to its dedicated interface (involving significant additional cost and
change work).
The EBA’s Opinion Paper, on the other hand, defines the scope that APIs delivering access to accounts will have, including standing
orders, future-dated payments and cancellations, and thereby addressing some of the concerns previously voiced. Following this Opinion,
a more flexible approach may also be taken on the redirect model of API interaction. The Opinion says this should not in itself be regarded
as an obstacle to TPPs providing services to customers, and will only be considered one where a bank implements it in a manner that
is restrictive or obstructive to TPPs. While the embedded model of API interaction certainly provides a more streamlined and convenient
customer experience, the redirect model may afford customers the higher level of trust as they only need to provide their credentials when
being present in the digital environment of their own bank.
API interaction models: embedded, redirect, and decoupled
There are three interaction models to provide access to accounts for TPPs, reflecting different approaches to how a customer can identify,
authenticate, authorise, and use a particular service via a TPP. The models are: the embedded model, the model using redirection, and
the decoupled model.
The last is more a variation of the embedded and redirect models. Decoupled means that the customer authorisation or authentication
happens through a different channel and session. This is necessary where a credential cannot be transmitted (when it is based on biometrics,
for example) and for many new payment devices (such as wearables).
The embedded model allows the TPP the same access to the account as the customer (via the sharing of personalised security credentials).
While this is straightforward, concerns have been raised by some market participants about the security risks of this approach.
In the redirect model, the TPP opens the session, giving information about the payment instruction, and then hands it over to the customer
who authorises the payment as usual with its bank. The bank verifies and accepts the customer’s payment authorisation, executes the
payment, and hands the session back to the initiating TPP.
Views appear to differ between different member states as to whether the redirect model may be used as the sole means of complying with
the RTS, or may only be offered as one of the options.
Stage 3: The European Central Bank lays the foundations for an integrated push payment market under PSD2
In November 2016, the Euro Retail Payments Board (set up by the European Central Bank) established a working group with the aim of
defining a common set of technical, operational, and business requirements for developing an integrated market for payment initiation
services (the technical term for that group of new services that will include push payments). The working group completed detailed work
on standardisation of PSD2 certificates for TPP identification based on eIDAS, harmonisation of registers and establishment of directory
services, and event management and dispute resolution between banks and TPPs.
Stage 4: The European Commission invites a broad spectrum of market players to choose criteria and evaluate standards for APIs used for PSD2
While the Euro Retail Payments Board’s working group clarified many aspects of PSD2, the European Commission subsequently invited
market players to establish a European group with the express purpose of evaluating API specifications, and identifying those features and
functionalities that an API must provide to satisfy the needs of all market players.
In response to this, the API Evaluation Group was formed, aimed at API specification convergence at a European level and to help harmonise
market practices, as well as acting as a source of guidance to market participants and competent authorities (for more information on its
deliverables and time horizon, please refer to its Terms of Reference). It also intends to publish a list of recommended API functionalities,
which it believes API initiatives should support to ensure that banks’ dedicated interfaces adhere to regulatory compliance requirements
and that these will be widely used by TPPs.
Stage 5: Some market-driven API standardisation initiatives clarify technical requirements
Neither PSD2 itself, nor the RTS, cover the functional and technical details of the dedicated interface that TPPs will use to connect with
banks. As a result, market initiatives have emerged to fill in these gaps. We note that current API standardisation initiatives for PSD2 in
Europe quite understandably tend to focus on ‘getting the basics right’ for PSD2. That is, they focus on creating API specifications for the
services required under PSD2 and setting up specifications for operational aspects of access to accounts (e.g. sandbox/testing, directory,
event/dispute management). In addition, commercial solution providers are complementing this by offering banks and TPPs the required
capabilities for compliance ‘as a service’.
Noteworthy from the point of view of local collaboration are the CMA Open Banking API (UK), STET API (FR), and the API specifications
published by the Slovak, Czech and Polish banking associations respectively. There is also the Swiss Corporate API (albeit that
Switzerland is not an EU member state and need not comply with PSD2) that aims to build a central, secure API banking platform
accessible to customers, banks and TPPs, saving banks the cost of building their own API infrastructures.
In addition to local collaborations, the Berlin Group – which brings together over 45 major players in the payments industry – has also
published its “NextGenPSD2” API standard. This initiative has participating organisations in Austria, Belgium, Bulgaria, Croatia, Denmark,
Finland, France, Germany, Ireland, Italy, Latvia, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Sweden, and other parts of
Scandinavia, Spain, Switzerland, and the United Kingdom. The API standards of the Berlin Group and STET are now closely aligned, to
the extent that they are practically converging.
To allow this to progress and roll out further, market players are urged to continue to work together to ensure specifications are ready ahead
of the projected RTS implementation date of September 2019. To this end, the Berlin Group will publish its updated standards at the end
of July 2018, taking into account the latest opinion published by the EBA of what it believes is required by the RTS for access to accounts.
Stage 6: Other market-driven initiatives work on other aspects of standardisation
For access to account to work at scale, the market also needs a centralised PSD2 directory, as recognised by PRETA’s Open Banking
Europe (OBE) initiative, and also by ETSI.
Under PSD2, each local competent authority will publish data using its own formats, terminology and timetable. The PRETA OBE directory
will harmonise these into a central, standardised, trusted, machine-readable repository where all TPPs across Europe may list their contact
information, enabling banks to notify them of changes and contact them in case of incidents. Similarly, it will also list operational information
from banks for TPPs, allowing them to find the correct location of documentation and end points for each bank, bank brand and service.
Thirty financial institutions and industry service providers have already joined the directory which is available to participants for testing.
Until recently, it appeared that PRETA would be the only operational central directory service available. However, in June 2018, Mastercard
announced it is also developing a pan-EU directory service, which will include fraud monitoring, dispute resolution services and a
connectivity hub.
Meanwhile, in May 2018, ETSI had completed a standard for EU qualified certificates as defined in the eIDAS regulation that
meets secure communication requirements under PSD2 and standardises the required data attributes including the payment service
provider’s authorisation number, its PSD2 role(s) and its local competent authority.
Stage 7: An ecosystem of complementary services is emerging
However, while the interface is essential to enable TPP services to emerge at scale and at relatively low cost, there are many more
business opportunities in the technical, functional, operational, and governance domains, both for PSD2-compliant services and services
enabling Open Banking ecosystems (see Figure 5).
Figure 5: New business opportunities for market players beyond PSD2 compliance
These include services facilitating operational compliance, such as registry services (see above), and those providing testing facilities,
a support desk, transaction/fraud monitoring, interface specification documentation and change management. We can therefore expect
market players to position themselves as service providers for PSD2 compliance, as well as potential enablers of innovation in an Open
Banking ecosystem. While these competitive dynamics will drive innovation in the emerging open payments market, both PSD2 access to
account services and Open Banking services require interoperability and reach to gain traction at scale.
Unlocking opportunities of scale for customers, banks and TPPs by aligning and converging API standards for PSD2
Defining an interface standard for PSD2 will enable industry actors to socialise associated costs by sharing effort and insights during
the development phase. Such a standardised interface is in turn important to enable TPP services for payment initiation and account
information to emerge at scale and at relatively low cost. Furthermore, if industry players collaborate on PSD2 standardisation, the need for
further regulatory intervention – similar to the SEPA end-date regulation – could be avoided.
The API standards so far put forward by the various initiatives differ most significantly in the data structure they each support (including the
exact fields they include), and in the interaction models enabling payment service users to authenticate and authorise TPP access, and/or
payment transactions initiated by a TPP.
The Slovak API standard and the Berlin Group’s NextGenPSD2 standard support both JSON and XML data structures (albeit only as
options). The other initiatives mentioned in this paper support JSON only. In terms of interaction models, STET’s and the Berlin Group’s
NextGenPSD2 standards both support multiple models in addition to the redirect model, i.e. also an embedded model and a decoupled
model. The other initiatives only support a redirect model.
As explained earlier, STET and the Berlin Group are in talks about converging their respective API standards, while alignment has also
recently commenced with the Polish API. This gives hope to the industry and market that API standardisation for PSD2 is close to complete,
ensuring Scenario 2 can be realised, and a minimum supportable ecosystem established for access to accounts to commence and be
deployed at scale by banks and TPPs and taken up by customers.
Consult Hyperion
PSD2 API Services – Why Such a Slow Burn?
As many commentators have noted, the introduction of PSD2
APIs hasn’t really stirred the wave of competition, innovation, and
new services. There are many reasons for this, including a lack
of API standardisation, no common security architecture, and
entirely reasonable bank concerns around their liability if anything
goes wrong.
However, in the one country where there is some level of
standardisation – the UK – there is evidence of services being
created. Currently, there are 32 TPPs registered in the UK alone,
potentially providing services that range from the boringly bland to
the downright worrying. Out of this, however, we can get an early
indication of how PSD2 APIs are going to be used in the market
when security concerns are addressed.
The limits of PSD2 API security
We shouldn’t be surprised at the slowness of the response –
many banks missed the January 2018 deadline for having their
APIs available and there are no common definitions such that,
in theory, all 6,000 plus banks in the EEA could publish different
interfaces. It’s hard to achieve any level of standardisation or
cooperation in such an environment.
On top of that, there are concerns about the security of the
processes involved. Just as PSD2 demands that banks open
up APIs but doesn’t concern itself with the details, it also
expects high levels of security on those APIs, but fails to be
specific enough to allow the creation of a common security
architecture, leaving banks and TPPs scrabbling about to find
common ground.
Who’s a TPP?
As it stands, a lack of a centralised register of TPPs or the eIDAS
certification process to identify TPPs opens up risks in the
process. For example, if a TPP has its authorisation withdrawn,
it’s unclear how this would be communicated to all of the parties
affected – and a bank allowing a payment or account information
access to an unauthorised TPP would be in breach of the directive.
Beyond this, these types of problems open up the possibility
of fake TPPs intercepting the authentication process, and
orchestrating attacks on the ecosystem. At this critical point in
the development of Open Banking, this kind of attack could
serve to undermine the credibility of the processes and risk
permanently damaging consumer confidence in PSD2 services.
Put into perspective, in the worst case, a TPP must interface to
unique APIs for every bank and manage a unique security and
identification process with every bank and there will still be a risk
of TPP impersonation. Given this, it will be a long time before
PSD2 initiated payments are a realistic interoperable competitor
to existing card payment schemes.
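The withdrawn-authorisation gap described above can be narrowed on the bank side by checking the PSD2 attributes of the TPP's eIDAS certificate against a register snapshot on every request, and refusing when the snapshot is too old to trust. The sketch below is an added example, not part of the original report or of any standard's reference code. The register contents, identifiers, dates, the 24-hour freshness limit and all function names are constructed assumptions; the `PSD<country>-<authority>-<number>` identifier layout and the `PSP_AI`/`PSP_PI`/`PSP_IC` role names are those carried in PSD2 qualified certificates.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Requested service -> PSD2 role that must be present in the TPP's certificate.
SERVICE_ROLE = {
    "account_information": "PSP_AI",
    "payment_initiation": "PSP_PI",
    "funds_confirmation": "PSP_IC",
}

# organizationIdentifier layout in a PSD2 qualified certificate:
# "PSD" + country of the competent authority + "-" + authority id + "-" + authorisation number
ORG_ID = re.compile(r"PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<auth_no>\S+)")

# Assumption: local policy for how old a register snapshot may be before
# the bank refuses to rely on it.
MAX_REGISTER_AGE = timedelta(hours=24)


@dataclass(frozen=True)
class CertAttributes:
    """Attributes already extracted from a validated client certificate."""
    organization_identifier: str
    roles: frozenset
    not_after: datetime


@dataclass(frozen=True)
class RegisterEntry:
    """One TPP record from a (hypothetical) central register snapshot."""
    status: str  # "authorised" or "withdrawn"
    roles: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_org_id(value):
    """Split an organizationIdentifier into country, authority and number."""
    match = ORG_ID.fullmatch(value)
    if match is None:
        raise ValueError("not a PSD2 organizationIdentifier: %r" % value)
    return match.groupdict()


def admit_tpp(cert, service, register, register_fetched_at, now):
    """Decide whether a TPP request may proceed. Every failed check denies."""
    role = SERVICE_ROLE.get(service)
    if role is None:
        return Decision(False, "unknown service")
    if now >= cert.not_after:
        return Decision(False, "certificate expired")
    try:
        parse_org_id(cert.organization_identifier)
    except ValueError:
        return Decision(False, "malformed organizationIdentifier")
    if role not in cert.roles:
        return Decision(False, "certificate lacks role " + role)
    # A certificate can outlive a withdrawn authorisation, so the register is
    # authoritative. A stale snapshot could hide a withdrawal: fail closed.
    if now - register_fetched_at > MAX_REGISTER_AGE:
        return Decision(False, "register snapshot stale")
    entry = register.get(cert.organization_identifier)
    if entry is None:
        return Decision(False, "TPP not in register")
    if entry.status != "authorised":
        return Decision(False, "authorisation " + entry.status)
    if role not in entry.roles:
        return Decision(False, "register lacks role " + role)
    return Decision(True, "ok")


# --- Constructed sample data (not real TPPs, authorities or events) ---
NOW = datetime(2019, 9, 14, 12, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(hours=1)    # snapshot fetched an hour ago
STALE = NOW - timedelta(hours=25)   # snapshot older than MAX_REGISTER_AGE
REGISTER = {
    "PSDXX-NCA-TPP0001": RegisterEntry("authorised", frozenset({"PSP_AI"})),
    "PSDXX-NCA-TPP0002": RegisterEntry("withdrawn", frozenset({"PSP_AI"})),
}
ACTIVE = CertAttributes("PSDXX-NCA-TPP0001", frozenset({"PSP_AI"}),
                        NOW + timedelta(days=300))
# Certificate is still cryptographically valid, but the authorisation is gone.
WITHDRAWN = CertAttributes("PSDXX-NCA-TPP0002", frozenset({"PSP_AI"}),
                           NOW + timedelta(days=300))

if __name__ == "__main__":
    for cert in (ACTIVE, WITHDRAWN):
        decision = admit_tpp(cert, "account_information", REGISTER, FRESH, NOW)
        print(cert.organization_identifier, decision)
```

The check order matters: certificate claims are tested first because they are cheap, but only the register lookup can catch a TPP whose certificate is still valid after its authorisation was withdrawn.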
Beyond API security
If all of this wasn’t problematic enough, there are other problems
around the PSD2 payments service. The directive only specifies
the payment initiation process, including strong customer
authentication, and consumer protection. While this is valuable,
it is far from a complete payments service and leaves open a
whole range of critical operational and technical functions, such
as clearing, settlement, disputes, and collections.
In essence, the whole governance process around PSD2 API
payments is undefined and now the participants in the payment
process are expected to sort everything out on a bilateral basis.
It’s not really credible to expect a single TPP to interface to
multiple banks via different APIs, including bank-specific mutual
authentication processes – and then support changes to those
APIs on a rolling basis.
Where payment initiation APIs are used, it’s likely to be either in
isolated use cases such as payroll, benefits disbursement, and
remittances or where the business offering PSD2 payments has
a strong brand, which can be used to convince consumers or
businesses to trust the process.
About Tim Richards: Tim Richards has over 25 years’ experience designing secure smart card solutions across payments, mobile, transit, identity, passport, healthcare and loyalty solutions covering both issuance and transaction processing. What he hasn’t seen in the industry probably isn’t worth knowing about.
About Consult Hyperion: Consult Hyperion are an independent consultancy. We hold a key position at the forefront of innovation and the future of transactions technology, identity and payments. We are globally recognised as thought leaders and experts in the areas of mobile, identity, contactless and NFC payments, EMV and ticketing.
www.chyp.com
Tim Richards, Principal Consultant, Consult Hyperion
This doesn’t mean card payment schemes can afford to rest on their
laurels, however – even if only a small number of retailers offer these
direct to account payment services this could still take significant
volume away from card payments.
Opening up API services
Despite this, we are reasonably optimistic that these issues will be
eventually solved. In the UK, the OBWG has managed to specify
APIs and a common security and authorisation process, and we can
see TPPs registering. Given the wider payment governance issues,
it’s not surprising that most of the initial services will be based
around account information. In fact, screen-scraping, which is the
closest equivalent service to Account Information Service Providers
in operation today, is specifically banned under PSD2 when strong
customer authentication comes fully into operation in September
2019, so there’s an immediate need to address that requirement.
Therefore, it’s no surprise to see that budgeting applications are
among the first being rolled out – providing customers with
aggregated account information and helping them to manage their
budgets most efficiently is an obvious approach. We can also see
that loyalty and risk profiling services are being prepared as well as
some focusing on small businesses.
Successful – eventually
The example of the UK shows that TPPs will register and provide
services if they have some certainty around how the technical and
security requirements should be supported. It’s not that there aren’t
willing players out there in the market, it’s more that the pathway to
achieving success is still unclear.
As a consequence, the rollout of PSD2 services will be patchy
and inconsistent. While this is disappointing and isn’t the instant
explosion of new services that many had hoped for, all is not lost.
As long as care is taken to avoid major breaches and a loss of
consumer confidence, the development of consistent security
protocols and common governance processes will eventually allow
the full potential of Open Banking to be revealed.
PPRO
Banking Half Open or Half Closed?
It’s not about optimism or pessimism if you see banking half
open or half closed, but a matter of which country you are living
in. Several countries, mainly in Northern Europe, enjoyed open
banking for more than a decade, whilst others were closed up
to now. Some because their banking lobby managed to protect
it well, others because their card penetration is so high, like
in the UK for example, that there was not much demand for
anything else so far.
Is PSD2 opening or closing EU banking?
The EU is now harmonising this situation with PSD2, forcing
all banks in Europe to open up to a certain extent. This is good
news for the people in the countries, where banking was closed,
but bad news for the more advanced ones, where banking
was already wide open and is now closing down again to the
mediocre standards proposed by the infamous RTS (regulatory
technical standards), which empower banks to make Third Party
Providers (TPPs) dance to their tune.
Originally, PSD2 was not meant to close, but to secure the previously
uncontrolled open banking by a) regulating and supervising
TPPs and their systems, b) limiting access to authorised TPPs
only, c) imposing liability insurance upon them, and, last but not
least, d) adding secure customer authentication (SCA) to de-risk
credential sharing.
Not surprisingly, banks are trying to open their doors just a
little crack, and taught everybody a lesson in salami slicing.
Lobbying every bit of subsequent PSD2 specifications such as
RTS, guidelines and opinions, they managed to dilute the law’s
original intention, and are now on the verge of getting it all their
way. What is surprising, however, is that the European regulator
(European Banking Authority, EBA) seems to endorse this,
despite being well aware of the negative impact it will have on
end-customer products.
TPPs fighting the windmills
Of course, TPPs are battling hard to get this situation improved,
for example via the API Evaluation Group, which the European
Commission created in early 2018 to give the market some voice.
Unfortunately, that is also at the mercy of the banks and with their
public scaremongering, they even got the consumer lobbyists on
their side in trying to keep banking as closed as possible. This is
very unfortunate, because the end-user potential for value added
services is huge, and so will the damage be to existing services,
unless common sense prevails in the end, which I sincerely hope -
still.
Take a look at the telecoms industry and how its deregulation
enabled competition to a point where even international calls
merely cost a penny and almost everybody can now have and
afford broadband internet. Today, we could not imagine living
without the myriad of value-added services that came with it. I
can vividly remember the incumbents’ resistance at the time, but
fortunately, they did not have such a strong lobby and regulators
rather supported the incoming challengers.
Taking the customer’s view
PSD2 and RTS leave room for interpretation and TPPs, banks
and regulators have different views and opinions. In the end,
courts may have to decide, but a lot of time and money could be
saved by simply taking the customer’s perspective and allowing
the necessary functionality for good products, which is what we
really need. Therefore, dear banks and regulators, please take
the view of our (joint) customers and:
• do not force them to be redirected to your websites, which
adds unnecessary screens and clicks and ruins the TPP user
experience (make it an optional feature for those who like it,
but not a mandatory obstacle for those who don’t);
• do not hold back available balances from payment initiation
service providers (PISPs), which customers want to see before
choosing an account to pay from;
• do not hold back non-execution risk data from PISPs, because
otherwise merchants have to wait a day or two before sending
off the purchased goods;
• listen to merchants’ transaction risk analysis to avoid bothering
users with unnecessary SCAs;
• let PISPs add or remove beneficiaries from the user’s white-list
to improve ease of use;
• provide the required user identity data to avoid fraud;
• let account information service providers (AISPs) do the strong
customer authentication (SCA) for the 90-day consent renewals
to avoid separate SCAs every 3 months for every single bank
aggregated;
• let AISPs access more than four times per day to enable real-
time alerts rather than up to 6 hour delays;
• let AISPs access non-payment accounts data, which is actually
the majority of what users want to see;
• put enough contingency in place to ensure continuation of TPP
services at all times.
Most importantly, I would like to urge the API standard initiatives to
support all that, because otherwise banks couldn’t offer it, even if
they wanted to.
It would be a great shame if banks got away with denying their
customers all of these functionalities, but they cannot resist the
wind of change forever and should remember Gorbachev’s wise
words: “Those who are late will be punished by life”. Customers
will vote with their feet if banks and their authorities try to hold back
services available elsewhere, or – even worse – deprive them of
some they enjoyed already.
For once, Europe is ahead of everyone else, so let’s not give up
that lead and let’s not waste our time waiting for courts or PSD3!
About Ralf Ohlhausen: Ralf Ohlhausen, MSc in Mathematics and Master of Telecommunications Business, has over 25 years’ experience in ecommerce, financial services, mobile telecoms and IT. Ralf is responsible for expanding the company’s portfolio and global reach, as well as developing new business areas and partnerships.
About PPRO: PPRO enables integrated electronic payment processing on a global scale spanning the entire payments value chain from acquiring through processing, collection and settlement. Positioned as ‘The Payment Professionals’, PPRO acts as a B2B payments hub, connecting PSPs and other merchant aggregators, such as acquirers and processors, with local payment schemes.
www.ppro.com
Ralf Ohlhausen, Business Development Director, PPRO Group
The revolution began in January 2018, sparked by the release of the UK Open Banking Standards intended to stimulate innovation and
competition. With Open Banking, consumers can choose to authorise registered FinTech companies to access their banking data, in
real-time, including transactions and balances. The Open Banking Standard has been designed and implemented by the Open Banking
Implementation Entity (OBIE). Open Banking has been described as “the future of money” and the OBIE website says, “Get ready for
a world of apps and websites, where you can choose new financial products and services from providers regulated by the Financial
Conduct Authority (FCA) and European equivalents.” We spoke to Imran Gulamhuseinwala to tell us more about Open Banking and to
give us a glimpse into what a “powered by Open Banking” future might look like.
What is the progress of Open Banking in the UK and what are the learning points so far?
“The Open Banking Implementation Entity (OBIE) is the body set up by the Competition and Markets Authority (CMA) in 2016 to deliver
open banking. It is governed by the CMA and funded by the UK’s nine largest banks and building societies: Allied Irish Bank, Bank of
Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group, and Santander.
We were the first Standard to have a live API in live production as of 13th of January this year. However, January 2018 is just the start –
the functionality is a Minimum Viable Product (MVP), meaning that it works, and that what we have out in the market is a safe and secure
example of what an open banking API is. What is more, it has good AIS (Account Information Services) functionality that covers personal
current accounts and business current accounts.
In terms of timelines, it won’t be until 2019 that we expect to see the “killer app” – however, things are definitely moving in the right direction.
Moreover, I think that open banking is a world first and we are beginning to see signs of a meaningful impact in the market.
Much work remains to be done. January’s release was just one of four releases that will take us all the way through to September 2019.
The second release was published on 7 September 2018, when the OBIE announced the publication of the Open Banking Standards,
version 3 - which builds significantly on the version of the Standards that was launched in March 2018, giving account providers, who
implement them, a solution that complies with the EU’s Second Payment Services Directive (PSD2). Whilst previous versions of the
Standards covered business and personal current accounts, Version 3 covers all products with payment capabilities (for example, credit
cards, pre-paid and e-wallets) in any currency.
Interview with Imran Gulamhuseinwala OBE, Trustee of the Open Banking Implementation Entity (OBIE)
This is a remarkable project; one with the potential to change retail banking forever. If we get it right we will for the first time anywhere in the world, put the customer in control of their data, their privacy and their finances. It is difficult to overstate just how revolutionary Open Banking could, and should, be.
Over the last 18 months, much has been achieved. The UK banking industry has started to adopt the Standard, and we are leading the
way globally. There is still a long way to go and we are now looking forward to the next two releases. The next one will build out the full
suite of PSD2 functionality in terms of payments. It will cover not just single immediate payments, but also future dated payments, standing
orders and so on. And then, in March 2019, we will release the app-to-app redirection, which will really simplify the consumer journey
from the point of view of Strong Customer Authentication (SCA), allowing biometrics to be used for the first time.
You mentioned the full suite of payments. Does that include getting a guaranteed payment if you use open banking with the TPP? Will they get a guaranteed payment?
The UK is fortunate enough to have a real-time settlement system, which is Faster Payments. The API puts a payment on to the past
payments track, enabling the receiving bank to see in real-time that it is, effectively, a guaranteed payment.
We are currently working on increasing the functionality of the API to provide a very granular status of payments. This result might actually
turn out to be in one of the two pending releases - the third or the fourth - we haven’t quite decided on that. But it will tell the PISP exactly
where in the payment process the payment instructions sit - and because of Faster Payments all this happens very quickly.
In terms of the status of payments, confirmation of funds, these are critical things for adoption and we’re very happy to go beyond PSD2,
where the real end-user need lies. As an example of that, we are also building refund capability into the APIs, which is something that
merchants have told us that they need. In some sectors, as much as 25% of all card payments are reversed – it’s what we call “chargeback”.
Therefore, if open banking pushes payments from banks, this is going to compete with cards. And we need to have the ability to offer the
equivalent of chargebacks (refunds).
The Standard setting process is complex. We’re very prescriptive with our standards and have a very intense governance process to go
through. Compared to other European Standards, which have more flexible requirements, our Standards are very tight and prescribed;
however, the Standard setting process isn’t really the hard bit. The hard bit is the implementation of those Standards by the banks and
that’s where we are very different from Europe. We actually have an Implementation Entity and that Entity is designed to support both
ASPSPs, as well as TPPs, in the implementation of those standards. And it’s my role as Trustee and the powers given to me by the
Competition and Markets Authority to help, support and mandate the banks to implement these Standards.
Could you mention some examples of successful new services being launched off the back of open banking, specifically for the consumers and the SMEs market? What are some first success stories from mandated banks and non-mandated banks?
The ability to offer more innovative and more individually tailored propositions is paramount in open banking. Mandated and non-mandated
players need to engender a shift in culture towards an agile way of working that encourages innovation. We are beginning
to see some compelling and innovative propositions develop, including initiatives for helping financial institutions reduce onboarding
time, reduce cost, and reduce complexity, all of which will ultimately help customers. What’s more, we are witnessing a lot of activity
around helping customers automate affordability checks, income verification, and suitability requirements for everything - ranging from
mortgages to savings products. Looking ahead, I am confident that, throughout 2019, we’re going to see prominent, mainstream “killer
apps” coming out.
Aggregation services were the first to be developed in open banking. Yolt, for example, gives you an oversight of your current and
savings accounts, plus credit cards, on a single interface. It also sends you insights into how you’re spending your money and what your
major expenses are. The platform allows you to manage your bills and subscriptions – you can see your debts, how much you’ve paid
previously, and any linked transactions. If you’re looking for a better deal, it also offers a comparison service.
Moreover, an area where we’ve seen a lot of activity in the UK market is how FinTech can help customers unbundle overdrafts. Actually,
providing overdrafts independently from banks is an area where competition needs to occur. I’ve seen one FinTech providing overdrafts
50% to 90% cheaper than the high street banks - adding real value there.
On the SME side, in the UK we have an innovation prize process called The Open Up Challenge, managed by Nesta’s Challenge Prize
Centre (announced in February 2017). It is part of the Competition and Markets Authority’s package of remedies to shake up the UK retail
banking market. It builds on the UK’s pioneering role in implementing open banking to bring greater competition and innovation to the
market.
The Challenge leads a global search for talented teams building innovative products and services that will help small businesses save time
and money, find better services, reduce stress and discover the intelligence in their financial data. In June 2018, Nesta’s Challenge Prize
Centre announced the twelve finalists – who each have the potential to win the GBP 2.5 million prize fund backing the next generation
of financial technology for small businesses. The twelve finalists received a GBP 100k grant, special access to open banking data and
support to bring their products to market. Five or six of these finalists will go on to win a further GBP 200k each at the end of 2018.
Another area that I find really compelling is cash management. Cash flow management is the lifeblood of all businesses - and particularly
for SMEs. FinTech is changing the way that small businesses meet cash flow concerns within their business by adopting digital
technologies and tools to assist in the diagnosis, management, and prediction of cash flows.
What was FinTech’s response to open banking and which new entrants are setting themselves up to take full advantage of open banking?
Back in 2017, FinTechs were sceptical that the banks would produce a single API that would allow them, with customers’ permission, to
access their data. The good news is that, now, FinTechs are truly enthusiastic about open banking and about how the MVP works, with
most of them seeing it as a major area of opportunity.
Open banking has empowered a host of innovative FinTech startups to improve the way customers handle their money, taking steps to
simplify the customer journey in banking, keep it secure and make it convenient and straightforward.
And now we are beginning to see how the banks that have implemented the APIs are also now beginning to consume those of their
competitors. With open APIs, customers can share their financial information with other providers, if they so choose. Open APIs will
also make it much easier for customers of banks to transfer their accounts, manage payments, and conduct transactions through other
banks and non-banks—thereby creating new opportunities for aggregators to offer customers services from multiple providers on a single
platform. No doubt, open banking is good news for consumers, who will gain access to a broader array of financial services offered by
a larger selection of providers. Then, of course, we are also beginning to see non-banks, non-financial services players, come into the
space as well, such as mobile phone operators, OEM manufacturers, big ecommerce providers, as well as companies and so on that are
all beginning to think how can they utilize these APIs to better support their customers.
How can companies overcome the security and privacy concerns associated with data sharing?
At the heart of the open banking revolution is the need for greater security for customer data. From a technical point of view, we need to
make sure that the APIs are secure, robust and resilient.
Any third party provider that is authorised by the FCA to use Open Banking connections has had their business plan, risks, systems,
controls, and staff independently reviewed. We also ensure that all TPPs and ASPSPs have a permission dashboard, which means that
the customer genuinely has control of their data sharing. So, either at the bank side or at the FinTech side, customers can see the status
of all the permissions that they’ve shared and all the payments that they’ve made, and, importantly, they can revoke them at any point.
If a customer goes to a bank, they would see all the FinTechs that have connected to that bank, and all the TPPs operating as FinTechs.
If they go to the FinTech side, they can see all the banks - if they have more than one bank - that they have connected to via the FinTech
and, critically, they can revoke their permissions at either of those two locations.
One of the things that we felt was important was to have something called two-way notification of revocation. With two-way notification
of revocation, consumers will be able to revoke at one party and confirm that the revocation has been recognised by the other party. This
standard allows a bank (ASPSP) or TPP to notify each other if a consumer has revoked their consent. This ensures a consumer will see
the status of their consents on both ASPSP and TPP dashboards.
In terms of authentication, there are various specifications describing how Strong Customer Authentication should be implemented and
several models have been defined: the redirection, decoupled and embedded models. These models vary in the way the user interacts
with the TPP and the bank and have a deep impact on the user experience.
We support SCA through the “redirect” approach (where within the redirection model the Payment Service User (PSU) starts interacting
with a TPP and is redirected to a web interface of the ASPSP for authentication) as well as the “decoupled” approach, (which allows the
PSU to receive a push notification to authenticate on their mobile banking app).
Achieving APIs standardisation/harmonisation seems challenging in Europe. What makes a good API?
When it comes to the API, we put as much emphasis on the implementation as we do on the creation of the Standard.
We need to ensure that the basics need to be right, the documentation needs to be all in one place, and it needs to be correct. For this,
we’re now working on something called programmatic onboarding, which means that, should any of the banks have variations in the API
(which they really shouldn’t have), then a developer can connect through our model bank effectively to all APIs and they don’t have to
work through each of those workarounds themselves.
We need to be very consistent, clear, and transparent in how we do upgrades and what historic APIs can be supported. We need to be
very clear about how we reintroduce things like upgrades to the authorisation security protocols. The technical team consists of 150
people, out of which approximately 25 are working on support desk sandboxes providing model banks, model TPPs, and helping both
banks and TPPs with queries.
Furthermore, we monitor and manage the performance metrics across all the banks to support both them and their TPPs. All these are
crucial for making a good API work and it goes well beyond just the design of the API.
Looking broadly at open banking, what is the future roadmap and where do you see the major initiatives going forward?
As said, the revolution began in January 2018. Right at the heart of what we’ve done so far in the UK is building open banking on open
licenses, thus enabling any ASPSP to use the Open Banking Standard without a license. They can also modify it, build upon it, and
generate value-added services upon it.
Open Banking has the potential to transform banking, not only in Europe, but across the world. What I would expect and look to see over
the next few months, as PSD2 becomes real for many ASPSPs in the UK and around Europe, is for the Open Banking Standard to be
adopted and implemented in order to meet their PSD2 requirements.
This is the beginning of an ecosystem that will then be well-positioned to broaden out the Standard beyond PSD2 to other non-PSD2
products, including savings products, mortgages and so on. We are now witnessing a lot of excitement and interest in the adoption of
these standards on a global scale, including in Australia, Canada, Hong Kong, Singapore, Thailand, Malaysia, and Israel. I believe that we
will see interest by participants across Europe who want a fully tried, fully tested open license solution to PSD2.
About Imran Gulamhuseinwala: Mr. Gulamhuseinwala was appointed as Trustee for the Open Banking Implementation Entity (OBIE) on 13 April 2017. He is seconded to Open Banking from Ernst & Young LLP (EY) where he is a London-based partner in its financial services practice. He is also EY’s Global Head of FinTech.
About Open Banking UK: Open Banking was created to enable innovation and competition for financial services. It is tasked with delivering the APIs, data structures and security architectures that will make it easy and safe for customers to share their financial records. Open Banking is a private body; its governance, composition and budget were determined by the CMA. It is funded by the UK’s nine largest current account providers and overseen by the CMA, the FCA and HMT.
www.openbanking.org.uk
Imran Gulamhuseinwala OBE, Implementation Trustee, Open Banking UK
11:FS
11:FS Point of View: Will PSD2 Deliver on its Promise?
The story so far
Open Banking’s launch signalled a change in the UK retail banking
landscape. It’s the country’s interpretation of the EU’s Payment
Services Directive (PSD2), which promises consumers greater
control of their data and easier access to more personalised
financial products.
The Competition and Markets Authority (CMA) 9 were required
to make a number of Account and Payment APIs accessible to
developers as of 13th January 2018 (the group includes Allied
Irish Bank, Bank of Ireland, Barclays, Danske Bank, HSBC,
Lloyds Banking Group, Nationwide, RBS Group and Santander).
After a number of extended deadlines, eight are now meeting the
letter of the requirement, while Bank of Ireland plans to have
its APIs up and running by August 2018. Of the first eight,
HSBC was the first to offer a customer-facing proposition. Its
data aggregation service, ‘Connected Money’, allows customers
to view their current accounts, loans and mortgages from up to
21 different banks. Meanwhile, ING-backed app Yolt is working
with Lloyds Banking Group and RBS Group as part of a trial to
provide the banks’ customers with multiple account management
services. The ability to categorise payments and forecast future
payments is now available to the 100 new users from said banks
that onboard daily, as well as customers of challenger banks such
as Monzo.
Elsewhere, Account APIs are being used by the likes of ClearScore,
which has created a flow through which consumers with little to
no credit history can access credit scoring information.
Has the rollout been slower than expected?
The delayed rollout means some commentators believe banks
are deliberately avoiding finding ways to use open APIs. However,
Jason Bates, co-founder of 11:FS, believes implementing Open
Banking is easier for those with expertise in “consumer tech
[rather than] banking expertise” i.e. fintechs vs legacy banks,
which needs to be taken into account.
We also cannot overlook banks’ legacy technical infrastructure and
the volume of resources tied up in its maintenance. Open Banking
requires allowing third-party access via open APIs, but such
dated systems cannot easily handle the demands of the new API
infrastructure. Simultaneously, banks cannot instantly abandon
their infrastructure as a result of Open Banking and so we must
make exceptions for it.
These considerations suggest that Open Banking has so far failed
to usher in a new wave of products and services for consumers
– but not because banks lack the motivation to move beyond the
minimum requirements of the regulation.
That said, delays have resulted in many third-party providers postponing
plans for advanced functionality, based on the expectation
that the most useful APIs due to be delivered next will also be
delayed. As a consequence, third-party providers don’t yet pose
a competitive threat to traditional banks and the current state
of the data and payments landscape has failed to fully meet the
expectations of the consumer that were prematurely set by PSD2.
It’s worth noting that the Open Banking Implementation Entity
(OBIE) has recently revisited the Open Banking standards
and has implemented a number of changes, with priority given
to customer experience when using services offered on mobile
platforms. For instance, the proposed introduction of app-to-app
redirection should create a seamless journey and improve
authentication steps. This suggests that the OBIE also believes
the promise of Open Banking is struggling to be fulfilled.
What’s next?
The aggregation platforms currently available are a respectable
start and likely to be widely replicated as they offer the consumer
a secure way of viewing large parts of their financial lives in one
place. That said, there remains a need for most providers to add
access to savings and loans to provide the consumer with a
holistic view of their financial position.
Amanda Boachie, Research Intern, 11:FS
About Amanda Boachie: Amanda is a Research Intern at 11:FS, who is a challenger consultancy working to shape the next generation of digital banking. Find out more by visiting The 11:FS website.
Edited by Sarah Kocianski: Sarah is Principal Research Analyst at 11:FS, and host on the 11:FS Fintech Insider, Insurtech Insider and Blockchain Insider podcasts.
About 11:FS: 11:FS are a challenger consultancy made up of some of the greatest minds in FinTech, united over a passion to make banking truly digital. They are also founders of self-service research platform 11:FS Pulse, which hosts thousands of real user journeys from fintech and financial services companies across the globe. 11:FS are also creators of the industry-leading podcasts FinTech Insider, Blockchain Insider, and Insurtech Insider. Find out more about the work we do on our website.
11fs.com
Beyond aggregation, this data could be used to provide advice to
customers on how they can better save and spend, or to recommend
products that would be well-suited to their spending habits.
The CMA’s requirements indicated that we should begin to see
payment APIs rolled out soon, including those that enable future-dated
payments and standing orders, allowing consumers to carry
out recurring payments without putting cards on file.
Payment APIs, if fully exploited, can radically transform retail
banking as we know it because they pose a threat to payment
schemes. They pave the way for bank-to-bank transfers between
merchants and banks, removing the need for merchant acquirers,
card schemes, and interchange fees, which in turn could result
in cheaper-priced products. Of course, this heavily depends on
customer adoption, which has yet to be tested.
PSD2 was implemented just six months ago, so we are witnessing
the beginning of what is to come. More functionality is needed
before we will truly see the benefits and customers get the products
and services they need and want. Additionally, a distinction should
be drawn between the mandated API set and the competitive API
set that banks can build. The first encompasses the APIs that
banks must provide according to regulation, namely Account APIs
and Payment APIs. In contrast, the second goes a step further by
providing APIs that provide access to other areas of retail banking,
for example integrating loans and credit card applications into
third party apps. Once banks move away from fulfilling minimum
requirements and look into building APIs that concern risk,
data, and identity management – as suggested by Adam Davis,
11:FS’ delivery manager – we’ll begin to see the competition and
innovation that the OBIE hoped for. Perhaps the most promising
option is for banks to collaborate with third-party providers, which
have the modern technology, in order to make the most of this
evolving landscape and offer exciting products and services to their
existing customers.
Pelican
Digital India – How Digital Identity and Open APIs are Driving Payments Innovation
Much has been written about the potential of Open Banking and
the transformative impact this will have on Europe’s payment
landscape. There are, of course, many uncertainties and
challenges. While Europe is at the start of this Open API journey,
perhaps some indications of the road ahead can be gained by
looking at India’s digital transformation experience over the past
10 years. The introduction of a digital identity system and an
open-API economy have truly revolutionised India’s payments
ecosystem and customer experience and highlighted the
transformative potential of Open Banking for Europe.
The Indian Stack
There are a number of drivers behind digital innovation in the
Indian economy, including challenging social issues (lack
of financial inclusion); fiscal pressures (tackling hidden and
un-taxed cash-based transactions); the opportunities afforded
by ubiquitous digital technology; and the national need to
develop a robust open banking infrastructure. India’s Unified
Payment Interface (UPI) enables anyone to send and receive
payments, including instant payments using their smartphone,
a web interface or at the point-of-sale, without the need to
know bank account information. This unified payment interface
links to all Indian banks and sits within a highly capable digital
infrastructure. This ‘India Stack’ is built upon an open and
interoperable API architecture, at the heart of which is ‘Aadhaar’,
meaning ‘Foundation’ – a unique digital identity reference
incorporating biometric data and validated personal data.
Digital identity
Aadhaar is approaching 10 years of operation in India and has
grown to become the world’s largest biometric-based ID system.
A validated Aadhaar ID can be linked with bank accounts, welfare
schemes and mobile phones, providing a strong trust anchor and
enabling instant, frictionless and secure payments. In reviewing
global digital identity schemes, the World Bank reported Aadhaar
to be ‘the most sophisticated ID programme in the world’.
Aadhaar provides paperless, online, anytime, and anywhere
authentication and is truly the ‘foundation’ of the Open API
Unified Payment Interface. This Open API architecture in India has
enabled a cashless and paperless digital economic ecosystem,
encompassing a paperless e-KYC process, a digital e-Sign
allowing Aadhaar holders to electronically sign documents, and
a cloud-based DigiLocker for issuing and verifying documents.
Interoperable API economy
The Open API and the fully interoperable digital economy in India
have transformed the payments landscape over the last decade.
The synergy of the India stack with the digital economy has
provided significant benefits for everybody:
• The government is able to ensure efficient payment of subsidies
to the rural poor without a bank account and to enable cashless
transactions – just with a thumbprint.
• Apps and services such as the e-wallet Paytm bring targeted
discounts to consumers’ phones.
• Google Tez (now Google Pay) & WhatsApp allow payments to
anyone without sharing any personal data.
• Telcos have been able to securely onboard over 100 million
customers within 6 months, revolutionising customer experience
and reducing the wait from 2 days to 5-15 mins.
• Smartphone and data usage is now one of the highest in the
world – 400+ million smartphones with 31 PetaBytes of data
usage per day.
• Mobile data rates have dropped to less than 5 cents per GBP,
further spurring the digital economy.
One area where there is a divergence between India’s digital
transformation and European open banking initiatives is data
protection. Specifically, the lack of a clear legal framework covering individual
data and privacy needs addressing, but India is catching up.
A right to privacy now forms part of the Indian Constitution, and
the government is forming an expert committee to chart out a data
protection framework in 2018.
Source: http://www.apnlive.com/india-news/wikileaks-says-cia-may-have-accessed-indias-aadhaar-data-officials-deny-it-25131
European lessons
So what lessons can Europe draw from the Indian example?
The interoperable API economy in India connects multiple
counterparties together in a secure and validated way, delivering a
customer experience that is simple and frictionless. This highlights
one of the key and fundamental challenges for European open
banking initiatives. The aim of PSD2 is to create a unified, innovative,
pan-European digital ecosystem for financial products, and
uniform interfaces are essential for ensuring low implementation
costs and promoting predictable, efficient and secure interactions
between banks, customers and third parties. However, although
the standards under which PSD2 should operate are defined in the
Regulatory Technical Standards (RTS), these standards stop short
of defining a communal API. An open banking-based economy
throughout Europe is an innovative idea with huge potential
but is hindered by the lack of a properly defined, common API
standard. This is limiting openness and defeating the principles
of collaboration and standardisation that sit at the heart of open
banking, and ultimately slowing down innovation and growth.
Way forward
The Indian digital transformation demonstrates the clear
advantages of a fully interoperable API ecosystem, connecting
identity validation, banks, government, third-party providers, and
retailers. The only viable way forward in Europe is the adoption of
an API interoperable ‘switch’ that can support the multiple existing
APIs across Europe, with the ability to harmonise and hide the
differences between various API protocols. Such an interoperable
API supports the multiple APIs for each existing regional, national
or individual standard – enabling a bank to be accessed not only
by its own published APIs, but also via other APIs in a transparent
and interoperable manner and delivering the frictionless ecosystem
that has benefited the Indian economy so dramatically.
About Parth Desai: Parth Desai is the founder and CEO of Pelican and PelicanPay. With over twenty-five years of expertise in the practical application of Artificial Intelligence technology to payments and compliance, Parth has a thorough understanding of Payments, Securities, Anti-Money Laundering and Risk Management.
About Pelican: Pelican provides banks and corporates with solutions that enhance, streamline and secure the payments life-cycle. With over twenty years of expertise in the practical application of Artificial Intelligence technology to payments and financial crime compliance, Pelican partners with its customers to deliver innovative and agile solutions and drive growth.
www.pelican.ai
Parth Desai, Founder & CEO, Pelican & PelicanPay
Holland FinTech
Towards Open Banking in Australia
Hot on the heels of Europe, Australia is set to implement open
banking as early as July 2019. So far, the Treasury Laws
Amendment (Consumer Data Right) Bill 2018 has been tabled in
parliament, while USD 44.6 million have been committed over four
years by the 2018/2019 Federal Budget to establish a Consumer
Data Right (CDR). Now it is up to the legislators and regulators to
decide on the final details and set up appropriate data standards.
How will the CDR shape open banking in Australia, and what will
it mean for consumers?
What is the Consumer Data Right?
The CDR was announced in July 2017 in response to several
inquiries that recommended that Australia develop a data
right and standards for customers to access and transfer their
information in a usable format.
This initiative comes at a time when the banking industry is under
a great deal of scrutiny in Australia. In December 2017, the Royal
Commission into Misconduct in the Banking, Superannuation
and Financial Services Industry began reviewing open banking,
at the same time as the Australian Government embarked on a
similar mission. This is not a coincidence: the Government hopes
that open banking will make the industry more competitive and
help combat widespread misconduct in delivering consumer
services generally.
Besides misconduct, the Australian rationale for embracing open
banking is similar to that of other countries that have implemented
it: banks don’t compete hard enough, small banks find it difficult
to grow, and consumers’ choice and control are limited in a banking
sector dominated by a few large companies.
As in Europe, the CDR will allow Australians to access their data
and direct banks to share their data with accredited third parties.
This includes banking, phone, energy, and internet transaction
data. It will initially be rolled out in the banking sector, followed
by the energy and telecommunications sectors.
Regulation and data standards
The CDR will be governed by a dual regulator model. The Office
of the Australian Information Commissioner (OAIC) will have
the primary responsibility for enforcing privacy safeguards and
external dispute resolution, while the Australian Competition and
Consumer Commission (ACCC) will play a strategic enforcement
role. Consumer complaints may be addressed to either body in a
“no wrong door” approach.
When it comes to the development of technical standards
applicable to all aspects of data transfer, including data formatting
and transfer, authentication, security and policy application, the
process is coordinated/guided by Data61. Data61 (part of CSIRO)
is the interim Data Standards Body. As their website explains:
“Data61 will facilitate this by developing open standards that
enable consumers to safely access data about them held by
businesses, and direct this information to be transferred via APIs
to trusted, accredited third parties of their choice”.
Differences to Europe
While Australia’s move towards open banking has been influenced
by regulation in Europe, especially PSD2 and GDPR, the legislation
is very different.
The CDR emulates the second Payment Services Directive (PSD2)
in that it opens the door to open banking by making it mandatory
for banks to share customer data with accredited third parties,
when requested by consumers. However, the CDR concerns all
sectors of the economy, not just payments or even finance.
The CDR also differs somewhat from the General Data Protection
Regulation (GDPR). Like the GDPR, the CDR contains principles of
data portability and making data available in a machine-readable
form. Notably absent from the CDR is the “right to be forgotten”,
for example, which the Australian Privacy Act does not cover.
Initially, the Open Banking review in Australia considered including
a “right to be deleted”, but did not recommend it in the end, due
to concerns about technical feasibility.
Nor does it seem that the ACCC’s digital platforms inquiry will
adequately address this issue.
The upshot is that Australian consumers will have the right to
share their data with companies, and can withdraw their consent
for the use of their data, but will not have the right to be forgotten.
Getting consumers on board
Commentators differ in their views on how open banking will
impact Australia, and who will benefit from it. Not surprisingly,
the fintech world is enthusiastic, with chair of Fintech Australia,
Stuart Stoyan, commenting that it will be a “game-changer for
consumers and businesses” and “drive a new wave of fintech
innovation and growth”.
On the other hand, Australian banks have expressed concerns
that data security breaches could damage their
reputations. They are not alone: consumers are also gravely
worried about their data security. In fact, Australians continue to
trust banks more than startups with their data. According to
Accenture, 53% of people don’t yet understand the potential
benefits of open banking enough to grant third-party providers
access to their data.
The media are working to educate consumers about open
banking. For example, a 2017 article in The Conversation explains
the benefits of open banking to consumers by demonstrating
how they will be able to use their data to access better, and more
personalised, financial tools.
These efforts to explain open banking are a good start, but need to
go further. To make informed choices and give informed consent,
consumers must be equipped to ask more hard-hitting questions
about their rights and risks. This means educating consumers
about the downsides of open banking as much as the upsides.
The limits of the legislation, the potential for security breaches, and
the risks of sharing data should permanently be among them.
About Erin Taylor: Erin is Research Lead at Canela Consulting, a research & strategic consulting firm specialising in research design & implementation, corporate culture analysis, advisory services, strategic direction, and program management. She has designed and implemented research on technology use, financial behaviour, and cultural difference in Europe and the Americas.
About Holland FinTech: Holland FinTech is an organisation fostering innovation within the financial services industry. Bringing together stakeholders in the ecosystem, from financial institutions to start-ups, Holland FinTech provides an array of services prompting a smarter and faster finance for tomorrow.
hollandfintech.com
Erin Taylor, Research Consultant, Holland FinTech
Kapronasia
Is Asia Ready to Embrace Open Banking?
Open banking readiness across Asia
Open banking is relatively straightforward from a technological
perspective. APIs have been around for decades, so we are
just leveraging technology to take an API from a bank and let
external parties use that API to access banking services.
What is not so straightforward is how APIs and open banking play
out from the business perspective. Much like real-time payments
when they first gathered momentum, neither the business model
nor who will be successful is entirely clear. Will third party fintechs
make banks nothing more than a utility? Will consumers use
third-party platforms enough to make a difference to the status quo?
Open banking is still very nascent globally, and it is still unclear
how everything will pan out.
Although Asia lacks the regional regulatory structure and
harmonisation that Europe has through the ECB and regulations
like PSD2, in some ways, Asia, and more specifically China, may be
a leading indicator of the future business model of open banking.
By any measure, whether transactions, assets, or valuation,
China’s fintech market is the largest in the world. Every day
millions of Chinese consumers use their phones to pay, invest,
book travel, or do any of countless other activities. The mobile phone
was always the center of their lives, but now it is the center of
their financial lives as well.
The two dominant players behind this massive shift are Ant Financial
and Tencent. Initially, these two companies were considered
‘financial services providers’ as products included not only payment
services, but wealth management, credit, and lending.
A decade ago, when these platforms were launched, the Chinese
government took a ‘wait-and-see’ approach to allow these
platforms to develop as they addressed several shortcomings in
the traditional financial industry.
The mobile payment platforms brought millions into the economic
fold. Merchants could readily accept digital payments, which
are safer, more transparent, and cheaper than handling cash.
Consumers loved the convenience and the near frictionless
experience.
Years ago, if you wanted to buy a wealth management product,
you would typically need at least CNY 10,000 (~USD 1,500)
to invest and would not see your money again for at least six
months. Digital wealth management platforms, like Yu’ebao from
Ant Financial, democratised wealth management by providing
options of very short duration wealth management products
with low minimum investments, opening up wealth management
products to an entirely new subset of investors.
Nowadays, consumers and companies can also very efficiently
access credit. With a trove of user data, Ant Financial and
Tencent can assess credit, often better than the banks, and lend
against that credit, giving both SMEs and consumers access to
funds that would have been nearly impossible to obtain from
a bank.
Therefore, in many ways, the financial products from Ant Financial
and Tencent have helped the industry grow and innovate.
However, at the same time, the companies were growing very
rapidly, which was becoming somewhat anti-competitive in the
market and risky as more assets were tied up in these companies.
As the government shifted from their ‘wait-and-see’ approach to
a more proactive regulatory approach to fintech, over the past
few years, they have focused on limiting the size and scope of
some of these fintech businesses.
Because of this shifting market sentiment, both Tencent and Ant
have made the conscious decision to focus on the technology
aspects of the business model and leave the ‘finance’ to the
traditional banks.
Today, when MyBank, Ant Financial’s digital-only bank, gives out
a loan, they use their technology and data to rate the borrower,
but they syndicate that loan out to one or many different banks.
The loan is then issued and sits on the banks’ books.
Zennon Kapron, Founder and Director, Kapronasia
About Zennon Kapron: Zennon is the Founder and Director of Kapronasia and has been involved in the financial technology industry for over 20 years covering all topics financial technology and digital currency. Before Kapronasia, Zennon was the Global Banking Industry Manager for Intel and the CIO for Citigroup Portugal.
About Kapronasia: Kapronasia is a leading provider of research and consulting services on Asia’s financial industry including banking, payments, capital markets and crypto-currency. Kapronasia helps clients make sense of the world’s fastest growing financial industry.
www.kapronasia.com
In many ways, this is a natural evolution of the industry; the
fintechs provide what they are good at, the tech, and the banks
offer what they are good at, the balance sheet.
Similarly, both Tencent and Ant Financial now also offer SaaS
services for banks. Many small and medium-size banks will use
services with the Ant Financial Cloud to quickly ramp up their
technology infrastructure. Both companies provide everything
from basic core banking functionality to more sophisticated
financial product syndication.
Across Asia, we are seeing multiple Open Banking and API
initiatives, most notably in Hong Kong, which has very recently
published standards. Similarly, in Singapore, the Monetary Authority
of Singapore (MAS) published a set of APIs in 2016 followed shortly
by Singapore’s main banks. Both of these initiatives are government
driven in close cooperation and consultation with the industry itself.
As Europe is already on the path of open banking, Hong Kong and
Singapore can benefit from the lessons learned, but again, the
challenge with open banking is not the technology, but what do
you do with it? How do you make a business out of it?
Although the conditions and scenario in China that allowed these
fintech giants to grow were unique, it is an excellent case study
in how cooperation between fintechs and financial institutions
can work, especially as the rest of the region and world moves
towards an open banking environment.
China’s banks saw Ant Financial and Tencent as competitors,
capturing a significant amount of retail payment and wealth
management flow. Today, they have reached a symbiotic relationship
where both parties leverage their strengths to provide a better service
to clients, which needs to be the primary focus of open banking.
So although Asia might not be leading in actual open banking
initiatives, it could still be defining the future of where things may
go and what the business model looks like. Led by banks all over
the region like DBS, Macquarie, and NAB, there are big changes
happening in redefining banking.
Holland FinTech
How Banks Are Preparing for Openness in Europe and Asia Pacific
A wind of change
The last few years have witnessed the rise of open banking on a global
scale. In Europe, the definition of what a service provider is and does
has become more flexible. The enforcement of the Payment Services
Directive 2 in January 2018, which obliges European banks to open
their Application Programming Interface (“API”) to other financial
institutions, means that small companies can better compete with
large banks. As a result, the groundswell for competition among
banks, fintech companies, and telecommunication firms continues
to intensify as the EU regulator responds to the digital disruption the
industry is facing.
Moving across to Asia Pacific, the Monetary Authority of Singapore
has recently endorsed guidelines for commercial banks for
identifying and developing APIs. At a glance, Singapore seems
to be driving the regulatory transformation in the region in the
absence of a single harmonised payments zone or regulatory
mandate, with other countries championing a market-driven
approach.
This paper assesses how banks are approaching openness in
Europe and the Asia Pacific, based on the factors of regulatory
compliance and market-driven entrepreneurial initiatives.
Regulatory compliance and beyond
In Europe, important initiatives have come from the French
and Spanish market-leading banks, Crédit Agricole and BBVA,
who launched their API marketplaces even before regulatory
mandates. These steps were followed by Nordea, when the bank
launched nordeaopenbanking.com in 2017, reaching more than
700 companies shortly after, as shown by Jarkko Turunen in
The Paypers Open Banking and APIs report 2017 (page 40).
The Dutch pioneer ING accelerated this movement by launching its
marketplace for SME financing open to external financing providers,
thus expanding its financial asset management services offered
to customers. On the other side of the North Sea, we witness an
effort toward creating industry guidelines fostering competition and
innovation, that is, the Open Banking Implementation Entity,
by the UK’s Competition and Markets Authority.
A study conducted by Bain & Company, Salesforce
and MaritzCX (published in February 2018) presents various
technical considerations that British banks should take on board
when coordinating their business around the changing needs of
customers in the realm of open banking. These considerations
include unifying the accountability for the underlying resources
needed by each customer, cutting silos of activity into its
components by setting a common set of customer needs and
episodes, and simplifying process architecture and governance to
shorten time to market. The report also indicates various strategic
approaches of the forward-looking UK banks, including partnering
with third-party digital platforms, investing in new data and
service providers, and actively engaging with current customers
to ensure that the bank remains as their first choice. A survey
from Deloitte reports that 27% of European banks are in the
early implementation stage of PSD2, while 16% of them are in an
advanced stage of implementation. Also, according to the survey,
more than half of the respondents reported not having a budget
assigned for preparing for PSD2 from a strategic perspective,
while many have reported to have at least considered their
strategic situation. A robust demand for common standards is
revealed by the large number of banks who are eager to participate
in a collaboration to define a collective approach for third party
access, which can be interpreted as an acknowledgement that
standardisation will foster overall success in the industry.
Moving on to the situation in the Asia Pacific, the Monetary
Authority of Singapore is pioneering a regulatory framework
that favours a market-driven approach, and the API
playbook issued by the Authority adds to that claim. On the
other hand, Malaysia’s central bank believes that open
banking catalyses competition, broadens access, and fosters
innovation in the sector. A pioneer bank in the country, Maybank,
has organised hackathons, and is welcoming fintech companies.
Similarly, Thailand enjoys a fintech friendly environment. A local
bank, Kasikorn Bank, has recently launched a +30M venture
fund for start-ups in the region. Moreover, the Bank of Thailand
has encouraged standardisation of a code payment scheme,
initiating a regulatory sandbox environment. In Indonesia, Bank Central Asia has initiated a sandbox
environment.
About Asli Seven: Asli Seven is a Research Analyst Intern at Holland FinTech, driven by the organisation’s mission to empower people to build the future of financial services and fintech solutions. Her fields of interest include decentralized financial systems, regtech, data protection & privacy.
About Holland FinTech: Holland FinTech is an organisation fostering innovation within the financial services industry. Bringing together stakeholders in the ecosystem, from financial institutions to start-ups, Holland FinTech provides an array of services prompting a smarter and faster finance for tomorrow.
hollandfintech.com
Asli Seven, Research Analyst Intern, Holland FinTech
What’s next?
The data laid out above indicate that banks in Europe and the
Asia Pacific region are engaging with open banking in ways
that exceed the requirements of regulatory compliance, and are
reaching towards entrepreneurial initiatives, which include simplification
of technical infrastructures and various strategic considerations.
Moreover, there is a positive correlation between the number of
open banking initiatives and the level of regulatory intervention.
This is visible through a comparison between Europe and the Asia
Pacific region, as well as among different countries within the
same region. However, to claim that regulations and guidelines
positively affect the promotion and initiation of open banking may
be an overstatement at this point, given the limitations of the data
above. Furthermore, the analysis of the growing body of empirical
research does not clearly answer the question of whether
regulation has a positive effect on innovation or not.
Finally, the evidence further suggests that in the absence of a
regulatory mandate, open banking in the Asia Pacific region is
driven by creating new revenue channels and market competition.
This can be seen most clearly in the banks initiating entrepreneurial
steps toward an open fintech environment.
Opportunities for Banks and Third Party Providers in Open Banking
The entry into force of PSD2 in January 2018 encouraged financial institutions to create new products and business models aimed at creating deeper relationships with customers and at generating new revenue streams. This section describes the various ways of turning to advantage the opportunities of Open Banking.
Token
Open Banking Means Business
Most organisations have yet to build a clear picture of their long-
term future in open banking, including many banks. As dawn
breaks on PSD2, the majority are focusing on compliance, API
development and bank-to-bank integration. One or two are
dipping their toes into data aggregation, with a view to displaying
a customer’s complete financial information in one place.
Compared to what’s possible, however, this is a dangerously
narrow focus. Zeroing in on just one or two use cases discourages
broader exploration of how open APIs can be used to create new
services, power new revenues, and deliver the digital customer
experience that’s now normal elsewhere.
Two-sided ecosystem
Open banking is creating a two-sided ecosystem. Banks sit
on one side. Everyone seeking API access to banks, including
merchants, developers, other banks, consumers and payment
and data TPPs, sits on the other. The middle ground, conventionally
inhabited by clearing houses, payment schemes, processors and
other authorising service providers, is no longer needed. ‘Bank-
direct’ engagement is the order of the day and transactions (in
the form of either payments or data) can now occur automatically,
instantly and at a fraction of the conventional cost. When viewed
like this the true power of open banking becomes apparent.
Figure 1: Open banking has created a new two-sided ecosystem
New use cases
The payments industry is currently alight with talk of ‘embedded
commerce’. Well, with the right open banking partner, merchants
can integrate an instant bank-direct payment gateway into their
e-commerce checkouts and deliver the secure and frictionless
embedded commerce experience while axing the cost of their
payment acceptance by 50%. This is just one compelling example
of many, and one that Token has already delivered for travel money
and foreign exchange leader, Caxton.
Personal financial management apps can evolve into genuine
multi-banking platforms, giving the customer much more than
a consolidated view of all their financial products. They can
empower the customer to manage all their affairs from that
one place – adjusting transfers, setting up recurring payments,
settling bills and credit card debts, and sweeping funds between
accounts instantly, regardless of institution, time, and location.
Soon, AI services will make better use of this aggregated data by
automating some of these activities according to rules defined
by the customer.
Elsewhere, the reduction in the cost of payment acceptance
could make a previously unfeasible micropayments service for
IoT and other connected devices a commercial reality. It could
be delivered by a bank, it could be a TPP.
And therein lies ‘the problem’ for banks. Open banking enables
services that could once only be delivered by them, to now be
delivered by others.
But is that really a problem?
A matter of perspective
Everywhere, customers of banks – be they consumers, merchants,
businesses or other banks – are calling for better digital transformation;
for faster, cheaper, more convenient and more innovative
digital services. PSD2 and open banking are every bank’s chance
to deliver. The global successes of Google Play and Apple’s App
Store show that an enabled and well supported community
of developers can deliver more and better apps than any company
can achieve in isolation. In the same way, by supporting TPPs with
easy API integration and data availability, banks have a chance to
be the architects of their own transformation.
About Marten Nelson: Marten Nelson is co-founder and CMO at Token, a Silicon Valley based technology company, focused on building a global open banking platform that helps banks generate new revenues. Marten is a widely experienced technology entrepreneur/executive. Token is the third company he has founded.
About Token: Token’s universal open banking platform, TokenOS™, allows banks and third parties to interact in a digital global financial services ecosystem. TokenOS provides one API to access all banks in Europe, with the tools to deliver best-in-class data and payments use cases, and better open banking propositions.
token.io
Marten Nelson, Co-founder and CMO, Token
One API to rule them all
The real problem banks face is how to get going. A lack of
standardisation is preventing the mass interconnectivity that PSD2
was designed to generate. Of the APIs now available, only a handful
of banks in the UK and Ireland are using the same one. They are
only doing so because the UK regulator required them to and, even
then, each bank has implemented the standard differently. This is
bad for everyone: it increases costs and complexity at each bank,
opens the door to insecure solutions, which expose banks and their
customers to unnecessary risk, and it hinders adoption by software
developers who only have bandwidth to write to one or two open
APIs. Today, Token is the only FCA registered payment and account
information service provider that can offer API access to any bank
in Europe. It is also responsible for the first third party-initiated
open banking payment in history. In time, billions will follow.
Identity-based commerce
At the heart of the open banking revolution is the business of
transaction authorisation. With open banking APIs, a bank’s ‘power
to authorise’ could extend beyond payments and into digital
authentication and ID. ‘KYC-as-a-Service’ has huge revenue
potential for banks that reposition themselves as guardians of
customer identity. Banks could authorise customer logins for digital
services in the same way they handle payment authorisations.
Today’s ‘Login with Facebook’ or ‘Login with Google’ – a lucrative
practice known as federated authentication – is still underpinned
by the same shared secrets model as old-world bank security. With
the right open banking platform, banks could dramatically increase
the security of digital services everywhere by performing this
service based on their KYC-enrolled customer data. This is another
example of how a bank can quickly reposition for new services,
generate new revenues and break into new markets. How many
other opportunities are out there? In truth, no one knows. But with
the cat out of the bag, it’s only a matter of time before we find out.
48 OPEN BANKING REPORT 2018 • OPPORTUNITIES FOR BANKS AND TPPS
Worldline
The Revolution of Open Banking and the New Opportunities for Banks
Faced with the transformation of the regulatory and competitive
landscape, a broad change in the retail banking industry is
taking place and new financial services are emerging. Like other
industrial sectors, such as telecom, retail or public transportation,
the historical services of banks are gradually being relegated to
the convenience stage, forcing the banking industry to reinvent
its businesses beyond simple financial services.
The entry into force of the PSD2 in January 2018 encouraged
financial institutions to create new products and business models.
There are plenty of ways to exploit the opportunities of Open
Banking, whether the bank’s strategy is reactive (with the exposure
of regulated APIs), defensive (aimed at generating new revenues
through the monetisation of proprietary APIs), or offensive (with
the creation of new financial and non-financial services).
Although complying with PSD2 requires a massive effort from
banks, with strict security requirements for electronic payments
and data processing, it also offers them the opportunity to move
into a whole new central position in future financial and non-
financial services.
In fact, Open Banking is not only a matter of regulatory compliance;
it is a way to unleash the value of data – in this case, but not only,
banking and payment data – and it has the potential to create a
new type of economic model for banks as well as for other parties
playing a role in the payments landscape.
In this context, banks can position themselves solely as providers of account
access to third parties or choose to make the most of this
opportunity by developing new applications themselves to
compete directly with these new third party players. For example,
they could add new offerings to their portfolios, such as digital
identity services, API-based lending or risk management solutions.
Under certain conditions, PSD2 forces banks to share data and
services that were previously reserved for their exclusive use.
However, this constraint actually paves the way for innovation
in the banking industry, while investing in customer relationship
and user journey.
What is more, Worldline believes that PSD2 has the potential to
stimulate the adoption of Open APIs in the European market and
to give rise to new business models – therefore strengthening
competition. Opening access to bank accounts could lead to
an explosion of new innovative services; banks can benefit from
this dynamic environment by positioning themselves in a timely
and proactive manner and taking full advantage of Open Banking
supported by Worldline’s solutions.
Mastering the digital transformation that this new context brings,
while facing all opportunities and related risks, is the key for
success and Worldline understands this prowess.
With more than 45 years of experience in securing electronic
transactions in the payment ecosystem, Worldline supports
businesses to address their PSD2 challenges, as well as their
need for innovation through its Digital Banking Platform, acting
not only as a technical service provider, but also as a trusted
strategic advisor.
The platform, winner in the API category of the PayFORUM
2018, provides a large and flexible range of services that
enables customers to maintain competitiveness by facing 3 main
challenges:
• innovate faster while reducing costs to enrich existing services;
• partner with the best fintechs to renew customer interest;
• generate new revenue streams.
Digital Banking Platform services structure
Beyond basic compliance, Worldline’s goal is to support financial
institutions in their Open Banking strategy by providing an extensible
platform to innovate faster while reducing costs and create new use
cases in an omnichannel approach (like new customer onboarding,
personal finance management, loan subscription, financial assistant,
among others).
The flexible and modular WL Digital Banking Platform provides the
back-end that supports fast channel development. As a service
layer, composed of a collection of business enablers, the digital
platform allows simple data coming from the bank information
system or third-party to be processed, valued, and properly
displayed on mobile or web applications.
Each of the solutions provided by the platform can be deployed as
standalone or combined with others to suit the specific business
type, strategy and goals of the customer.
Some of the many services include:
• daily banking: consultation of accounts and loan / insurance
contracts, transfers (e.g. SEPA, including instant payment), P2P
payments, secure messaging;
• self-service banking: modification of card limits, mobile wallet,
alerting, subscription to online products, trade order management
& stock data;
• security: Strong Client Authentication, Risk Based Authentication,
fraud and litigation.
New revenue streams will evolve, and TPPs – being banks, telcos,
retailers, insurers, or any other type of company – can benefit from
this dynamic environment – if they position themselves in a timely
and proactive manner. The API economy is proving to us, more
than ever, that choosing the right strategic partner is crucial.
For this reason, Worldline and equensWorldline, its subsidiary and
payment services leader in Europe, offer a comprehensive
suite of services and solutions to reduce and manage any of the
Open Banking complexities.
Mathieu Barthélémy, Product Manager of the Digital Banking Platform, equensWorldline, a Worldline company
About Mathieu Barthélémy: Mathieu has been working at Worldline in Digital Banking teams for more than 10 years. He started as a software engineer before spending a number of years as a team leader in Mobile Banking Apps. Currently, Mathieu is the Product Manager of the WL Digital Banking Platform, the solution designed to support Worldline’s customers in their Open Banking strategy.
About Worldline: Worldline is the European leader in the payments and transactional services industry. With nearly 45 years of experience, we are a highly innovative pan-European company with global reach, providing secure payments and transactional services covering the entire payments value chain. Our next-generation, omnichannel, end-to-end solutions provide seamless transactions for Merchant Services, Financial Services and Mobility & e-Transactional Services.
About equensWorldline: equensWorldline is the pan-European leader in payment services. Being part of the Worldline Group, we combine long-standing proven expertise in traditional mass payment systems (issuing, acquiring, intra- and interbank payment processing) and innovative ecommerce and mobile payment solutions.
worldline.com
ONPEX
How does ONPEX position itself in the open banking and payment ecosystems and what customer segments do you serve?
We provide a modular platform with full banking functionalities
and offer this as Banking-as-a-Service to our clients. The functionalities
include everything that you normally expect from banks,
like issuing IBAN accounts, local and cross-border transfers
like SEPA and SWIFT, handling 25 currencies, managing cash,
payment flows and foreign exchange in one centralised place
powered by API-driven technology. Our aim is to enable simplicity,
transparency, and automation in payments and banking.
What is our approach to open banking? We offer what banks
offer – through simple APIs. Our client groups are regulated
financial institutions and non-regulated corporates. For financial
institutions, such as payment institutions, e-money issuers, or
even fully regulated banks, we help them structure their payment
flows or design their own banking or financial services. This could
be either an e-wallet provider that wants to make his e-wallets
bankable or a card issuer who wishes to add an IBAN to every
card that he issues. With regards to banks, their legacy core
systems are mostly linear, which means this does not allow them
to build structures relevant for providing solutions to marketplaces
or PSPs. Therefore, we have banks approaching us to use our
white-label system in their name to set up account structures
and handle payments on behalf of their clients and their clients’
clients. Our non-regulated clients, like marketplaces or resellers,
use our compliance setup and license services to collect and
distribute payments under a regulated umbrella. They are also
enabled to create their own financial services as we mainly
operate in the back-end offering of the whole engine, the platform,
the regulation, the infrastructure, and the clearing services.
How can businesses and banks benefit from a collaboration with ONPEX?
Businesses benefit from our vast IBAN issuing capacities. Let’s
take a phone service provider. In order to avoid reconciliation
issues with invoice payments and numbers, they could give every
customer an IBAN for directly reflecting the customer’s balance
with the phone service provider.
Another benefit: Real-time transfers. Large multinational
conglomerates, for example, are enabled to make cross-border
payments with ONPEX accounts within seconds. One of our
clients operates in Alipay settlements; we receive these incoming
funds, which are normally sent out of Hong Kong and they clear
same day with us. This means that the Alipay Payment-Service-
Provider can then settle within minutes towards their merchants.
We do not only supply IBANs, we also add multi-currency
capability integrated into our Banking-as-a-Service. A great
benefit is that all these processes can run in the back-end, behind
any kind of online banking management or app front-ends and it
can be used through the APIs.
Could you give an example of a customer success story?
We have many fund collection services. For example, Amazon
sellers that receive payments through ONPEX accounts opened in
the name of their marketplace participants, have access through
an online banking interface and can directly pay their vendors
or transfer these funds into their regular business accounts
wherever they are – China, Hong Kong, and so on.
We also collaborate with a large FX service provider. This provider
is using Goldman Sachs as their liquidity pool, but for incoming
and outgoing transactions, they use our IBANs and payments
capabilities. Their clients do the wires into ONPEX accounts in
the name of the FX provider and, subsequently, the FX provider
pays out the respective clients. In between all the cash transfers,
the large volume transfers between Goldman Sachs and the
FX provider is handled on our platform. It’s all about the same
product: IBAN accounts with multi-currency support and API
accessibility that can help every business accelerate.
What are your PSD2 compliance and KYC/AML strategies and how do they differ from what is now on the market?
With regard to PSD2, we are fully compliant, including two-factor
authentication, access to accounts and so on. Our regulator
CSSF has re-authorised ONPEX under PSD2.
Christoph Tutsch, Founder and CEO, ONPEX
About Christoph Tutsch: Christoph is the founder and CEO of ONPEX. He started the company with the goal to provide businesses with a simple solution for online payments and banking. As payments expert, he saw the need for a solution to manage all financial processes in one single platform.
About ONPEX: ONPEX helps businesses build their own financial services. We provide multicurrency IBAN accounts and acquiring powered by a flexible, API-driven BaaS platform to create simple, compliant, and cost-efficient payment and banking solutions. As a Luxembourg CSSF-regulated payment institution and institutional SWIFT member, ONPEX focuses on improving the automation, transparency and efficiency of payment and banking transactions.
onpex.com
Concerning RTS of PSD2, these are rather framework standards,
not technical ones. In the process of developing our platform, we
already anticipated these standards and implemented Access to
Accounts as a feature, all while the industry was waiting to define
technical standards that enable banks and service providers to
connect. Our platform can adapt to any new requirements as it is
based on an extremely flexible, modular API.
Regarding KYC/AML strategies with AML4, the rules are more or
less the same for everybody in the game. It is very strict here in
Luxembourg, as CSSF puts a close eye on KYC so that everyone
is in line with the requirements.
We have a seamless process of identifying all our clients and the
clients’ clients, including the work- and fund-flows, because every
transaction is processed through our platform. We see the sender
and receiver, we have automated screening implemented of all
counterparties and, therefore, we feel comfortable with what we
have implemented and what we see coming with AML5 and 6.
Can you give our readers more insights into your API-first technology?
Our platform is completely information and third-party API
agnostic, being a fully modular scalable micro-service architecture
in a cloud-based environment. Our clients decide what kind of
modules they need and they only pay for what is used.
All functionalities – like multi-currency management, ePayment
transfers or onboarding – are possible through the API. Later this
year we will add cryptocurrency capabilities as well. That means
that we have a direct interaction between conventional currencies,
crypto assets and smart contracts.
Whatever will be available in the future regarding digital assets or
value exchange, as soon as we connect the API and clearing, the
respective currency or asset would be available. Therefore, the
platform is steady and strong, and we are looking forward to what
the future brings.
Volante Technologies
Nadish Lad from Volante Technologies discusses how firms
can become PSD2 compliant while also preparing for commercial
opportunities within the new Open Banking economy.
What is the current state of the PSD2 landscape? What is the timeline for open banking for the second half of 2018 and through 2019?
At the moment, the focus is on becoming compliant with the
PSD2 regulations, which came into effect as of 13th of January
2018. This is then closely followed by working with the security
measures as outlined in the Strong Customer Authentication
(SCA) and Regulatory Technical Standards (RTS) which are
applicable 18 months after the date of enforcement of the
RTS. Currently, most of the banks are focusing on meeting the
compliance standards and deadlines. There are, of course, many
different models and solutions evolving, but at this moment,
compliance is a key driver in the adoption of open banking.
Looking ahead to 2019, we expect tier 1, tier 2, and tier 3 banks
to be ready with their solutions and we will begin to see new and
exciting use cases within open banking.
What challenges are banks facing when implementing open banking? How is Volante helping financial institutions overcome these challenges?
Generally, tier 1 banks have started implementing in-house
solutions. Some of the challenges that these tier 1 banks face
are tied up with their legacy technology. Therefore, their key
challenge is to implement quite a few changes in their complex
ecosystem. On the other hand, for smaller banks (which have a
smaller number of systems), the main challenge is the business
case for running a technology program to implement this
regulation with very little plan for an ROI.
Yet there is one problem which remains the same for all the
banks. Even though everyone talks about APIs, the challenge,
at a conceptual level, is not about creating and exposing APIs.
It is about fulfilling the functionality of the API in a simple user
experience to make the user journey as smooth as possible.
Adoption and momentum will begin only when the use cases and
the user journey are seamless.
Open banking and PSD2 are trends that will certainly grow.
Therefore, it is important to ensure that you are ready from a
compliance perspective, and that you also understand why the
open banking concept has been introduced. Volante is working
closely with banks to not only provide compliance but also
flexibility for the future.
How is Volante enabling banks to adopt new API-based technologies regardless of their current infrastructure?
Volante provides an out-of-the-box PSD2 solution designed for
all banks no matter their size. This has been of particular interest
to the smaller banks who are looking for a solution that makes
them immediately compliant with minimum cost and time taken
to implement.
The same solution also works for the tier 1 banks. They do not
want to re-engineer their back-end payment systems to handle
API-based payment orchestration and processing. The solution
acts as a strategic pre-processor, supplementing their existing
payment workflows. It provides the flexibility in the back-office
for an effective, seamless payment processing user journey,
in a very cost-efficient and timely manner. This way, not only
do banks become compliant quickly, but they also build the
foundation for a much wider adoption of open banking and new
potential revenue streams.
What are the strategies out there for banks looking to adopt open banking capabilities and meet open banking demands? What options are available to them?
The strategies for all banks depend on their size, geography, as
well as the customer base they serve and more. The key aspects
around open banking demands, for now, are related to achieving
compliance and planning for commercialisation.
Volante is working closely with banks to not only quickly provide compliance but also readiness for the developing open banking economy
About Nadish Lad: Nadish heads Volante’s Payments Products. He has over 20 years of design and advisory experience in payments and related areas such as: funds check, liquidity, FATF, FX and sanctions. Nadish started his career working on cheque Payments within the UK and has worked with leading banks and organisations implementing core payment products.
About Volante Technologies: Volante Technologies enhances business agility in 80+ financial institutions and corporates globally. Volante’s solutions, including VolPay Suite of payments products and Volante Designer, promise rapid implementations in payments on-boarding, pre-processing, processing, clearing and financial message integration. With our out-of-box software, extensive automation, configuration rather than coding and inbuilt testing, we deliver significantly accelerated implementations for large or small projects.
www.volantetech.com
Nadish Lad, Head of Payments Products, Volante Technologies
It’s relatively easy to be compliant today by putting your trust in
a strategic piece of software, which enables you to grow your
business. However, the revenue stream can also be improved by
introducing new products and entering new markets, new customer
bases and new segments – for example, paying a taxi service
through a current account, providing your bank statements for a
credit check or partnering with players in the fintech world. Thus,
it’s not just about becoming compliant, but setting the foundation
for wider usage and a new business or a new product line.
What is the future roadmap of open banking and where do you see the major use cases and new propositions going forward? How can banks get revenue on the investment in open banking?
Open banking on its own is not what one would call a revenue
generator. However, it will be the enabler to build new products
which enhance your customer’s experience. You need to provide
real-time experience within your back-end to accompany it, which
is what APIs provide - real-time, ease of access and more. If your
back-office is not supporting a real-time scenario, the whole
customer experience falls through. Once you are able to achieve
productivity in the backend, you can start tackling some of the
problems with payments, such as lack of transparency or lack of
speed and transformation.
BankiFi
Tangible Value in Open Business Banking for Banks and Entrepreneurs
The road to Open Banking and the general merits – as far as
we can see them today – are fully documented and are starting to be
understood – in degrees – by the industry participants. But once
we go beyond the ideation, the sandbox and we start pulling
the ideas off the page and into the business, one big question
prevails – how do we turn this idea into a viable business? As the
customer journeys and drawings get condensed into management
summaries and boardroom proposals, that question comes more
to the fore. Banks do appreciate that their service to the business
customers has been product-driven, inflexible and, in fairness,
often below par. As fintechs appeared offering niche, attractive,
easy to manage and often cheaper alternatives for lending,
financing, currency exchanges and more, business users started
to meander through this unconnected forest of parties vying for
their business. As the fintech community grew, businesses were
inundated with choice, offering benefit, but also adding complexity
and still not offering an integrated overview on the financials of
their business, actionable insights and access through the two
channels they know and work with: their accounting package and
their bank account.
A bank operated market place for business
If you ask any entrepreneur, they will agree that the juggle
between focus on the business and the time to be spent on
finance and other support services is seen as a necessary evil.
SME owners in particular appreciate the financial insights that
help them to manage their business but not the ‘hard way’ to get
access to those. Cumbersome, in a myriad of places, in multiple
bank accounts, in short – dispersed, unconnected, and not made
for a 24/7 life on the move. Because of PSD2, banks can now
service their customers in a multi-bank setting with consented
access to other relevant data, such as held in the business’
accounting package. Payments on behalf of, invoice payments,
cash forecasting, pooling and sweeping, factoring and lending
can be offered in an open eco-system, made up of a bank’s own
services and those hosted in the app store.
Cash management akin to full corporate treasury solutions can be
offered by the bank by combining data of the account package
with those held at various bank accounts. This offers the business
owner a real-time cash position today and, more importantly,
based on supplier obligations and expected receivables, a cash
forecast into the future. Credit can be offered on a need-basis (for
a few days not ongoing), sweeping, or invoice payments. All from
the device of the business user’s choice; in and during his busy
working life. Lower cost, more choice, connected view, relevant
tips through one partner they know, need – if not like – and trust.
The bank as a TPP – fee-based revenue from other banks’ customers
Throughout the Open Banking debate we hear suggestions that
we will face thousands of new Third Party Processors (TPPs)
who will overnight take business away from banks. Really? There
are three main impediments to this being the case. Firstly, these
organisations need to be regulated to provide either AIS or PIS
services. Secondly, they need to have very, very deep pockets
for a marketing budget to get customers to know who they are.
Last but not least, there is the issue of trust – we are coming to a
viewpoint that most big-techs have the same interest as banks
and are, as such, not really different.
If banks take the opportunity to act as TPPs themselves, they have
the opportunity to understand what their business customers do
with other competitive banks, and fintechs.
About Mark Hartley and Conny Dorrestijn: Mark is a renowned innovator and thought leader on Payments & Open Banking and Advisor to the Board of Nationwide Building Society. Conny is a frequent speaker at fintech events and a non-executive board member at a number of fintech companies, Holland FinTech and a Global Innovation Awards Judge at BAI (US).
About BankiFi: BankiFi (UK, NL) offers financial institutions a consent centric platform with business banking solutions that enables banks to become a TPP and as such go ‘beyond an open experience’ promise with relevant offerings to their business clients & developer community such as: Consent as a Service, Pocket Treasurer, Sandbox etc.
www.bankifi.com
Mark Hartley and Conny Dorrestijn, Founding Partners, BankiFi
Open Banking, Open Data, and GDPR enable banks to offer their
customers much more meaningful services built on consensual
access to customer data that can be combined and analysed to
help them choose the right products and services. Moreover, banks
could truly act on behalf of the business customer, rather than
simply trying to sell them one of their own manufactured products.
Business customers, in particular, have the common sense to
recognise and appreciate value. Thus, banks can generate fair
fee-based income by charging flexible rates for those services and
insights to the fintechs that use the bank’s app store as the last mile
to the customer.
And the winner is…
The critical success factor for Open Banking is trust, and a key
driver to building trust is ensuring data is not lost or stolen, but
that it is also only used for the purposes that customers “allow” it
to be used for. Consent becomes the key service enabler for trust.
In summary, alongside the customer, banks are in a great position
to be the winners of Open Banking, but that requires them to realise
the opportunity and look towards and even beyond the medium
term and not see Open Banking as yet another compliance issue,
but as a genuinely great opportunity for them to service their
business customers properly. From custodians of money to data
and, finally, trust – everyone (finally) wins.
SDK.finance
Speeding up the API Journey Is Imperative for Banks’ Success
There has been tremendous growth of API use by companies in
the ecommerce, cloud computing, mobile and social media industries
over the last 20 years that I have been involved in IT development.
Google, Amazon, Facebook, are all the results of their well-
orchestrated API strategies. According to the Harvard Business
Review, Expedia makes 90% of their revenue through APIs,
while Salesforce around 50%, which is USD 9,1 bln and
USD 4,2 bln respectively in 2017. These facts made me question
what strategic plans banks have elaborated when it comes to
the use of APIs and what ROI they expect to get from their
implementation. Interestingly, although 4 years have passed since
PSD2 was released, the published terabytes of articles
punishing bankers for reluctance to change, and thousands of
white papers offering the canvas for strategy implementation,
have revealed too much talk and too little action.
The true situation with banking APIs
Though in Europe there are more than 6000 credit institutions,
banks, financial companies, and more, top payment consultancy
INNOPAY has listed only 32 top banks that work with open
APIs. We have used those 32 institutions in our research,
and the first thing we did was to study their API developer
portals. We found out that only 2 out of 32 comply with a certain
standard. By the standard we imply that developers, who are the
end-users of APIs, can build the products they need in a fast and
hassle-free manner.
The key characteristics of a good API are:
• rich core banking API functionality;
• fast and easy onboarding processes;
• good documentation and working source code examples for
major programming languages;
• a marketplace or an application constructor.
If we go below the standard, and sacrifice the marketplace
availability, we will come up with 8 banks, which means 25% of
the top listed banks. So what is going on with the rest? It seems
like they are in the early stages of their API journey. They don’t
go far beyond transaction history and P2P transfers, meaning a
“check-the-compliance-box” approach. What they also have in
common is the basic and simple format of API calls. But these
basic features are accompanied by some drawbacks; we name
the most common:
• basic 404 and similar error pages, which means the absence of
basic testing procedures;
• API documentation in badly formatted PDF files;
• lack of account activation or no developers’ API keys;
• the requested registration form needs to be filled in and sent by
e-mail rather than submitted from the registration form;
• documentation provided only in the local language (French, Finnish,
Spanish);
• lack of working examples;
• lack of community support/poor communication;
• long response time for support requests.
None of the banks reveals the performance (transactions/minute),
which one can only obtain via direct communication. We have
measured the response time via email and it ranges from
20 minutes up to 6 hours with the majority of banks; others were
either very slow to respond or have not responded so far.
Obviously, since only 25% of banks in our sample are compliant
with Open Banking requirements, with the rest having a shallow
understanding of the initiative, change happens slowly.
However, by now, there are banks ready to step into the API
economy, such as BBVA and Starling. And obviously the majority
of banks are not incentivised to pursue any changes, indicating
that the bankers do not grasp the essence of the API concept.
API use cases in banking
If used internally, APIs can reduce operational or technology costs
by simplifying and accelerating development. For instance, as
shown by McKinsey, the use of APIs internally by a bank reduced
traditional product-development IT costs by 41% and led to a
12-fold increase in new releases. What if the traditional way of
customer acquisition which is CPC (cost-per-click business model)
can be replaced by CPA (cost-per-action) as used by Expedia?
About Pavlo Sidelov: Pavlo Sidelov is the CTO of SDK.finance, a core payment platform based in the Czech Republic. He is an author and speaker with 10+ years of experience in digital payments.
About SDK.finance: SDK.finance is the Fully-fledged Payment Platform wrapped into 340+ APIs. It enables PSPs, EMIs & banks to launch payment or loyalty products saving time 10x, and decreasing 90% of CAPEX. SDK.finance allows to build Payment Services, E-wallet, P2P Money Transfer, Currency Exchange, and much more.
sdk.finance
Pavlo Sidelov, CTO, SDK.finance
One can get clients by “selling” banking products from any third
party website. Isn’t it a way to slash costs? Another case is when a
bank needs to deal with foreign clients and check their history, then
go through the verification and onboarding process. Those costs
can be slashed if simply done via API. Yet why are they not
incentivised?
Leaving aside the popular features provided by challenger banks
like multicurrency accounts, predictive analytics etc., which could
potentially boost the customers’ loyalty even more, banks can
also benefit by offering loans to customers of other industries
such as automotive for car loans, education for student loans and
real estate apps for mortgages. Retirement planning, vacation
planning, college planning, and other high-cost life events can drive
opportunities for bank services. On a broader scale, it would be
of great benefit to the whole economy. According to McKinsey’s
research, the estimated total economic profit globally from API use
can reach an astounding USD 1 trillion.
Time to become vertebrate
Bankers may not be good at understanding the technical part of
APIs, but they can use their core strength – quantitative evaluation
of API implementation. If a bank can calculate the optimal deposit/
loan rate, or optimal branch location, it can easily grasp the
benefits of developing an API:
• anticipated number of users for the API;
• the number of application developers involved and their hourly
cost;
• how much the service would be worth;
• what new revenue streams would the API open;
• the competitors the API will face.
So why would the majority choose to preserve the status quo?
One thing is sure: banks will only survive if they calibrate their
business model and stay in tune with the changing environment.
58 OPEN BANKING REPORT 2018 • SECURING ACCESS AND CUSTOMER TRUST
INNOPAY
Open Banking and TPPs Trigger Banks to Innovate Their Corporate Onboarding Processes
PSD2 has been an important catalyst for banks to open up.
While many banks in Europe are still focused on making the
PSD2 deadline of September 2019, we see leading banks move
beyond compliance and shift towards Open API Banking.
In this emerging Open Banking play, banks start to understand
that enabling secure access to customer data is the new money,
an outstanding customer experience is pivotal, and trust is the
primary condition.
The benefits of Open API Banking are multifold, however, they
require collaboration with third parties to enrich the customer
journey and introduce new financial services based on data.
This forces banks to rethink their strategy for client product and
services and manage the challenges that come with opening up.
When collaborating with third parties, differences in (for instance)
client segments and value propositions, compliance, quality of
service and, last but not least, security protocols, will need to be
tackled. Trust and confidence in the financial system can easily
be damaged and breaking them can negatively influence the
reputation of all parties involved.
With their economies of scale, banks can lay the foundation for
an open and trusted financial ecosystem and safely collaborate
with Third Party Providers (TPPs). A digital, secure and customer-centric
corporate onboarding process for TPPs is therefore
essential, as it enables banks to further commercialise on their
role of trusted advisor and create value in safeguarding their
customers’ identity and put them in control of sharing their data.
Corporate onboarding essentially is about creating a customer
identity for a new legal entity and charging it with all things required
to deliver the requested product or service.
TPPs are a crucial success factor in creating customer value
For corporate banks, the primary customer relationship is essential
in maintaining a profitable and future proof business.
Current corporate onboarding processes however are time-
consuming, costly and deliver a poor customer experience.
Already in 2014, Forrester research demonstrated that the
onboarding experience correlates with the profitability of
practically all (98%) customer relationships. Deals are lost and
business development rates are low. An outstanding onboarding
experience will improve conversion rates, time to revenue and
cross- and upsell, thus contributing to customer value. With the
financial industry opening up, onboarding becomes even more
relevant as banks need to constantly prove their relevancy as other
players will try to disintermediate existing client relationships.
PSD2 allows TPPs to access bank customers’ payment accounts
for Account Information Services (AIS) and Payment Initiation
Services (PIS). Open Banking goes beyond PSD2 and allows
banks to create customer value by sharing customer (data)
resources with TPPs in a secure way, through the use of open
application programming interfaces (APIs). Consequently, banks
need to onboard TPPs and, since they have all kinds of corporate
identities (f.i. financial institutions, BigTech, FinTech, Retailer,
SMEs), several corporate onboarding processes will apply.
For regulated PSD2 services, a standard procedure on how
to onboard TPPs is prescribed in the Regulatory Technical
Standards (RTS). However, for Open Banking no standards
apply. The diversity of TPPs and functionality of APIs is unfamiliar
territory for banks. As this impacts the risk profiles and the KYC
obligations and attributes needed to charge the corporate TPP
identity, banks tend to be hesitant and fall back on their existing
processes.
However, instead of onboarding TPPs via the existing siloed,
cumbersome, and costly processes, banks should seize this
opportunity and design a modular, digital, and secure TPP
onboarding process.
How to best seize the opportunity and innovate corporate onboarding
When innovating corporate onboarding, all types of TPPs and APIs
offered should be considered. It is therefore important to start with
‘the end in mind’ and go for flexibility. Where current onboarding
processes are often static, new processes should consist of
generic building blocks that can be deployed depending on f.i.
TPP’s identity, services offered, type of APIs offered by TPP and
the risks involved. This results in a flexible onboarding architecture
as depicted below:
The onboarding process should aim for convenience and ease of
use, while gathering all attributes required, minimising risks, and
adhering to KYC obligations where needed. A flexible architecture
therefore comprises:
1. Variation in the order of steps: offer a relevant and tailored
onboarding experience.
2. Adjust to local flavours: f.i. KYC requirements could be a quick
check against sanction and PEP (Politically Exposed Person)
lists, but could also include full identification procedures.
3. Leaving out steps: when onboarding a TPP that offers APIs with
limited risk exposure, f.i. finding the nearest ATM, there is no need
for building blocks 4–7. When a TPP offers PSD2 APIs only, you are
only allowed to apply building block 1.
In short, with the PSD2 compliance agenda slowly dropping
in priority, banks should start with designing a digital, secure
and customer centric onboarding process for all kinds of TPPs.
An important step for banks to further leverage their role as
trusted advisor, create value for their customers through APIs and
strongly position themselves in the Open Banking play.
About Esther Groen: Esther leads the Banking & Payments business within INNOPAY. She has a background in corporate banking & global transaction services and is an expert in business development, strategy execution and transformation management.
About Josje Fiolet: At INNOPAY Josje leads the Digital Onboarding practice. She has a background in digital banking, digital identity and Fintech. Her specialty is combining regulatory requirements, customer preferences and organisational capabilities.
About INNOPAY: INNOPAY is a consultancy firm specialised in digital transactions. We operate in the areas of data sharing, digital identity, openness, cyber resilience and digital transformation. Our aim is to help companies, organisations and consortia across Europe to identify and seize opportunities in a digital world in which everything is becoming a transaction. Together with our clients, INNOPAY experts develop innovation strategies, co-create new products and services and digitally transform businesses. Our headquarters is located in Amsterdam.
www.innopay.com
Esther Groen, Director, Lead Banking & Payments, INNOPAY
Josje Fiolet, Manager, Lead Digital Onboarding, INNOPAY
60 OPEN BANKING REPORT 2018 • OPPORTUNITIES FOR BANKS AND TPPS
Senior bank executives are starting to understand that Open Banking will have key implications on their future competitive positioning
and related digital transformation activities. The regulation is set to transform digital experiences through compelling value propositions
developed by third parties leveraging access to bank resources, ultimately adding value and putting the customer more in control. Banks
that are able to put the required capabilities in place to effectively and seamlessly engage with third parties will benefit from an early
mover advantage.
In this article, we assess four core API Developer Portal capabilities of more than 50 banks and define five strategic actions that banks
can undertake to execute their Open Banking strategy.
In the capability assessment, we focus on specific aspects of the Open Banking strategy, that is, the functional richness of APIs offered (i.e.
Functional Scope) and the extent to which third parties are able to interact with these APIs in a seamless manner (i.e. Developer Experience).
The bank’s API Developer Portal is where these aspects come together.
Four core API Developer Portal capabilities
Many banks are taking action to engage and support external developers through an API Developer Portal. However, the level of maturity
differs considerably across banks, as we assess in the INNOPAY Open Banking Monitor (OBM). Banks differ on four core capabilities: API
Catalogue, API Documentation, Developer Usability and Developer Community. While the majority of banks is still mainly working on ‘getting
the basics right’ of their Developer Portal, we also observe that others are gradually expanding the functional scope of their API portfolio.
Five strategic actions to execute on your Open Banking strategy
With many banks across the globe establishing the basics of their API Developer Portal, there is a strong incentive towards differentiation
in the emerging Open Banking landscape. To ensure banks are prepared for this new landscape, we have defined five strategic actions: 1)
learn from global API best practices across industries, 2) develop API rationale and strategy for your business to create new avenues for
revenue growth, 3) identify and prioritise the value that can be captured with APIs, 4) manage API value creation and monetisation actively
by determining if, what, how, and who to charge in a transparent manner, and 5) drive usage and adoption of your APIs to accelerate
network effects and gain scale.
Open Banking should be approached as a business strategy and model in its own right, requiring an alternative way of thinking and
working in product development. Combined with powerful execution capabilities and a successful and scaled partnership ecosystem,
banks will be able to future-proof their competitive position in the Open Banking era.
1. Introduction: INNOPAY Open Banking Monitor Shows That Open Banking Is Gaining Traction
The evolutionary journey towards Open Banking is driven by ongoing digitisation of financial services, as depicted in figure 1.
Open Banking could be seen as a business approach in which value creation results from sharing, providing and leveraging access to bank
resources. This is in contrast to just owning these resources and being closed. Data, processes, and other business capabilities of banks
are made available to an ecosystem of (selected) 3rd parties (e.g. fintechs, technology vendors, corporate customers) through application
programming interfaces (APIs).
Mastering Open Banking: How the ‘Masters in Openness’ Create Value
Figure 1: Evolutionary journey towards Open Banking
Open Banking is set to transform digital experiences by enabling third parties to develop compelling value propositions while leveraging
access to bank resources and putting the customer more in control. As the benefits materialise at scale, we will witness an accelerated
shift towards Open Banking platforms. These platforms enable banks to effectively and securely interact and co-create with an ecosystem
of service providers through APIs. Both banks and these service providers can create benefits for their mutual customers, strengthen
their competitive position in the API economy, and potentially establish new avenues for revenue growth. For banks, this could offset
competitive pressure resulting from the increasing openness in payments and banking introduced by PSD2. Indeed, in Europe, we already
observe that banks are starting to experiment with offering APIs beyond the (perceived) mandatory functionality under PSD2.
Open Banking is not fit for all banks
Open Banking is definitely not a business model fit for all types of banks. The extent to which an Open Banking play will be successful
depends on many different aspects that banks need to get right. This includes its Open Banking strategy, taking into account existing
product portfolio, competitive positioning and size of customer base, and the bank’s ability to execute on that strategy.
Strong API Developer Portal capabilities are key to winning in Open Banking
A selected number of progressive banks are starting to engage by publicly launching their own Developer Portals, including APIs and
sandbox environments. These capabilities allow banks to offer secure and controlled access to third parties to interact and use the bank’s
functionality and customer’s data to create next generation financial services. Banks that are able to put the required capabilities in place
to effectively and seamlessly engage with third parties and facilitate an Open Banking ecosystem through its platform will benefit from
an early mover advantage. This will, in turn, strengthen the bank’s API offering and build a supportive ecosystem of third parties that drive
customer value creation. Many banks are taking action to engage and support external developers through a comprehensive Developer
Portal to facilitate effective interaction.
INNOPAY Open Banking Monitor assesses API Developer Portal Capabilities
The initial OBM assessment, conducted in early March 2018, included Developer Portals across the globe and triggered many positive reactions
from various banks and financial institutions worldwide. The OBM has proven to be an accessible and intuitive tool, providing a snapshot of
the current state of play regarding API Developer Portals and insights in a bank’s relative position. In this initial release, we have seen that the
majority of banks mainly worked on ‘getting the basics right’ of their Developer Portal, rather than the Functional Scope of their API portfolio.
In this second release, ‘OBM 2.0’, INNOPAY’s assessment has been enriched with new banks, new API functionality, and new features that
drive the Developer Experience and nurture the use of APIs to accelerate innovation in financial services. Figure 2 below depicts the updated
benchmark results.
Figure 2: INNOPAY Open Banking Monitor 2.0 – update September 2018
OBM 2.0 evaluates the relative position of banks across four core Open Banking platform capabilities, as depicted in figure 3 below. The state
of play and best practices across these core capabilities will be further elaborated in the remainder of this paper.
Figure 3: INNOPAY Developer Portal Capability Model (Grey coloured capabilities not assessed in this OBM release)
2. API Catalogue
Key messages on API Catalogue:
• Becoming a Master in Openness is about relative openness rather than absolute openness, meaning challenger banks and
incumbent banks can only open up the resources they have. Therefore, the functionality the API enables is a better indicator of
openness, rather than the number of APIs.
• Current Open Banking approach will lead to fragmented API Catalogues roadmap; guidelines in API design could improve the
growth of the Open Banking ecosystem, increasing scalability and cohesion between banks and third parties.
• The design of API functionality varies with the granularity offered and can range from “do it yourself” to “ready to assemble”
functionality.
The API Catalogue refers to all the products banks are exposing through APIs. In Europe, many banks are responding to the PSD2
compliance challenge by offering APIs enabling the mandatory services (i.e. Payment initiation, Account information and Confirmation of
funds availability). We already observe some leading banks that are extending their offering by exposing more API functionalities to serve
third parties and corporate customers directly. Banks outside Europe are also starting to open up, seeking to expose functionality and
data through APIs to add value to their Open Banking ecosystem.
Current Open Banking approach will lead to fragmented API Catalogues
API functionality can be designed and built in various ways, and the decision to expose certain APIs is determined by the bank’s strategy.
There seems to be no general structure on how the various banks define and set-up the Functional Scope of their API offering (i.e. API
Roadmap). Common API standards for the Functional Scope could, however, promote growth of the Open Banking ecosystem.
Currently, both the content (what is actually offered) and the delivery (the way in which it is offered) differ to a large extent per bank,
increasing the risk of fragmentation. In Europe, however, we do see some early signs of convergence with numerous banks offering PSD2
inspired functionality (e.g. account information services and payment initiation services) according to the NextGenPSD2 API framework of
the Berlin Group. While this framework provides a good start, NextGenPSD2 is an API framework and not a single standard such as Open
Banking UK. Put simply, the API framework provides a toolkit for banks to build their own PSD2 API standard, allowing for varying degrees
of freedom on certain API design aspects. Creating common API standards at an early stage for a community of (small) banks in a particular
region could contribute to a faster growing ecosystem and increased cross-fertilisation.
Figure 4 below shows the division of the number of measured API functionalities per category currently observed in the Open Banking
landscape. Just over 50 banks with publicly available Developer Portals (in the English language) were examined, spanning different types
of banks (i.e. majority incumbent and one fifth challenger banks) and types of business (i.e. retail and wholesale) to create an insightful
overview of the current state of play in Open Banking. To define API functionality, we compared corresponding APIs of different banks with
the possibilities they offer. One API can hold one or more functionalities; the next paragraph elaborates on this.
On the right side, the categories are explained and the top 3 most common API functionalities per category are shown. This top 3 provides
insight on which functionalities are most commonly offered across banks. Most offered functionalities are related to reading information
(e.g. GET Account Balance) from the user’s account instead of writing (e.g. POST SEPA Credit Transfer). As banks grow accustomed to
Open Banking, more write functionalities are expected to emerge in parallel.
There is also a range of miscellaneous API functionalities that is offered by a single or very few banks, which are not taken into account in
figure 4. These API functionalities vary greatly and are still in an emerging state. If these offerings mature, they can be reported in a future
OBM release.
Figure 4: Number of measured API functionalities per category including top 3 APIs
API functionality is a better indicator for openness than the number of APIs
The various banks with a Developer Portal are often ranked by the number of APIs they are exposing. In our research, we are using the
number of API functionalities instead: because an API can have one or more functionalities, comparing the number of
APIs would not give a clear representation of what the bank actually offers. Our analysis shows that a particular ‘Bank A’ can have a single
comprehensive API for transaction history incorporating various functionalities, where ‘Bank B’ offers a single API for transaction history
of payment accounts, another API for card payment transactions, another API for sent transactions and a separate API for incoming
transactions. While both banks are offering the same functionality, Bank B would (unfairly) score higher when number of APIs would be
considered a leading indicator for the extent of openness.
Becoming a Master in Openness is about relative openness, not absolute openness
Challenger banks and incumbent banks can only open up the resources they have. Being a true Master in Openness is more about relative
openness (which percentage of functionality does the respective bank open up), rather than absolute openness (how many functionalities
does the respective bank open up). The Open Banking Monitor measures absolute openness, therefore the results of challenger banks
need to be interpreted with caution especially when comparing these to incumbent banks.
Where, in our previous release of the OBM, we observed many challenger banks leading the ranks on Functional Scope (i.e. Bunq,
Starling and Fidor), we observe that incumbents are catching up. The top performers on API Catalogue, i.e. Functional Scope, in this
release are large banks with a clear focus on Open Banking, such as DBS, BBVA, and ERSTE Group. BBVA offers a very comprehensive
account functionality spanning multiple account types (e.g. savings, checking etc.). DBS offers five different ways of payment/transfer
methods (including instant payment), and extensive payment management options (e.g. merchant checkout, corporate bill payments, and
refund/chargeback management options).
Different regions show a preference for certain categories
Figure 5 below shows an overview of the various API functionalities that are available across certain regions. The figure shows that, based
on our research, Europe is leading the Open Banking development in general, embracing this initiative even beyond the mandatory PSD2
APIs. It seems that Oceania is experimenting with Open Banking by offering APIs like “Branch locator” and “Product catalogue”. Asia
seems to show high numbers in the category of “Generic Bank Data”, although since the number of participating banks in Asia is rather
low, it is hard to make any reasonable statements on this region. Overall, Oceania and the US seem to be lagging behind in the variation of
API functionalities in comparison to the offering of banks in Asia and Europe.
Figure 5: Number of API functionalities, and possible variations, per region within a certain category
Figure 6 below shows a more detailed view of the number of API functionalities per category offered by the top 10 banks in the Open Banking
landscape. Banks in Singapore are embracing Open Banking and offering the most functionality. As stated above and emphasised by the
marginal presence of only two challenger banks in the top 10, challengers are lacking in Functional Scope, presumably due to their minimal
product offering. There seems to be great variation in the offering of functionality, as some offer fine grained functionalities (i.e. Bunq), while
others full serviced products (i.e. BBVA). These aspects will be further elaborated in the next paragraph on API design.
Figure 6: Number of API functionalities grouped per category of the top 10 banks
Design of APIs varies with the granularity offered
We observe a great variety and granularity in API functionality offered by banks, as shown in Table 1 below. The table outlines the
approach banks can have on building their API offering. These approaches range from “do it yourself (DIY)” to “ready to assemble” APIs
on the other end of the spectrum with potentially many hybrid forms in between.
Description
Do it yourself:
• Start without a pre-developed plan
• Everything needs to be designed, sorted, and built
• Starting with pieces of wood, a saw, and pipes will be the equivalent of the ‘stripped’ granular functionality like schedule and capture payment
• Mostly single functionality per API
Ready-to-assemble:
• Build according to the bank’s plan, using building blocks
• There is a structured plan for every single cabinet or drawer, however, the total kitchen needs to be designed
• Building kit reduces the possibilities compared to DIY, however, less self-inventing will be needed
• Most APIs hold multiple functionalities
API Consumer pros
Do it yourself:
• Increased flexibility by using combinations of (parts of) APIs
• Efficient APIs can be built, by incorporating only the necessary single functionality
Ready-to-assemble:
• More possibilities with less creativity
• Ready to use off the shelf APIs
API Consumer cons
Do it yourself:
• Insight into the bank’s processes is required to build APIs (e.g. the steps in the payment process)
• More work to create apps, since several functionalities need to be combined
Ready-to-assemble:
• Very dependent on the design choices made by the bank
• Reduced performance, due to the fact that a single functionality cannot be called separately
Example
Do it yourself: Schedule-payment from Bunq
Ready-to-assemble: PayLah from DBS
Table 1: API design approaches range from “do it yourself” to “ready to assemble”
For banks, it is relevant to determine who the target group is that will be consuming the API and for which purpose. The API fit gives a
representation of the type of bank and the desired granularity of the API. Assessing the desired granularity of the functionality will allow
banks to conclude which design and structure will be most suitable for their APIs.
3. API Documentation
Key messages on API Documentation:
• Clear and unambiguous API Documentation is essential to enable API consumers to build efficient connections and facilitate
self-service.
• Banks differ in quality of API Documentation offered, with main difference in accuracy and comprehensiveness.
• Good API Documentation will support the marketing of APIs.
The core capability “API Documentation” refers to the quality, comprehensiveness, and (logical) structure of the documentation of the
complete API offering of a particular bank. API Documentation is needed for developers to understand the structure of the API, which data
fields are needed and which parameters can be used to use an API functionality.
API Documentation shows considerable difference in structure and quality
As with the previous release of the OBM, there are considerable differences between the way documentation is offered and functionality
is being added for developers to get acquainted with the bank’s APIs more quickly. Although it is obvious that all APIs and their
functionalities need to be properly documented in order to drive usage, banks seem to be struggling to get this right. The top 3 banks in
API Documentation, BBVA, Nordea, and ING, all have elaborate explanations of all attributes used in the APIs. Version history of the APIs
seems to be missing for some banks, but this could be explained by the fact that their Developer Portals were only recently launched.
Figure 7 below shows a comparison of two different Developer Portals offering API Documentation for a ‘GET Transaction history’ API.
This example illustrates opposite ends of a spectrum of how API documentation is structured by banks.
Figure 7: Comparison of API Documentation of two banks for API ‘GET: Transaction history’
Main differences between the API documentation of bank A and bank B consist of the overall structure and the description of each field.
Bank A has clearly defined which fields are returned, by offering a comprehensive explanation of each parameter; what its object type
is, the description of its contents, an example value, and whether the field is required or returned optionally. Bank B gives little to no
description of the returned values, leaving it up to the developer to guess what values he is actually receiving. It can be stated that Bank
A helps developers to get started more quickly, since the returned attributes are clearly documented and therefore the developer knows
how to use it and what to expect.
4. Developer Usability
Key messages on Developer Usability:
• Banks must get their Developer registration process right to enable easy onboarding of developers.
• Mature open banks add to their Developer Portal different functionalities, and increase usability by adding tools like app
management and comprehensive sandbox features.
• New ways of serving developers are being explored, such as offering Swagger and Postman files and testing API calls with
Telegram.
Developer Usability refers to the tools, guides, and experience provided by the bank to the developer to interact with the available APIs.
The usability indicates the ease of use of the portal in general, how effectively and efficiently developers can find their way around the portal.
Developer Usability starts with the onboarding of the developer, the GUI that is presented, the toolset that is being offered, and the
ability for developers to manage their apps. The range of usability varies greatly; where some Developer Portals offer guidance or help
by performing any action (e.g. automatic authentication in the sandbox), others introduce new ways to test API calls with Telegram (i.e.
BBVA). However, (starting) open banks miss out on these opportunities to interact with developers.
As stated earlier, the updated benchmark confirms that Open Banking is in an emerging state. While some banks have launched their
Developer Portal, others have updated their Developer Portal looking for better ways to service and interact with developers and increase
the overall Developer Experience.
Various approaches to Developer Usability
The top performing banks, respectively Nordea, ERSTE Group, and Fidor, have comprehensive portal usability, app management, and
sandbox environment. The analysis shows great variance in the offering of a sandbox. The top banks cover the complete API offering
in a sandbox and guide developers through the process, having the sandbox integrated and enriched with extended help functionality.
Other banks do not offer a sandbox or a GUI, leaving the developer to only get access to the sandbox through a terminal.
Bunq, however, takes a different approach by offering a large set of useful developer tools and accompanying documentation, including an
Android app that connects to a personal test account in the Bunq Sandbox environment. Although this might take some extra time in the
initial set-up of the APIs and getting familiar with the Developer Portal, the presence of the available tools (e.g. offering SDKs in many
different (scripting) languages) seems to make up for it in the long run. Such an approach might be a good way of binding with developers, that
is, when developers are over the steep learning curve, chances are that they will return to use the respective bank’s APIs.
The depth of app management differs substantially across portals from only basic key management functionality to comprehensive
management of app permissions, team management (incl. roles), and even app analytics. These are good examples to improve a Developer
Portal focussing on how developers are being served by the bank through its Developer Portal. These extended features can offer a big
advantage to the developers, especially when third parties want to offer many different APIs, working with large development teams.
As shown in figure 8, most fluctuation is seen in the offering of SDKs and other developer tools, with Bunq leading in SDK offering and
Nordea with additional developer tools. BBVA has the most consistent offering on each category in Developer Usability, by dividing their
attention and scoring far above average in each category. Nordea is the clear winner with great Portal Usability and a lot of additional
documentation (e.g. many tutorials and guides) to help developers get started.
Figure 8: Top 5 banks in Developer Usability rated on each of the six capabilities
First interaction with developers is key
Additionally, the way the first interaction with developers entering the Developer Portal is shaped could create a barrier for developers to
get engaged. The research shows large differences in ‘getting started guides’ and ‘extended how-tos’ for developers to get acquainted
with the portal and its way of working. Also, for Developer Usability, next to API design, a common set of guidelines for all portals could
help developers to get up to speed more quickly. A progressive example would be the Open Banking Project in Nigeria. While this initiative
is still in an early stage and mainly focused on API documentation, various elements of Developer Usability are taken into account (e.g.
authentication and a sandbox). Creating common guidelines in an early stage for a community of (small) banks in a particular region could
contribute to a faster growing ecosystem and increased cross-fertilisation.
Banks tend to excel in a single capability of Developer Usability
The figure below shows a representation of the best performing banks in each of the six Developer Usability capabilities.
Figure 9: The best performing bank across six Developer Usability capabilities
The data in figure 9 shows that most banks tend to excel in a single capability of Developer Usability. Nordea, however, is the top performing
bank in Developer Usability achieving high scores on two capabilities: ‘Registration & Introduction documentation’ and ‘Sandbox environment’.
The bank’s sandbox is intuitive to use and has clear and well-structured documentation. Onboarding is quick and easy with the guidance of
their “Developer Portal Starter guide”; setting up an account requires minimal effort. Only two banks (i.e. SEB Group and ING) are offering
federated login functionality enabling developers to create their account in just a matter of seconds. Banks, in general, can further improve
their Developer Usability by adding ‘App entitlement and management’ and ‘SDK’s start-up toolkits’ to their Developer Portal.
There seem to be only very few banks (e.g. Fidor, Erste, and Capital One), which are focussing on ‘App entitlement and management’,
where a large group of banks offer virtually no related functionality. Considering this is mainly of importance when working with multiple
developers on an app, most banks have not met that maturity level on their Developer Portal yet. As stated above this can, however, be
a great advantage in serving developers.
The fact that the quality of these capabilities substantially fluctuates across banks emphasises again that Open Banking is in an emerging
state. The different capabilities currently being measured will probably be extended in a subsequent release of the OBM. Most likely, the
fluctuation of the quality will decrease when Open Banking will achieve a more mature state, leaving fewer different banks reinventing the
elements of the Developer Portal as they learn from best practices.
5. Developer Community
Key messages of Developer Community:
• More banks are starting to see the potential of building a Developer Community to strengthen their position as an Open Bank in
the ecosystem.
• Critical mass is key for enabling a community around an Open Banking ecosystem.
• Banks differ in the sophistication of shaping their Developer Community, ranging from relatively simple support functions to full-
fledged collaboration approaches embedded in other communities.
Developer Community refers to the way banks actively engage developers to interact with the bank’s Developer Portal. Certain banks are
actively engaging with developers by creating direct channels to let third party developers get in touch with the bank’s developers. Other banks
are organising events like hackathons to build and engage the Developer Community.
Relevance of the Developer Community
The community of developers allied to the Developer Portal of the bank can play an important role for the bank’s position in the Open
Banking environment. As the Developer Community increases, most likely production of API consuming apps will also increase. Incentives
of developers joining the community might vary from a large customer base the bank is offering, the experience of the Developer Portal, to
a functionality that is solely offered by the respective bank. Setting up, maintaining and growing a community around the Developer Portal
and/or participating in other’s communities is likely to strengthen the bank’s position by encouraging third parties to drive innovation and
to offer a greater variety of apps in a faster time period.
Three stages of Developer Community sophistication
We separate three stages in which the level of community engagement differs with the level of sophistication, respectively ‘support’,
‘manage’ and ‘collaborate’, shown in figure 10.
Figure 10: The three stages of Developer Community Sophistication
The ‘support’ stage can be defined as providing a Developer Portal with a toolset for developers to find their way around. This, over time,
will be the smallest investment for the bank, however this will also have the least effect on growing the size of the developer community
and cross-developer collaboration. Examples of banks in this stage would be Standard Chartered, BAML, and Lloyds Bank. Most of the
banks in this stage are “Starters in Opening-up” gradually working to improve the developer experience of their Developer Portal.
Moving up to the ‘manage’ stage, banks actively provide third parties the ability to get in touch with the banks’ developers, answering
questions, and establishing online discussions. Guidance through the development process can be actively stimulated by the banks’
developers through dedicated communication channels and messengers (e.g. Slack or Telegram). Offering the ability to subscribe to
updates on certain topics or specific APIs will keep developers informed of any changes or new insights in a suitable manner. Getting
traction on a more mature level can also involve crowdsourcing for ideas on generating new APIs and online presence on commonly used
forums (e.g. Github or Stack Overflow). Examples of banks in this stage are Swedbank, NAB, and Erste Group.
The highest level of sophistication is the ‘collaborate’ stage in which banks actively bind with developers by organising events and
hackathons to share experiences and insights. If these events are used adequately, it could lead to strengthening the bank’s position on
the Functional Scope of APIs, as well as the Developer Experience. Developers can share insights on the usability of the Developer Portal
and experiences of the tools can be gathered at first hand. On the same note, new ideas can be generated for an app or a functionality
to expose. If these new ideas are used in an updated version of the Developer Portal, developers will feel heard which will increase the
likelihood that they will return. This will eventually generate a sustainable community around a bank’s Developer Portal. Examples of banks
who are actively creating a Developer Community are Nordea, Monzo, and Starling.
6. Five actions to execute on your Open Banking strategy
With many banks across the globe establishing the basics of their Open Banking API platforms, there is a strong incentive towards
differentiation in the emerging Open Banking landscape.
A “one-size fits all approach” will most likely not lead to success, as banks need to make strategic decisions on the four core capabilities,
API catalogue, documentation, usability and community. Different types of banks are likely to reap different benefits and experience
different drawbacks from engaging in the Open Banking play. Moving forward, it is inevitable, however, that we will witness an explosion
of Open Banking APIs.
To support banks in the execution of their Open Banking strategy, we have defined five strategic actions that banks can initiate today, as
visualised in figure 10.
Figure 11: Five strategic Open Banking actions
Learn from global API best practices - learn from the ‘Masters in Openness’ in the Open Banking Monitor, and from digital players
outside the financial services industry. This will provide insight in 1) what APIs other players expose, 2) how these APIs are distributed and
potentially monetised and 3) how to create the most compelling developer experience to attract, grow, and maintain a strong developer
community.
Develop an API rationale and strategy for your business - Open Banking in general and API monetisation in particular are definitely not
a business model fit for all types of banks. Moving beyond PSD2 compliance APIs requires solid understanding and decision making on the
strategic attractiveness of APIs, and organisational and technical readiness to execute. Banks pursuing an “API first” mentality can generate
various benefits both for internal and external functions, however they first need to understand if and where best to apply APIs.
It requires deliberate decision making from banks to 1) define a business-backed strategy for different customer segments (e.g. retail,
corporate, SMEs, technology players, fintechs), 2) focus on setting up the right governance model to support effective execution of the
strategy, and 3) explore ways to create powerful new avenues for revenue growth by assessing if and how potential monetisation models
could work in your specific context.
Identify and prioritise the value that can be captured with APIs - with a clear strategy in place, banks need to focus on what they need to
implement in order to capture the value they have identified. Banks continue their journey by detailing further where 1) value can be created,
then they 2) estimate the potential impact in terms of revenue, customer experience, productivity and 3) determine efficiency gains by
reducing operational or technology costs through simplified and accelerated development.
Manage value creation actively - banks need to determine if, what, how, and whom to charge in a transparent manner. This requires
quantifying the value of the underlying data or service that is accessible through an API (e.g. how proprietary is it and what is its role in
generating value). In addition, banks need to assess how much API consumers and/or end-users might be willing to pay to access those
APIs, to obtain insights in the revenue streams the APIs will open up.
In determining which monetisation approach to use, banks should 1) think about how their data and 2) how APIs can add distinctive value
for different customer segments and 3) determine the most appropriate pricing strategy. Those insights can help banks make an informed
decision on monetisation arrangements to pursue with different partners and/or end-users.
Drive usage and adoption to accelerate network effects and gain scale - like any product or service, a successful Open Banking
API strategy requires a well-managed adoption campaign backed by rigorous performance management. A generally successful API first
approach starts with engagement of selected API consumers and/or end-users to explore what benefits the use of APIs brings. Along
the way, functional and technical requirements are updated to fix issues, while related business, legal, and operational arrangements are
put in place to govern relationships. Once this is in place, banks proceed with driving wider-adoption to achieve critical mass among API
consumers.
Combined with rigorous, ongoing performance measurement focused on relevant usage and traffic metrics, banks can obtain the needed
insights to make targeted improvements and validate desired strategic and customer outcomes. Indeed, delivering innovation through an
Open Banking API platform requires banks to build capabilities to 1) manage, 2) monitor, and 3) strengthen their relationship with diverse
segments of API consumers.
In essence, Open Banking should be approached as a business strategy and business model in its own right, requiring an alternative way
of thinking and working in product development. Combined with powerful execution capabilities and a successful and scaled partnership
ecosystem banks will be able to future-proof their competitive position in the Open Banking era. INNOPAY’s experience and services portfolio
can support banks to design, launch, and scale their Open Banking API platform strategy.
About Mounaim Cortet: Mounaim Cortet is a Senior Manager Strategy at INNOPAY, and Lead for the PSD2 and Open Banking practice. He works on strategic innovation challenges in banking covering digital payments, identity and data sharing. He supports business executives from various financial institutions to navigate the changing payments landscape and develop new insights to (re-)define their business (model) and operational strategy to compete in the emerging Open Banking era.
About Art Stevens: Art Stevens is a consultant at INNOPAY, working on strategy and innovation projects focusing on Open Banking and Data Sharing. Art is one of the creators of INNOPAY’s Open Banking Monitor, enabling banks to open up and start seeing data as a product to monetise.
About INNOPAY: INNOPAY is a consultancy firm specialised in digital transactions. We operate in the areas of data sharing, digital identity, openness, cyber resilience and digital transformation. Our aim is to help companies, organisations and consortia across Europe to identify and seize opportunities in a digital world in which everything is becoming a transaction. Together with our clients, INNOPAY experts develop innovation strategies, co-create new products and services and digitally transform businesses. Our headquarters is located in Amsterdam
www.innopay.com
Mounaim Cortet, Senior Manager Strategy, INNOPAY
Art Stevens, Consultant, INNOPAY
Aite Group
PSD2 Payment Initiation Services: Competition for Card Payments?
Introduction: how the revised payment services directive (PSD2) enables new payment models
The provision of instant payments combined with the payment
initiation services (PIS) enabled by the PSD2 has the potential
to transform the European payments landscape. PIS providers
(PISPs) will be able to develop innovative payment solutions that
compete with existing card-based models. Figure 1 shows how
this could work (for comparison, the traditional four-corner cards
model is depicted as well).
Figure 1. How the PIS Payments Model May Disrupt the
Traditional Cards Model.
Source: Aite Group
A consumer (buyer) visits a merchant’s website and orders
a product or service. The buyer selects the PIS option to pay.
The merchant then instructs its PISP (a third-party or in-house
PSP) to collect the money from the buyer’s account. The buyer is
redirected to the bank’s electronic banking portal to authorise the
transaction. When the buyer gives his or her consent, the PISP
receives permission from the bank to initiate a payment debiting
the buyer’s account and crediting the merchant’s account. Note
that, compared to the traditional four-party card flow, the card
networks would be completely left out of the equation. PIS
therefore has the potential to disrupt the existing cards model.
The promise of PIS
PSPs would be able to offer merchants a service to receive
money from sales instantly, using the new ACH rails for instant
payments to collect money from every bank account in Europe.
Payments would be irrevocable (no chargebacks). The fees for
such transactions could be expected to be much lower than the
fees currently charged for card payments. There would be no
interchange, no scheme fees, and a fixed per-transaction fee
rather than an ad valorem fee charged by the PISP.
The first PISP initiatives are already coming to the market (see
for instance, Deutsche Bank Pilots Game-Changing Payments
Solution with IATA). Recent Aite Group research has shown that
the merchant community has high expectations about such new
payment models.
From promise to realisation?
Several large retail organisations are preparing to offer PIS-type
services to their clients. However, Aite Group research indicates
that additional work is required in the following areas:
• Standardisation: Banks will provide access to their clients’ bank
accounts for PIS through an API. There is no standard for these
APIs, and it would take a tremendous effort for a PISP to connect
to thousands of bank APIs all over Europe. Stakeholder groups,
such as the Berlin Group, have initiatives underway to develop
common standards, and broad adoption of such standards
will be critical to the success of PIS as an alternative payment
model. Preferably, there would be a certification process as well
to test new APIs against the standard.
• Scheme management: Banks and card schemes have developed
the global brands and acceptance networks that allow consumers
and businesses to pay in a convenient and secure way all
around the globe. Governance, scheme rules, and standards are
documented in detail for any jurisdiction, and the rules have been
tested in practice for every possible business situation.
Such a scheme is clearly missing for PIS. Multiple initiatives may
go to market, each offering a different user experience, thus
creating confusion and slowing down adoption.
About Ron van Wezel: Ron van Wezel is a senior analyst for Aite Group’s Retail Banking & Payments practice. His research covers market and regulatory trends in the payments space, with a focus on Europe.
About Aite Group: Aite Group is a global research and advisory firm delivering comprehensive, actionable advice on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, insurance, wealth management, and the capital markets, we guide financial institutions, technology providers, and consulting firms worldwide.
www.aitegroup.com
Ron van Wezel, Senior analyst, Aite Group
• Customer redress: Many card-based payment schemes offer
consumers the possibility to dispute transactions in case of
suspected fraud, or perceived problems in the delivery of goods
by the merchant. Currently, the (instant) credit transfer schemes
do not offer such redress procedures. Money is irrevocably
transferred to the beneficiary, and banks do not offer a service for
consumers to dispute transactions.
This is an issue as instant payments increasingly become exposed
to fraud (see for instance: Time to Deliver Consumer Redress
for the EU’s Instant Credit Transfer?). There is a need for the
payment industry to invest in fraud prevention for schemes that are
based on (instant) credit transfers. This should be complemented
by a form of consumer redress for instant payments and other
new payment methods, to safeguard consumer trust in the new
payment methods.
Conclusion
PIS payment models have the potential to challenge existing card-
based models and change the way people pay in Europe. Still a lot
of work has to be done to drive adoption of PIS by merchants and
their customers. Card schemes, therefore, have a time advantage
to address the potential threat to their franchise. They should
leverage their expertise, brand, and network to develop new
services fit for the EU market that can compete with the new PIS
models. They should be agnostic of the payment rails (cards, ACH,
instant payments) on which these services operate. Mastercard, for
instance, with its acquisition of VocaLink, seems well-positioned to
take on this challenge.
This space will be exciting to watch in the coming year as the
payments industry prepares to go to market with PIS. We should
expect more clarity about the success and future direction of the new
models in the 2019 release of the Open Banking and API report.
Mobey Forum
Producers, Distributors, Aggregators: Strategic Options for Banks in the Post-PSD2 Age
Thoughts and broad strokes on the Mobey Forum Report
The way we watch movies, listen to music or order a taxi has
changed irrevocably in recent years, driven by growing consumer
demand for convenient, seamless, and personalised experiences.
Now, the banking industry is facing its own transformational
moment.
The introduction of PSD2 and other regulations, such as Open
Banking in the UK, is accelerating digital change. This requires
organisations to undertake a fundamental re-assessment of their
business models. And quickly. Open banking poses some short-
term challenges, but opportunity knocks for banks who have
a clear understanding of the new landscape. What options are
available to banks looking to get ahead?
As you were
Most banks are receptive to collaboration, but some are concerned
by the uncertainties of a fledgling ecosystem. By continuing to
produce and distribute specialised financial products, banks can
maintain their current role. This initial stance can then evolve as
banks make sense of emerging challenges and opportunities.
The conservative approach may not be as effective as it has been
in the past, however. Under PSD2, banks are mandated to give
TPPs access to payment initiation and customer information if
consent has been provided. If banks adopt a straight compliance
strategy, they must accept increased competition from third
party providers (TPPs) leveraging their data.
It is imperative, therefore, that this business-as-usual approach
is a defined strategy and not the result of an interminable wait-
and-see attitude. If a bank does decide that change is required
beyond meeting the minimum requirements of PSD2, there are
various options available.
Distributors, producers, or both?
Banks can choose to be ‘distributors’, offering products and
services from TPPs directly through their own channels. This
approach allows banks to quickly expand, diversify, and enhance
their product portfolios, without the costs and complexities
involved with in-house development. TPPs also benefit from
access to the large customer bases of the banking platforms.
Of course, forging relationships with the TPPs is easier said than
done and brings its own challenges. Careful consideration is
essential when evaluating potential partnerships to ensure they
are complementary and mutually beneficial.
Challenger banks, with more limited product stacks and internal
resources, stand to gain from this distributor approach as it
enables them to scale quickly. That said, traditional banks (who
have more complete product portfolios) can also benefit from
new partnerships, but may be at risk of ‘cannibalising’ their
existing products and eating into their own revenues in the short-
term. Any partnership must therefore deliver tangible value.
A contrasting approach to the ‘distributor’ model is that of a
‘producer’. Here, banks develop their own services to be distributed
by TPPs on a licensing or revenue share model. This extends
the reach of a bank’s core products and has the potential to open
new markets and audiences.
Again, banks must assess whether pushing services into new
channels delivers enough value, and whether they can compete
with similar products offered by the TPP. As banks consider their
options, they may choose to adopt the role of both a distributor
and a producer to maximise potential revenue opportunities.
A catalyst for innovation?
The open banking ecosystem is built on a foundation of easily
accessible information.
Beyond distributing or producing new products and services,
banks must also consider how this data can be leveraged and
utilised. Here, banks can position themselves as data ‘aggregators’
and ‘providers’.
About Elina Mattila: Elina Mattila is Executive Director at Mobey Forum. With years of experience in the financial services and technology industries, Elina has held senior roles across the association since 2012. Before joining Mobey, Elina was a journalist specialising in digital disruption.
About Mobey Forum: Mobey Forum is the global industry association empowering banks and other financial institutions to shape the future of digital financial services.
www.mobeyforum.org
Elina Mattila, Executive Director, Mobey Forum
As an ‘aggregator’, banks can take advantage of a TPP’s customer
knowledge to quickly develop a compelling new service or improve
existing processes. The information can also be passed to other
banks to create additional revenue opportunities. And with more
and more banks offering open APIs, banks can use available APIs
to aggregate external information from various sources into their
own platform.
Another approach is to adopt the role of a data ‘provider’. This allows
banks to tap new revenue streams by offering TPPs a treasure-trove
of financial data, account information, analytics and authentication
services to help inform and improve their services. Many banks now
provide and promote dedicated developer portals enabling TPPs to
easily access and deploy the information.
Regardless of how banks choose to participate in the information
economy, the commercial impact of the stringent data protection
requirements introduced by GDPR must be considered.
Collaboration is the key
Given the various strategic options available to banks, perhaps
the main challenge posed by open banking is not technological or
regulatory, but organisational. Banks are often big, complex and
siloed, making it hard to effect meaningful change quickly.
Understanding the organisational challenges posed by PSD2,
and identifying effective strategies to combat them, is critical for
banks. This is why cross-industry collaboration is so important, as
banks who clearly understand the various options and available
approaches stand the best chance of establishing early leadership
in open banking.
The retail banking industry is changing into a more open ecosystem, due to the implementation of new European regulations, new
technologies, increased competition, and a change in customer behaviour and expectations. However, it is unclear what new products
and services could emerge in the Dutch Open Banking ecosystem that are of true relevance to customers.
Dutch retail banking is generally known as mass-market banking, strictly regulated and dominated by a small number of large national
banks. Moreover, the financial landscape used to have a very conservative and closed character, and was typified by a lack of innovation.
Within the boundaries of the law, the banks are fully in control.
The transformation of the retail banking industry is caused by four emerging forces, namely the implementation of new European regulation
(1), an increase of competition (2), technological advancements (3), and a change in customer behaviour (4).
1. The implementation of Payment Service Directive 2 (PSD2) and General Data Protection Regulation (GDPR) acts as a catalyst for
the concept of Open Banking. PSD2 is introduced in order to improve customer protection, stimulate innovation, lower costs in the
payments value chain, and increase the security of European retail payment services. A controversial key aspect of this regulation is
that it forces retail banks to grant licensed third parties access to the customer’s online accessible accounts, if the customer has given
explicit consent for this. GDPR is a privacy regulation, which aims to strengthen and unify data protection for all customers within the
European Union.
2. Non-traditional players are entering the retail banking industry. Fintech and BigTech companies are upending the status quo by
surpassing the expectations of the retail banking customer. In order to prevent becoming a back office utility, retail banks are forced to
develop truly relevant innovations.
3. The rise of open Application Programming Interfaces (APIs) provides the possibility to securely share data, content, and functionalities.
Additionally, multiple business rationales stimulate parties to open up their digital doors.
4. The ongoing digital transformation causes the customer to expect personalised support and seamless use of digital products and
services.
Open Banking ecosystems stand for the totality of interconnected systems of individual customers, third parties (non-banking), and other
financial institutions, which by means of multi-sided platform business models, enable exchange of value and data via open APIs.
The regulation embodies a real evolution, which stimulates innovation, enables openness, and puts the customer in control over their
financial data. Combining banking with non-banking resources enables parties to develop truly relevant products and services for the
customer.
MoneyMaster - a Customer-Driven Open Banking Service
The voice of the customer
The voice of the customer is represented by a customer profile consisting of the following key aspects:
• The most important jobs to be done concern the control and management of financial transactions, the activity to get the most out of
their money, the optimisation of the time spent on recurring activities and achieving savings goals;
• The most extreme pains related to doing banking business are caused by a lack of context, a lack of continuous feedback, a lack of
discipline, and the absence of an incentive;
• The most essential gains are a more informative overview, relevant guiding advice, products or service that are flexible in use, more
informative updates and motivational incentives.
The Dutch retail banking customer needs to be supported in pursuing optimal control over their finances. The voice of the customer is
translated into a representative concept, which is called MoneyMaster.
MoneyMaster is a digital financial assistant that, via a conversational interface, proactively empowers the Dutch retail banking customer to
have optimal control over his/her finances. The intelligent chatbot is able to provide the customer with contextually enriched recommendations,
conversing as a real human, by continuously analysing aggregated data of the customer’s bank account(s), calendar(s), and email account(s).
As the service is equipped with advanced cognitive capabilities, it is skilled in learning from experience and, therefore, is capable of defining
and remembering the customer’s preferences. MoneyMaster is rich in state-of-the-art tools, which the user can organise and activate in order to
create an online personal financial assistant completely based on his/her queries. Besides that, the service is capable of automatically carrying
out a recommendation that is approved by the customer.
In addition to the option of arranging features, the customer is able to expand or narrow the range of possible recommendations.
If desired or necessary, a live agent of MoneyMaster is available to assist the chatbot in completing a query. The service is available to
the customer 24/7 and has an unrivalled response time. The chatbot is channel agnostic and compatible with desktop, mobile, tablet,
and smartwatch.
The service enables conversational banking via text and voice interaction, and it is seamlessly integrated in the customer’s daily life,
placing them in the limelight. Moreover, this service is capable of adjusting to the customer’s wishes and demands and can assist the
customer in achieving financial control.
The key features of MoneyMaster can be divided into three different categories. The chatbot is capable of functioning as a basic information
provider, an advanced information provider, and a solution provider.
I. Basic information provider
As a basic information provider, MoneyMaster exposes inactive features. This means that the customer is able to obtain a snapshot of
his/her finances without starting a conversation with the chatbot. The inactive features of the service relate to the two most common
(mobile) banking tasks that the customer carries out. Therefore, the chatbot’s main screen provides up-to-date balance information of the
customer’s main account and gives a clear overview of (recent) transactions.
II. Advanced information provider
More advanced features are accessible when the customer starts a conversation with MoneyMaster via a text or voice message. To answer
the customer’s query in the right manner, the chatbot has to actively analyse data and perform additional actions. Therefore, these more
advanced features are called active features. As an advanced information provider, the service enables the customer to create payment
alerts, make money transfers, and manage budgets. Furthermore, the chatbot is capable of analysing spending patterns, monitoring financial
health, and predicting future income and expenses.
III. Solution provider
Besides being an information provider, MoneyMaster also is a proactive solution provider. Via push notifications, it informs the customer
about (future) transactions, reminds him/her of past/coming events, and provides tailor-made recommendations. Furthermore, the chatbot
is able to take care of recurring and whitelisted activities.
Generally, MoneyMaster is a service that suits every Dutch retail banking customer who is already familiar with frequently using a retail
bank’s mobile application and online banking. More specifically, the financial assistant especially meets the needs of nomads. This type
of highly digitally active retail banking customers is ready for a new model of delivery. Nomads expect to be served with data driven and
real-time personalised services that provide an added value in daily life. Furthermore, these customers are ready for computer-only advice
on banking products and desire instant support via mobile devices. Nomads are willing to share data and value tools that enable self-
service.
MoneyMaster uses banking resources, non-banking resources, and advanced cognitive technologies to serve as the customer’s digital
financial assistant in a context-enriched manner.
Banking resources
The chatbot has the characteristics of both an AISP and a PISP. Data related to the banking resources payments and digital identity
are crucial input for the functioning of the service. As an AISP, the service aggregates account information via the open APIs of the
customer’s retail bank(s). The financial assistant retrieves transactional data of the customer’s payment account(s), but also acquires
real-time balance information and personal details of the customer. Based on this input, the service is capable of monitoring and analysing the
customer’s financial health. Besides that, the chatbot is able to initiate and automate payments. Because of this feature, MoneyMaster
also can be characterised as a PISP.
Non-banking resources
MoneyMaster adds value to the customer’s financial data and personal information by using data from the customer’s calendar(s) and
e-mail account(s). Among other things, MoneyMaster analyses information about the duration, location, description, and participants of
past and future events. By taking into account what the customer does on a daily basis, the service is capable of providing the customer
with tailor-made recommendations.
By analysing content of e-mails and the enclosed documents, the service is able to identify specific information, such as (unpaid) invoices
and unused discounts. Besides that, it filters the content of the e-mails for past and upcoming events, for which MoneyMaster can
make recommendations.
Technology
MoneyMaster can deal with the customer’s queries by using artificial intelligence (AI). More specifically, the chatbot mimics human
behaviour by using two subsets of AI. These subsets are natural language processing (NLP) and machine learning (ML).
Natural Language Processing
NLP enables digital systems to process and understand unstructured natural language data. In other words, the technology supports
computers in understanding, interpreting, and manipulating human communication. This tech is already part of the customer’s daily life;
an example of the application of NLP is the autocomplete and auto-correct function used by online search engines.
To serve the customer with appropriate answers, MoneyMaster utilises NLP to break apart each element of the conversation. Thereby, the
technology enables the digital assistant to find the essential part of the query and to comprehend its meaning. Because of the integration
of NLP, the chatbot is capable of instantly determining a fitting action and replying in comprehensible language.
Machine learning
ML gives computers the ability to learn without being explicitly programmed. It is an algorithm or method that teaches a digital system to
identify patterns and make predictions based on large amounts of data. The technology is already widely applied. By utilising the capacities
of ML, MoneyMaster is capable of learning from each conversation. Thereby, the chatbot is enabled to define the customer’s preferences.
Besides that, the technology makes it possible for the digital assistant to process large volumes of (textual) data. By executing intelligent
data analyses of the customer’s financial data, calendar(s), and e-mail account(s), the service is capable of providing the customer with
personalised recommendations.
Customer attitudes
Qualitative research was conducted to identify the customer’s underlying rationales regarding the concept of MoneyMaster.
The validation study shows that the use of this service suits the Dutch retail banking customer. The customer describes the features that
the chatbot offers as handy, is positive about the conversational character, and likes to be proactively provided with relevant advice. The
service could achieve a better fit with the voice of the customer by making a few minor adjustments with regard to the design and use of
MoneyMaster.
The Dutch retail banking customer seems to be reasonably ready to make use of a service like MoneyMaster. The validation study
indicates that the customer’s willingness to share (financial) data has a decisive impact on the customer’s readiness. The Dutch retail
banking customer is currently hesitant to share (financial) data. The fear of data abuse and data leaks partially submerges the perceived
values of the service. However, in practice, it seems that the customer does not behave in accordance with the high privacy awareness.
To attract potential users, the service must be free to use for the customer and has to be offered by a reliable party.
The concept of MoneyMaster achieves this by addressing several key aspects of the formulated point of view. The validation study
indicates that MoneyMaster supports the customer in pursuing optimal control over his/her finances and enables him/her to live now and
be prepared for the (financial) future.
The Dutch retail banking customer is moderately enthusiastic about the concept of MoneyMaster. However, the customer is currently very
aware of his/her privacy and, therefore, hesitant to share (financial) data. In order to stimulate the adoption and use of the service, it is
crucial that MoneyMaster convinces the customers that data sharing is completely secure and only necessary in their interest.
Conclusion
The digital financial assistant MoneyMaster offers the Dutch retail banking customer a more intelligent and contextually enriched solution to
achieve optimal control over his/her money in a time-efficient and effortless manner, as it proactively provides tailor-made recommendations
via a conversational interface that significantly impacts the customer’s daily life. The service additionally supports the customer in getting the
most out of his/her money and optimising the time spent on recurring activities.
MoneyMaster suits the Dutch retail banking customer who is already familiar with using the retail bank’s mobile application and online
banking environment on a frequent basis. More specifically, the financial assistant especially meets the needs of Nomads.
The financial assistant has the characteristics of both an AISP and a PISP. The service utilises banking resources (i.e. payments and digital identity),
non-banking resources (i.e. calendar and email) and AI technologies (i.e. NLP and ML) to serve optimally as the customer’s digital financial
assistant.
The combination of all this makes the concept of MoneyMaster a true beyond-banking service which takes the needs of the customer into
account.
About Maarten Pater: Maarten Pater recently graduated from the Delft University of Technology and holds an MSc in Strategic Product Design. He concluded his Master thesis on “Money Master” at INNOPAY in 2018. Maarten has a keen interest in digital services, business and finance and an appreciation for innovative design. Currently, he works as a freelance service designer supporting commercial third parties to kick-start and realise disruptive innovations.
About Mounaim Cortet: Mounaim Cortet is a Senior Manager Strategy at INNOPAY, and Lead for the PSD2 and Open Banking practice. He works on strategic innovation challenges in banking covering digital payments, identity and data sharing. He supports business executives from various financial institutions to navigate the changing payments landscape and develop new insights to (re-)define their business (model) and operational strategy to compete in the emerging Open Banking era.
About INNOPAY: INNOPAY is a consultancy firm specialised in digital transactions. We operate in the areas of data sharing, digital identity, openness, cyber resilience and digital transformation. Our aim is to help companies, organisations and consortia across Europe to identify and seize opportunities in a digital world in which everything is becoming a transaction. Together with our clients, INNOPAY experts develop innovation strategies, co-create new products and services and digitally transform businesses. Our headquarters is located in Amsterdam
www.innopay.com
Maarten Pater
Mounaim Cortet, Senior Manager Strategy, INNOPAY
Open Banking – Securing Access and Locking in Customers’ Trust
PSD2 could introduce new waves of fraud in never-before-seen patterns. Third-party access to customer accounts and the associated data will inevitably raise concerns about security and privacy. As such, fraud prevention is a top priority in Open Banking. This chapter offers practical guides and advice for players to identify, detect, and respond to threats in Open Banking.
87 OPEN BANKING REPORT 2018 • SECURING ACCESS AND CUSTOMER TRUST
The revised Payment Services Directive Regulatory Technical Standards (PSD2 RTS) will come into effect in September 2019. It will require
every bank (Account Servicing Payment Service Provider, ASPSP) to apply Strong Customer Authentication (SCA) for almost every transaction.
Although this increases security, it also introduces unwanted friction in the payment process. Fortunately, there are exemptions where
SCA is not required. However, this requires an ASPSP to perform Transaction Risk Analysis (TRA).
And therein lies the problem.
For TRA to be effective, the data about the transaction, the customer and the context needs to be available and analysed, in real-
time, by the bank (ASPSP). However, with new service providers or Third-Party Providers (TPPs) joining the payment chain, the data
is fragmented and distributed across multiple parties. Moreover, although there are several initiatives to standardise the exchange of
payment information (through APIs), there is very little mention of standardising context and risk data.
In this article, we elaborate on three key points that need to happen in order for banks to make TRA more effective under PSD2.
Point number 1: Security and risk data should be shared through open and common APIs
Security and risk data consist of contextual data that can be gathered during the entire process of the transaction. Collecting data starts
when a customer performs a transaction at a TPP. The TPP can read various data points based on the device the customer uses and his
behaviour. After that, at the ASPSP, various data points can also be gathered based on attributes of the transaction and of the account.
During this process, the TPP should use the API call to the bank to provide contextual data, which will be assessed within the bank’s
fraud engine.
This does require parties to use the same protocols and standards for communicating context data. Multiple standardisation initiatives are
aiming to decrease communication complexity between banks and TPPs. In Europe, several initiatives have been launched to create an
open and common API standard for PSD2:
• “NextGenPSD2” is the standard developed by the Berlin Group – consisting of almost 40 banks, associations and PSPs from across the EU;
• Also, in Poland (PolishAPI) and France (STET) initiatives were launched by consortia of banks in their respective countries;
• In the UK, the Open Banking Implementation Entity (OBIE) is also working on a common API standard, an initiative mandated by the
UK’s Competition and Markets Authority in 2016, ahead of PSD2.
Only when the transaction poses a “low level of risk” is the payment service provider allowed an exemption from SCA.
PSD2 requires the risk assessment to include:
• Abnormal transaction behaviour
• Lists of compromised or stolen authentication elements
• Unusual information about the device or software
• Historic transactions of the user
• Amount of transaction
• Location of payer and payee
• Signs of malware infection
• Known fraud scenarios
Sharing Transaction Risk Data Leads to Open Banking Success
However, there is a complication. These standards only marginally discuss the sharing of risk and authentication data. They also differ in
their requirements:
• The Berlin Group standard specifies only the IP-address as mandatory (from 1.0 version);
• STET and PolishAPI also add UserAgent as mandatory (information about the device and browser), besides IP-address;
• UK’s OBIE refers to the OpenID Foundation Financial-Grade API which prescribes just the “UserAgent” as mandatory;
• The API of OBIE talks about sharing of ‘Additional fields identified by the industry as business logic security concerns’, but that does not
give clarity on which data must be shared mandatorily.
With increased coordination and convergence between different standards, more risk data and authentication data could be added to
the APIs. Already, the scope of UK Open Banking has been aligned with PSD2, while STET and the Berlin Group are working together
to ensure convergence between standards. Moving forward, these standards could include application and device details, time since
credentials change (i.e. change of phone number, e-mail, rebinding of app, etc.), and time since onboarding of the customer.
In addition, aspects of behaviour could also be shared. Think of properties of transactions like the moment of the day when they are
usually performed, the receivers and the value of the transactions. Behaviour also shows in the speed of typing, the tilt of the device, and the order of
pressed buttons. This behaviour is strongly attached to a device and a person, a combination that is hard to imitate.
Figure 1 gives a non-exhaustive overview of properties that can be used as risk data input for a risk engine.
Figure 1: Various risk data that can be used as input for a risk engine
Point number 2: Machine learning becomes the new normal for fraud detection engines
In open banking, the value chain is less vertically integrated. Without control over the end-to-end process, the ASPSP needs to be able
to gather risk data through additional sources. So, how can banks maintain their ability to detect fraud?
Besides exchanging information with TPPs, banks could also exchange modus operandi (MO) with other banks through an API call.
Firstly, this requires banks to develop this capability into their “open” fraud engines so that they can consume external sources of data.
Secondly, engines need to be able to analyse and process larger volumes of data in real-time.
For years, rule-based engines have proven to be effective in uncovering fraud for known patterns. However, rule-based processing has
an inverse relationship with the size of datasets. By getting input from TPPs and other banks, the amount of risk data grows significantly.
Machine learning techniques are faster and more efficient at processing large datasets and can maintain a high level of detection capability
while working with large datasets. For discovering unknown fraud patterns out of large datasets, the application of machine learning is
therefore recommended. For machine learning to add value, a large dataset is needed, so it might be worthwhile to start off with a rule-
based engine and improve it later by adding machine learning.
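As an added illustration of Points 1 and 2 (not code from this report or from any of the API standards it names), the sketch below is a small rule-based TRA engine at the bank that consumes TPP-supplied context, fails closed to SCA when a mandatory field is missing, and shows how the same payment is scored differently with thin and rich context. Only the per-standard mandatory fields come from the list above; the field names, weights, threshold, and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Context fields each standard makes mandatory, as listed in the article.
# The field names are hypothetical, not taken from any of the specifications.
MANDATORY_CONTEXT = {
    "berlin_group": {"ip_address"},
    "stet": {"ip_address", "user_agent"},
    "polish_api": {"ip_address", "user_agent"},
    "obie": {"user_agent"},
}

# Constructed weights and threshold; a real engine calibrates these on fraud data.
WEIGHTS = {
    "compromised_element": 100,
    "unknown_device": 30,
    "recent_credential_change": 30,
    "new_payee": 25,
    "unusual_amount": 25,
}
LOW_RISK_THRESHOLD = 40


@dataclass(frozen=True)
class AccountProfile:
    """What the bank already knows about the account (historic behaviour)."""
    known_user_agents: frozenset
    known_payees: frozenset
    max_usual_amount: float


@dataclass(frozen=True)
class Decision:
    outcome: str    # "EXEMPT" or "SCA_REQUIRED"
    score: int
    reasons: tuple  # names of the rules that fired, kept for audit and tuning


def missing_context(standard, context):
    """Return the mandatory context fields the TPP did not supply."""
    if standard not in MANDATORY_CONTEXT:
        raise ValueError(f"unknown API standard: {standard}")
    return sorted(f for f in MANDATORY_CONTEXT[standard] if not context.get(f))


def assess(standard, payment, context, profile, compromised_ips):
    """Score one payment request; anything not provably low risk gets SCA."""
    missing = missing_context(standard, context)
    if missing:
        # Fail closed: without the mandatory risk data there is no exemption.
        return Decision("SCA_REQUIRED", 0, tuple(f"missing:{f}" for f in missing))

    fired = []
    if context.get("ip_address") in compromised_ips:
        fired.append("compromised_element")
    agent = context.get("user_agent")
    if agent is not None and agent not in profile.known_user_agents:
        fired.append("unknown_device")
    hours = context.get("hours_since_credential_change")
    if hours is not None and hours < 24:
        fired.append("recent_credential_change")
    if payment["payee"] not in profile.known_payees:
        fired.append("new_payee")
    if payment["amount"] > profile.max_usual_amount:
        fired.append("unusual_amount")

    score = sum(WEIGHTS[name] for name in fired)
    outcome = "EXEMPT" if score < LOW_RISK_THRESHOLD else "SCA_REQUIRED"
    return Decision(outcome, score, tuple(fired))


def demo():
    """Run constructed requests through the engine and return the decisions."""
    profile = AccountProfile(
        known_user_agents=frozenset({"ExampleBankApp/5.2"}),
        known_payees=frozenset({"PAYEE-LANDLORD"}),
        max_usual_amount=250.0,
    )
    bad_ips = {"203.0.113.66"}  # constructed entry (documentation address range)
    rent = {"payee": "PAYEE-LANDLORD", "amount": 40.0}
    new_payee = {"payee": "PAYEE-UNKNOWN", "amount": 240.0}
    ip_only = {"ip_address": "198.51.100.7"}
    known = dict(ip_only, user_agent="ExampleBankApp/5.2")
    # Optional context the article proposes adding to the standards.
    rich = dict(ip_only, user_agent="UnknownBrowser/1.0", hours_since_credential_change=2)
    return {
        "routine": assess("stet", rent, known, profile, bad_ips),
        "missing_field": assess("stet", new_payee, ip_only, profile, bad_ips),
        "thin_context": assess("berlin_group", new_payee, ip_only, profile, bad_ips),
        "rich_context": assess("berlin_group", new_payee, rich, profile, bad_ips),
        "compromised_ip": assess("berlin_group", rent,
                                 {"ip_address": "203.0.113.66"}, profile, bad_ips),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:15} {d.outcome:13} score={d.score:3} {d.reasons}")
```

The `thin_context` and `rich_context` cases are the same payment: with only the mandatory IP address it scores below the threshold, while the additional device and credential-change data pushes it to SCA.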
Point number 3: Use customer involvement as a detection mechanism
In open banking, customers need to have control over their personal data. Without control, customers will be reluctant to share data,
or transact with TPPs. Risk engines are able to learn from actions that are initiated by customers. For instance, they are able to detect
a security-aware customer or a customer that is likely to become malicious. Therefore, giving control to the customer will improve risk-
profiling, and therefore transaction risk analysis (TRA) for banks.
A solution that gives the customer a convenient way to manage access to his account would be beneficial to all parties in open banking.
The customer should be able to determine access restrictions for devices and users, and/or provide limits to spending and withdrawals.
Based on his own insight, the customer could revoke access or adapt access requests. Through the same system the customer can
also administer which of his own devices are to be trusted, which means that in case of loss he can act upon that immediately.
To conclude
It goes without saying that any data sharing initiative should adhere to the applicable privacy laws. GDPR requires a lawful basis for
processing personal data. Legal obligation is one of them. The PSD2 RTS on Strong Customer Authentication states in Article 2 that
payment service providers shall have transaction monitoring mechanisms in place. Our solution mentions risk data sharing from TPPs
towards banks. Part of that risk data is data on behaviour, which is personal data. Therefore, it is important that only the banks’ risk engine
can make use of that data. This can be ensured by using a bank-controlled software development kit (SDK) for gathering behavioural data
and sending that data over a secure connection.
Being able to do transaction risk analysis has its benefits for TPPs, banks and customers, but requires ongoing cooperation of the three
parties involved. TPPs need to collect and share risk data with banks; banks need to share risk data amongst other banks and delve into
the possibilities of machine learning, and customers can contribute by monitoring and controlling the access others have to their data.
By combining these perspectives, Open Banking finds layered support aiming to lower risk and set friction to a minimum.
The future will show to what extent transaction risk analysis (TRA) will be adopted for payment services, and a trusted infrastructure will
undoubtedly be fundamental to its success.
About Milan Kaihatu: Milan Kaihatu, CISSP is a senior consultant at INNOPAY. He advises on cybersecurity challenges for organisations in the financial and public sector.
About Rob van Meijel: Rob van Meijel is a consultant at INNOPAY, focusing on strategy and innovation for fraud management. He has been involved in various payment innovation programmes for banks and PSPs.
About INNOPAY: INNOPAY is a consultancy firm specialised in digital transactions. We operate in the areas of data sharing, digital identity, openness, cyber resilience and digital transformation. Our aim is to help companies, organisations and consortia across Europe to identify and seize opportunities in a digital world in which everything is becoming a transaction. Together with our clients, INNOPAY experts develop innovation strategies, co-create new products and services and digitally transform businesses. Our headquarters is located in Amsterdam.
Milan Kaihatu, Senior Consultant, INNOPAY
Rob van Meijel, Consultant, INNOPAY
Feedzai
Behind the API: Managing Third Party Risk Under PSD2
Open banking is about making the economy compatible with all
the other shifts in our new digital lives: online payments, 24/7
services, seamless experiences across channels, and instant
payments. And enabling this new payments landscape, there’s
one basic component: an interface, most commonly an open
application programming interface (API), to open up bank data
to account-information service providers (AISPs) and payment-
initiation service providers (PISPs).
Through this interface, challenger banks and “non-bank banks”
are entering the scene in unpredictable ways, putting billions of
euros in revenue at stake. We’ve seen this before. “Traditional
business models have been disrupted (or destroyed) due to the
rising supremacy of APIs.” Those are the words of an Accenture
report that demonstrated the API-based insurrections in multiple
industries: Netflix disrupting content over Blockbuster, Amazon
disrupting hardware servers over Dell, and Expedia disrupting
Thomas Cook through a collection of APIs and its easy-to-use
interface.
The most forward-thinking traditional banks are trying to anticipate
all these coming innovation inflection points, so that
they can turn challenger threats and regulatory directives into
business opportunities. PSD2 is creating a fully interconnected
payments ecosystem where banks can pursue new revenues, for
example, by using customer insights to cross-sell new services.
Customers will get more of what they’ve been asking for all
along: personalised, differentiated services and innovative and
seamless digital experiences. But as PSD2 creates a customer’s
paradise, is it creating a fraudster’s paradise too?
A fraudster will never give up
Similar to how the adoption of EMV in the US led to a surge in
CNP fraud, PSD2 will introduce new waves of fraud in never-
before-seen patterns. There will be new attacks on the users of
new payments services, an increase in “director” and invoice
fraud, and new social engineering schemes. Meanwhile, new
third party providers (TPPs) will increase transaction volume,
and instant payments will decrease the time to make decisions
about fraud.
Adding to the challenge is the new “constrained PSD2 view.”
Now that third parties can act as intermediaries between banks
and customers, banks may find it more difficult to access the
customer data that they have traditionally relied on to make
decisions about fraud and risk. And because these new providers
are associated with new data streams, banks have new kinds of
data coming in that they will have to make sense of.
So it’s perhaps no wonder that this McKinsey Survey
“indicated that the risk of fraud arising from third party access
to accounts is a serious concern and that fraud prevention is a
top priority.” McKinsey concludes that banks “recognise that they
must invest in fraud management.”
The API at the center
An unknown entity is coming through the API, having clicked: “Pay
with my bank account.” How can a bank secure the transaction?
The API-enabled interface at the center of PSD2 doubles as
an attack vector. To get at the bank, now fraudsters just have
to get at the TPP. A compromised TPP that stores financial
data and gets breached can expose a bank’s customer data.
A compromised TPP can also lead to fraudulent requests about
a bank’s customers and fraudulent payment requests.
Banks are used to existing fraud controls – for example, via
Mastercard and Visa systems. Now that there’s a new channel,
it’s uncertain how to identify fraud reliably at scale, and it’s
certain that fraudsters will seek to exploit that fact.
The orchestration difference
Since fraudsters count on disappearing through the cracks
between siloed transactional activities, stopping them requires
orchestrating these activities into a complete and connected
“PSD2 view.” While they’re managing new risks, banks will also
need to protect seamless customer experiences.
About Richard Harris: A veteran in both the finance and technology industries, Richard is helping to lead Feedzai’s global scaling. Before joining Feedzai, Richard held Vice President roles at both Experian and Accertify, during which time he built global sales teams and helped lead regional expansion. Richard has held leadership positions with Visa and PayPal, following various technical and development roles, and has also served as a member on the board of the Merchant Risk Council.
About Feedzai: Feedzai is the market leader in fighting fraud with AI. We’re coding the future of commerce with today’s most advanced risk management platform powered by big data and machine learning. Founded and developed by data scientists and aerospace engineers, Feedzai has one mission: to make banking and commerce safe. The world’s largest banks, processors, and retailers use Feedzai’s fraud prevention and anti-money laundering products to manage risk, while improving customer experience.
feedzai.com
Richard Harris, Head of International Operations, Feedzai
Walking this balance depends on a total risk management workflow
for PSD2 risk, where risk assessments above specified thresholds
either trigger automated escalations, like Strong Customer
Authentication (SCA), or manual reviews.
Because PSD2 is a new channel, there isn’t sufficient data to deploy
machine learning models on Day 1. That’s why it’s critical to have a
system that is architected to train and deploy new machine learning
models into run-time production as soon as the data becomes
available, with highly effective stopgaps fighting fraud in the
meantime.
At Feedzai, we are perfecting the process. Our AI-enabled platform
ingests internal and external data to create real-time nano-profiles
for every entity in the system, and we apply a combination of
machine learning models and configured rules to produce risk
assessments specific to each activity. At one of our open banking
customers, we are almost done building what we believe will be
the world’s first open banking machine learning model.
Underlying our orchestration strategy is an agile, graphical user
interface that splits and rejoins customer journeys in order to make
the best decisions about risk, without adding friction. And our API
connectivity is based on space-grade architecture that simply
cannot be hacked into. At one of our bank customers, beyond PCI
DSS, we implemented 800 custom security controls to satisfy their
requirements for total risk mitigation.
Feedzai for PSD2 is the result of years of data science innovation,
in the service of an AI platform purpose-built to fight fraud. But
with all the technology that goes into it, what I’m proudest of is
how agile it is. Our orchestration is enterprise-grade, but it’s also
easy. However a bank wishes to interpret open banking, with all its
potential opportunities, Feedzai can make the strategy secure and
seamless. That makes us a partner, not just in risk, but in digital
transformation too.
ThreatMetrix
The Paypers sat down with Mike Nathan, Senior Director
Solutions Consulting EMEA at ThreatMetrix, to discuss the
solutions available for banks to identify and respond to threats
in Open Banking.
What are the fraud and security implications of Open Banking, in terms of customer data storage?
PSD2 and open banking requirements aim at enhancing transparency,
innovation and competition throughout the EU’s financial
services industry. It empowers customers to take control of who
can use their data and advise on financial alternatives that offer
more competitive services. This includes regulating third party
aggregators to access customers’ account information, in a similar
manner to how credit bureaus and bank reports store information
about people’s credit files, credit histories and delinquencies.
As part of Open Banking the banks are required to offer third-party
providers (TPPs) access to accounts via APIs, under the condition
of customer consent. With the end consumer’s permission, TPPs
can access a bank statement for an agreed time-period, for
instance, to look at how that person is managing their money or
recommend a new financial product. How will customer data be
used in making the assessment, and perhaps most importantly –
what happens to the data after that? The customer might understand
the access that they have given to their primary data – but
will also need to clearly understand the way it is going to be used,
and potentially shared. Taking control of your own data might lead
to higher proliferation of that data than it does today. There is
a lot of power in this information – the stored data about the
consumers’ behavioural habits, and all their transactions both
digital and physical will now be visible to TPPs.
Some banks have already started developing their own aggregation
products to supplement the existing TPPs. The implications in
terms of the types of data and data storage need to be well thought
out in order to avoid further breaches and GDPR questions.
What is the impact of the Open Banking regulations on screen scrapers and banking aggregators?
At ThreatMetrix, we work with some UK banks and we see that
a high percentage of their traffic is based on screen-scrapers
who act as aggregators today. These screen-scrapers never do
anything but log into an account, check a consumer’s balance and
then return it back to their host systems. This allows the customer
a holistic view of all their bank accounts in one place. The UK banks
have also started, in a more limited capacity, allowing payments via
online banking; this will further pick up pace in 2019.
Banks have previously allowed screen scrapers to operate
because they know there isn’t a threat and it is a service. We are
now moving into a regulated environment, where the same
parties and new entrants will be able to create more functional
applications based on APIs.
What about the risks and challenges Open Banking is going to pose to financial institutions?
For Open Banking consent, authentication, and authorisation,
UK banks generally have followed the redirection model.
Therefore, for authentication and authorisation, the customer
is redirected from the TPP’s domain, to the bank’s domain
allowing the maintenance of high security standards and relying
on direct customer consent before the customer shares data.
Redirection screens will be presented between the consent and
the authentication steps, and, after the authorisation step, the
customer is redirected back to the TPP’s domain.
However, while Open Banking is designed to enhance the
customer experience and choice, it could also increase the risk
of specific kinds of fraud, including account takeover via stolen
credentials, malware targeting or API hacking. For example, if the
fraudster has access to the customer security credentials, they
might be able to re-use them across all accounts via a single
TPP interface. Another example could be a Man-in-the-Browser
manipulating the TPP journey after consent to initiate unwarranted
payments or return data the customer never intended to share.
Banks must ensure the same level of security across all access
points including the Open Banking environment, with the additional
check around consent.
They also must focus on risk control and put more emphasis on
active risk management and monitoring; they can no longer rely
on the behaviours of a direct customer and must now manage
multiple interactive profiles.
To fight these negative activities, ThreatMetrix has developed the
ThreatMetrix Digital Identity Network, which analyses millions
of transactions in real time across billions of devices. The latest
data, as revealed in the Q2 ThreatMetrix Cybercrime Report,
highlights that in the first half of 2018, financial institutions were hit
with 81 million cyberattacks on the ThreatMetrix global network.
The ThreatMetrix solution for Open Banking supports organisations,
maintaining authentication and customer validation processes
whilst enhancing the customer experience by piecing together the
true digital identities of users already known to the banks via their
regular online banking account. What is more, the solution allows
companies to evaluate real-time risk factors in the context of past
user behaviours to make accurate risk decisions – to accept,
reject, or review (step up) a transaction as necessary.
What are the solutions available for banks in order to build a framework for identifying and responding to threats in Open Banking?
Strong Customer Authentication (SCA) plays an important role
in creating a framework for identifying, detecting, protecting,
and responding to threats in Open Banking. ThreatMetrix offers
SCA solutions that focus on minimal user intervention, such
as persistent authentication through device binding using
cryptographic keys. This works hand-in-hand with Risk Based
Authentication to support the banks in maintaining the optimal user
experience as they define, within a new regulated environment,
how and when to use step-up authentication.
For more information on ThreatMetrix solutions for the banking
and finance sector visit https://www.threatmetrix.com/cyber-security-solutions/banking-and-brokerage
About Mike Nathan: Mike Nathan has nearly 15 years of experience in the risk and fraud space, with key interests in online banking fraud, application fraud, internal fraud and card fraud. Mike started as a credit analyst at Lehman Brothers, before moving to Lloyds Banking Group as a Fraud Manager, where he led large teams of analysts and data scientists. He was a consultant at SAS, the analytics company, and a Vice President at Barclaycard, looking at Credit Card Fraud. At ThreatMetrix, as Senior Director, Solutions Consulting EMEA Mike advises many of the world’s largest banks and holds an MSc in Information Management & Finance from Westminster Business School in the UK.
About ThreatMetrix: ThreatMetrix, A LexisNexis Risk Solutions Company, empowers the global economy to grow profitably and securely without compromise. With deep insight into 1.4 billion anonymized digital identities, ThreatMetrix ID delivers the intelligence behind 110 million daily authentication and trust decisions to differentiate legitimate customers from fraudsters in real time.
www.threatmetrix.com
Mike Nathan, Senior Director – Solutions Consulting EMEA, ThreatMetrix
DataVisor
APIs: The New Attack Vector
The promise of APIs in enabling innovation is unquestionable.
Open banking has transformed the traditional banking ecosystem
into one that benefits consumers and banks alike. APIs have also
opened up a completely new line of business for fraudsters.
According to Gartner, “By 2022, API abuses will be the most-
frequent attack vector resulting in data breaches for enterprise
web applications”.
Traditionally, the risks arising from API exposure were considered
to be under the domain of the CISO. However, the emergence
of digital channels and associated threats has highlighted the
need for a cross-functional fraud prevention strategy – one that
involves a broader discussion with product and risk teams.
Banks typically handle the risk associated with APIs with multiple
layers of security. Perimeter security, such as firewalls and/or
endpoint protection, only protects against network layer attacks
targeted towards gaining access to internal banking systems.
They do not provide defense against application layer fraud
attacks. What’s more, threats associated with APIs are often
buried in areas that may not be monitored. Fraudsters target
these unmonitored openings, automating scripts and taking
advantage of weak APIs as a way to scale attacks for maximum
impact.
Machine learning technology offers a way to mitigate the security
threats posed by these API weaknesses. The most common
approach has been through rules and, more recently, adoption of
supervised machine learning. Unfortunately, this approach can
only use historical patterns to identify known fraud patterns
coming from the same API. For that reason, a more effective
approach is what’s known as “unsupervised machine learning“.
This approach does not require labeled input or training data to
identify patterns and allows organizations to stay ahead of the
game in fraud detection.
What follows are the most common attack vectors for financial
fraud, and a brief explanation of the advantages of unsupervised
machine learning in stemming the tide of fraud via APIs.
Vector 1: Outdated application interfaces
Existing applications on mobile devices may not be upgradable
because of compatibility issues – or end users simply skip the
upgrades because of performance concerns. IT teams effectively
roll out newer versions of apps and web pages with better anti-
fraud measures but may not be able to upgrade all outdated
API versions with the latest detection capabilities like device
fingerprinting, Geo or bio-signals.
Fraudsters can then intentionally target these interfaces to slip
under the radar by sending only limited information.
Vector 2: Inadequate partner authentications
The adoption of third-party applications like financial tracking/
trading software is on the rise. When banks partner with these
third-party providers, they have special partner API connections
that may not have the same level of authentication and security
measures as the banks. Many important attributes such as end
user IP address, device and browser information etc. may not be
collected by these APIs.
Vector 3: Unprotected testing interface APIs
Most banks and financial institutions have testing interfaces
where banks or third-party vendors can test functionality.
As these interfaces are designed for testing rather than real
end users, they usually have no fraud detection/prevention
protections. As a result, when the interface is discovered by an
attacker, it can often be followed by big waves of attacks.
Vector 4: Mobile/Web emulators
Hackers can reverse engineer an app to discover the API protocol
details, such as the secret API key used to communicate with
the application server. This allows them to easily craft scripts that
call an API and pretend to be the legitimate app. Often the back-end
servers are not aware of the malicious app and will freely interact with it.
About Fang Yu: Fang Yu is the Cofounder/CTO of DataVisor, where her work focuses on big data for security. Fang has developed algorithms for identifying malicious traffic including fake and hijacked accounts, and fraudulent financial transactions. Fang received her PhD from UC Berkeley and holds over 20 patents.
About DataVisor: DataVisor is the next gen anti-fraud platform based on cutting edge AI. Using proprietary unsupervised machine learning algorithms, DataVisor helps restore trust in digital commerce. Combining an intelligence network of more than 4B user accounts globally, the DataVisor solution is deployed across a variety of industries, including financial services.
www.datavisor.com
Fang Yu, Cofounder/CTO, DataVisor
Staying ahead of the game with unsupervised machine learning
Existing anti-fraud endpoint solutions such as device fingerprinting,
behavioral biometrics, webpage obfuscation etc. effectively
protect up-to-date applications, but do not offer a robust way to
manage the broader threat emerging from old and retired APIs.
As a result, the fraud coverage of these solutions is low.
Machine learning technology holds great promise to mitigate the
security threats posed by these API weaknesses. However, the
most common approach has been through supervised machine
learning. The supervised machine learning approach requires
multiple models to be trained to address different APIs. They are
reactive, rely on historical attack patterns and can only detect
fraud based on features and attributes that are already defined
and trained.
DataVisor brings the next generation of AI and machine learning
to fraud prevention. By expanding the view to all input traffic and
correlating that traffic for suspicious activity, DataVisor is able to
identify previously unknown fraud patterns coming from any API –
typically before any financial damage is done.
Using a patented machine learning approach and techniques,
DataVisor’s Unsupervised Machine Learning Engine™ works
without requiring labeled input or training data. The detection
engine also eliminates the need for frequent re-tunings, because
its predictive power is not based on intelligence derived from
historical experience. Unlike supervised machine learning models,
which decay in effectiveness over time, DataVisor models maintain
consistently high performance without the need for re-tuning.
Outdated APIs can be an open door to financial fraud. Unsupervised
machine learning can shut that door.
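The blind spots described in Vectors 1 to 4 can be measured from API gateway logs. The Python sketch below is an added example, not DataVisor's engine or code from this report: it reports which interface/version surfaces arrive without fraud telemetry and, without any labels, groups requests that share client attributes across many accounts in a short window. The log schema, field names, thresholds and sample events are constructed assumptions.

```python
import json
from collections import defaultdict

# Telemetry the article says old, partner and test APIs often fail to collect.
REQUIRED_SIGNALS = ("device_fp", "end_user_ip", "user_agent")

# Constructed sample of gateway events (JSON lines); the schema is an assumption.
SAMPLE_LOG = """\
{"ts": 1000, "interface": "mobile", "api_version": "v3", "api_key": "k-mobile", "account": "acct-01", "device_fp": "fp-a1", "end_user_ip": "198.51.100.7", "user_agent": "BankApp/5.2"}
{"ts": 1040, "interface": "mobile", "api_version": "v3", "api_key": "k-mobile", "account": "acct-02", "device_fp": "fp-b2", "end_user_ip": "198.51.100.9", "user_agent": "BankApp/5.2"}
{"ts": 1100, "interface": "mobile", "api_version": "v3", "api_key": "k-mobile", "account": "acct-03", "device_fp": "fp-c3", "end_user_ip": "203.0.113.4", "user_agent": "BankApp/5.2"}
{"ts": 2000, "interface": "mobile", "api_version": "v1", "api_key": "k-mobile", "account": "acct-10", "device_fp": null, "end_user_ip": "203.0.113.50", "user_agent": "BankApp/1.4"}
{"ts": 2008, "interface": "mobile", "api_version": "v1", "api_key": "k-mobile", "account": "acct-11", "device_fp": null, "end_user_ip": "203.0.113.50", "user_agent": "BankApp/1.4"}
{"ts": 2015, "interface": "mobile", "api_version": "v1", "api_key": "k-mobile", "account": "acct-12", "device_fp": null, "end_user_ip": "203.0.113.51", "user_agent": "BankApp/1.4"}
{"ts": 2029, "interface": "mobile", "api_version": "v1", "api_key": "k-mobile", "account": "acct-13", "device_fp": null, "end_user_ip": "203.0.113.50", "user_agent": "BankApp/1.4"}
{"ts": 3000, "interface": "partner", "api_version": "v2", "api_key": "k-partner", "account": "acct-20", "device_fp": null, "end_user_ip": null, "user_agent": null}
{"ts": 4000, "interface": "partner", "api_version": "v2", "api_key": "k-partner", "account": "acct-21", "device_fp": null, "end_user_ip": null, "user_agent": null}
{"ts": 5000, "interface": "sandbox", "api_version": "v3", "api_key": "k-test", "account": "acct-99", "device_fp": null, "end_user_ip": null, "user_agent": null}
"""


def parse_events(text):
    """Parse JSON-lines gateway events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def coverage_by_surface(events):
    """Per (interface, api_version): request count, share of requests missing
    any required signal, and a per-signal count of what is missing."""
    stats = defaultdict(lambda: {"requests": 0, "blind": 0, "missing": defaultdict(int)})
    for ev in events:
        s = stats[(ev["interface"], ev["api_version"])]
        s["requests"] += 1
        absent = [k for k in REQUIRED_SIGNALS if not ev.get(k)]
        for k in absent:
            s["missing"][k] += 1
        s["blind"] += bool(absent)
    return {
        surface: {"requests": s["requests"],
                  "blind_share": s["blind"] / s["requests"],
                  "missing": dict(s["missing"])}
        for surface, s in stats.items()
    }


def blind_spots(events, threshold=0.5):
    """Surfaces where at least `threshold` of requests lack some signal."""
    cov = coverage_by_surface(events)
    return sorted(s for s, c in cov.items() if c["blind_share"] >= threshold)


def correlated_clusters(events, window=60, min_accounts=3):
    """Label-free correlation: identical client attributes touching many
    distinct accounts inside `window` seconds (assumed thresholds)."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev["interface"], ev["api_version"], ev["api_key"],
               ev.get("user_agent"), ev.get("device_fp"))
        groups[key].append(ev)
    flagged = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, first in enumerate(evs):
            accounts = {e["account"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged.append({"surface": key[:2], "api_key": key[2], "accounts": sorted(best)})
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    coverage = coverage_by_surface(events)
    for surface in blind_spots(events):
        print("blind spot:", surface, coverage[surface])
    for cluster in correlated_clusters(events):
        print("correlated cluster:", cluster)
```

On the constructed sample, the legacy mobile v1, partner and sandbox surfaces are reported as blind spots, and only the v1 burst across four accounts is flagged as a correlated cluster.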
Banks’ Quest for Better Customer Experiences
Open Banking encourages banks to become more innovative and to improve the user experience to retain relationships with their customers. In this section, banks and experts share best practices and strategic responses in Open Banking.
BNP Paribas Fortis
The Anatomy of Aggregation Services
Taken at face value, account aggregation services might look like
the proverbial ‘good solution to a non-existing problem’: after all,
people hold accounts at different banks precisely to keep their
assets separate.
Although very specific, this is just an example of the way the
debate about the possibilities unlocked by PSD2 is sometimes
focused on the answers (technology, capabilities) rather than on
the questions (in which way are customers’ needs actually met?).
Still, if tackled the right way, a topic such as account aggregation,
which by definition concerns multi-banking clients, is very relevant
for any major financial institution. In Belgium, for instance, about
1/3 of the 4 biggest banks’ customer base spreads its banking
relationships across the market.
To answer the question above, we have dissected the aggregation
issue, asking BNP Paribas Fortis clients for their opinions and
preferences and reaching some relevant conclusions along the way:
- Next to 23% of early adopters, studies show that 56% of
customers are open to using aggregation services under the
following conditions:
• Services are offered by the main bank;
• Security level is proven;
• Customer data are NOT used for other purposes or visible to
third parties.
First conclusion: there is a public for aggregation services and
an institution like BNP Paribas Fortis is seen as a legitimate
provider. Trust is a major pre-condition here.
- A remaining 21% has a negative attitude towards the aggregation
proposition, mainly linked to:
• Access to data (I don’t want Bank X to have a full view of my
assets) – [this group represents 15% of all customers];
• Own follow-up system already in place;
• Security/control/trust concerns.
Second conclusion: as conventional wisdom suggests, there is
a hard core of customers who spread their assets by design and
that are insensitive to aggregation. It is unlikely any institution
will ever convert them. They are however a limited number.
Third conclusion: aggregation emerges as a polarising topic,
being very relevant for some and highly sensitive for others. In
particular, worries and resistances around security are real.
- When presented with an aggregated overview of accounts,
most customers want to act on the information shown (e.g.
by making a transfer between accounts).
Fourth conclusion: ‘consult’ functions alone are not enough.
Pure aggregation needs to come with payment initiation and other
complementary services bringing added value (PFM, for instance).
Figure 1: Appetite for Aggregation Services (BNPPF market
survey, 2017)
The observations and conclusions above were critical to our
choices in bringing the service to the market.
In terms of communication approach, we now have a definite view
of the strengths BNP Paribas Fortis (with its customer base and
brand positioning) may leverage and, conversely, which issues
need to be addressed upfront in terms of user reassurance.
In particular, we acknowledge and are mindful of a wide customer
need for information and – indeed – reassurance on the boundaries
of PSD2-enabled services: in which cases accounts can be
aggregated, under which conditions a third party can gain access
to one’s accounts, what is the active role account holders need to
play in this dynamic.
Though it is to be recognised that the items above cover the ‘pre-
aggregation phase’, rather than the experience itself, adoption by
mainstream population will only happen once we get past those
arguments or objections, at least in a market like Belgium.
About Valentina Caruso: Valentina is Head of Product Management Cards & Accounts within the Retail & Private Banking division of BNP Paribas Fortis. In the course of her career in Belgium she has been covering segment marketing for Professional clients, and product management for accounts, customers, and more recently payment instruments. Before joining BNP Paribas Fortis Valentina practiced law at an international law firm in Milan.
About BNP Paribas Fortis: BNP Paribas Fortis offers the Belgian market a comprehensive package of financial services for private individuals, the self-employed, professionals, SMEs and public organisations. In the insurance sector, BNP Paribas Fortis works closely with Belgian market leader AG Insurance. The bank also provides wealthy individuals, corporations and public and financial institutions with custom solutions for which it can draw on BNP Paribas’ know-how and international network.
www.bnpparibasfortis.com
Valentina Caruso, Head of Product Management Cards & Accounts, BNP Paribas Fortis
Aggregation will be available to BNP Paribas Fortis and Hello Bank!
clients in Belgium as of late 2018, with a progressive enrichment
of the offer going forward. In order to provide such services, BNP
Paribas Fortis has decided to ‘go open’ and enter a partnership
with Tink to offer a wide range of aggregation-related capabilities.
Given Tink’s outstanding record at innovating, we intend this
partnership to evolve in terms of technological solutions and user
experience. The combination of Tink’s technological expertise and
BNP Paribas Fortis’ strong customer relationship backbone is a
powerful one, and can certainly evolve towards a wider range of
services offered. All this whilst keeping the high level of security and
data protection to meet our customers’ concerns.
All this for Step 1. Now, what is the future of aggregation services?
Customer adoption rate will eventually show us, but it is possible
that, over time, aggregation will evolve towards something wider,
perhaps encompassing asset management, retirement planning
or debt optimisation. Provided, of course, that the regulatory
framework evolves in the sense of enabling these trends.
In parallel, the landscape for open banking will certainly extend
beyond the ‘account/asset view’ and will touch extensive banking
journeys and different experiences.
We are now standing on the brink of a new banking world. At BNP
Paribas Fortis, we are confident this is the way to go: in the future,
the new technologies and the new way of conducting business will
prove their worth, expectations of customers will evolve further
and their worries will eventually subside.
In getting there, our responsibility – at BNP Paribas Fortis, but
also everywhere else across the market – is to preserve the trust
capital and keep being relevant for our clients. The customer stays
in the driver seat.
Rabobank
Seizing Open Banking Opportunities – Rabobank’s Experience
Rabobank understands that bringing the best experiences
and solutions to users is essential to stay relevant. And since
it is in our roots, we also understand that together we can
achieve more. As such, it is no surprise that being open
and connected is a key component in our digital strategy
and vision.
Within Rabobank, open banking is a strategic topic, which now
drives development of new financial services, new non-financial
services, and new business models. And although we are just
at the beginning of being open and connected, we can already
say it will have a real impact on our ability to bring innovations
to existing customers and expand to new customer segments.
Innovations for existing customers
By strengthening our existing solutions and connecting
digital (API) services from other financial institutions, we bring
innovations to our existing customers.
For customers who are using our online channels, we offer one
environment to connect all their bank accounts and hence have
an integrated overview of all their balances. Since its recent
launch, our users can connect their Bunq account, see
their transactions and balance, and make a payment.
We are also developing extended insight such as categorisation
and other personal finance management tools to assist our
customer in the best way possible. For these tools we are looking
into possible collaboration with partners who have experience in
that field as well.
Aside from adding functionalities to existing solutions, we also
create new propositions and bring new solutions to our clients,
such as Rabo PinPin, Rabo Assistant and Payconiq.
The first one, Rabo PinPin, is an augmented reality pocket money
app teaching children in a safe and fun way about the value of
money. While playing mini-games and earning and spending
virtual money, they learn valuable lessons.
Also, as a parent, Rabo PinPin allows you to connect your
children’s bank account. This way, their savings goals become
both tangible and real.
Another example is Rabo Assistant. Rabo Assistent connects
to our own digital (API) services and uses the Google Assistant
platform so customers can retrieve their balance and set a budget
with their voice.
The final example of a proposition made possible by being open
and connected is Payconiq, which simplifies paying online, offline,
and between friends.
Expanding to new customer segments
As stated, open banking drives development of new (non-)
financial products and services. This attracts new customer
segments like tech-savvy businesses, FinTechs and Developers
aka third parties.
Rabobank believes that by working together and enabling digital
businesses we can further excite innovation and create excellent
customer experiences. For instance, allowing users to have
a more seamless login experience with Rabo eBusiness or the
ability to send a Rabo Payment Request as part of an invoice.
To service these new clients, we have introduced a new Open
Banking platform – the RABO Developer Portal, allowing third
parties to build on top of our digital (API) services and incorporate
Rabobank functionality into their propositions. As of last year,
we are working closely with partners to validate and improve our
platform and offering.
Yet we did not stop there – another new open banking initiative
is Rabo eBusiness, which is a partnership between a traditional
bank and a fintech (Signicat). Rabo eBusiness acts as a service
aggregator that provides a distribution channel for new products
and services to our customers. Rabo eBusiness helps businesses
shape their online services in an efficient way, in order to achieve
higher online conversion.
About the authors: Daan van den Eshof & Ali Babakhan are both Product Managers for Rabo eBusiness and responsible for Business Development, Sales, Implementation and Marketing for Rabobank’s identity solutions and value added services. Desiree van der Geer & Tjeerd Tesselaar are both Product Managers for Rabobank responsible for API development and Open Banking opportunities.
About Rabobank: Rabobank is an international financial services provider operating on the basis of cooperative principles. It offers retail banking, wholesale banking, private banking, leasing and real estate services. As a cooperative bank, Rabobank puts customers’ interests first in its services and is committed to being a leading customer-focused cooperative bank in the Netherlands and a leading food and agri bank worldwide. Rabobank Group is active in 40 countries.
www.rabobank.com
The platform is easy to integrate into the existing business
processes using API technology.
Rabo eBusiness is our Digital Identity Service Provider (DISP) and
is a great example of an open bank. We are combining the experience
and reach of the Rabobank with the agility and technical
knowledge of Signicat. Therefore, we are able to use the best of
both worlds to service our customers most effectively.
Daan van den Eshof and Ali Babakhan, Product Managers, Rabobank’s identity solutions, Rabobank
Desiree van der Geer and Tjeerd Tesselaar, Product Managers, API development and Open Banking, Rabobank
Nordea
Nordea has a long-standing reputation as one of the most
technologically progressive banks. We’re already investing in
transforming our core banking systems through digitisation
and new technologies – and we have a strong reputation for
driving technological progress.
What are the solutions already launched on the Open Banking Developer Portal? Going forward, what are the next solutions and partnerships to empower the platform?
We have launched the sandbox, which now has over 2,200
registered users, with dynamic features, high-quality documentation
and support resources.
We have published XS2A APIs as open APIs, and are still in a pilot
mode. We gather feedback and develop the service further until we
are sure it functions in a satisfactory manner for customers, third
parties, and us.
In addition, we are working on exposing a few premium APIs to
selected partners. With compliance APIs we refer to Account
Information and Payment Initiation Services, which we are exposing
in order to comply with PSD2. Premium APIs are exposed
to selected third parties based on agreements. New solutions
will cover many product areas across Nordea. As it looks now
the premium APIs for corporates will hit the market before the
compliance APIs.
It is extremely important for us to have a large network of developers
and fintechs around us. The developer community with over 2,200
sandbox users helps us to iteratively improve our services; it also
ensures that we can enter into partnerships creating value for our
clients, third parties and us.
What are the benefits of Open Banking for corporates? What are Nordea’s (current and future) initiatives to help the business banking customer segment?
Open Banking is about improving digital customer-centric
offerings by opening up currently unavailable data-streams on
a wide range of business areas such as banking, investments,
lending, trade-finance, insurance, peer-benchmarking, bank
account management, embedded ERP-data, KPI-dashboards,
cash and treasury functionality etc.
Treasurers can move away from batch-oriented solutions to real-
time information allowing corporates to develop processes that
are more efficient, seamless integration and data-driven decision-
making. One example is account aggregation for corporates.
At its best, it can solve the treasurer’s need to get consolidated
real-time data on their liquidity situation in a multi-bank environment.
It remains to be seen how forthcoming banks will be with
their APIs on corporate data.
Corporates will benefit from the increased number of APIs and
banks and their partners can offer customised solutions, with
technology components combined in a way that partner banks,
corporates or third parties find meaningful.
Overall, treasurers stand to gain benefit in terms of real-time
data and improved data analytics. With time, Open Banking
will create new ways for banks to collaborate and be part of
corporate value chains. Instead of fuelling a battle between new
and old players, it targets to enable co-creation between banks
with trustworthy processes and powerful service organisations
and non-banks with innovative ideas and agile ways of working.
What is the role of banks in consent management, as safe keeper of personal data (beyond financial data) and money?
The customer is the owner of his own data and sharing this
data should be based strictly on his consent. One of the most
important aspects of PSD2 is the customer’s right to control its
own data and to share parts of it with a third party.
Within the PSD2 scope, banks need to be aware of the consent
model between their customer (PSU) and a third party (TPP), so that
the banks have a basis on which to share the data with the TPP.
Banks will provide APIs outside of the PSD2 scope, and in those
APIs the requirements on consent and contract may vary.
Open Banking helps us stay relevant and gives us the chance to establish ourselves as the “partner of choice” when it comes to shared innovation.
About Gunnar Berger: Gunnar is heading a Nordic unit responsible for ensuring PSD2 compliance and proactively embracing the opportunities for more innovative development and 3rd party collaboration based on open banking. Gunnar’s goal is to make Nordea’s Open Banking Platform the go-to hub for financial APIs in the Nordics, where customers, 3rd parties and banks can meet to exchange data and co-create more comprehensive and value-adding solutions. Gunnar has a long history working in the banking industry, especially with complex customer cases and development initiatives.
About Nordea: Nordea is the largest bank by size in the Nordic region and the only bank that has a truly Nordic identity at its heart and culture. With key operations in all of the countries of the Nordics, Nordea has been fundamental in establishing the shared economy in the region and the fostering of a borderless trading area.
www.nordea.com
Gunnar Berger, Head of Open Banking, Nordea
The open APIs will call on micro services that do basic stuff and
the front-end in this new environment will be much more intelligent
than just a presentation layer. If we do this in the right way, we
can reach a state where the cost for change will be so low that
customer specific development can become a reality again.
Nevertheless, the banks will always need to know that the customer
willingly wants to share data/services with a third party (TPP).
The client should always be made aware of the purposes for which data
is being used; this responsibility lies with the third party. On the
other hand, the customer should also be made aware of with whom
the data is being shared. This responsibility lies with the bank, the
data controller.
As the consent is negotiated between the customer and the TPP,
Nordea registers and presents that consent in the authentication
method Nordea UI, where it is very visible and clear for the customer
what he is consenting to. The customers may cancel a third party’s
access to their account at any time. We offer our customers a portal
that allows them to control the data they expose to third-parties and
monitor which third-party apps/services they have given consent to.
Looking forward, our focus remains to provide our customers with
in-demand products and services while keeping them in control
of which data they wish to expose and which products they wish
to use.
105 OPEN BANKING REPORT 2018 • BANKS’ QUEST FOR BETTER CUSTOMER EXPERIENCE
Fincog
Neobanks Are Setting the Benchmark in Banking
The rise of neobanks
Over the past years, we have witnessed a steady rise of challenger
banks, or neobanks, in Europe. These newly established retail-
and SME banks are challenging the established banks with
modern banking propositions tailored to the digital world. Starting
from zero, they collectively managed to secure their position in
the market and make a sizable impact.
One of the biggest success stories is UK’s Revolut. The company
was founded in June 2013 and launched in July 2015 with foreign
exchange services. Over time, it gradually expanded its offering
to include amongst others current accounts and cryptocurrency
trading. Nowadays it boasts a client base of 3 million customers
across Europe (TechCrunch, 6 September 2018).
Another success story is the German N26, founded in 2013
by two friends, with the goal to reimagine retail banking for
the mobile phone. It offers a free current account including
overdrafts, savings and others, and additional services such
as instant money transfers and mobile payments. Since its
initial launch in 2015, it achieved over 1 million customers from
Germany and other markets (N26 blog, 4 June 2018).
These success stories do not stand on their own: there is a
large number of innovative neobanks that collectively capture
a gradually growing market share across Europe. Most of them
are from the UK and Germany, but these types of banks have
appeared all over Europe, for example Compte Nickel (France),
Hufsy (Denmark), Bunq (Netherlands), and Holvi (Finland).
These challenger banks share some important commonalities.
First, they have a strong focus on the digital world, and deliver
advanced mobile apps and modern banking features – often
available exclusively through a mobile app. Not only the front-end,
but also the back-end is largely automated, with minimum
human interaction.
Second, they offer great customer experience with modern
banking features. The account opening process is simple
and quick, daily banking services are easy to use and intuitive,
and pricing is transparent. In addition, many offer financial
management services (e.g. financial overview, savings tools)
and seamless payments (e.g. instant P2P payments, mobile
payments). Neobanks tend to focus on a specific customer
segment or product, typically areas underserved or overpriced by
incumbent players, with a better solution. Monese, for example,
enables migrant workers to easily open a bank account, without
the need of a postal address.
Third, they typically offer very competitive pricing to compete
with incumbent banks. For example, many offer a free payment
account, free or low cost international money transfers and travel
money, and top rates on lending and deposits.
As opposed to incumbent players, challenger banks are not
hindered by legacy IT systems, large organisations, or physical
distribution networks. Neither are they subject to the same
regulatory requirements, as they often only provide a subset of
banking services or operate under an e-money license (instead of
a full banking license). In addition, they bring a fresh view and a
new culture to banking, while focusing on customer experience.
A new era of opportunities with open banking
PSD2 enables neobanks to better service their customers; they
typically only offer a subset of banking services, which helps them
to operate at competitive prices. By leveraging open banking,
these financial institutions can easily insource third-party services
or data to offer a more complete banking experience. Starling
Bank, for example, offers a financial marketplace of third-party
apps, integrated within its mobile banking app. This enables
customers to enrich their banking experience with a variety of
solutions such as money management, savings, and pensions.
Moreover, integration with partner banks provides neobanks
with an additional distribution channel, which enables them
to sell and integrate their services within the partner banking
environment. Thereby they can reach and service customers of
other banks.
TransferWise, for instance, has partnered with many (neo)banks to
offer international money transfers at competitive pricing.
Overall, open banking puts the neobanks, with a smaller existing
customer base, on a more level playing field in relation to incumbent
banks.
The future of banking
While we have witnessed a wave of neobanks in the past years,
and open banking offers them better opportunities as well, the
future is not without challenges. They must compete with existing
banking infrastructure and banking relationships. Churn-rates
in banking are rather low, depending on the market, on average
around 4% per year. Customers need a large incentive to switch
banks, being a better service or price. In addition, many customers
still prefer to be able to visit a branch with face-to-face interaction.
Most challenger banks struggle to secure the primary customer
relationship, which is the most sticky and most profitable one, and
offers the best opportunities for cross-sell. Instead, customers
typically use the neobanks as secondary accounts for specific
services or features.
Another challenge is that most neobanks are (yet) unprofitable.
They are still in their early phase, operating at subscale. They require
large IT investments to build the company and marketing to attract
customers. Revenue per customer is also often lower, due to
competitive pricing and the use of freemium models (e.g. the basic
services are free).
This may spark the question of whether these initiatives are worth
their high valuations and whether they will be able to survive in
the long-run, achieve sufficient scale and become profitable.
Looking forward, it is unlikely for them to gain a majority market
share, but rather stay more of a niche, similar to the first wave of
internet-banks from about 20 years ago. Yet the neobanks are
making a permanent impact on the market, driving innovation and
competition, as incumbent players are gradually following suit with
similar modern banking apps and improvements in the customer
experience.
About Jeroen de Bel: Jeroen de Bel is the founder and principal consultant of Fincog. He is an expert in retail banking and payment innovation, and helps companies navigate the complexities of the fintech sector in a structured manner by developing winning solutions.
About Fincog: Fincog specialises in fintech consulting. They offer bespoke solutions in strategy consulting, market research, and commercial due diligence. They work for a broad range of stakeholders in fintech such as banks, payment service providers, investors and regulators. Their solutions give detailed, actionable insights, and their business strategies propel businesses forward.
www.fincog.nl
Jeroen de Bel, Founder & Principal Consultant, Fincog