The role of APIs in Open Banking initiatives

Written by: Dániel Bagó, Product Marketing Manager, Balasys

Created: 2022-10-28

The practice of securely sharing financial data, subject to customer consent, through banking APIs gave birth to hundreds of new applications that were previously unavailable.

What is a banking API?

Open banking is the practice of securely sharing financial data, subject to customer consent. The exchange of data between the bank and authorized third parties (such as financial institutions, fintech companies, and enterprises that are not necessarily active within the financial sector at present) is enabled via Application Programming Interfaces, or APIs.

APIs enable different applications to communicate with each other by defining how software components interact. We use dozens of APIs each day – in mobile banking apps, in movie streaming services, on various websites, and in electric cars. APIs give companies the opportunity to provide easy-to-use and intuitive services to their customers.

Banking APIs help financial institutions provide modern web-based services and mobile apps to their customers. Historically, banks had proprietary services and offered them only through their own channels. Thanks to the adoption of PSD2 (Payment Services Directive) by the European Parliament in October 2015, this situation has changed forever: PSD2 promoted the development and use of innovative online and mobile payments through open banking solutions.

Open banking APIs allow third parties – like Revolut and Wise – to access account information and initiate payments. These new companies were crucial for developing new apps and services for the customers of traditional banks on top of bank infrastructure. Their impact can be compared to the role of the Google Maps API – thousands of mobile services now rely on geolocation data provided by Google Maps. With the number of users of these two fintech companies alone exceeding 22 million by 2022, it is no exaggeration to say that open banking APIs have shaken up the financial system and transformed how incumbents interact with their consumers, with other banks, and with fintech companies.

Although open banking has brought many advantages to customers, it is not without risks:

  • Open banking solutions are popular targets for cybercriminals. Given that the largest cybercriminal groups have begun to operate as professionally as multinational companies in recent years, we can confidently say that a large data breach could happen at any time
  • The freemium business model threatens privacy – most customers do not understand how sharing too much personal data may come back to bite them. For example, healthcare-related information may make personal insurance more expensive
  • Malicious actors may use open banking information to trick customers or companies with phishing scams
  • Traditional web application defense systems such as WAFs (Web Application Firewalls) are insufficient to fully protect APIs, as API attacks are logic-based rather than rule-based. It is no coincidence that OWASP released a Top 10 list targeting API Security in 2019 to expand the original OWASP Top 10 that began publication in 2003. However, many organizations still have a false sense of security based on security products that were not designed to protect against API attacks
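
The last point above, as an added example (not code from Balasys or any product): a constructed signature filter standing in for a rule-based WAF passes a well-formed request for an account outside the customer's consent, while an object-level consent check in the API rejects it. All customer, account, route and scope names are hypothetical.

```python
import re

# Constructed signatures standing in for a rule-based WAF (not a real product's rule set).
SIGNATURES = [re.compile(p, re.I) for p in
              (r"<script", r"union\s+select", r"\.\./", r"'\s*or\s+1=1")]

# Constructed consent records: (customer, third party) -> what the customer approved.
CONSENTS = {
    ("cust-alice", "tpp-budget-app"): {"accounts": {"acc-1001"},
                                       "scopes": {"accounts:read"}},
}
ROUTE = re.compile(r"/accounts/([\w-]+)/(transactions|payments)")
SCOPE_FOR = {"transactions": "accounts:read", "payments": "payments:write"}

def waf_allows(req):
    """Rule-based: block only when path or body matches a known-bad pattern."""
    text = req["path"] + " " + req.get("body", "")
    return not any(sig.search(text) for sig in SIGNATURES)

def api_authorizes(req):
    """Logic-based: is this account and action covered by the customer's consent?"""
    consent = CONSENTS.get((req["customer"], req["tpp"]))
    route = ROUTE.fullmatch(req["path"])
    if consent is None:
        return False, "no consent on record"
    if route is None:
        return False, "unknown route"
    account, resource = route.groups()
    if account not in consent["accounts"]:
        return False, "account not covered by consent"
    if SCOPE_FOR[resource] not in consent["scopes"]:
        return False, "scope not granted"
    return True, "ok"

def evaluate(req):
    ok, reason = api_authorizes(req)
    return {"waf_allows": waf_allows(req), "api_allows": ok, "reason": reason}

CALLER = {"customer": "cust-alice", "tpp": "tpp-budget-app"}
REQUESTS = {  # constructed sample requests
    "own_account": {**CALLER, "path": "/accounts/acc-1001/transactions"},
    "other_account": {**CALLER, "path": "/accounts/acc-2002/transactions"},
    "payment": {**CALLER, "path": "/accounts/acc-1001/payments",
                "body": '{"amount": "10.00"}'},
    "injection": {**CALLER, "path": "/accounts/acc-1001/transactions",
                  "body": "note=' OR 1=1"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, evaluate(req))
```

The `other_account` and `payment` requests contain nothing a pattern can match, so only the consent lookup stops them; the `injection` request shows the opposite case, where the signature filter is the layer that reacts.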

What are the benefits of Open Banking APIs?

Open banking APIs bring many advantages to customers:

  • They can choose from a wide variety of service providers; they are not bound to their bank
  • The same variety applies to the available services; fintech companies offer many services that were previously unavailable
  • API-based mobile banking apps enable a ‘streamlined’ banking experience; customers do not need to go to their bank; they can manage almost all their requests and tasks with their mobile phones

But open banking is also beneficial for banks and third-party providers:

  • Financial organizations get the potential to increase their revenue streams
  • Open banking makes it possible to create revenue-sharing ecosystems: banks give customers access to third-party services while benefiting from every new subscriber
  • Banks may open their infrastructure and provide core services to fintech companies on a Backend-as-a-Service (BaaS) basis

Examples of Open Banking APIs

Thousands of banks and other financial companies have built various services in the last few years. Here are a few examples:

BNP Paribas is a French international banking group. It is the second largest banking group in Europe, with 190,000 employees. BNP Paribas’s Open Banking Portal enables developers to test and use various APIs in production free of charge. It offers a wide variety of services in addition to the ‘compulsory’ PSD2 ones (Account Information, Payment Initiation, and Availability of Funds), such as a smart derivatives API or a net asset valuation API.

Barclays is a British multinational universal bank headquartered in London. It launched its Open Banking initiative in 2018 and offers various services beyond account information or payment initiation, such as an ATM Locator and Branch Locator.

DirectID is one of the earliest open banking pioneers to use open banking data to offer different credit and risk decisioning services, such as bank account verification, portfolio risk management, and SME financial health.

Regulations

Although open banking brings advantages for incumbent financial institutions too, it also fosters competition – which is why regulators had to be the key drivers of open banking’s spread. As we outlined earlier, the most important regulation – and stimulant – around open banking is the Directive of the European Parliament and of the Council (EU) 2015/2366 of 25 November 2015 on payment services in the internal market, i.e. PSD2. PSD2 introduced increased competition and innovation into the financial services sector and successfully gave birth to several new customer-centric payment services, changing the classic bank-customer relationship forever.

But PSD2 is not set in stone: the European Commission has already announced and launched a comprehensive review of the Directive – the consultation period ended in August, and the adoption of the modified regulation is planned for Q4 2022.

PSD2 is not the only good example of open banking. In the UK, the Competition and Markets Authority (CMA) set up the Open Banking Implementation Entity in 2016 to foster innovation and competition in the retail banking sector. In recent years, the open banking ecosystem has enabled customers and SMEs to share their current account information securely with third-party providers, who then use that data to tailor their apps and services to people’s specific financial circumstances.

The UK and the EU are the most advanced in terms of open banking, and their development is accelerating further. But without regulations like PSD2, other countries with advanced banking systems – such as Japan, Canada, or the United States – are only opening their banking services very gradually.