PSD2-Sanctions-Access-to-Personal-Banking-Data,-Amplifying-FinTech-GrowthOn the European FinTech stage, forthcoming initiatives and regulations will both disrupt and foster innovation in the banking sector of the API economy. The most significant of these is the Payment Services Directive 2 (PSD2), a new regulation that will apply across the European Union and is likely to result in a huge increase in the number of APIs for banking products. Making banks programmable will significantly change the engagement model for accessing a consumer’s account. What is less clear is how this may affect the consumer themselves, including their level of access to the data (that in theory they own), and their ability to use their data in any way they see fit. In this post we’ll look at how PSD2 and the growth of APIs for banking will affect personal data ownership.

The Status Quo

Most banks lock customer data away in internal systems with very limited access, restricted to tightly controlled channels. This state of banking data accessibility is widely viewed by industry commentators and even banks themselves as nothing short of a travesty, epitomizing the hegemony banking giants have held for a long period of time. According to Andres Wolberg-Stok, global head of emerging platforms and services at Citi, APIs present an opportunity to “break a few windows to let free air and light in.”

Whilst disrupters and innovators (especially challenger banks) will be prone to hyperbola, the common consensus is that banks should open up to provide APIs for a number of compelling reasons:

  • To enable consumer choice: There are many consumers who want to be selective about banking products without having to choose a single banking provider, instead simply picking from a marketplace. APIs provide a mechanism to enable such selectivity of product. Supporting this notion is the great deal of media coverage on the “narrowing” of banking (where the portfolio of bank activities is restricted), as well as the lack of trust millennials place in traditional banking establishments;
  • To unlock customer data: Internet banking has become the key customer engagement point during the last two decades, but the digitization of the customer experience has made it clear that the vast majority of banks consider this data to be a vault with only one entrance and two sets of keys — theirs and the customers. This is juxtaposed with the wants and needs of customers, who are keen to exploit what is essentially their data in any number of different ways: Personal Financial Management (PFM), credit checks, digital notarization, and more. However, banks simply don’t provide facilities for third-parties to work at the delegated authority of the customer, forcing many third party solutions to use the customer’s internet banking login credentials and web scraping to function (examples include Mint and Xero). While this provides customers with useful solutions, by sharing their credentials with a third party they may actually break the terms and conditions of their bank’s internet banking platforms;
  • To unlock themselves: Anyone who has worked in the IT department of a large bank will be familiar with the architecture and approach that typifies them — extreme risk adversity with large amounts of governance on top of legacy systems and monolithic applications. An API-based architecture, built incrementally with many small steps could help unlock and decouple these architectures, making them more accessible and providing an environment to foster innovation.

The core theme is that banks could be doing much more to open customer data up to new use cases and business models. Naturally there are disrupters and innovators who are having some success trumpeting down the walls of Jericho, and the Open Bank Project is clearly the poster boy for the open banking movement. Another example is Figo in Germany that delivers a single API that integrates with the German FinTS/HBCI banking network. These initiatives show what can be achieved without a standardized API network, but a lot of hard yards are involved in creating the solutions with a myriad of different integrations across the banking ecosystem. Such efforts could be significantly reduced if each bank offered a standardized suite of APIs.

Regulatory Impact

The rationale for standard banking APIs is clear, and there has always been the potential for a large bank to “break cover” and offer a suite of APIs with access to customer data in advance of its rivals. However, in the absence of this early mover encouraging other banks to offer APIs by way of market competition, regulatory forces are now likely to coerce many into taking action.

PSD2 will force banks to allow third parties to access a given customer’s data, where that third-party is acting as a data consumer or a delegated authority: The EU describes these as “third party providers (TPPs) [who] offer specific payment solutions or services to customers”. As this could include making a payment on a customer’s behalf, PSD2 grants third-parties considerable power. There is a great deal of debate how this might be implemented from a technical perspective, but an obvious solution for anyone familiar with the API economy is the use of APIs to facilitate access. Moreover, APIs could be coupled with a rich framework such as JSON Web Tokens under the guise of OpenID Connect to provide strong authentication and non-repudiation.

It is an oversimplification to say using APIs and OpenID Connect would immediately provide the framework for implementing PSD2, and some of the logical architecture has already been framed: it includes the introduction of Account Information Service Providers that will provide a single view across multiple customer accounts. However, with the right governance framework these technologies could provide the bedrock of a new open banking landscape, supporting a wide range of new entrants to the market.

The Open Banking (and Data) Landscape

The open banking landscape will allow customers to unlock their data and give delegated authority to their payment instruments, empowering them to share it with whomever they saw fit via an API. The value in this unlocked data isn’t restricted to banking — clearly other solution providers see much value in it. For example, frameworks like Figo will become much more commonplace with initiatives like PSD2 and possibly draw in data sources that aren’t financial in nature, again via APIs.

Customers will have a single window on all their data, financial or not: while solutions already exist in this space, such as Trunomi and Mecco, who offer federated personal data stores and mechanisms to produce different views of an individuals’ personal data, the integration effort is fraught with difficulty. With standardized APIs there is an opportunity to view, understand, and control a unified view of our data.

Blog-Post-Wide-CTA-API-Stack

The consolidation of our digital persona into a single construct is both a risk and an opportunity for individuals: a risk, because without the right governance we offer ourselves up to solicitation on a huge scale, but an opportunity because we can enable the genuine usage of our data for our own benefit, truly empowering consumers to make insightful decisions. With such insight at our disposal concepts like the Secco Aura could become a reality for more people than just Secco bank customers, with a broadcast of interests possible across many different service providers, financial or otherwise. Such possibilities are so relevant in the data sphere that large organizations like Visa Europe are researching them, with their innovation lab currently running their “Me2B” theme. Howard Elsey, the innovation partner running this theme describes such a personal data network as:

“the connective tissue and nervous system of the data economy. This has ramifications into all current areas of technical innovation, from big data to blockchain, identity, and IOT but is so interesting … because of the impact that it will have in overcoming something that computerization has managed lose — the personal nature and trust in the relationship between business and the individual and the disrespect of third party companies that exploit the value in an individual’s data without returning value to the individual.”*

PSD2-data-access-third-partiesIn architectural terms, APIs underpin this framework as both the personal data source, federated into what Mecco calls “the API of me” and the service delivery point. However, there is a new paradigm, the carrier for the broadcast of interests which, at face value looks and smells like massively distributed publish-subscribe network: the NATS technology for the personal data network. It is to this network that both consumers and providers broadcast their interests with APIs providing the delivery mechanism for data or services; requests can be serviced either directly from the consumer’s data stores or via aggregators that pull together and consolidate the data in a myriad of different views. Some initiatives already exist that could grow into the backbone of this system, such as the Open Mustard Seed project, but however it comes about, the “network of me” will make the personal API economy truly revolutionary.

 

Final Thoughts

The opening of banking through APIs, whether through competitive pressure or regulatory enforcement, has massive implications across the data ecosystem:

  • for consumers it empowers their ability to access products and their data;
  • for solutions and services providers it allows them to engage with customers in a much more seamless fashion;
  • for IoT it provides the network for devices to make autonomous actions based on an individual’s preferences, wants, and needs.

It will take work to come to fruition but these are exciting times for us all as consumers. It will be fascinating to see how banks receive the PSD2 regulation, and how this personal data network develops over the next couple of years.

Chris Wood

About Chris Wood

Chris Wood is an API specialist from the UK. His main interests are API management, Python and working on cool and interesting stuff. Connect with Chris on Twitter.

  • Robert Macho

    Good article – the devil is in the detail….
    Banks are bound on different legal restrictions as they are Data-Protection and (at least in my country) even strong Bank-Secrecy. It will be interesting, how these limitations are reflected in the local legal regulations of the different EU-member states, which have to be followed after PSD2 in the next 18 monthes.
    Secondly it is not clear until today, for what acivities the so called “Strong Customer Authentication” (SCA) will be needed and even required by the Banking Supervisors (or what are the exemptions) and it is is well not clear, what are the misterious “Sensitive Data” for which SCA must be applied if some TTP like to have access on. Lastly it is not clearly defined, if TTP’s shall offer and maintain their own SCA-system or at what preconditions they are allowed to re-use existing SCA-systems of the banks…..

    Means, there are crucial question to be answered in advance – not to talk about, who / which organisation is going to define “THE” european access-standard, although that should be the easiest task, since we have already in the SEPA/xml20022-rules appropriate standards, which could be utilised for account-information, initiating payment orders and even the famous and poorly regulated Directdebit-eMandate…. as well for that: some countries are demonstrating, that it could work already.