Banking has well and truly embraced the digital age, with the rapid growth of mobile devices laying the foundation for non-cash payments and bringing a wealth of opportunity to the financial sector. However, it is also forcing banks to look at more flexible ways of managing their data processes, such as apps and the glue that sticks them together – Application Programming Interfaces (APIs). At the end of last year, the UK Government announced plans to standardise the APIs used across the banking industry. The chief idea is to deliver greater transparency for customers, to help them make better decisions about financial services.
APIs are opening up organisations to the wider financial ecosystem, and whilst providing many benefits, such as stronger customer engagement and streamlined internal processes, there are still some risks that need to be addressed to ensure the governance of data.
Research has shown that financial organisations are looking to bolster cyber security budgets by $2 billion in the next two years. But it’s more than just cyber-attacks that banks need to protect themselves from, as they open themselves up to the wider financial ecosystem. Banks need to ensure data flows are securely governed at every stage. They also need to empower teams to respond quickly to customer security risks, to ensure the integrity of each data exchange.
In a rapidly shifting financial tech landscape, banking organisations are coming up against a number of hurdles:
- Mobility: Fast mobile growth, the IoT and business policies like BYoD and BYoIoT mean consumers expect to be able to access their financial data from any place at any time. The World Payments Report states that mobile payments are actually doubling year on year now. Wearables are bringing a whole new dimension to mobility and finance – devices could be used to measure fitness and health for insurance rate purposes.
- Competition: As payment is more and more commoditised, services have to be added on top of payments, and these are the ones that make the difference. Competition is coming from all angles – from online financial payments services like PayPal and startups, and even the likes of Facebook and Google, who have applied for licenses to deliver financial services. So banks not only need to link with various payment services but, more importantly, they have to create new services linked to payment services so that they bring improved value to customers.
- Cloud computing: As the financial ecosystem (i.e. the financial services providers) broadens, it is also spreading across a multitude of different platforms, both on-premises and in the cloud. The cloud offers financial organisations the ability to bundle both internal and external services, resulting in reduced costs and improved flexibility. This in turn removes the barriers between countries and gives financial organisations the ability to effectively manage the flows of data globally.
The challenge will be for banks to create agile ways to connect these systems and orchestrate them together using the infrastructure they already have. If they can manage to do that, the cost of deploying new services will be kept in check.
As banks scrabble to keep up with customer demand, changing platforms and increased competition, payments are fast becoming a commodity. With this in mind, new offerings need to be developed faster than ever, so financial organisations can continue to leverage their value chains in the world of immediate mobile payments. In order to monetise processes and utilise partner companies to get this added value for their customers, banks need to ensure that their IT platforms are up to the job and that they’re not being held back by legacy systems. Financial organisations can’t take a year to plan and execute a new digital service or business model; it needs to be built and deployed quickly or they risk falling behind the competition.
The open bank
Many banks and financial organisations are turning to APIs for the solution. APIs are opening up a whole new digital world for banks to work in. Not only do they open existing services to the outside world in a flexible, easily implemented way, but they also enable banks to launch new services with very little cost. Open APIs can be published and shared with other merchants, corporates or apps to leverage the use for their business. For example:
- Customer services: Banks can launch new customer apps to streamline and improve the customer experience. Customers already expect to be able to check balances, transfer funds and pay bills, but additional functionality could enable them to make the most of their smartphone – use the camera to pay in a check, use the GPS to confirm the customer’s location and identity to improve security, or let them know where the nearest cash machine is. A deeper level of personalization can be added through new services and tailored content.
- Partner services: By sharing the API with regulated partners, banks can drive additional business such as inclusion in comparison services, but also improve customer services with easier sign-up for new services or quotes and new schemes with offers through partners.
- Streamline internal processes: APIs will free data trapped in legacy systems and enable banks to share data assets from other departments – whether it’s to solve customer service issues through social media sites or improve operational efficiency.
The cost of becoming digital
Mobile financial services aren’t anything new; in fact they have been around for years, and payments are just the tip of the iceberg. But it’s precisely the part that we can’t see that needs to be addressed. Data flows don’t stop at the edge of the enterprise; as they flow out across the network and to a multitude of services, increased resistance needs to be in place.
Banks are a cautious breed – the technology is already available to deliver new services, but the security issues are holding many back. And it’s no surprise, given the highly regulated nature of the financial industry. Complying with an increasing number of regulations is essential. Take SEPA for example. The payment-integration initiative was rolled out last year to streamline cashless cross-border Euro payments, as was the Directive on Payment Services.
Unfortunately, the kind of open access that mobility provides could potentially be a sticking point for adhering to industry regulations. Banks need to know who is making the payment, where from and what their liability is. If a consumer enters their login details with a third party via an app, the bank can no longer ensure the integrity of their account, because a third party now has those details. So it falls to the banks to provide or grant access to the outside world in order to maintain control. This is why it’s essential for banks to open and manage their own APIs. And any bank investing in an API will need to ensure that access at any point in time is only granted for something that has been authorised.
Every single data flow needs to be managed and secured, and when you consider the scale of today’s financial ecosystem, this is no easy task. Banks need to ensure they have a mobile strategy in place that meets compliance and provides agility, but which also doesn’t threaten innovation. This is why banks are increasingly looking to APIs rather than just app functionality to manage new digital capabilities.
The gate keeper
Digital exploration by financial organisations in 2015 is only going to grow. Whilst an API can provide many opportunities, if the proper precautions aren’t put in place, it could also open the bank up to security risks, cyber-attacks or malicious hackers. Banks need to make sure that customer identity management will not be exposed outside of the bank. In other words, banks have to carefully choose their enabling technology so that they can still guarantee their customer ID will not be stolen.
This is why a solid API management strategy, with tools that provide granular data trails, will be essential for maintaining data integrity over your API. Additionally, SSL should be used to encrypt the link between the server and browser, along with HTTP authentication. The API needs to be all-encompassing, protecting both XML and JSON, especially with many people accessing data from unsecured mobile devices.
API technology can also enable banks to identify the devices themselves that access the data, both inside and outside the bank. It has the power not only to ensure efficient data flows but also to grant access according to predefined security policies for mobile devices.
API gateways are the new gatekeepers for all finance services data, giving banks peace of mind that the technology is in place to cope with the levels of data generated by omni-channel and multi-partner functionality as well as new customer services.
The right API management strategy will enable them to do this – not only securing their API but providing the insight that enables them to keep control of their ecosystem as a whole.
By Bruno Cambounet, VP Finance Services and Insurance industries Program Leader, Axway