Open Banking, PSD2

Want to know more? Download our jointly authored whitepaper - Accelerating Compliance In The API Economy With Open Banking & PSD2

APIs have been a key enabler of digital transformation for some time. Forward-looking companies have realised that by opening their data and capabilities to customers and partners, it would be easier to build mobile applications, social integrations and mashups to drive traffic and associated commercial opportunity.

These 'open APIs' and the 'API economy' are about to hit banking and financial services industries in a big way. Consumers have been adopting aggregation tools such as mint.com, comparison shopping and screen scraping in a bid to get at their data through alternative front ends. The regulators have noticed this and are mandating that banks open up product information, customer information, and transactional information over open APIs for more market participants to consume.  

At Contino, we noticed how disruptive this would be to banks. To achieve this regulatory mandate, banks would need to expose their data from legacy mainframe datastores over the internet using modern REST APIs. They would also need to secure these using federated techniques, such as OAuth, and would likely need to deploy these APIs in cloud-based infrastructure. This would have huge implications for infrastructure, security, networking and application architecture. Even the act of developing APIs and then iterating on them quickly is a change in mindset for the typical bank, which isn’t used to iterative digital delivery. All of the above would be best delivered using modern agile and DevOps techniques.

To support this, Contino have recently teamed up with Paul Rohan of Rohan Consulting to help our FIS clients make sense of Open Banking and PSD2 (a forthcoming EU directive that will oblige banks to provide third-party providers access to their customers’ accounts through open APIs).  

Paul is a researcher, management consultant, executive educator and author on business strategy in financial services. He is also the author of PSD2 In Plain English. His advisory customer base straddles the potential PSD2 PISPs and AISPs, including fintechs, credit monolines, card processors, accounting software, challenger banks, as well as the banks that will be ASPSPs. Paul’s blog on the impact of PSD2 and Open Banking on market structures is followed by 6,000 market professionals globally.

Contino are the experts in DevOps and Microservices, and we look forward to working alongside Paul to develop a strategy for turning Open APIs from an existential threat to an opportunity.

Below, we interview Paul for his perspective on what Open Banking & PSD2 are all about.  

Contino: What are Open Banking and PSD2 all about?

Paul: Given the pivotal role of financial services, public policy makers such as financial regulators and competition authorities want high levels of innovation and competition. EU public policy makers have been focused on low levels of customer switching between financial providers for many years. Bank accounts used by customers have historically been very “sticky”, with very low churn rates.

Public policy makers in trading blocs around the world are also seeking to both emulate and rival the global success of Silicon Valley. Loosely organised collaboration takes place between Silicon Valley firms within informal networks. These characteristics lower the costs of invention and enable growth at large scale. Firms clustered in this environment drive strategies that aim to reshape markets and industries rather than merely seeking tactical advantages against established rivals.

The EU appears to have identified Open Banking as one potential remedy to an area of slow innovation and market development that seems to be holding back the competitiveness of its trading bloc. PSD2 is the regulatory intervention that is introducing Open Banking. PSD2 will compel banks to connect their digital assets to regulated entities outside their organisations through a standard API interface.  

Why is this so disruptive?

When a platform business sets up for the first time, it has to design its platform architecture and business model to help the ecosystem grow. The platform business has to figure out which decisions should be taken by the platform and which decisions should be taken by application developers. Crucially, in a commercial platform business, a pricing approach to fuel growth and divide rewards between platform and app developers has to be designed. In terms of “gatekeeping”, the platform has to decide which app developers and apps to admit to the platform. The platform has to decide which parts of ecosystem processes to control and which parts to merely influence. Metrics have to be designed to allow the platform to track the behaviour of app developers and the evolution of the ecosystem. Although automation levels are very high, the commercial relationships between platform and app developers need guidance and management.

PSD2 is creating a deadline and an initial standard that forces all major EU banks into a basic Open Banking platform business at the same time. The regulator has taken control of the gatekeeping to these platforms. App developers that get accredited by regulators as 'Payment Initiation Service Providers' (PISPs) and/or 'Account Information Service Providers' (AISPs) can use the standard APIs at all EU banks to make payments and/or extract data from the underlying bank accounts. The regulator has also taken control of platform pricing. The bank account user won’t pay any extra fee to the bank if the customer uses a PISP or AISP for a service. The bank, labelled an 'Account Servicing Payment Service Provider' (ASPSP), cannot charge a PISP or AISP for access to the standard APIs. PSD2 and its Regulated Technical Standards also set out a lot of requirements on how the process will be designed and controlled, a task that the platform normally carries out in a purely commercial platform business.

In summary, when a very powerful regulator like the EU steps in to force major EU banks into a platform business, while controlling gatekeeping and pricing for the platform, a major disruption of market structures is being attempted by regulators.

What are the implications for banks' strategy?

Open Banking will force banks to share reference data about clients and products with third-parties. Reference data is internally and externally sourced information obtained and used by different parts of a bank. The sharing of reference data with independent third-parties is an entirely new discipline for banks. It will have a big ripple effect on how banks manage sales and service.  

A wave of business volume coming through new independent third-party channels will also put a strain on operations and execution processes. Risk and compliance teams will be hit by this wave as they have to study unproven business processes and design new risk models for Open Banking. Finally, the broad range of general management and enabling activities common to banks, such as corporate strategy, finance, HR and IT, will have to incorporate the ripple effect of Open Banking on organisational governance.

Open Banking could have a very strong influence on the evolution of business strategy in banks, as they become more like platform businesses than pure product organisations. This seems to be exactly what the regulators wish to happen.

What are the costs and risks of getting this wrong?

The vast majority of EU banks are not globally-scaled organisations. They have their roots and customer footprint in specific regions, cultures and languages. In the immediate aftermath of PSD2, it may be more likely that each EU country or region may have their own emerging Open Banking platforms.  

In the early phases of a platform market, a variety of firms experiment with different types of features, capabilities, and designs to assess the market's response. As these competing designs for Open Banking continue to improve, at some point one design will eventually become widely accepted - implicitly or explicitly - as the winning standard.

This then becomes the industry's dominant design and is usually associated with a shakeout, with the market switching over to the dominant design. Significant business flows from app developers are likely to accrue to the market actor, country or region that produces the dominant design.   

Which banks are leading the way with open APIs?

I see three main groups on my travels up and down the emerging Open Banking ecosystem and I think the leaders are in one of these groups.

There is a group of challengers (i.e. challenger banks, but also other niche financial providers), who have bought into open APIs and platforms as a growth strategy. These challengers are learning platform architecture on a purely commercial basis, looking at decision rights, gatekeeping, process controls and pricing policies. They can see themselves as either a platform, an app developer or both, depending on the market context. The challengers are likely to be active in using Open Banking to extract customer data from the very large incumbent banks, in order to help their growth. However, these challengers are small in scale. Even as the network effects from Open APIs accelerate their growth, they have a long way to go to have a sizeable market share.

I also see incumbent banks who have reacted very cautiously to PSD2 and Open Banking. Older businesses that were not born in the networked economy can be excessively focused on the downside risk of data travelling out to third-parties. For the moment, despite their many millions of customers and huge vaults of data, the current mindset of these cautious incumbent banks is “minimum viable compliance with PSD2 APIs”. I see these banks running a major risk because they are not thinking about the platform architecture they will need if subsequent market evolution forces them to embrace Open Banking as a growth strategy. In simple terms, because the regulators are controlling platform gatekeeping for PSD2, the cautious banks are not designing commercial platform gatekeeping into their architecture. Similarly, because the regulator is in control of platform pricing for PSD2, they are not designing commercial pricing structures into the platform architecture. It will be difficult to retrofit a more strategic design at a future date, especially if the market starts to move towards a dominant design at a high pace.

The third group will be formidable. They are incumbent banks with millions of customers and huge vaults of data who have moved their thinking beyond PSD2 compliance. They have brand, capital, scale and they are designing an Open Banking platform with full commercialisation in mind. They believe that the initial PSD2 specification will be irrelevant and forgotten in five years' time, as Open Banking will have become a commercial market norm. These progressive incumbents are starting to look at multiple service domains they could expose through APIs, not just the PSD2 obligations. They are thinking about the likely dominant design in an Open Banking ecosystem and not just thinking about the initial tactical impacts at the level of individual financial products. These banks will have major challenges in renovating their architecture and transitioning into DevOps, but I think the future market leaders are in this group.

Paul is the author of “PSD2 in Plain English”, published last April. The book is a succinct primer text on PSD2 that was accredited for clarity by the Plain English Campaign. We are giving away 20 copies of the book to the first people who request one. Please email bw@contino.io if you wish to request a copy.  

  • Benjamin Wootton

    Co-Founder and CTO

    Benjamin Wootton is the Co-Founder and CTO, EMEA of Contino. He has worked with tens of enterprise organisations on DevOps transformation and is a hands-on DevOps engineer with expertise in cloud and containers.