In this era of proliferating fintech apps, open banking has emerged as the preferred way for financial institutions to share data with third-party providers (TPPs). The latest open banking protocols favor the use of application programming interfaces (APIs) to boost performance and reduce latency, but as with any digital data-sharing process, security and consumer privacy are of paramount concern.
A 2018 survey from The Clearing House makes plain how important consumers consider the safeguarding of their financial data. Nearly two-thirds of survey respondents said they were very concerned or extremely concerned about data privacy when using fintech apps, and a majority said they want to control which financial accounts and types of data third parties can access.
Consumers’ data security and privacy concerns are a legitimate measure against which to gauge the effectiveness of APIs as an open banking solution. Clearly, APIs offer several benefits. They give consumers more choice, control, and convenience when sharing their financial data with TPPs. Financial institutions also reap benefits—not only by achieving greater data-sharing efficiency but also by getting a more comprehensive view of their customers’ financial lives.
However, the need for security is at the heart of any open banking protocol, and it’s here where APIs excel over other data-sharing technologies. Earlier this year, the Office of the Comptroller of the Currency (OCC) issued a supplement to OCC Bulletin 2013-29: Third-Party Relationships, in which it cites APIs as an efficient and secure portal through which banks can share sensitive customer data with data aggregators. According to the OCC, banks that establish bilateral agreements with data aggregators can use APIs to reduce the use of less effective methods like screen scraping while also allowing their customers to better define and manage the data they wish to share.
Unlike screen scraping, APIs don’t require consumers to provide their account login credentials to third-party entities. The ability to safeguard their personal information provides an added comfort level for consumers who enjoy the convenience of using popular financial apps like Venmo, Mint, and others but who, because of privacy concerns, would prefer not to share usernames and passwords beyond their core banking usage.
The United States has yet to implement any regulations governing the use of open banking standards, although the OCC has sent out an Advance Notice of Proposed Rulemaking (ANPR), which would indicate that regulations are on the horizon. The Consumer Financial Protection Bureau is also preparing an ANPR in the area of consumer-authorized access to financial records, though the Bureau’s approach to date has been to allow the industry to develop standards in this area without direct regulatory intervention.
While the U.S. has yet to experience regulatory intervention in the open banking arena, other parts of the world have already implemented such initiatives. In Europe, the EU has enacted the Second Payment Services Directive (PSD2), which requires banks to create mechanisms—most commonly APIs—to provide data quickly, securely, and reliably to TPPs with the consent of their customers. Other countries, such as the U.K., Canada, Hong Kong, Japan, Mexico, and Australia, are likewise progressing with open banking standards.
In the absence of regulations in the U.S., the banking industry is moving forward to advance the use of API protocols. Competitive forces are compelling many of the larger banks, such as Wells Fargo and Bank of America, to prioritize implementation of their own API solutions. Joint industry efforts also are underway and may serve as a template for the eventual regulatory standards that dictate the use of APIs.
There are indications that federal financial regulators and other government agencies are encouraging industry-driven efforts as a means of enhancing security, privacy, and innovation. The most notable industry effort has come from the Financial Services Information Sharing and Analysis Center (FS-ISAC), which in 2018 launched the Financial Data Exchange (FDX) as a consortium of financial services institutions working together to define, standardize, and secure data transfers.
FDX’s mission is to define an API framework that will put the consumer “in the driver’s seat” regarding how they control and share their financial data. A big step toward that goal occurred earlier this year, when the consortium introduced FDX API 4.0, an updated API standard designed to enhance interoperability and performance for a full range of supported use cases that will enable consumers to have greater control over their savings, investments, digital payments, and tax history.
Competitive forces, as well as the potential for imminent regulatory action, add urgency for banks exploring refined approaches to their APIs. One way to proceed efficiently with the development of an evolved API strategy is to call on an outside expert.
F5 stands ready to work with banks of any size to help them develop a customized open banking plan that best aligns with market forces. We offer a high-performance, low-latency API management solution and a secure API gateway solution, which permit financial institutions all over the world to leverage modern security protocols to support microservices-based apps.
Open banking is the way forward in this era of fintech apps. By being proactive about advancing their open banking initiatives, financial institutions will get ahead of the curve.
F5 is here to help. Learn how to grow your business through open, secure APIs by visiting our Open Banking webpage.
By Andy Franklin, Senior Director, Solutions Engineering – NA Financial Services, F5