Global adoption of open banking is growing, but not at a rate commensurable to the optimism shared regarding how it may forever change banking. Challenges such as security and privacy concerns, deep customer apathy, limited consumer awareness, and financial institutions’ legacy technology landscape are blamed for the slow uptake of open banking. A recent survey by Finastra revealed a positive outlook — 86% of the banks surveyed plan to leverage open banking capabilities in the near future — but about half the banks surveyed highlighted several bottlenecks, such as poor regulatory support, high investment requirement, and lack of will from decision-makers.
UK adoption has been the fastest, with consumers generating over 200 million monthly calls, driven by 226 registered providers including third-party providers (TPP) and banks. Elsewhere, the industry is playing catch-up. In the U.S. for example, players are just warming to the idea of opening up their banks; only a few banks have notable open banking initiatives. BBVA's banking as a service (BaaS), for example, allows third parties to integrate payments and banking services with their own business models. Sadly, other than some guidance on data aggregation, U.S. regulators have not provided any legislation to effect open banking. However, some industry associations and operators (including NACHA and Financial Data Exchange) are driving the adoption of standardized and interoperable access to data.
Open banking success will require the cooperation of banks, mutual funds, wealth management, insurance and other traditional financial institutions to provide access for third parties to the affluent customer data they harbor. More important is the scaling of connectivity across these institutions. However, achieving this has proven challenging even in markets with regulatory support. Progress thus far has hinged on bilateral agreements between data aggregators, TPPs and financial institutions.
Recent moves by two of the world’s largest card networks — Mastercard and Visa — to acquire data aggregators Finicity and Plaid, respectively, may provide the nudge required for open banking to live up to its lofty potential. Mastercard and Visa have strong partnerships with financial institutions and merchants, and provide the rails through which some fintechs operate. Moreover, they run critical financial market infrastructures such as Automatic Clearing House (ACH), real-time payments systems, and mobile payment systems in some markets. By design, they are well-positioned to offer the type of interconnectivity and scale required to drive open banking. And with the acquisition of data aggregation capabilities, they offer a platform wherewithal to rapidly scale open banking globally.
Nevertheless, there are inherent challenges. Here are what we consider the three primary ones, along with thoughts on surmounting them:
The most commonly debated challenge is data security and customer privacy. According to Experian’s 2020 Global Identify & Fraud report, 72% of consumers are willing to give their personal information for easier access to their accounts but 88% want control over that data. The card networks’ holistic approach to risk management within the payment ecosystem (i.e., compliance of issuers, processors, acquirers, and merchants with guidelines and standards defined by the card networks) has driven consumer trust in electronic payments. Similar approaches can provide value in driving consumers’ trust with their digital interactions via devices (phones, wearables, and web) and with the stakeholders involved in open banking: banks, merchants, fintechs and government.
TPPs such as fintechs have provided more secured and innovative methods for consumers to authorize access to their data domiciled in banks — for example, consumer credentials are shared with trusted intermediaries, which in turn share the data with banks but tokenize it to apps and developers. However, banks must improve on consent management by investing in capabilities that allow TPP requests to access consumer data and to inform customers who is accessing their data, to what purpose, and for what period of time.
The manner of data transmission still faces criticism. Screen-scraping in particular has taken much heat, especially from banks. The argument for open APIs as the preferred and secured transmission method is well supported across the industry, but it is not an inclusive method because many smaller banks and credit unions cannot afford customized data interfaces or APIs. Here again, the card networks have a role to play in ensuring inclusivity and standardization of APIs for data transmission. In addition, they may need to collaborate with associations such as NACHA and FDX (to drive data standardization) and with core banking system providers like Fiserv, Jack Henry, and Oracle that serve small to mid-size banks (to facilitate open APIs for these institutions).
Banks struggle to articulate a clear path to generate a meaningful return on their investments in upgrading internal systems that enable integration with third parties. In some cases, they have spent millions of dollars upgrading legacy monolithic core systems to a modernized, highly componentized microservices architecture and API-driven core, but the justification to allow a TPP to plug in, access data, and compete for the same customers served by the banks is not clear yet.
Different API monetization models have been widely discussed (examples include charging per API call, bundled subscriptions for API access, and earning commission on API calls that complete or extend transactions). While these models can generate revenue, they won’t necessarily move the needle for banks. Rather, banks should consider APIs as enablers for driving products that can generate real growth to the top line, such as increasing risk assets and liabilities under management; extension of payment services; cross-border-related financial services; and risk transfer to third parties – particularly for customers deemed too risky for the banks to serve.
It is critical that banks take a holistic approach to investing in their open banking agenda (i.e., understand the ecosystem and partnership opportunities), be clear on the capabilities required to deliver on select use cases, articulate a plan to monetize and price the use cases, and align on technology strategy and operating model.
As the following figure shows, using a holistic framework, we helped a leading North American bank transform its online trading platform through APIs. The client realized 60% increase in API consumption, identified new revenue sources through cross-selling and upselling opportunities for its products, and reduced its data management costs by 15%.
Source: Cognizant Holistic Framework for Open Banking
The card networks can assist banks by serving as trusted partners brokering financial and contractual relationship with TPPs — just as they have successfully done with their traditional interchange model for issuers and acquirers. However, they must approach this with caution and take a neutral position, so banks do not perceive them to be heavily focused on direct-to-consumer services.
Unlike in the UK where the largest banks are required by regulators to create open-source APIs and provide access to third parties, there is no similar law in the U.S. The California Consumer Privacy Act (CCPA) grants consumers data privacy rights and control over their data, while the Consumer Financial Protection Bureau (CFPB), Securities Industry & Financial Markets Association, and Consumer Financial Data Rights Coalition have provided principles for consumer-authorized data aggregation. Recently, the Office of the Comptroller of the Currency released a guidance on data aggregation.
Industry stakeholders have expressed reservations pertaining to ambiguities in the directions provided by some of these regulators, which may have resulted in conservative investments and lackluster will for traditional financial institutions to embrace open banking.
The U.S. Treasury Department has reiterated the need for active involvement of regulators to remove legal and regulatory uncertainties, and clarify their positions on key aspects of consumer-authorized financial data sharing and aggregation. Examples of such uncertainties include which party is liable when there is a data breach, and whether the industry should adhere to a more secure mode of data transmission — via APIs — rather than using screen-scraping. Open banking in the U.S. may continue to be industry led, but regulators at both the federal and state levels need to work more closely with financial institutions, fintechs, the card networks, and associations to provide clear guidelines that increase the opportunity for all.
As the following Quick Takes demonstrate, we have collaborated with some of the leading financial institutions globally, including those in regulated open banking environments, to develop and implement strategic options that facilitate open banking including:
Client Situation: A leading UK financial services firms asked us to develop a catalogue of open APIs for TPPs and to meet the compliance requirements of CMA’s Open Banking and Regulatory Technical Standards.
Our Solution: We leveraged our suite of labs and solutions to support the development of a blueprint of the strategic middleware architecture solution comprising an API gateway, enterprise service bus (ESB), messaging, service registry and monitoring definition and implementation. In addition, we built an ecosystem with our FI partners to create the Open Bank API framework in accordance with Open Banking Implementation Entity (OBIE) requirements, created experience APIs focused on providing data to external customers and applications (intermediaries, digital and TPPs), and leveraged an API to develop a portal for API discovery, documentation and subscription with multi-factor authentication and security protocols.
Outcome: The program delivered a catalogue of open APIs that TPPs can subscribe to and provide a highly customer-centric digital experience, plus an API developer portal that enables easy partner onboarding and discovering of internal and external APIs, promoting reuse. We also reduced the total cost of change to APIs by 30%. In addition, the client met compliance requirements for open banking standards and operating model.
Client Situation: A leading North American bank required help to develop a long-term strategic API program with measurable outcomes to address its challenges with mixed API standards, poor API quality, fragile governance, and low internal (and zero external) API consumption.
Our Solution: We worked with the bank to develop an API strategy for internal and external API programs, acquired an enterprise-class API management framework for the external API, and set up a collaborative and virtual COE for internal API governance and design. Furthermore, we established a design-first approach for internal APIs, built a reusable API program, and implemented the bank’s API factory model.
Outcome: The bank achieved excellent reusability across lines of business API programs, standardized API results for external APIs, and improved the quality of APIs due to a business-driven, design-first approach. Additionally, the bank achieved excellent business usability due to simple test-driven self-runnable API docs and simulators.