Financial services are built on trust, and it is vital for banks that their clients trust them.
Clients need to trust banks to safely store their money, process transactions correctly, and keep their data secure. When banks introduce digital technology, such as open banking, it must be seen to improve customer experience (as discussed in blog 1) and enable the emergence of a vibrant digital ecosystem with a large selection of apps and digital solutions (as explained in blog 2).
So, when you, as a bank or fintech, do introduce open banking, it is imperative that your underlying technology stack can establish, support, and strengthen the trust that clients have in you. In this post, I explore the technologies required to participate in open banking ecosystems, and also how these technologies can be leveraged to establish trust with your partners and clients.
When you aim to participate in an open banking ecosystem, you need to master several digital technologies - most importantly APIs. APIs are used for sharing financial data in the open banking ecosystem. By using APIs and surrounding technologies correctly, you can establish yourself as a trustworthy ecosystem participant with partners and clients.
- Partners: To establish trust with partners, it is important to secure APIs and the data they carry according to best practices; to develop APIs according to established specifications and industry standards; and create a smooth onboarding experience.
- Clients: To establish trust with clients, you need to educate them; show that they are in control of their data; request the consent of your client for any data sharing or transaction triggered by the API; and create a smooth and convenient user experience for them.
Security is critical
Sharing financial data must be secure; this is absolutely essential for gaining the trust of clients and of fintech partners. This means that the APIs used to share the data need to be secured, all ecosystem players need to be properly authenticated and authorized, and the fintech receiving the data needs to be trustworthy.
Not every fintech can get access to open banking data. They typically need to undergo a rigorous due-diligence process and, if successful, they receive a machine-readable certificate. Under the PSD2 regulation these certificates build on TLS certificates, come in two types called QWAC and QSEAL, and carry PSD2-specific extensions. Banks check the validity of the certificate every time the fintech requests open banking data. Certificates thus establish both the identity of the fintech and its status as a qualified recipient of open banking data.
The bank authenticates and authorizes the identity of the bank client, typically based on its existing web-based or mobile authentication mechanisms. Once the identity of both the fintech and the bank client is established, the client can delegate fine-grained access rights to their bank accounts to the fintech, and thus consent to the data sharing.
To trust an open banking system, your clients must stay in charge of their financial data, with final say over when their data is shared and with whom. To support this vital aspect, consent mechanisms are built into open banking. They ensure that bank customers are first identified and then actively and intentionally consent to sharing their data. The OAuth framework and its various security profiles (such as FAPI) are used as the technological protocol for implementing the consent mechanism.
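A worked example, added here and not part of the original post, of the two checks the preceding paragraphs describe: the bank's API verifies that the access token is bound to the certificate the fintech presents (the sender-constrained token binding FAPI requires, RFC 8705 `x5t#S256`) and that the requested account and permission lie inside the consent the client granted. The consent record, account ids, certificate bytes and the HMAC signing key are constructed stand-ins; a real authorization server issues asymmetrically signed JWTs, and the certificate itself would first be validated as a QWAC.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-signing-key"  # stand-in for the authorization server's signing key

# Constructed consent record: the client authorised read access to one account for one hour.
CONSENTS = {
    "consent-123": {"status": "authorised", "expires": time.time() + 3600,
                    "permissions": {"ReadBalances", "ReadTransactions"},
                    "accounts": {"ACC-001"}},
}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 thumbprint (RFC 8705): SHA-256 of the DER certificate, base64url, no padding."""
    return b64(hashlib.sha256(cert_der).digest())

def issue_token(consent_id: str, client_cert_der: bytes) -> str:
    """Authorization server: mint a short-lived token tied to a consent and to the fintech's certificate."""
    claims = {"consent_id": consent_id, "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)},
              "exp": int(time.time()) + 300}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def authorize_request(token: str, presented_cert_der: bytes, account: str, permission: str):
    """Resource server (the bank's API): every check that must pass before data leaves the bank."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        return False, "token expired"
    # Sender constraint: the token is only usable over the mTLS channel of the certificate it was bound to.
    if claims["cnf"]["x5t#S256"] != cert_thumbprint(presented_cert_der):
        return False, "token not bound to presented certificate"
    # Consent: it must still be authorised, unexpired, and cover exactly this account and permission.
    consent = CONSENTS.get(claims["consent_id"])
    if consent is None or consent["status"] != "authorised" or consent["expires"] < time.time():
        return False, "no valid consent"
    if account not in consent["accounts"] or permission not in consent["permissions"]:
        return False, "outside consented scope"
    return True, "ok"
```

Revoking the consent at the bank (setting its status to anything other than "authorised") cuts off an otherwise valid token immediately, which is the property the consent mechanism is meant to give the client.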
API standards & specifications
Ecosystem players have to agree on the shape and form of the API, the formats and data structures involved, and the technical standards for exchanging data and calling functionality. If all participants operate on the same interface specification, complexity is vastly reduced and there is no need for translation and unification, which leads to faster evolution of the ecosystem.
In some jurisdictions, the regulator prescribes the API specifications in the form of implementation-ready open API specifications (e.g. the open banking specifications in the UK); in other jurisdictions (e.g. the EU) regulation provides only vague guidelines for the API interfaces, leaving lots of room for different, incompatible implementations. In the latter case, voluntary industry standardization emerges, such as the Berlin Group's NextGenPSD2 API specification or STET's PSD2 API specification. Following these established standards and API specifications signals to partners that no surprises are to be expected, and thus strengthens their trust.
Documentation & onboarding
It needs to be easy for fintechs to figure out how to use the banks' APIs. Banks need to provide documentation of their APIs and a straightforward onboarding process. Since the due diligence requirements for fintechs can delay the point at which a new fintech can use the APIs productively, it is important to provide ungated access to the API portal and the sandbox. This allows fintechs a soft start with a bank's API in a sandbox, where the fintech operates only on synthetic data while experiencing the capabilities and the behavior of the API.
Leveraging API technologies correctly gives your bank or fintech not just the possibility to participate in open banking ecosystems, improve customer experience, and fulfill regulatory compliance requirements, but also gives you a great opportunity to build, maintain and strengthen trust with your clients and partners.