There are many questions and myths about a banking API. Some people think of it as a new way of spying on you and stealing your private data to be used by big companies and governments alike. On the other hand, many believe that banking APIs will totally change the financial landscape and will result in lower costs and better deals for consumers, as well as new products and services.
We’re trying to get closer to the true picture of banking APIs by answering the 10 most common questions about this technology.
A banking API is a method of communicating with an online banking system. With a banking API, a third party – say, an independent payment service provider or financial services provider – can access the necessary information about a customer stored in the banking system where he or she has a bank account. The client simply logs in to his or her bank account and the banking API does the rest, checking the account balance (for payment processing, for example) or retrieving an income and spending summary for the past couple of months (for credit scoring).
A banking API should be able to access customers’ data only with their explicit consent.
A banking API allows third parties to make use of previously inaccessible data. It eliminates the need for redundant procedures and documents: it simply retrieves information already available in a closed, secure and verified environment. A third party doesn’t have to verify its new customer thoroughly, since the KYC procedure has already been done by the bank; the banking API allows instant authentication and verification through a successful online banking log-in. A credit score can be calculated automatically within seconds thanks to the information about the client’s income and spending imported by the API from his or her bank account.
And, since it’s an API, its deployment is very easy and fast.
Currently, there are two weak points. Because the legal system is a bit conservative by design and doesn’t keep up with technology, banking APIs are considered in many countries to be at least “unofficial” and as such are not recommended by national regulators, or are even banned by them and/or by banks. Banks also warn customers against passing their login credentials to third parties and disclaim any liability for damages resulting from it. In other words, using a banking API is treated as a security breach and a violation of the bank’s terms and conditions. In the EU this is starting to change, as the PSD2 directive finally legalizes access to banking systems through APIs and officially acknowledges existing banking APIs, allowing them to operate until the European standardized open banking API emerges.
The second weak point is also addressed by PSD2: all third parties using banking APIs will be certified and supervised by national regulators. Currently customers can’t be sure whether a company using a banking API is trustworthy, or even whether it is a legitimate one.
No, not yet. Only in Germany have banks and other financial institutions worked out an open, free and fully functional API, which is used by the vast majority of banks there. Meanwhile in the UK, the Open Banking Working Group (OBWG) has recently published its framework for the UK Open Banking Standard, but it’s just the starting point of the process of creating a standardized banking API. The rest of the EU still awaits the regulatory technical standards mentioned in the PSD2 directive, which will be developed by the European Banking Authority and adopted by the European Commission.
As with almost everything, a banking API is as secure as its weakest point, and that usually means a human being. Apart from human weaknesses, the concerns mainly relate to the storage of banking credentials (see the next question) and to the transmission and storage of the data imported from the banking system.
Transmission of the information extracted from a user’s bank account is secured with the same SSL technology that safeguards your data on the way from the bank’s website to your browser. The banking API simply uses the same HTTPS connection you would use when accessing your bank account with a browser or mobile app.
When data are transmitted through the banking API to a third-party service provider, they can either be used once and then discarded (e.g. your account balance when processing a payment, or income and spending for credit scoring) or stored on that third party’s servers. In the latter case you either have to trust its security policy or refuse to have any information stored. Of course, companies take security very seriously, and most of them are audited and certified by trusted third parties.
When it comes to the online banking login credentials required for the banking API to work, there are basically three options: 1) the user credentials are not stored anywhere other than in the bank itself (the user manually logs into his or her bank account, and only then does the banking API start its job); 2) the credentials are stored on the secured server of the banking API provider; 3) they are stored on the secured server of the third-party service provider that uses the banking API. Of course, the most secure solution is the first one, but it also limits the usability of a banking API to “on demand” operations (services can’t run unattended, because every operation depends on the user logging in).
The problem of storing user credentials outside the banking system can be solved quite easily: a banking API can be “authorized” by the user within the banking system, and from then on it uses only tokens, not the full user login credentials, to authenticate itself against your account.
With no standards for banking APIs at the moment, the answer is simple: all they can eat. When you, or the API, log into your bank account, the API can perform practically the same operations as the user (although some of them, like transfers, will still require the owner’s authorization, of course). So currently the range of data retrieved is unlimited.
When banking APIs are standardized, e.g. under the European PSD2 directive, they will probably be restricted to particular operations, each returning very precise output, so the user can always be sure the API gets only the information he or she agreed to share.
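The two ideas above, “authorize once and then use tokens instead of the user’s credentials” and “restrict a standardized API to particular operations”, fit together naturally. The following is an added example and is not code from the original article or from any real bank’s API: it assumes a hypothetical bank-side signing key, a hypothetical mapping from API operations to consent scopes, constructed sample account data, and a hand-rolled HMAC-signed bearer token in the spirit of OAuth 2.0 (a real deployment would use an established standard rather than this format). It shows what the bank side has to check on every call so that a third party holding the token can do only what the customer agreed to.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key (hypothetical). A real bank would keep this in an HSM or KMS.
BANK_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical mapping from API operation to the consent scope it requires.
SCOPE_BY_OPERATION = {
    "get_balance": "balance:read",
    "list_transactions": "transactions:read",
    "make_transfer": "payments:write",
}

# Constructed sample account data; it lives only inside the bank.
ACCOUNTS = {
    "cust-001": {
        "balance": 1250.40,
        "transactions": [
            ("2016-03-01", -42.00, "grocery"),
            ("2016-03-02", 2000.00, "salary"),
        ],
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_consent_token(customer_id, third_party, scopes, ttl_seconds, now=None):
    """Bank side. Called only after the customer has logged in at the bank and
    approved the third party's request; the third party never sees the password.
    The token names the customer, the audience (which third party may use it),
    the approved scopes and an expiry, all signed with the bank's key."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": customer_id,
        "aud": third_party,
        "scope": sorted(scopes),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(BANK_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_consent_token(token, third_party, now=None):
    """Bank side. Returns the claims if signature, audience and expiry check
    out, otherwise None. The signature is verified before the body is parsed."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        expected = hmac.new(BANK_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != third_party or now >= claims.get("exp", 0):
        return None
    return claims


def bank_api_call(token, third_party, operation, now=None):
    """Bank side. Every request is checked twice: is the token valid for this
    caller, and does it carry the scope the requested operation needs?"""
    claims = verify_consent_token(token, third_party, now)
    if claims is None:
        return {"status": 401, "error": "invalid or expired consent token"}
    required = SCOPE_BY_OPERATION.get(operation)
    if required is None:
        return {"status": 404, "error": f"unknown operation {operation}"}
    if required not in claims["scope"]:
        return {"status": 403, "error": f"scope {required} was not granted by the customer"}
    account = ACCOUNTS[claims["sub"]]
    if operation == "get_balance":
        return {"status": 200, "result": account["balance"]}
    if operation == "list_transactions":
        return {"status": 200, "result": account["transactions"]}
    return {"status": 200, "result": "transfer would be executed here"}
```

The third party holds only the token, which is bound to it as audience, limited to the scopes the customer approved, and expires; if that third party’s server is breached, what leaks is a revocable, narrowly scoped token rather than the customer’s full online banking login. Because the bank checks the scope on every single call, a token issued for balance and transaction reads can never be turned into a transfer, which is exactly the “only the information he or she agreed upon” guarantee a standardized API is meant to give.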
First of all, they will gain a whole new level of convenience with very fast and easy authentication and verification. Once a consumer has a bank account, the personal information stored there can be made available to other parties, if the client agrees to share it with them. This means no more entering the same data over and over again on other websites, and the elimination of verification procedures like ID scanning: one successful login to the online banking system will do.
Consumers will also get better and cheaper services: thanks to new players on the market with new products and services, stronger competition will result in better deals for clients. External PFMs (personal finance management apps) will analyze your accounts, cards, loans and deposits and compare them against competitors’ offers, showing you the best options and letting you apply for them within seconds with just one click. Third-party payment providers will enable instant online payments for goods, with better exchange rates when shopping internationally.
What is good for consumers is also good for businesses. Easy authentication and verification means a comfortable experience for clients, and for companies it provides another level of security and validation. A new client is no longer a complete unknown, since the KYC procedure has already been done by a trusted party (a bank); moreover, the information stored in the bank account is reliable and gives the big picture of a consumer’s financial status. This translates into lower costs and less risk for a company leveraging a banking API.
A banking API allows businesses to reach clients who were previously inaccessible or underserved: those who were reluctant, afraid or simply too lazy to search for better deals, or those who were recognized as good, reliable partners by their banks but could not prove it elsewhere, since their only proof of credibility was a perfect account history.
A banking API is also a great tool for offering completely new services and products. Peer-to-peer loans or currency exchange, instant transfers to recipients without knowing their account numbers, mobile payments at POS terminals: the possibilities are endless.