Banking technology experts share their perspectives on adoption and implementation of the API technology, risks and future scope at Finnoviti 2020. Edited excerpts:
Sunita Handa, CGM, IT Channels & Ops, State Bank of India:
Earlier, our customers used to visit bank branches, where the cost of transaction is very high; even when customers visit bank ATMs, the cost of transaction is still high, though less than at branches. State Bank of India’s customers have taken their first step of moving towards digitization and we are seeing the advantages. It has made us think why these customers are not using the bank’s app? Why can’t we collaborate with fintechs or small startups in this? Can we do better than that? We can take digitization to its next level through collaboration or by buying fintechs and giving customers that experience which they are trying to get with the help of another entity. The new revolution of open banking or data sharing mechanism is also helping banks, and they must continuously think of innovative ways to give the customers the experience that they desire.
Open banking is when customers share data, an entity holds the customer data, customers give consent and they hand over their data to another entity. When we give the same experience and product to the customers, then why should the customer go for another app or some other third-party lender? So, we must gear up for it.
The regulator must come into the picture and all the players should get benefits. Banks should become tech-savvy and providers of best digital solutions. The regulator and government must be aware of the digital solutions. If these things work together, then it will create a perfect ecosystem for open banking.
From an India perspective, it is important to think about the outcome, i.e., what do we expect out of any technology system? We must find whether our approach should be based on the UK or the US model. The UK model is driven by increasing the competition; therefore, regulations and guidelines are made by following that principle. In the US, banks wanted to have interoperability, they wanted to engage with the fintechs and customers are given a higher value proposition. So, they adopt an open banking kind of integration. For India, market-led innovations combined with regulator opinion will keep a balanced ecosystem.
There are chances of frauds because there are many players in the ecosystem. It could be the entity with whom banks have shared the data which will be held responsible. Customers also could be responsible, as despite all efforts to spread awareness of data privacy, mistakes on their part still occur. Regulators and the government should have system regulations and guidelines where everyone is motivated to do his best and no single entity should be punished or made responsible for it.
Banks require a robust system where no fraud can be committed, but then other aspects are also important. We at SBI are fighting two aspects. One is when you give convenience to the customer, the fraudster is also getting the same convenience. Second is when you give convenience, then it should not be at the cost of security and privacy. We need to see that the ecosystem is not spoiling. Obviously, UPI and open banking will keep on raising concerns.
In open banking, customer consent is necessary but not enough. GDPR makes the sharing of data even more complex because you always must keep in mind privacy and heavy penalties. The UK has a specific model, while in Europe there are no API standards; each country in Europe has its own API standards.
Douglas Kennedy, CTO, Aegon Life Insurance
Open API technology helps in sharing of the data between institutions. Data can be consumer data or business data that is shared between the banks, insurance companies and fintechs. The key part of this business model is that banks are open for sharing the data across various ecosystems, and in creating those ecosystems. API is just one way of sharing the data. There are many other ways of sharing data, and Aegon Life Insurance is developing such ways.
If you look at the UK and European market, it is driven by real competition for the consumer. Some 10-15 years ago, banks were monopolies in the UK market. It is not about the bank giving the data out; banks should be looking for getting the data to help the customers. It is a 2-way street and opportunities are there for the banks to use data from other sources to help the customers. I believe regulation is needed; it is always a challenge especially in India. The regulators need to work in conjunction with the industry at a fast pace and it is a huge challenge. There cannot be a model of people breaking the rules and asking forgiveness afterwards. It is not going to work, especially for the banking and finance industry. Banks need to adapt, they need to make some changes and it is going to happen when they get challenged by fintechs.
Aseem Ahmed, Senior Product Manager, Akamai Technologies
Banks have made good strides with digital transformation and transformation 2.0. There is still hesitation among banks in adopting cloud and the regulator must play a role in it. From the perspective of technology integration with API, many banks have moved into mobile applications. A good amount of revenue goes in generating good application stuff and users are benefiting from it. There is a lot of integration happening between third-party providers; for example, Ola has integrated with Citibank and if the customer wants to apply for a loan or a credit card, they can do so through the Ola app. There is demand shift towards integration with the whole ecosystem. In the coming 5 years, there will be a lot of innovation in different forms of API banking.
Open banking is one of the key technologies that will lead innovation; however, it comes at the risk of balancing security and user convenience. There is an evolving concept of user consent management, a lot of banks or industries are moving towards getting the user consent. What sort of data do customers want to share? With whom? This will become a core premise in the future of open banking.
A few years ago, we used to enter username and password in the app for doing financial transactions. But by using open banking, we do not need to supply our credentials everywhere; user consent management is an evolving area for many geographies. It will be good for the users of open API or open banking systems to explicitly mention or choose with whom they want to share the data.
Raja Debnath, Managing Partner, Cogence Labs
Open banking is about taking the data which banks have within the legacy systems and making it shareable with the third party vendors. When open banking goes to another level of allowing customers to give consent, the customer can decide where they would like to share the data and the bank cannot stop them – and this is open banking.
When you use Paytm, UPI, Ola, Uber for the payments, that is not open banking. It becomes open banking when they start taking the data, which a bank has within its own systems. For example, when Citibank ties up with Ola and gives a loan to an Ola customer, then Citibank is leveraging the data which Ola has shared. In terms of open banking Ola will say these cab drivers of mine are your customer, Ola wants to see their transaction data and their transaction history, what they have used the credit card for, details of the savings account, etc. Based on that, models are created and based on those models, any bank can give loans.
SBI has 450 million customers and it has spent millions to get them on the board. The bank will service them and then give that customer data to the third party who can leverage it. Does open banking make sense for banks? When the customer is interacting with the intermediaries, they are aggregating the accounts of multiple banks at the same time. Sharing of the customer income is a big question mark because of the various partners in the ecosystem.
L.S. Subramanian, Management Consultant
If there was no core banking, then none of the ecosystems like mobile, tablet or API would have worked. APIs are plugged in as a matter of convenience and they are not worried about the architecture. APIs have come in the late 1990s and Microsoft had started pushing it. Security is a major concern for APIs and bank APIs will get easily hacked because there is no security when you are connecting it to the core banking system. Banks need third party tools to secure the API, they need to invest in it – whether the regulator wants it or not.
Cybercrimes are being monitored by the local police and the state governments and there is no central financial fraud unit or crime cell in India. It is time to set up one. If you have a central cybercrime cell in India managed by the central government, things will be much smoother. In the initial days, we spent a lot of our time in training the police on cyber security. The value of the transaction is very low, so the police don’t have time for it. There is a team of 20-30 people in Mumbai cybercrime cell.
Social engineering happens everywhere, not only in banking. It is something difficult to prevent and even technologies have failed to prevent it. India has many laws and no lawyer can read all the law books in their lifetime. There are many other ecosystems which must change in our country. Should we stop open banking? Should we stop all these tools? The banks should insure themselves – and that is the way forward.