Banking Frontiers brought together BFSI experts for a panel discussion on how APIs are driving open banking and how to manage them effectively. Edited excerpts:
Shiv Kumar Bhasin, COO & CTO, National Stock Exchange
Open banking started first in Europe, and they set up the standards for the personal banking area. In the stock exchange scenario, we have a lot of data which gets disseminated using the TCP IP. Currently it uses the multicast methodology, and people listen to the systems. All these price feeds are currently coming with a proprietary protocol based on multicast, and there are API based approach being set up where we are hosting these APIs is on the cloud. People can use it as a channel for browsing, ie, get the one particular set of stock symbols now, the prices, etc. So, with API integration, a snapshot of price feeds are made available for the customer.
There are interdependencies between multiple departments of a bank and its IT department, which makes the end-to-end customer journey work. While API is not the best way to resolve all those dependencies, it is the best contract than having tight integration.
Furthermore, on the connected experience, one needs to know whether it is device neutral or channel neutral. To make it device or channel neutral, it cannot be supported unless there is a platform approach. Platform approach means that the experience API and the transactional APIs are exposed. Suppose I am applying for a loan, and I have uploaded my details, finalized on the amount of loan, chosen the EMI etc, but got distracted and left. After sometime, if I use a different device to log in again, I should be to pick up from where I left that process. This requires various kinds of APIs, sometimes fintech collaboration-based APIs. Ultimately, API is the engine behind all this.
Apart from programmatic approach, all the modern APIs are scalable and most of them are hosted on the API gateway. And majority of the API gateway, whether open source, licensed or available as a cloud service, have built in security features like the velocity control that allows you to understand how many times the same interface is invoking one particular API. Similarly, there could be a DDoS attack – people are trying to throttle your API by sending huge number of requests using bots recursively. The gateways are smart when you are subscribing to the service. It will help you define the rate of transactions per second. Beyond that, they will stop serving.
We know that APIs will thrive and the entire digital ecosystem will thrive. But given the payload requirement, improving the scalability and performance of the API are key. And a lot of these operations which are API driven get done in memory. So the payload of the API has to be optimized, and what matters is the granularity of the API. The key KPIs are security, data privacy, and then the performance, which is driven by the payload, fine-grained vs coarse-grained API. These are the KPIs which need attention to deliver a truly connected experience.
Shahnawaz Backer, Principal Security Advisor, F5
As per a recent survey done by F5, 6 out of 10 people in the Asia Pacific are okay to share their information in lieu of personalization services. Secondly, 80% of people have a smartphone. The quest to have friction-free experience while doing banking is really fueling open banking in the region.
On the one hand, we have consumer data rights in Australia, wherein the regulation has mandated that every bank allows the user or consumer to share the data at their will, to whichever technology firm they want. They will have the safety net by providing the ratings for these fintech organization. Then on the other hand we have Singapore, where Monetary Authority of Singapore and Association of Banks in Singapore are working together and have come up with very detailed API guidelines to facilitate open banking.
If you look at CDR or Australia’s version of it, there is a registrar, and all the fintech have to be registered with the registrar and they get data based upon the rating from the registrar.
Babu Thomas, Vice President& Head IT, Federal Bank
API banking is a way to move forward and connect between the ecosystem players –banks, fintechs, and other corporates. Compromise at third-party sites is going to be a common scenario as organizations are not sure about the security or the security governance at the partner or third-party sites. Partner due diligence and audit before entering a partnership will address the concern of security attacks within the system. A bank must do a good audit and identification and know your partner (KYP) process – it maybe an extra step for the banks to know the partners.
Educating the customer is going to be a very tricky and difficult affair as it has to be a continuous activity. The regulator is also putting in a lot of effort by advertising through different mediums about the ombudsman scheme, minimum balance scheme etc. Besides, banks are also carrying out customers awareness drives. For banks, it may not be possible to explain to the customers the technicalities and partnerships involved. But it is necessary to assure the customer that the banks work in a regulated environment and the data will not be sitting with any third party.
The regulator is expected to come with a framework for API and fintech partnerships with banks by the end of 2021. Because of the regulations, we should not lose some of those niche and exotic, innovative products. One size does not fit all, but regulations will always be like one size for all. Regulations should not impinge upon or hamper innovative solutions. What is required is a balanced regulation.
Sony A, Joint GM, Head – Digital Banking, South Indian Bank
Globally, the context is pretty clear in terms of where the world is headed as far as open banking is concerned. UPI is the best example that happened in the transactions space across the globe, crossing 2 billion mark. If you need interoperability, you need to have standard APIs, you need to have protocols that talk to each other, and systems that are capable of handling huge volumes due to the scale-up that happens today.
Scalability of the entire ecosystem, starting from the API onto the entire downstream systems, including control measures, fraud measures, fraud control measures – all becomes the most important criteria for technologists. The other aspect would be on the security side, how can you make the API secure? Even though you know the partner with whom you’re sharing the API with, there could be other downstream system consuming the data. Therefore, the security of the complete site lifecycle of the entire customer journey, where you also play an integral part as an API partner, becomes the next important thing.
The regulators are going to have a very calibrated approach when they allow an all-digital growth; they’re going to ensure confidentiality, integrity and availability.
Sarath Chandra Kummamuru, Chief Information Officer, Airtel Payments Bank
Open banking is all about being a platform layer. For the banks, building customer trust is critical. As a bank, there are some key goals that have to be achieved. These include ensuring that we build customer trust, ensuring that customers trust us to store key assets with us, and believe that we will handle them safely, guaranteeing that we are putting their needs first before anything else.
Privacy becomes the next important aspect. Consent follows next and security is also extremely critical.
In an account aggregator model, somebody can ask us for customer data through a very formal mechanism with the customer consent; explicit consent being available is very encouraging.
Finally scalability, ie, ensuring that our banking systems are always up, 99.99%. If my bank is operating from a particular time to time a branch, it’s okay, but now I have outsourced my APIs to a third party who’s providing services to the customer 24×7, my systems have to support that partner.
Prasanna Lohar, Head Technology – Innovation & Architecture, DCB Bank
We have an opportunity, and if you do not grab it, the risk is that your bank will not really do the better service for existing customer and also the future customers. Everything is moving towards digital. SMEs are going digital; there are initiatives digital initiatives happening across India. So as a bank, if you are to reach out to the same customer, same SME who is doing banking with multiple banks, you have to be there. Suppose I as an SME I am banking with one bank A. I want to move to bank B provided bank B gives me better service. At a DCB Bank, we co-created a product for SMEs with a fintech who is just like Tally for accounting. Using this tool, an SME who is connected multiple banks can switch from DCB bank to any other bank. Apart from the projection, daily inventory and invoicing, etc, he can even file GST through these APIs integrated system.
As a part of open banking, there could be 2-3 types of open banking scenarios. One is the one API connect, another could be this platform, so within a platform complete bank is embedded. The third could be integrating API on to someone else’s platform like the OLA. Like we had internet banking, mobile banking and ATMs as a channel, the future would be every Fintech would be a channel for the bank.
