To what extent are banks simply technology providers? It’s a question being discussed in boardrooms around the world as the financial sector grapples with advances in technology.
And it’s one that goes to the heart of the debate among bank bosses about whether to participate in third-party payment apps using an Application Programming Interface (API) or build their own standalone versions.
Naturally, there are pros and cons to each approach.
It’s worth pointing out that banks won’t have much say over third-party access to accounts with the arrival of PSD2. The legislation means banks must allow third-party payment providers (TPPs) access to their systems, including customer account data.
The European Banking Federation (EBF) said this “will be to the detriment of European consumers and the necessary protection of their bank accounts”.
Certainly there are genuine concerns about the security of third-party firms. A report for the New York State Department of Financial Services found a third of the 40 banks it surveyed had poor safeguards when working with third-party vendors.
Regulator Benjamin Lawsky warned that “third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data”.
Meanwhile, McAfee Labs noted in December that there is a growing threat to mobile banking apps resulting from poor coding practices. In particular, it warned that integration with back-end services is a problem, especially when a third-party developer is involved.
“Mobile apps often rely on back-end services for secure data storage and communications,” explained McAfee in a blog post. “Nonetheless, mobile app developers are responsible for integrating their mobile apps with these back-end services. User data can be exposed if app developers fail to follow the back-end providers’ security coding guidelines—a possibility that is now more likely based on the increasing amount of personal and professional business conducted in the mobile cloud.”
But are banks’ own systems likely to be any more secure? There is an argument that keeping all activity in-house leaves fewer chances for this kind of integration problem to occur. However, poor coding practices can happen in either scenario.
Dr Bill Curtis, chief scientist at software analysis group CAST, said: “Badly-constructed software won’t just cause systems to crash, corrupt data, and make recovery difficult, but also leaves numerous security holes.”
It’s a potential risk that needs to be weighed against the need to get services to market quickly and effectively.
Back in 2014, banks seemed very slow to progress payment apps. A report carried out by Finextra warned of the “glacial” approach being taken by banks, stymied, it seemed, by a lack of investment and in-house skills.
APIs and third-party developers are a much easier and more effective way of getting the right services to market quickly.
As noted at the time, France’s Credit Agricole, Dutch bank ING and Australia’s Commonwealth Bank were among the pioneers, creating software development kits to enable third-party firms to build banking apps.
Now, with PSD2 on the horizon, banks won’t be able to say no to third-party developers, as long as the consumer consents. The era of open banking is upon us, but that doesn’t mean banks cannot go their own way too.
A system may be secure but the consumer may not trust it to be so. And it’s interesting that banks hold the aces here.
A recent report for the American Bankers Association showed three-quarters of US consumers trust banks most to keep their payments safe, versus just four per cent who trust a non-bank payment provider such as PayPal or Venmo.
Another facet to this debate is to what extent banks are able to deliver the kind of innovation and services that consumers want.
Take the case of TransferWise, a poacher-turned-gamekeeper that is reportedly in talks with up to 20 banks to embed its API in their mobile apps. Having branded banks ‘rip-off merchants’, the startup is now in a position to work with them to deliver a service that the banks’ customers want.
“Applications designed by a banker look like what a banker can imagine,” Bernard Larriviere, director of innovation for Credit Agricole, told American Banker in 2013. “We needed to have the customer’s point of view to … make us think about another way of creating applications to meet customer needs.”
Left to banks alone, the kind of innovation in banking and payments seen today would almost certainly not have happened. It’s taken outsiders – third parties – to drive change. But banks have the resources, and the position of trust, to work with the innovators to deliver something that will really help consumers. Collaboration seems the only way forward.