Detailed analysis and outcomes

Evolution of the open API economy

An open API economy will accelerate competition and innovation within banking in Europe and beyond, creating new demands on banks’ business strategies, pressure on future revenue streams, and challenges to profitability. Bank leaders of the future will have a clear focus on their end customers and markets and will collaborate with other organizations to accelerate their market position either through increased use of digital technology platforms and/or digital insight that supports their specific business strategies. An open API economy will enable the delivery of new products and services through collaboration among business units within a bank, among banks across the industry, and between banks and other related sectors of the economy, particularly technology and data businesses.

Currently, Europe is leading the way in thinking about an open API economy in banking, with the rest of the world looking closely at how innovation and competition will change in the European banking sector as a result of open API economy initiatives by regulators and politicians. If implementation of legislation in Europe, such as PSD2, proves successful, we are likely to see similar moves outside of Europe. In an increasingly globalized, connected and complex world, the open API economy in banking will truly only develop when non-EU countries and regions also jump on board.

This is not to say that financial services industries within non-European countries have been passive spectators to the open API economy. In North America, for example, collaborative partnerships are developing among traditional industry players, FinTechs and other organizations to drive innovation and differentiation in bank products and services.
Citi, for example, has leveraged the IBM cloud platform and industry APIs to enable third-party developers to create new products and services via its mobile banking platforms. Multiple card payment services providers, such as Braintree and PayPal, have APIs to support e-commerce sites that connect merchants to their services, and BBVA (a Spanish bank) has partnered with Dwolla (a bank transfer platform) to support real-time payments by leveraging the latter’s FiSync API.

The open API economy should not be viewed in purely retail banking terms. Although much of the regulatory thrust is consumer targeted, the legislation will also include small business banking. After all, in many countries, the business banking sector is more concentrated with less innovation than its retail sibling.
For corporate banks, not explicitly included in PSD2 legislation, there is a clear demand from both corporates and the banks for the harmonization of interface standards, multi-bank portals and an improved customer experience. The majority of bank respondents in a recent joint GTNews and FORFIRM survey saw APIs as a means to delivering such benefits.

The development of the open API economy in Europe and the regulatory road ahead

Within Europe, there are currently two main strands of related activity occurring simultaneously.

First, there is the adoption of PSD2 into EU member state legislation by mid-January 2018 and subsequent implementation by European banks based on a defined set of regulatory technical standards (RTS) defined by the European Banking Authority (EBA). Second, there are efforts by the Competition and Markets Authority (CMA) in the UK to force banks to openly share their customer data with trusted TPPs, which will be discussed later in this section.

By and large, all the timelines for delivery of various RTSs will be before the regulatory adoption deadline of January 2018. However, there is currently one major exception to this: the RTS on strong customer authentication and common and secure communication is intended to come into force some 18 months post adoption by the EU Commission. Given that the earliest date for adoption is January 2017, the earliest date this RTS could come into force would be September 2018—eight months after the deadline for PSD2. However, it would be vital to successful implementation of PSD2 by banks to have all RTSs in place prior to January 2018.


What are the key principles of PSD2?

Overall, at the heart of this legislative activity is a requirement for banks to allow TPPs to access customers’ online payment services and account information in a regulated and secure way. The PSD2’s Access to Account (XS2A) rule mandates banks or other account-holding payment service providers to facilitate secure access via APIs to their customer account data and payments initiation service if the account holder consents. To provide this access to accounts, banks also must enable customer and provider identity verification and authentication to control access.

In particular, under PSD2 proposals, access to customer accounts via APIs will enable the provision of entirely new types of services, including the following:
1. Third-party payment initiation (provided by PISPs): Enables new payment solutions, as third parties will be able to initiate online payments to a beneficiary from the payer’s bank account via an online portal
2. Third-party account access (provided by AISPs): Enables new services that use customer data, including transaction history and balances.


Could the UK define the regulatory and technical standards for all European banks under PSD2?

The Competition and Markets Authority (CMA) within the UK is separately pushing for the adoption of open API standards with respect to the sharing of customers’ personal and current account transaction data by larger retail banks. The CMA wants banks in the UK to implement recommendations developed by the UK government-appointed Open Banking Working Group (OBWG) by no later than January 2018. The CMA believes the development of open APIs and the sharing of customer data with third parties will address a market that is still not as innovative or competitive as it needs to be.

Moreover, it is possible the UK will influence what shape PSD2 takes from a standards and implementation perspective based on two main factors:

1. Wider remit: The UK government and CMA have indicated that the open API banking standards they want retail banks in the UK to adopt may be farther reaching than PSD2.

2. More aggressive implementation timescales: The CMA has called for personal and current account transaction data with full read/write functionality held by large retail banks to be made available through an open API no later than January 2018. European counterparts may not be able to implement so quickly, given standards on strong customer authentication and common and secure communication may come into force only in late 2018.
At this point in time, the finer aspects of regulatory and technical standards are yet to be defined and agreed upon, both from a PSD2 and OBWG perspective in the UK.
It is noteworthy, at this point, to highlight that both initiatives are primarily focused on retail and SME customers. Although the potential benefits could support innovation in the corporate banking sector, this sector of banking will not be forced to adopt PSD2 legislation.

Impact of the open API economy on banks’ value chain

Corporate and transaction banks should not ignore the impact and potential of open APIs. The emphasis on APIs in the retail and SME sectors by regulators, in particular, does not mean that open APIs cannot be used to drive competition and innovation within corporate and transaction banking.
However, many corporate banks currently are distracted by other regulatory and balance sheet imperatives. Others have embraced API technology (private or closed) to create bespoke and hybrid services for their clients. For example, in Germany, banks are using it to help private and corporate customers deal with tax and treasury issues. In the U.S., corporate banks are using it to deliver bespoke modular services (e.g., cash forecasting). In addition, corporate banks are offering finance aggregation tools across multiple geographies, banks and accounts based on a consolidated view of cash management made possible by API technology. It is anticipated that the rise of the open API economy in time will accelerate the move to real-time, open API-enabled financial aggregation tools.

Although from a geographic footprint and a business model perspective, corporate banking may be viewed as more complex than retail and SME banking that, in itself, is no reason to believe the open API economy isn’t and won’t be equally as important.

Corporate customers see banking as a part of their supply chain and the efforts they have made to digitize needs to be mirrored by corporate banks. The stark reality of high customer churn and declining satisfaction is a loud warning bell for banks to speed up their own transformation.
Not only do open APIs offer both sides a way through this standoff, but TPP services could be more easily accommodated and encouraged by banks. The same survey highlighted corporates’ desire for harmonization of bank interface standards, multi-bank portals, and an improved customer experience, which, with the exception of multi-bank portals, was echoed by banks.

And, although banks had issues with APIs (seen through a PSD2 lens), as shown below, it is clear that both corporates and banks would benefit from the introduction of open APIs.




Given that corporate banks are increasingly regionalized and focused on specific products and services, and with the intensifying pressure on margins, it makes sense for corporate banks to connect into a wider ecosystem of TPPs that can offer complimentary products and services in regions where a corporate bank’s client has a presence, but the bank may not (or may have a smaller presence).

This benefits not only the bank by providing access to new revenue streams through its partners, but also improves customer service by giving customers access to a wider range of complimentary products and services, creating a one-stop shop for the customer. For example, open APIs transmitting real-time data among financial institutions would enable corporate banks to connect trade financing, cash management and merchant acquisition with a broader range of services from partners, such as e-invoicing companies, inspection companies and tax authorities, in a much more integrated and seamless way than exists today.

Transaction banks also have an opportunity to leverage innovative payment solutions to drive value for their corporate customers. Helping corporates manage capital more efficiently to drive shareholder value will ultimately grow banks’ own bottom line—and lead to the adoption of immediate payment services—first across Europe and then the wider world.

How will banks with predominantly retail and SME customers be impacted by the rise of the open API economy and related PSD2 legislation?

Tand innovation in the retail and SME banking markets. These results may be more difficult to achieve in EU countries with hyper-regulated financial markets, such as France. However, incumbent banks in these countries (the six largest banks share 95 percent of the current account market share) will maintain their market positions, at least for now.

Merchants will be key for customers to benefit from PISP services

In regulating PISPs, PSD2 presents a simplified payments value chain in which the card network can be fully disintermediated; thus, potentially displacing various fee elements that constitute the merchant service charges (MSC) from the issuing banks, acquiring banks, processors and schemes. This is further bad news for the bottom lines of banks that act as issuers or acquirers in card transactions after the enactment of interchange fee regulation in Europe, although the magnitude of the impact from PSD2 will be largely determined by the adoption level of PISP services by customers.
Additionally, banks in certain European countries will be less exposed to the shift away from card transactions where there are currently low card transaction fees (e.g., France) or where other payment forms are traditionally preferred over cards (e.g., cash transactions in Germany).
Nevertheless, the forecast drop in revenues is significant. Accenture estimates that 27 percent (c. €2.2bn) and 9 percent (c. €740m) of potential retail payment fee value in the UK will be eroded by a cap on interchange fees and the rise of PISPs, respectively, by 2020

The merchant will be key in convincing customers to shift away from using cards to make payments, and customers may require an incentive to switch to an alternative form of payment from the relative security and convenience of paying by card. The merchant may have to offer a financial incentive in the form of reduced prices, special offers and/or enriched customer loyalty schemes to achieve this aim. The evidence does not look favourable for the customer though. In the U.S., merchants have saved c. $10bn annually in fees as a result of the Durbin Amendment, but have failed to pass this on to customers in the form of lower prices and/or improved loyalty schemes.


Retail banks will lose interchange fee revenue under the PISP model, putting further pressure on their business model

Banks will need to carefully consider their response to the loss of revenue as a result of PISPs entering the market. More banks may elect to start charging customers for making bank transfers over and above a certain volume per month to offset the loss of revenue from card transaction fees. This could be a gamble. PSD2 states banks cannot discriminate in pricing between credit transfers initiated via a PISP or directly by the payer, which means increased fees for many customers who enjoy free bank transfers today via SEPA instant credit transfers or faster payments (UK).

Other banks may become PISPs themselves in order to take the entire PISP fee on offer. Moreover, banks could start to unbundle their payment account products from more profitable credit and debt products and services to offset the loss in transaction fees, with the introduction of fee-based accounts (which we see in some markets today) and a segmented account service based on customer profile.

Banks may have greater liabilities around payments under the PISP model

There are currently a number of fraud control processes supplied by the card schemes that support and work with the card issuing bank account in terms of security and risk management. These processes are all based on the channel used and whether the customer is present at the point of sale.
Additional card scheme security is associated with using chip and pin for point-of-sale shopping and “Verified by Visa” or “3D secure” supplied by MasterCard for online Internet shopping. In a PSD2 world of PISPs, APIs will facilitate the connection between the PISP or merchant and the customer’s bank account, including obtaining authentication and authorization to secure the transaction (first two steps in Figure 5 below).


This connectivity among parties will require considerable technical work to make it viable without a scheme present to intermediate.  Without an intermediary, banks likely will have less appetite to assume some of their current liabilities for transactions that go wrong or are fraudulent. The development of a common set of standards that all parties follow will be very important to determine exactly where future liabilities reside in this payment model.

Banks with retail and SME customers will see accelerated fragmentation of their value chain from new competitors entering the market and potentially disintermediation from their customers

The rise of the open API economy will see an unprecedented number of new players entering the financial services markets within Europe, taking advantage of both PISP and AISP models. FORFIRM believes the most significant shift from PSD2 and the rise of an open API economy will come from banks being forced to open up proprietary data about their customers to TPPs. In theory, this will hand back control over customer data held by banks to the customer, who will be free to order banks to share the data with TPPs that offer the customer relevant and personalized services.


This should accelerate the move to customer-centric business models within banking, as customers in the near future will enjoy a world where they can find simple answers to their questions about financial products and services, benefit from pay-per-use of these products and services, have these products and services tailored for their personal situation, and be able to compare across a range of providers the relevance and performance of the product or service. The services offered by banks in this environment have to be more efficient in reaching the customer and differentiated from similar products and services offered by rival institutions.
Entrants will take many forms, some of which are already establishing themselves in anticipation of the open API economy in banking:

1. Challenger banks are entering the market and offering a more customer-focused model that connects the customer to their own products and services, as well as relevant third-party products and services. Their banking platforms and business models are “API first,” and they operate more like FinTechs than traditional banks. Current examples of these include N26 and Fidor in Germany, as well as Starling and Atom in the UK.

2. Financial Technology (FinTechs) firms specialize in a particular bank product or service but leverage a model that is more transparent and generally less costly to the customer. For example, Transferwise (UK based) is revolutionizing foreign exchange transfer by leveraging a peer-to-peer (P2P) model where Transferwise’s platform connects buyers and sellers of different currencies and facilitates currency transfers among customers in a secure and low cost way.

3. Technology giants such as Facebook, Apple, Google and Samsung will be interested in leveraging financial information available via open APIs in a PSD2 world to augment their own customer data, refine their marketing strategies, expand their product and service offerings, and increase their brand presence and share of wallet with customers. Three of these technology giants (Apple, Google and Samsung) already have entered into the world of payments through offering payment services linked to customers’ debit and credit cards.

4. Non-financial service sectors with retail customers such as utility companies may expand into offering financial products and services traditionally reserved for banks as a way to grow revenues and enhance monetization of their existing customer data sets. For example, in France, the telecommunications company Orange has recently bought a 65 percent stake in Groupama Banque to muscle its way into mobile banking services.

5. Aggregators will take advantage of both PISP and AISP aspects of PSD2 legislation to develop services such as personal financial management (PFM) tools. Current aggregators in the marketplace, such as Mint in the US, aggregate basic product information today and offer simple budget planning software for retail customers. The ability to initiate payments directly and obtain transaction information from a customer’s account will support the development of “over the top” applications to aggregate multiple account balances across EUbased banks where customers have accounts, providing customers with access to a consolidated view of their overall financial status.

6. Payment service providers (PSPs) and schemes also will be impacted, both adversely and favourably, by PSD2 and the rise of the open API economy. As mentioned before, the idea behind initiatives such as PSD2 is to increase competition and lower the cost of transactions in the market for both merchants and customers. Therefore, acquirers (e.g., WorldPay and First Data) and card schemes (e.g., Visa and MasterCard) all will see a reduction in revenues from a lower volume of card transactions. They will all look seriously at becoming a PISP and/or AISP post-PSD2 implementation in the EU markets. PSPs will need to respond by offering this new payment mechanism to customers at point of sale, although some providers such as PayPal already offer similar account-to-account payment services

7. ERP providers in the SME market, such as Sage and Xero, both of whom already provide comprehensive accounting services to small businesses, also could take advantage of PSD2 legislation to further strengthen their relationship with the customer by providing new products and services tailored for clients around tax advice, cash management and forecasting activities.
Even traditional banking incumbents are creating 100 percent digital banks, removed from their parent bank’s legacy IT infrastructure. In France, many of the large banks have launched 100 percent digital banks that are separate subsidiaries and brands from their parent companies to minimize cannibalization of revenues from their parent brand. Examples include BNP Paribas’ Hello Bank and Credit Mutuel Arkea’s Monabanq.


Banks also will seek new revenue streams from opportunities enabled by open APIs

In response, FORFIRM believes banks with large retail and SME customer bases also will look to evolve their revenue models along the lines of a producer-distributor model, with options discussed as part of the strategic response from banks in the next section. This will inevitably involve important decisions about whether banks will “build, buy or partner” with competitors in the marketplace, especially FinTechs that offer quicker routes to market and more flexible banking platforms than traditional banks.

It is worth noting that the real prize with open APIs will be the rise of real-time payment transactions and data flows, which empower the customer with near real-time financial information from their account(s). This is key for real innovation in product and service delivery to customers. And, banks need not wait until the last minute to implement the spirit of PSD2 around payments. They can leverage the infrastructure (payment rails) that will enable real-time payments within Europe as part of the SEPA instant credits implementation due to be completed in late 2017 (prior to adoption of PSD2 into law within each EU member state).

Only time will tell who will be the winners and losers within this new world

What is certain is that payments are likely to become less lucrative for many of the established players in the market, and the rise of data and customer insight will become more important as a source of revenue. Key players’ revenue models will need to be adjusted as result. There is a fear among banks that they will be relegated to the role of a utility and lose control over customer interactions as non-banking organizations embrace the open API economy. They, therefore, face a stark strategic choice. Do they want to become another utility providing commoditized, “white-label” banking products and services or do they want to maximize future shareholder value by becoming trusted lifetime advisors to both existing and new customers?
However, banks should think positively about the rise of the open API economy. The opportunity is for banks to understand what open APIs will mean to their business strategy and how to execute against their strategic response. Some key questions banks should ask themselves when developing a strategy are the following:
1. How can open API technology support innovation in terms of my existing or potential customer bases?
2. What partnerships can we leverage to bring new products to the marketplace?
3. What role will open APIs play in my overall digital business strategy?

Strategic responses from banks to the rise of the open API economy

FORFIRM believes banks should embrace the opportunities afforded by the rise of the open API economy, a trend being accelerated by legislation such as PSD2, but also one increasingly demanded by customers, regulators and politicians who see it is an enabler to a more competitive, innovative and dynamic sector. Therefore, FORFIRM believes banks have three key responses from which to choose:

1. Refuse to change: Accept regulator fines based on an assumption that the fines are less than the expected revenue loss from new competitors enabled by PSD2 and the cost of transformation
2. Comply at a minimum: Keep current business models largely intact
3. Proactively respond: Develop new customer-driven products and services and/or create new distribution channels, either alone or by leveraging third-party providers FORFIRM believes the third option would be the preferred response for banks wanting to position themselves to play well in an open API economy. And, this response involves more than banks treating PSD2 implementation as just another compliance project and remaining oblivious to the multitude of agile, fast moving competitors joining the ecosystem. Instead, it will increasingly involve collaboration (either through partnership and/or acquisition) with TPPs offering product and service innovation at a speed that banks cannot match. FINTECHS have the distinct advantage of being unencumbered by legacy IT infrastructure issues and close scrutiny of regulators.
Conversely, FinTechs also will be keen to capitalize on forging strong partnerships with banks to access both the banks’ established customer base and expertise in the industry. For example, ING has invested in the FinTech Payconiq in the Belgian market to take advantage of a similar payment technology to that enabled by PSD2 (direct bank account transfer). The Payconiq model allows a customer to make a direct debit from his or her bank account at point-of-sale using QR code technology.
Other new “challenger” banks to the market have adopted business models more akin to FinTechs to win customers directly from their larger incumbent rivals. In Germany, Fidor Bank is using social media to engage its customers to crowd source new ideas for products and services that better fit its customer base.

Other new “challenger” banks to the market have adopted business models more akin to FinTechs to win customers directly from their larger incumbent rivals. In Germany, Fidor Bank is using social media to engage its customers to crowd source new ideas for products and services that better fit its customer base.
Based on a European Banking Association model for understanding the relevance of open APIs in banking9, CGI agrees there are four viable roles for banks to adopt if the third response above is selected. These roles are based on two important questions:
• Product and service creation: Who develops the products and services my organization will be selling to my own customer base?
• Product and service distribution: Who is distributing my organization’s products and services via an open API to existing and new customers?
A. Integrator: Banks can continue to control product and service creation and distribution in a similar way they do today. The rise of competition in an open API economy from traditional and non-traditional players will mean banks adopting this model will need to match others in terms of speed to market and putting customer demands at the heart of what they do as a bank. This would make it challenging for banks to remain in this position and still compete in the marketplace effectively in the years to come.
B. Producer: Where applicable in the B2C space, banks could focus on product and service development, but leave the distribution of these products and services to others, such as FinTechs. This has the effect of lowering acquisition costs for new customers, but also could result in disintermediation of banks from the customer, as both the producer and distributor will want to control branding and the customer relationship. PSD2 will in effect push banks into a “producer” role around payment initiation services and access to account information. Banks are increasingly looking at the producer role and partnering with the right FinTech to maximize market penetration, as evidenced by the increasing number of collaboration events (e.g., hackathons, etc.) among banks and start-ups.




C. Distributor: Although somewhat a departure from current banking models, banks may want to move away from product and service development to distribution. Banks that adopt this strategic approach are still likely to run into conflict with the “producer” around branding and customer ownership, but there also is an opportunity to develop their customer base and leverage their established Internet and mobile channels with customers to distribute TPP products and services. Conversely, banks also could extend their role as “distributor” by becoming a TPP to other banks, offering account aggregation and payment initiation services for customer accounts held across multiple banks and FinTechs.

D. Platform: With this model, banks retain stakes in product and service development, as well as distribution, by acting as a market intermediary, facilitating activity among customers, producers and distributors in the market. Many analysts and experts think this “Uberization” of financial products and services is the way banking will ultimately go in 5-10 years. Gregory Guermonprez, country director for France at Fortuneo Bank agrees: “I think it [banking] will evolve into a ‘producer-distributor’ model much less integrated than today, where a bank, to be relevant, will distribute the products of others when it is not positioned best to meet customer demands.”10
Adding to the EBA model, CGI believes that banks have an overarching strategic choice to make about whether they want to become a “white-label” banking services provider or a trusted lifetime advisor to customers—a choice that will have an impact on value creation for their organization and their longer-term standing with the customer.

In the coming years, “banking as a service” platforms may become the norm for all financial services and products. Traditional banks that refuse to change their business model may be disintermediated from the customer and could get stuck in the role of ”producer” and, at best, play the role of back office integrator for a number of “over the top” product and service providers in the marketplace (e.g., know your customer checks).

Retail banks will need to consider sustainable and profitable business models for open APIs

In the future, banks are likely to minimize the costs of operating payment accounts as their revenues dwindle from interchange fees and they look to comply with regulation such as PSD2 at a minimum cost. Banks also will want to minimize the cost and liabilities associated with granting access permissions to a customer’s payment account(s) from TPPs by looking for ways to share costs among financial institutions. How this will work has not yet been determined, but it will likely lead to greater cooperation among banks. Banks may even take the opportunity to charge customers for registering access permissions from TPPs against their payment account.
In addition, banks could consider segmenting products and services (rather than bundling them as they do today) and use open APIs within the banks’ proprietary products (e.g., loans, mortgages and credit). Banks could then, for example, sell credit lines directly to retail customers as credit options with drawdown to payment accounts. This product could replace the overdraft attached to a payment account, but with more transparent fees and charges attached to it.

What strategic responses should corporate banks employ?

Based on client conversations across Europe, CGI believes many corporate banking organizations are currently not leading the conversation around the development of an open API economy, but are following events as they unfold. Potentially, banks are treating the rise of the open API economy as more of a threat than a value enhancing opportunity and therefore are adopting a “wait and see” approach to the impact of PSD2.
Others are more active in their response. In France, for example, a consortium of leading commercial banks has created a working group specifically to address their collective response to the advent of the PSD2 and the rise of the open API economy. One initiative they are considering is to develop a single API that works for all banks and allows authorized TPPs easy access to all of banks’ customer data. The banks would own and maintain the single API and, in theory, it may be cheaper to implement and maintain technical standards when shared across banks.
In the longer term, it is imperative for corporate banks across the EU to seriously explore the opportunities created by the open API economy to create value, especially with the development of real-time payments and data flows, continuing pressure from shareholders to drive growth from new revenue streams, and pressure from customers to increase product and service innovation.
Corporate banks may choose to follow one of the four options described in the previous section. Which option they choose will depend on their individual circumstances, as well as their unique strengths in the production and/ or distribution of products and services, while partnering with third parties to strengthen their offerings.
However, CGI recommends that, in order to position themselves for the longer term, corporate banks should consider acting now. Banks can determine what an open API economy means for their business by taking the following steps:

• Start internally first:
» Leverage internal APIs to break down silos among bank services and products that exist today
» Learn from wealth and retail banking divisions about how they use customer data insights to create single customer views and how this translates to additional value-added products and services for both customers and the bank

• Expand internal thinking to the wider banking ecosystem: » Understand the security model around open APIs

» Map out detailed scenario plans (which relevant products and services could the bank develop and which customer segments and geographies should the bank target)

» Invest in innovation and make products and services that are API driven

» Establish a culture of testing and learning in the market through internal innovation labs. For example, at one American bank, gone are the days of a mobile-first approach. The bank is now taking an API-first approach to customers’ requirements, enabled by a center of excellence driving innovation within the organization.

» Consider developing a different strategy for internal (or private) APIs where you can innovate and launch products in a controlled environment versus external open APIs with third parties

» Develop your organization’s “digital talent” pool to drive innovation around open APIs

In the medium to long term, CGI believes there is real opportunity for corporate banks to create an ecosystem of products and services with third parties, and the creation of this ecosystem can be accelerated by the implementation of legislation such as PSD2 (and, in particular, the creation of AISPs). Corporate banks may take this opportunity to partner with the large ERP and TMS players, such as SAP, Oracle and Murex, to increase their market share by seamlessly integrating their products and services with major ERP players’ platforms (e.g., HSBC and SAP are currently doing this).

What should banks do in the short-, medium- and long-term in response to the rise of open API economy and the implementation of PSD2?

In light of these strategic choices, CGI recommends that banks complete the following activities in the short-, medium- and long-term:
• Short-term (0-12 months): Consider your overall strategic direction in light of the rise of the open API economy:

» Refresh your business and technology strategy

» Determine future markets and revenue streams based on existing/new products and services, powered by an open API economy

» Define the pathway(s) to future operating model(s) based on specific products and services, recognizing the market will evolve over time.


Key operational considerations for banks’ strategic response

From FORFIRM’s point of view, there are several practical considerations for executing any proactive strategy when retail, SME and corporate banks respond to the opportunities and challenges presented by an open API economy in banking.
Overall, open banking standards initiatives and the European Banking Authority have so far not established detailed standards around how open APIs will work in reality for interested parties. Practical considerations must be addressed to ensure transactions and data transfers can take place among parties, securely and in real time, as well as addressing other challenges such as where liability sits in the event of a customer data breach or fraudulent activity.
Assuming the challenge around detailed standards develops through natural market innovation and/or further definition of standards by the European Banking Authority and regulators within the EU, CGI believes that the following practicalities are important to consider for any banking institution thinking about doing business in the open API economy:

1. What is the right operating model to drive profitability in an open API economy?

Bank services come with associated costs, and, without revenues to offset these costs, bank business models become unsustainable. Legislation such as PSD2 creates both costs and additional revenue opportunities for banks, but many in the industry argue should there be some consistent financial incentive agreed upon among the banks with regulators in a similar way interchange fees are charged by an issuing bank for card transactions.
So, what is a fair charging mechanism from banks to TPPs for maintenance and use of the banks’ open APIs? An important aspect of PSD2 is that TPPs must be able to compete fairly with banks’ own products and services, which means pricing should be identical in both cases. At the moment, banks struggle to understand today what the end-to-end cost of one data request via an open API would be due to historic product cross-charging issues.
Therefore, CGI suggests, as a starting point, that banks choose a monetary amount they would charge to TPPs and then match this amount to internal costs. Evidence of the charging mechanism and structure would, of course, have to be ratified by the regulator in the EU member state. This monetary amount could be refined over time as banks better understand their end-to-end cost models and/or regulators express a desire to cap charges to drive better value for the customer.
Where does this leave banks’ operating models? To show compliance with PSD2, banks might need to segregate payment accounts and payment initiation as a generic service from other more profitable products and services. That would lead to an unbundling of services, but this would redefine not only their operating models but their cost structures as well.
Therefore, differentiation among banks with retail customers would lie in new and innovative lifestyle and personal financial services or in credit and lending services created and distributed by a combination of the banks and/ or partnerships with FinTechs. Some banks will have to make painful choices to balance the cost of compliance versus the cost of transformational change to their operating model given other competing priorities. This is highlighted in CGI research, which shows the number one concern for banks is the potential cost of implementing PSD2.11
Gazing into the future, if blockchain models for payments become commonplace, then this segregation between payment accounts and value-added products and services would fit well. Payment accounts and transactions might become open distributed services used by all, separated from banks, and administered by a neutral entity such as a central bank. This would, in effect, create a cheap and standardized payments service, with banks free to concentrate on innovative and value-added customer products and services.

2. How will your organization establish suitable security and permissions for all parties?

For secure transfers to take place among parties on open APIs, appropriate security and permissions must be established for all parties. There are three parties to be clearly identified and verified as part of the process: • The instructing customer • The intermediary service provider (e.g., PISP, AISP, agent) • The host bank for the customer’s account/service
Once all parties are correctly identified and verified, banks must provide suitable permissions to third parties wishing to access banks’ data via APIs. However, banks would need assurances that third parties accessing data or requesting to initiate a customer transaction have the relevant authority from the instructing customer to do so. There are two ways this may work:
• Provide third parties with digital passports to prove identities and for customers to sign permissions for them » In Sweden, for example, there is a national digital ID scheme owned by the banks that provides a public key interface (PKI) infrastructure on a customer’s mobile device, which makes customer authentication a quicker and more seamless process than using traditional username and password type mechanisms.

• Third-party permissions could be registered in bank systems in advance by the bank’s customers, with a live feed of permitted institutions (PIs) taken from the appropriate governing body. This approach is likely to have cost implications for banks in terms of maintaining a register of permitted organizations that can access a customer’s data or initiate a transaction on the customer’s behalf.
In addition, banks also must consider constraints around whether permissions are single use or are available for a period of time (whether this is a defined period or until a customer retracts permission).


What data strategy will ensure maximum value is created for banks?


Third parties that want to provide enriched customer products and services would require meaningful financial data (AISPs) held by banking institutions. This, in turn, would focus a spotlight on what banks are willing to share based on agreed upon data sharing standards and whether this is over and above the regulatory minimum to be meaningful for TPPs to use. This could include details such as important definitions of what constitutes a payment account and whether financial information is (near) real-time. For example, it is no use providing a customer’s account balance if the AISP does not know when the snapshot was taken and what transactions are included to create the balance. Data taken out of context is meaningless in providing an enriched customer experience.
Moreover, a typical customer bank statement or customer dataset held by a bank is limited today. For example, bank statements typically do not capture the exact time a transaction occurred on a given date, which would have implications in the future should third parties or banks want to offer services that rely upon real-time data about a customer’s account balance. Therefore, to create any meaningful insight for enhancing the customer experience, banks will need to be encouraged or incentivized to offer up additional data they may hold or to capture additional data. This will largely depend on the banks’ individual strategies and whether they want to play and collaborate with third parties.

What are the appropriate service levels for performance of the banks’ open APIs?

Once access rights are resolved, then service level agreements (SLAs) for the performance of data transfer among banks and third parties must be established. Again there are several practical considerations to bear in mind:

1. Standardized service levels across banks for data transfer performance should be established in order for TPPs to provide a consistent product or service to the customer. In particular, TPPs will want to understand the following:
» How long will a bank take to respond to a data request from a verified TPP? » How frequently can a verified TPP make requests to a bank in a defined period of time? » What would be the maximum number of data requests accept by a bank in a given period from a certain TPP?
2. Banks will have to balance whether they can be compliant with a restricted service level that impacts the frequency and volume of data requests from TPPs. They may choose to implement some form of “demand throttle” to restrict the number of requests in a defined time period and limit API bandwidth for TPPs, especially at peak times, much like the mobile and fixed line broadband networks do. Ensuring that a low volume verified TPP user gets its fair share of capacity will be challenging for banks. At the same time, internal bank activity requiring the use of the same APIs for data transfer will need to compete for space with these external data requests.
3. Banks will need to put in place protections against capacity overload within the system Online services are vulnerable to both legitimate peaks in data requests from verified TPPs at given points during the day and illegitimate attacks such as distributed denial of service (DDoS). Banks will need to ensure that they are maintaining and monitoring their APIs for such issues.

How will governance work to maintain open APIs among financial service players?

Banks will need to be aware of the key governance elements for open APIs, which include the following:
• Testing of open APIs: Regulators or other official bodies are advised to create “sandboxes” (pre-production environments), so that banks can thoroughly test open APIs before they are made available to TPPs. Certification and assurance around testing by TPPs will ensure an interbank standard is created.
• Registering and publishing of open APIs: A directory of all banks’ open APIs in a standard naming convention would need to be established and maintained in order for approved AISPs to easily find and connect to APIs.
• Certifying open APIs and legitimate TPP requests: It will be important to establish at what point a bank’s open API adheres to regulatory standards or not. In addition, a list of approved TPPs will need to be certified and approved by the regulators to ensure customer data is managed and used in accordance with the principles of PSD2 and customer data protection laws (e.g., “Right to be Forgotten” and counterparties in transaction data).
• Policing and sanctioning of organizations not following standards: Banks will need to be aware of the penalties (legal and/or commercial) for non-compliance with open API standards.
• Financial and operational liabilities: In the case of payments made via a PISP service, banks will need to work with regulators and PISPs to determine where liability resides for fraud, disputes, and chargebacks for transactions that go wrong.

Conclusion: What are the key takeaways for banks in this new open API economy?

Regardless of whether you are a retail or corporate and transaction bank, consider acting now. The rise of the open API economy is here, and CGI advises banks not to wait for politicians and regulators to force you to change. We believe banks should see the open API economy, not only as a threat, but as a great opportunity to do the following:

• Maximize payment transaction revenues for current and future payment mechanisms
• Exploit customer transaction data to offer tailored products and services, leading to profitable growth
• Implement new business models to challenge more agile competitors to safeguard your market position
Banks that respond quickly to these changing market dynamics will be able to shape and lead conversations with customers, legislators and regulators. Those that adopt a “wait and see” approach will find it increasingly difficult to keep pace and maintain market position.
FORFIRM believes the winners among banks in this competitive battle will be the ones who can “uber-ize” their operating model—providing a flexible and open “banking-as-a-service” platform to develop and distribute tailored products and services to customers, utilizing third parties when required. This way banks can ensure their survival as trusted lifetime financial partners for their customers.