Open API failure in Europe a warning for Asia
Fintech founders say Salt Edge’s new report shows the dangers if banks treat APIs as a compliance exercise.
Open banking relies on open APIs, software that integrates the systems among banks and third parties so that customer data can be shared.
It is a movement based on the idea that customers are the owners of their data and should be allowed to insist that banks make it available to fintechs or other players, who in turn can develop consumer apps, either with banks or in opposition to them.
Banks are generally not big fans of this approach, and there is now research that suggests many European incumbents are treating open banking as a box-ticking exercise.
A new report by Salt Edge, a U.K.-based company that sets up API platforms to help banks and third parties connect, suggests that in the U.K. and Europe, the vision of open banking is cratering because banks’ APIs are often shoddy.
“These numbers are truly shocking,” said Ned Lowe, CTO at SingLife, of the report’s findings.
For example, most banks in Europe now offer “API availability”, meaning they have APIs. This is true of more than 90% of banks in the U.K., Portugal and the Czech Republic, with compliance falling off in other markets. But that doesn’t translate into banks’ APIs actually responding to requests from TPPs (third-party providers). In the Czech Republic, only one-third of banks’ APIs actually respond; across Europe, on average half the banks do not respond to connection requests.
Worse: 39% of banks have broken endpoints in their developer portal, meaning links are inactive, portals don’t respond, registration forms don’t work, or the bank doesn’t respond to the need to test the APIs.
Other findings from Salt Edge’s survey of over 2,000 API initiations (requests to interact with banks) across 31 European countries, including the U.K.:
- 38% of bank APIs don’t meet E.U. or U.K. regulatory standards
- 58% of integrations take more than 10 days
- 43% of banks don’t support automated registrations to access the relevant APIs
- 46% of banks don’t allow TPPs to test scenarios with the data to be used in consumer apps
- 37% of banks’ sandbox environments do not resemble their live ones
- 22% of APIs come with faulty documentation
- And a final whopper: 28% of APIs had downtimes during the integration.
Such rampant failures are clear violations of PSD2. But the issue goes beyond whether regulators should punish banks. It means the structure meant to gird open banking does not work.
In Singapore, the Monetary Authority requires any system deemed critical to be available 99.95% of the time over any given 365 days. That amounts to only four hours a year of allowed downtime, says Lowe.
The degree of API failures in Europe shows that its banks are not taking open banking seriously. They are not treating it as critical.
(Salt Edge did highlight a few banks that stood out for excellent APIs, including challenger banks such as Monzo and Revolut, but also incumbents such as Lloyds Bank, Commerzbank, and Nordea, among others.)
This begs the question of whether open APIs should be “critical”. Helping aggregate data to feed to a consumer budget app is probably not critical. But if open banking is to be mandatory, it will fail if the system is not reliable. Customers will end up with apps that don’t work.
“When people in the industry talk about open banking, they usually focus on regulation, data, and use cases,” said Ankit Suri, co-founder of Hong Kong fintech Planto. “What they don’t talk about is the developer experience of APIs. But the APIs need to work.”
This means simplifying integrations so that adding a credit card or payments company is reduced to a few lines of code. The easier the integration, the more time developers can spend on building apps and good user journeys.
Banks have baulked because they’re being ordered to do something they don’t like. But they also find APIs difficult. Open-banking tech does not fit neatly with legacy core banking systems. It’s hard to design a real-time API to connect to a system that operates by batch processing.
In Europe, at least there is a licensing process for TPPs, so banks can have some confidence in who is getting the data of their customers. In Hong Kong and Singapore, the regulators have so far declined to do this, leaving the onus and the risk to banks.
“Who tells the consumer what’s safe? The bank,” said Victor Lang, co-founder of gini enterprise, a Hong Kong fintech. “That’s why nothing’s happening. All the APIs we see are one-way.” For example, a bank integrates with an ecommerce site to market a credit card to shoppers, but it isn’t giving away its own data to third parties who might want to develop apps with it.
In the U.S., on the other hand, authorities have blessed open banking and allowed TPPs to gather information but have not mandated anything. It’s up to the market to decide what to do. Some banks offer APIs, others do not. Those that resist will find customer data getting screen-scraped anyway.
“There’s a huge commercial opportunity in the U.S., so if a bank tries to block APIs, other parties will throw lots of resources at screen scraping,” said Ray Wyand, CEO and co-founder of gini. “The report [by Salt Edge] suggests it’s not a priority in the U.K.”
The U.S. has therefore seen the rise of infrastructure companies such as Stripe and Plaid to help connect banks with users, merchants, and fintech partners. At the same time, the U.S. has also seen the rise of big consumer app providers, such as Acorns and Clarity Money (which was acquired in 2018 by Goldman Sachs and rolled into its Marcus digital bank).
Some Asian markets have enjoyed huge success with open banking. India, thanks to the digital stack its government built for identity and payments, is de facto an open-banking market. Korea’s digital banks have leveraged the scale of parent e-commerce and telecom companies to do the same. Australian banks, in the wake of a scathing report last year into consumer abuse, have been more reliable API partners.
But Europe has been the vanguard of open banking – and it’s botched it. One reason why Europe has so few fintech giants may be that, despite more than a decade of encouraging or mandating open banking norms, its banks have dragged their feet and not created APIs that are reliable. And if the infrastructure isn’t secure, then no one is incentivized to invest in building risky consumer apps.
For places like Hong Kong and Singapore, the warning to regulators is that if they really want to see open banking, they need to consider the balance of liabilities, obligations, and commercial outcomes for banks. Do they want to see their banks tick the boxes, or actually partner with third parties to innovate?
This could mean giving mandates teeth: for example, regulators could require that bank APIs meet MAS uptime levels for critical systems.
Or it could mean leaving this to market forces. Small city-states lack the scale to get America-like business outcomes. But Covid-19 means banks must go online to acquire new customers and engage with existing ones.
“Before, APIs were a project,” Suri said. “Now they’re continuity planning, because the business won’t run without acquiring customers online.”
Banks will need to see open APIs as commercially useful.
“There’s a huge competitive advantage to banks that do it well,” said Lowe. SingLife moves money around via DBS because the insurtech trusted the bank’s consumer API capabilities.