Author: Clayton Locke
2018 promises to be a year of significant change for the finance industry, particularly in the shape of PSD2. Its Open Banking requirement, that banks give licensed third parties access to customer account data with the customer's consent, opens up a wealth of new possibilities. A properly engineered digital banking platform is essential for taking advantage of them.
Open Banking has arrived. The long-awaited revised Payment Services Directive (PSD2) took effect on 13 January 2018. With the directive now transposed into national regulations, a key driver for accelerating Open Banking is in place.
So how do banks and other financial services companies turn these changes to their advantage? Let’s start by examining the basics from a technology perspective:
- How do banks expose their core capabilities as APIs?
- How do banks manage the new APIs efficiently?
- How do banks protect systems and data?
- How do banks ensure reliability, throughput and scalability?
How do banks expose their core capabilities as APIs?
To expose core capabilities successfully, banks must first build enterprise-grade APIs on top of their existing systems. These APIs provide access to data, integrate systems and more, and can simply be seen as another channel supported by the bank's digital banking platform. Like the platform's presentation layers for web and mobile applications, the APIs are the system interface for delivering data that is most often held in the system of record: the core banking system.
The architecture required to deliver data and services via APIs is very similar to the software required to provide online banking through a browser or an app. The difference, of course, is that it’s another computer accessing information and services. Nevertheless, the digital banking platform can use many of the services already built to facilitate human access.
How do banks manage the new APIs efficiently?
Under the directive, banks are required to make their APIs available to licensed third-party providers (TPPs). These third parties need to be able to find, understand and integrate with the APIs with minimal effort.
To provide this open service, banks must control how they publish, authorise access to and monitor this new channel to market for their customers' data. Efficient service management requires a digital banking platform with built-in tools for publishing, monitoring and controlling access to the APIs.
While the digital banking platform already provides features needed by end users accessing online banking services, it must also provide features that respond to requests coming from third-party systems.
The digital banking platform not only manages which APIs are exposed but also provides management information and analytics on how third parties are using them. The monitoring and alerting required is very similar to the way the platform already manages online banking features and services provided as part of a digital banking user experience. There are clearly many synergies between the web, mobile and Open Banking channels.
How do banks protect systems and data?
Open Banking systems must be secure by design, providing authentication and access control without degrading performance or scalability. A digital platform that acts as an API gateway lets banks centralise security policy at the API layer, which is the most dependable way to get consistent, repeatable enforcement across every exposed endpoint.
That platform can also be the point of identity and access management, simplifying how banks grant third parties access to resources held across multiple back-end assets. It should build on the standard protocols: OAuth 2.0 for delegated authorisation, so that the customer consents and the third party receives an access token scoped to exactly what was consented to, and OpenID Connect for authentication and single sign-on to downstream applications that use its data or services. Two points matter in practice: OAuth 2.0 is an authorisation framework rather than an authentication method, so a bearer token on its own proves that consent was granted, not who is presenting it; and the Open Banking security profiles, built on the OpenID Foundation's Financial-grade API (FAPI), therefore add client authentication over mutual TLS and access tokens bound to the client's certificate.
Banks that have already implemented a digital banking platform should already have a robust security framework that authenticates requests for access to their core banking systems. The controls that authenticate and approve requests from a mobile app, for example, can be reused to authenticate and approve requests coming from third-party systems. The framework then applies the same Strong Customer Authentication (SCA) to the customer across all channels, as PSD2 requires, including when the request arrives through a third party; the third party itself is identified separately, by its eIDAS certificate and its OAuth client credentials.
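As an added illustration, not code from the original post or from any particular vendor's platform, here is the kind of policy check an API gateway performs in front of the core banking APIs: validate the OAuth 2.0 access token's structure, pinned algorithm, signature, expiry and audience, then confirm that the token's scope covers the capability being called, all before anything reaches the core banking system. The secret, audience, route table and client identifiers are constructed for the example. HS256 with a shared secret is used only so that it runs with the standard library; a real authorisation server would issue RS256 or PS256 tokens that the gateway verifies against the server's published JWKS, and the checks below stay the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only.
GATEWAY_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_AUDIENCE = "https://api.examplebank.test"   # hypothetical resource identifier

# Route policy: the OAuth scope each published capability requires.
# Anything not listed is refused (fail closed).
ROUTE_SCOPES = {
    ("GET", "/accounts"): "accounts",
    ("GET", "/accounts/balances"): "accounts",
    ("POST", "/payments"): "payments",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = GATEWAY_SECRET) -> str:
    """Stand-in for the authorisation server: issue an HS256-signed JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, now: float, key: bytes = GATEWAY_SECRET) -> dict:
    """Check structure, pinned algorithm, signature, expiry and audience.

    Raises ValueError with a short reason on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it
    # (this blocks the classic 'alg: none' and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    return claims


def authorize_request(method: str, path: str, token: str, now: float) -> tuple:
    """Gateway policy decision, made before any call reaches the core banking system.

    Returns (allowed, reason); the reason is what the gateway would log.
    """
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return False, "unknown route"
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return False, str(err)
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        return False, f"missing scope {required}"
    return True, f"tpp={claims.get('client_id')} scope={required}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token({"client_id": "tpp-123", "aud": EXPECTED_AUDIENCE,
                        "scope": "accounts", "exp": now + 600})
    print(authorize_request("GET", "/accounts", token, now))     # allowed
    print(authorize_request("POST", "/payments", token, now))    # missing scope payments
```

The order of the checks is deliberate: the cheap structural and signature checks reject forged or tampered tokens before any claim is trusted, and the route table is consulted first so that an unpublished endpoint is refused even for a perfectly valid token.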
How do banks ensure reliability, throughput and scalability?
In addition to securing the APIs, the platform monitors the availability and throughput of each exposed service. As demand increases, the platform should either throttle it, per third party so that one misbehaving client cannot starve the others, or scale out elastically to meet it without degrading performance. Synthetic transactions and automated alerting are key capabilities for keeping the platform reliable and performant, because they detect a failing dependency before a third party's customers do.
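The throttling described above is usually a per-client token bucket at the gateway: each third party gets a burst allowance and a sustained rate, excess calls receive HTTP 429 with a Retry-After hint, and a noisy client only exhausts its own bucket. The following is an added example, not code from the original post; the limits and client identifiers are constructed, and time is passed in explicitly so that the behaviour is deterministic.

```python
import math


class ClientRateLimiter:
    """Per-client token bucket.

    Each client's bucket holds up to `capacity` tokens (the permitted burst) and
    refills at `refill_per_sec` (the sustained rate). One token is spent per call.
    """

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets = {}   # client_id -> (tokens, last_update)

    def allow(self, client_id: str, now: float) -> tuple:
        """Return (allowed, retry_after_seconds); retry_after is None when allowed."""
        tokens, last = self._buckets.get(client_id, (float(self.capacity), now))
        # Refill for the time elapsed since this client was last seen, capped at capacity.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True, None
        self._buckets[client_id] = (tokens, now)
        return False, (1.0 - tokens) / self.refill_per_sec


def gateway_response(limiter: ClientRateLimiter, client_id: str, now: float) -> tuple:
    """Map the limiter decision to the status and headers the gateway would send."""
    allowed, retry_after = limiter.allow(client_id, now)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(math.ceil(retry_after))}


def simulate(limiter: ClientRateLimiter, requests: list) -> list:
    """Run a list of (timestamp, client_id) through the gateway; return the status codes."""
    return [gateway_response(limiter, client_id, t)[0] for t, client_id in requests]


if __name__ == "__main__":
    # Constructed traffic: tpp-a bursts seven calls at once, tpp-b sends one,
    # then tpp-a returns two seconds later once its bucket has partly refilled.
    limiter = ClientRateLimiter(capacity=5, refill_per_sec=1.0)
    burst = [(0.0, "tpp-a")] * 7 + [(0.0, "tpp-b")] + [(2.0, "tpp-a")]
    print(simulate(limiter, burst))   # [200, 200, 200, 200, 200, 429, 429, 200, 200]
```

When the gateway itself scales out, the bucket state has to live in a store shared by all instances rather than in process memory as here, otherwise each instance grants every client a full allowance of its own.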
In my next blog post, I’ll be taking a more detailed look at how an API gateway fits into the overall architecture of a digital banking platform.