07/13/2016

Opening the Kimono


It was the “stop!” heard round the world for fintech companies. Last October, two of the nation’s biggest banks temporarily interrupted the flow of data to popular third-party applications such as Mint that use the information to help people manage their finances. JPMorgan Chase & Co. and Wells Fargo & Co. didn’t do so because they’re opposed to sharing data. Instead, the banks were concerned that the way the data was being collected put undue pressure on their websites and exposed customers to an increased risk of fraud.

The issue was so significant that JPMorgan Chairman and Chief Executive Officer Jamie Dimon dedicated an entire page of his shareholder letter this year to discussing the bank’s policy on sharing customer data with outside parties. “When we all readily click ‘I agree’ online or on our mobile devices, allowing third-party access to our bank accounts and financial information, it is fairly clear that most of us have no idea what we are agreeing to or how that information might be used by a third party,” Dimon wrote.

After analyzing the contracts that customers sign in order to use services like Mint, JPMorgan found that the companies take far more information than is necessary to provide the agreed-upon services, sell or trade the data in ways customers may not understand and continue to collect the information on a daily basis for years even after customers no longer use the service.

The solution, wrote Dimon, is to build systems that allow banks to push data out to third parties as opposed to letting them pull data at their discretion from customer accounts. These systems are known as application programming interfaces, or APIs. However, far from offering an answer to this issue alone, APIs lie at the heart of an intensifying debate over how financial products and services will be delivered to customers in the future.

The technical name makes APIs seem more complicated than they actually are. APIs are tools that allow systems and software applications to work together. They serve as a gateway between the two that can be opened or closed depending on whether a user has permission to access them. The Google Maps API, for instance, allows third-party developers to create applications that build upon the technology company’s trove of geographical data. This is what enables Yelp to map the location of nearby restaurants in its popular smartphone app.

Even though APIs are currently attracting a lot of attention in the financial industry, the concept and the technology are not new. APIs have essentially been around for as long as computer programs have, acting as the glue that binds programs together. The financial industry itself is no stranger to them. APIs are what empower a bank’s mobile applications to access customer account and transaction data, as well as to initiate payments or deposit checks. The application doesn’t store this information; it taps into it through APIs that connect the app to the bank’s internal systems and databases.

What is new, at least to the broader financial industry, is the concept of so-called open APIs. These expose a bank’s internal system to outside developers. Inspired by companies like Facebook and Apple, which have encouraged the growth of large ecosystems of third-party applications that run off the larger companies’ infrastructures, the idea is that banks should leverage the reams of data they collect to become platforms upon which outside developers can create new and innovative applications that help customers take better control of their financial lives.

“We think that future value creation in the financial industry is going to come much more from sharing rather than protecting critical assets, which includes data, transactions, algorithms and business processes,” says Kristin Moyer, research vice president and distinguished analyst at Gartner, a leading information technology research and advisory firm.

One bank that’s working aggressively in this regard is Wells Fargo, which sees APIs as a new channel over which to deliver financial products. “We’re very bullish on the API opportunity and what it’s going to mean for our customers and our company,” says Danny Peltz, executive vice president in charge of Wells Fargo’s treasury management group. That said, Peltz is adamant that Wells Fargo would only allow trusted and thoroughly vetted third parties to access its APIs.

Peltz sees three principal use cases for APIs at Wells Fargo. First, they will extend the bank’s capabilities to deliver its products and services within digital ecosystems (over, say, Facebook’s social media platform). “There are broader platforms out there that customers are interested in,” explains Peltz. “We want to make it easier for them to integrate their information and conduct their transactions in the way they desire.”

APIs will also allow business customers to identify and implement services directly into systems of their choosing. Instead of dialing into a call center for assistance with payment issues, for example, business customers will be able to use Wells Fargo’s APIs to pull the necessary data into their own servicing platform.

Finally, APIs provide a more elegant way for Wells Fargo to establish relationships with third-party data aggregators, such as Yodlee, Intuit and Plaid. Many of these companies have traditionally used screen-scraping technologies to access information from customer bank accounts, which is then incorporated into third-party applications such as Mint. APIs provide a more efficient and secure way to deliver this data. They eliminate the need for customers to share sensitive information with the third-party aggregators and reduce the strain on bank websites from screen-scraping bots that log into customer accounts in order to collect data.

“Let’s say that you bank with Wells Fargo. You can give us permission to go to it, use its API to pull down your account data in a read-only format, and then pass that to an end developer,” explains William Hockey, co-founder and chief technology officer of Plaid, a third-party aggregator that’s using APIs to bridge the technological divide between banks and application developers. “While banks don’t have public-facing APIs, that’s why they work with us, because we handle that technical and security complexity to go ahead and get that data.”

All three use cases cited by Peltz promise to change the way financial products and services are delivered to consumers, but the final one is likely to be especially challenging for banks to navigate. “The biggest concern is that they’ll lose the customer interaction,” says Chae An, vice president and chief technology officer of IBM’s Global Financial Services Sector. By empowering outside developers to create third-party financial applications, such as smartphone apps that aggregate account and transaction information from multiple financial service providers, customers will have less incentive to log into their separate accounts.

The fintech company Simple, which was purchased by Spanish banking giant BBVA in 2014, provides a case in point. Simple’s smartphone app is designed to help people save money. Its Safe-to-Spend feature takes a customer’s bank balance, accessed via an API, and then subtracts upcoming bill payments, pending transactions and any goals that they’re saving for. “We’ve re-thought all the features you’d want from a bank and made them smarter, less complicated and available whenever you need them,” says its website. “You shouldn’t have to get out a calculator just to figure out if you can afford a new pair of shoes or a nice dinner out.”

Simple is focused on what technology companies do best: creating customer experiences that are both elegantly designed and functional. “Banks are very good at many things, including treasury services and safeguarding customer deposits, but we have our core competitive advantage around the customer experience,” says Simple co-founder and CEO Josh Reich. But the downside from the perspective of a traditional financial provider is that BBVA has essentially subordinated its brand to that of Simple’s. The latter, not the former, is emblazoned on Simple’s smartphone app and website, even though the underlying financial products and services are provided by BBVA.

This challenge aside, it seems clear that an open API framework will play a major role in the supply chain of financial products and services in the future. “It’ll be one of the larger technical channels that we have over time,” says Peltz. “But it’s still only another channel. It’s not going to supplant the other channels like our stores, website, mobile app, phones and people.”

One reason to believe that APIs will gain in prominence is that some regulators see them as a way to level the playing field between consumers and financial service providers. Lawmakers in Europe are leading this charge. In 2007, the European Union passed the Payment Services Directive, or PSD, which provides the legal framework to make cross-border payments as efficient and secure as payments within a member state. This was enhanced last year in a directive known as PSD2, which, among other things, requires that banks give payment companies access to customer accounts via APIs so as to facilitate the payments process.

The United Kingdom took this a step further. In its 2015 budget, the country’s Treasury announced its commitment to instituting an open API standard for all U.K. banks. It did so to “help customers have more control over their data and to make it easier for financial technology companies…to make use of bank data on behalf of customers in a variety of helpful and innovative ways,” states a report by the Treasury’s Open Banking Working Group, or OBWG. The report recommends the adoption of a standardized open API framework through which third-party developers can access customer account and transaction data in the same manner from all banks based in the United Kingdom.

The OBWG highlighted multiple ways that open APIs could improve consumer outcomes in the financial space. One is to make it easier for people to compare accounts by enabling them to share account and transaction data with price comparison websites. It’s estimated, for instance, that a consumer in the United Kingdom could save on average between £70 and £260 a year by switching into accounts that are more appropriate given the person’s transaction history.

The OBWG also believes that an open API framework could improve access to credit. “Historic transactional data is an important determinant of credit quality and real-time transactional data is a valuable indicator in the ongoing serviceability of loans,” states the report. “Currently this information is only available to the current account provider, which means third-party providers may not be able to offer the best terms to users when they shop around.”

Beyond these, the OBWG’s report lists four additional benefits that could come from wide-scale adoption of open APIs by U.K. banks. These include making it easier for people to manage their personal finances, qualify for loans, use online accounting services and increase fraud detection. This initiative positions the country at the forefront of the API issue, as the U.S. government has yet to weigh in on it. “Europe is three to five years ahead of the United States on this,” says Moyer.

Although legislation requiring banks to open their internal systems and databases to third-party developers would accelerate the movement in this direction, it’s important to note that banks have their own reasons to embrace open APIs. “This is important to the customer,” says Sonya Crites, head of product management for cash management solutions at D+H, a company that provides technology solutions to nearly 8,000 financial institutions. As a result, “banks don’t want to drive their customers away by not adopting them.”

Wells Fargo’s Peltz expressed the same sentiment: “From the consumer perspective, it’s really important for us to have ubiquity in terms of our ability to deliver services to customers, whether they want to come to us for them or to a third party.”

One of the biggest benefits to a bank is that APIs provide a more secure way for third-party developers to access customer data. The screen-scraping technology that aggregators have traditionally relied on to get data requires people to share the user names and passwords for their online bank accounts. “If you give out your Chase.com user ID and password, you are putting your money at risk,” admonishes Chase in a fraud prevention tip. Doing so, the bank implies, may release it from its responsibility under Regulation E to cover the cost of unauthorized transactions from customer accounts.

“APIs are much more secure,” explains Shamir Karkal, who heads up open API banking at BBVA. Not only do they eliminate the need for customers to share their login credentials with third parties, but information conveyed over APIs is also well suited for tokenization, which is a more sophisticated way to encrypt digitally transferred messages.

Many analysts and observers believe as well that the proliferation of open APIs will spur innovation in the financial industry. “Today, banks have to create value from the inside out. They have to come up with their own ideas and create their own products and services,” says Moyer. “But with digital business models [that leverage open APIs] you’re enabling ecosystems outside the bank to co-create value.” This is very much in line with business models in Silicon Valley. “If you look at Facebook, Twitter and Google, a lot of their really interesting ideas have come from people building off their platforms,” says Hockey. By using open APIs, “banks are basically getting a free R&D department.”

There’s even an argument that open APIs will improve customer retention by increasing the switching costs associated with changing banks. “If I have my Wells Fargo account hooked up to 10 applications, I’m not going to want to switch banks, because I have everything hooked up to it,” says Hockey.

While these points are particularly relevant for national and regional banks, the cost and complexity of implementing open APIs isn’t so prohibitive that smaller banks can’t benefit from them, too. The difference is that while big banks will be able to cultivate their own digital platforms along the lines of Apple’s App Store, “smaller banks could work in a consortium, with fintech companies serving as a gateway to outside developers,” explains An.

It’s for these reasons that technologists urge banks to embrace the concept of using APIs to expose their internal systems and databases to vetted and trusted third-party developers, even though doing so goes against a bank’s natural urge to jealously guard its proprietary data. “There’s been this mantra that this is disrupting banks, and I think that Silicon Valley is partially to blame for that, because sometimes we overstate our objectives,” says Hockey. “But I think what the entire industry needs to realize is that nobody is disrupting anything. Banks aren’t going anywhere. If banks play it well, they’re actually going to be closer to the center of consumers’ lives than ever.”

WRITTEN BY

John Maxfield

Freelancer

John Maxfield is a freelance writer for Bank Director magazine. He was previously the senior banking specialist at The Motley Fool. He regularly writes for Bank Director magazine and BankDirector.com. His work has been syndicated widely to national publications including USA Today, Time and Business Insider, and he’s been a regular guest on CNBC. John has a bachelor’s degree in economics from Lewis & Clark College and a juris doctorate from Southern Methodist University. He’s a licensed attorney in the State of Oregon.
