Open API maturity is slowing due to a lack of industry standardisation

On 10 October 2022, Sibos brought together nearly 10,000 members of the financial services community for four days at RAI Amsterdam to hear from more than 250 expert speakers across 150 conference sessions with hundreds of exhibitors, connecting professionals from around the world both live and online.

If you didn’t manage to catch any of Sibos, there are many reports going around on all things ESG, diversity and digital assets to name a few. For me personally, one topic stood out the most – open APIs. And I would like to explore this topic from the point of interoperability.

Since its inception four years ago in the UK, open banking has been heralded as a revolution in the financial services industry. The initiative has spread to all corners of the world and continues to expand, be it regulatory-driven as is the case in the EU, Hong Kong and Australia, or market-led (for example, the US, Japan and Singapore, where some regulators are encouraging data-sharing).

The difference in the pace of progress means there is a lack of compulsory standards, which has even given rise to an API security market, with new companies rushing in to address the gap. So, given the desire of banks to partner with the wider ecosystem, is industry standardisation an answer to achieving mass adoption of open APIs?

The latest figures from OBIE show that both businesses and consumers in the UK made up more than 6 million active users of open banking services in May 2022, up from 5 million in January 2022. In March 2022, there were 21.1 million open banking payments, compared to 6.1 million the previous year, representing a growth of 245%. When Omdia asked payment issuers/acquirers about their IT investment plans as part of its annual IT Enterprise Insights survey, more than a quarter (28%) of respondents in the UK stated that they are investing in new payment services leveraging open banking APIs in 2022.

Changing perceptions

The pandemic, of course, has forced providers to reassess their existing capabilities in the quickest time possible, to not only be able to continue their service delivery but to remain competitive. Recently, a shift in thinking has been observed that APIs provide a route to new customer channels. When Omdia asked payment issuers/acquirers globally about their organisation’s attitudes and plans around both real-time payments and creating open APIs, more than 70% agreed that they view third-party developers and third-party providers (TPPs) as a new customer base and their organisation has a clear strategy around open APIs.

However, although this is encouraging, providers are almost equally likely to be concerned about the security of alternative payments, with more than 60% of all respondents concerned about the security of open APIs, likely to be driven by increasing data-protection requirements.

Figure 1: The majority of global payment issuers/acquirers view third-party developers and TPPs as a new customer base. Source: Omdia IT Enterprise Insight 2021/22 Survey.

While there is a growing consensus around the establishment of a new customer channel, the lack of standards means that innovative APIs may be developed ahead of security. This can result in product innovation becoming decoupled from the development of anti-fraud and security functions, which can put institutions at risk. Given the growth in newer strategies being made available by fintech companies and the willingness of banks to partner with the wider ecosystem, it is essential that standards keep pace with business requirements. This is particularly problematic with cross-border trade when banks are required to interface efficiently with customers and service providers across multiple jurisdictions.

Omdia research finds that there is a growing API security segment, with providers such as Salt Security, 42Crunch, Noname Security and Cequence. Salt Security, which is a pioneer in the space, delivers its technology through a software-as-a-service (SaaS) model, available primarily through channel partners. The sector has also gained traction with vendors offering web application firewall (WAF) tech, bot management, content delivery networks (CDNs) and cloud-native protection. The fact that Imperva, founded in 2002, acquired CloudVector in May 2021 points to larger players with a wide range of services making it their strategic priority to acquire some specialist API security technology start-ups.

Is Europe leading the way for a common API standard?

The initial driving force behind opening customer data up to TPPs has been regulation, particularly in Europe with PSD2.

The European Banking Authority’s recent response to the European Commission’s call for advice on the review of PSD2 indicates the direction of open banking as it seeks to explore the possibility of having a common API standard across the EU to be developed by the industry. It also stated that all account servicing payment service providers (ASPSPs) should provide a dedicated interface for the access of TPPs and remove the requirement for ASPSPs to also provide a fallback mechanism. In addition to a range of further considerations, all these proposals are aimed at promoting innovation and interoperability and reducing barriers to market.

Swift itself believes in the need for common business standards to enable interoperability of APIs for transactions, which was very apparent at Sibos this year. Following the launch of its first API in 2017, it expects many of its innovative services available on Swift to be API-native. Between 2020 and 2021, it reported an increase of 28% in the number of API calls made over Swift, growing from 2 billion calls to 2.56 billion. It also provides access to open APIs through its enhanced Platform Partner Programme that allows access to new capabilities offered by fintech and technology providers.

Banks are realising that open banking will be of fundamental importance for how customers interact digitally and need to approach and manage APIs as a channel rather than a system interface, in line with their existing core channels. To achieve this successfully, the industry needs to lobby for universal standards, reduce barriers to new entrants and ensure that their customers not only benefit from enhanced products and services, but are also protected.

About the author

Ouliana Smith is a senior research analyst in Omdia’s Enterprise IT Financial Services Technology team and has 10 years’ experience in financial services. Since joining Omdia in 2022, she has focused on digital transformation in retail banking and fraud solutions with a strong interest in alternative payments.

Ouliana started her career as an associate analyst with Datamonitor, now GlobalData, a global market intelligence provider, where she specialised in cards and payments before later moving into wealth management.

Ouliana holds a first-class honours degree in mathematics from Coventry University and an upper-second-class honours degree in art history from the Open University.