Interview: From Open Banking playground to practice...


Open Banking World Congress partner, ForgeRock, recently launched Open Banking Sandbox as a Service.  We caught up with their Head of Financial Services & Regulatory, Nick Caley, to discuss compliance, APIs and opportunities... 


The enforcement deadline for PSD2 RTS compliance is 14 September - less than six months away. Do you think everyone's going to make it? What's your experience of how long it's taking to get APIs from testing to production-ready?

It is fair to say that many banks are far from ready for the September deadline - the fact that so many banks were unprepared for the most recent significant stage of PSD2 in March only reinforces that fact. The 14th March deadline to implement testing facilities for APIs was the first real test for banks to demonstrate material progress in their Open Banking journeys, and many missed that deadline, giving their competition a head start and signalling their unpreparedness to the wider market. But the good news is that there is still time for those who were not prepared for the March deadline. Our compliance-ready, managed Sandbox allows banks to deploy a testing facility in a short space of time so they can focus on getting their APIs production-ready ahead of September.

Of course, it’s also important to note that some banks - like HSBC, BBVA, and Lloyds - have prepared a great foundation. And, generally speaking, the UK’s Open Banking model with OBIE and CMA centrally coordinating implementation has been successful, which is why the model is being emulated in other countries such as Australia and New Zealand.


You already have several European banks using the sandbox. Do you have a sense of what issues are proving to be the biggest challenges?

Banks have a lot to consider when it comes to fully embracing Open Banking. The banks ForgeRock has been working with all want to improve the experience they can provide to customers, but they are faced with serious obstacles: siloed data across multiple legacy systems and departments as well as an outdated approach to authentication.


One of the concerns raised with open banking is that fintechs need to be able to connect to a whole host of different banks' APIs. Is RTS driving a greater degree of API standardisation?

RTS is driving API standardisation across the board. Significantly, we are already seeing glimpses of this among the larger banks, with several launching account aggregators recently. The pressure to continue on this path of standardisation will only increase as the deadline approaches because banks have a massive commercial incentive to standardise APIs. The potential to aggregate data from customer accounts at other banks into one place, providing both the bank and customers with a single view of their financial information, is immensely valuable for all parties.


For banks that have got over the 'compliance' hurdle, where do you see the most interest and potential in terms of future developments?

As the trusted custodians of banking data and the customer relationship, PSD2 gives banks an unrivalled opportunity to add value for their customers, even becoming the digital service provider of choice, over and above fintech. However, this is an opportunity that must be seized quickly and embraced by banks wholeheartedly to compete with other banks and fintechs. This will undoubtedly become the focus of competition and differentiation in the banking sector in the years ahead.


Two of the most interesting developments I think we will see in the near future are behavioural biometrics and voice-enabled banking. Both have the potential to deliver on banks’ vision for intuitive, secure digital services and experiences that are personalised to the customer, offering far greater insights and advice.


Looking at it from the other side, do you have a sense of where fintechs are at in this process? Is RTS compliance going to be the thing that really gets open banking going?

Fintechs are less risk-averse than banks and, by their very nature, can be more single-mindedly focused on innovation. Many of these new players in Financial Services are dictating the terms of customer experience with real-time spending insights, easy onboarding and marketplaces of additional apps.  


Even though banks have been slow to embrace Open Banking, this has been gradually corrected by the behavioural changes in the financial services sector created by the push for RTS compliance. The RTS has helped to facilitate an environment which is more conducive to modernisation and bold thinking around simple, secure customer-focused services.


Importantly, fintechs will be watching developments at banks closely, looking for signs that they are embracing RTS-inspired innovation. In short order, they will quickly gravitate to those banks that are easiest to work with - like those who have developer sandboxes in place now or in the near future. Combined with the scrutiny of regulators, this should provide banks with a strong incentive to meet and exceed their obligations under the RTS and give Open Banking the boost it needs to integrate further into mainstream consumer products and services.


If open banking is going to work, API quality and availability are going to be essential - to an extent, going beyond the RTS requirements. Are you seeing platform performance becoming more robust?

With so much promise of growth and opportunity for newly regulated fintechs, there will be little acceptance of poor quality and poorly performing APIs that are made available under the demands of PSD2. Beyond the regulatory driven tests by National Competent Authorities, the expected access via dedicated interfaces for AISPs and PISPs will be thoroughly examined by fintechs whose consenting customers are expecting positive outcomes.


Already there is a varied response to the requirement for a testing facility to be available 6 months prior to the September deadline for RTS enforcement. Significant numbers of incumbent banks have not provided APIs for testing and in some cases those that have are not compliant with PSD2. This will continue to be the case for some time and will enable the first movers to gain advantages as these ASPSPs typically want to compete and not just comply. It also makes a number of new services that monitor API availability and performance all the more relevant.


It is also true that PSD2 requires only a subset of the data that could be accessible via APIs connecting with accounts that are not part of the law currently. This is a very real opportunity for banks to extend value to their customers, as they form new propositions and partnerships to better serve the life events that would benefit from less time taken, less duplication and less manual effort.  


The Sandbox is a cloud-based solution. Is that presenting any issues for banks that have concerns about cloud? 

Certainly, the banks are all rightly focused on the security of this developing ecosystem and an increasing adoption of public cloud services is an additional factor. When it comes to the Open Banking Sandbox, operated as a cloud-hosted managed service, the banks have rightly asked all the questions on the required level of security for this test and development capability. Factors such as the regulated access by authenticated endpoints of validated TPPs and the mock data provided for testing purposes have certainly helped address the concerns typically raised with a move to a cloud service. That said, the Open Banking Sandbox Service is robust, resilient and highly available to ensure that the expected experience is being delivered to the TPP developer community.

