The release in August 2016 of the long-awaited Competition and Markets Authority (CMA) report into the provision of retail and small to medium-sized enterprise (SME) banking services in the UK disappointed those expecting radical intervention. However, the report will nevertheless create an implementation headache for the industry, and one with potential political ramifications.
The CMA has ordered the creation of an open API standard for UK banks by 1Q18
In its report, the CMA concluded that "the discipline imposed by customers on banks through switching and the threat of switching is not as strong as it should be," and has consequently identified several remedies. An open API standard, to enable customers to provide third parties with access to their account information, is the most eye-catching from a technology perspective. To a great degree, this builds on the work already done by the Open Bank Working Group in 2015/16 to begin to identify the necessary technical roadmap to achieve an open API standard.
The CMA's focus is to deliver on one of the most commonly cited use cases from externally facing APIs, which is to facilitate more accurate comparisons across providers based on a customer's individual requirements. In addition, enabling the more straightforward viewing of an entire financial position held across multiple providers via a single portal is also something which, it is believed, would catalyze competition.
As a result, UK banks currently face delivering APIs based on two standards in 2018
One interesting implication of this is that, as things stand, UK banks face the need to comply with two potentially conflicting API standards in 2018. The EU's second Payment Services Directive (PSD2) requires all banks in the EU to create two sets of APIs available to authorized third-party payment service providers (PSPs), one making account information available and another enabling payment initiation. The key distinction is that APIs under the PSD2 are not designed to be open to all users, but will only be available to the third parties that achieve the requisite level of accreditation. The benchmarks and framework for this, alongside the technical standards for implementation, are currently being developed by the European Banking Association.
This is a challenging requirement for banks, and may take on a political dimension
There are a number of challenges for banks around creating APIs for third-party use. In addition to the complexities of delivering externally facing APIs from potentially multiple underlying products and other systems, the potential for unpredictable spikes in database queries will be difficult to manage and may increase the risk of service outages. At the same time, there are very real questions to be answered around security, customer education, and how end users can manage the way in which their API access is used.
For UK banks, the need to deliver the API requirements from the CMA and for PSD2 in early 2018, at the same time as the delicate process of ring fencing (for the banks with investment divisions) and other regulatory requirements, will introduce considerable risk. Harmonization of the CMA and PSD2 approaches, particularly around standards, would appear to be a necessary step. At the same time, the outcome of what may be a conflict between UK and European regulation could take on a political dimension.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.