How Banks Are Using APIs to Balance Security and Openness

By Tyler Mondres

Technology and widespread smartphone adoption are fundamentally changing the ways customers access financial services. Banks and technology firms are increasingly offering digital services that help customers more effectively track and manage their finances. As customers use these digital services, they are creating an unprecedented amount of data. This data can facilitate the creation of new banking products and services and has created a market for consumer financial service data. To enable customers to access these services, banks are actively developing ways to facilitate safe and secure data transmission via application programming interfaces, or APIs, which allow different software components to communicate and exchange information. For example, the Facebook API enables companies to let their users “sign in via Facebook.”

API data portals

Some banks have formed individual partnerships with data aggregators and third-party service providers to facilitate secure data transmission. For example, in early 2017, both J.P. Morgan Chase and Wells Fargo announced data sharing agreements with Intuit. These agreements will enable customers to authorize their banks to securely share their personal financial data with Intuit’s financial management applications—without forfeiting their username and password. Customers will first be required to authenticate their identity to the bank to verify the request. After authentication, a one-use token will be issued to allow Intuit to access the data via an API. Tokenization is used to protect sensitive account credentials, and customers have the ability to revoke access at any time.

The creation of a secure portal allows customers to share their data with third parties more securely. The legacy practice known as “screen scraping” requires customers to forfeit their online banking username, password and other account access credentials, exposing them to risk should the third party be compromised: whoever holds those credentials holds the same access the customer has. APIs can instead provide data aggregators a secure, “read only” connection to retrieve data from a customer’s account, so the customer retains control of their data.
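The flow described above (customer authenticates to the bank, a one-use token is issued to the third party, access is limited to read-only scopes, and the customer can revoke at any time) can be made concrete with a small model. The following is an added illustration, not code from Chase, Wells Fargo, Intuit or any other firm named in this article; the class and scope names, the `payments:write` scope used to show a denied money-movement attempt, and the sample customer data are all constructed assumptions. It follows the general authorization-code pattern (one-use code exchanged once for a scoped access token) rather than any particular bank's implementation.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Scopes a customer may delegate (assumed names). Only read-only scopes exist,
# so a delegated token can never authorise money movement, unlike a shared
# password, which carries every permission the customer has.
DELEGABLE_SCOPES = frozenset({"accounts:read", "transactions:read"})


@dataclass
class Grant:
    customer_id: str
    third_party: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class BankAuthorizationServer:
    """Constructed bank-side authorization service; not any real bank's API."""

    def __init__(self, credentials, token_ttl=3600):
        self._credentials = credentials   # customer_id -> sha256 hex of password
        self._codes = {}                  # sha256(one-use code) -> pending Grant
        self._grants = {}                 # sha256(access token) -> Grant
        self._ttl = token_ttl

    @staticmethod
    def _fingerprint(secret):
        # Only hashes are stored: a leaked table does not yield usable tokens.
        return hashlib.sha256(secret.encode()).hexdigest()

    def _authenticate(self, customer_id, password):
        stored = self._credentials.get(customer_id)
        return stored is not None and hmac.compare_digest(stored, self._fingerprint(password))

    def authorize(self, customer_id, password, third_party, scopes):
        """Step 1: the customer authenticates to the bank (never to the third
        party) and approves a scope set. Returns a one-use authorization code."""
        if not self._authenticate(customer_id, password):
            raise PermissionError("customer authentication failed")
        scopes = frozenset(scopes)
        if not scopes <= DELEGABLE_SCOPES:
            raise ValueError(f"not delegable: {sorted(scopes - DELEGABLE_SCOPES)}")
        code = secrets.token_urlsafe(32)
        self._codes[self._fingerprint(code)] = Grant(
            customer_id, third_party, scopes, time.time() + self._ttl)
        return code

    def exchange(self, code):
        """Step 2: the third party redeems the code exactly once for an access token."""
        grant = self._codes.pop(self._fingerprint(code), None)   # pop => single use
        if grant is None:
            raise PermissionError("code invalid or already used")
        token = secrets.token_urlsafe(32)
        self._grants[self._fingerprint(token)] = grant
        return token

    def check(self, token, required_scope):
        """Resource-server check: token known, not revoked, not expired, scope granted."""
        grant = self._grants.get(self._fingerprint(token))
        if grant is None or grant.revoked:
            raise PermissionError("token unknown or revoked")
        if time.time() >= grant.expires_at:
            raise PermissionError("token expired")
        if required_scope not in grant.scopes:
            raise PermissionError(f"scope {required_scope} not granted")
        return grant

    def revoke(self, customer_id, third_party):
        """Customer-initiated revocation of every live grant to one third party."""
        hits = [g for g in self._grants.values()
                if g.customer_id == customer_id and g.third_party == third_party and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)


class AccountsAPI:
    """Constructed resource server; every call is gated on the token's grant."""

    def __init__(self, auth, ledger):
        self._auth, self._ledger = auth, ledger   # ledger: customer_id -> balance

    def read_balance(self, token):
        return self._ledger[self._auth.check(token, "accounts:read").customer_id]

    def transfer(self, token, amount):
        grant = self._auth.check(token, "payments:write")   # not delegable: always denied
        self._ledger[grant.customer_id] -= amount


def run_scenario():
    """Walk through issue -> use -> misuse attempt -> revoke; returns the outcomes."""
    auth = BankAuthorizationServer({"cust-42": hashlib.sha256(b"hunter2").hexdigest()})
    api = AccountsAPI(auth, {"cust-42": 1250.0})            # constructed sample data
    out = {}
    code = auth.authorize("cust-42", "hunter2", "aggregator.example", ["accounts:read"])
    token = auth.exchange(code)
    out["balance"] = api.read_balance(token)                 # read-only access works
    try:
        auth.exchange(code)
        out["code_reusable"] = True
    except PermissionError:
        out["code_reusable"] = False                         # one-use code is spent
    try:
        api.transfer(token, 100.0)
        out["transfer_allowed"] = True
    except PermissionError:
        out["transfer_allowed"] = False                      # scope never granted
    out["revoked"] = auth.revoke("cust-42", "aggregator.example")
    try:
        api.read_balance(token)
        out["read_after_revoke"] = True
    except PermissionError:
        out["read_after_revoke"] = False                     # customer pulled access
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes is the one the paragraph makes: the aggregator never sees the password, its token cannot do anything outside the read-only scopes the bank allows to be delegated, and the customer can end the arrangement without changing any credential. A real deployment would add transport security, token binding to the registered third party and audit logging, none of which is modelled here.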

API developer portals

In addition to partnerships, some banks are developing secure API developer portals that allow authorized third parties to access specific customer data sets in a secure, bank-controlled environment. The BBVA API Market, for example, currently offers four APIs to developers in the U.S. for applications in the areas of payments, customers, cards and accounts. The payments API allows third parties to access the services required to move money from a BBVA customer’s account. The customers API enables third parties to create, update or retrieve customer profile records. The cards API enables third parties to integrate information regarding the credit and debit cards of BBVA customers and the accounts API returns a list of customer accounts and certain details about each account. The API Market offers three additional APIs exclusively in Spain: for loans, PayStats and notifications.

Providing developers with access to APIs can benefit banks and their customers. However, the protection of sensitive customer data must always come first. To that end, banks require companies to pass a robust due diligence process to receive access to customer data. For example, in order to access BBVA’s API Market, developers have to create an account. The account gives developers access to a “sandbox” testing environment with a set of non-real user data; however, robust due diligence is required to access live customer data in the production environment. Once a company has successfully completed this process, they must receive authorization from the BBVA customer to access their information. All of BBVA’s retail APIs require customer authorization and authentication.

Through API developer portals, developers can leverage banks’ capabilities to build or improve their services. However, banks also stand to benefit from open banking systems. As more companies begin to leverage BBVA’s API Market, for instance, the number and variety of digital services available to BBVA customers could greatly increase. “The great thing about this business is that we can think up some basic uses, and build a service around those uses,” says Raul Lucas, Spain country manager for open APIs at BBVA. “But when we make it available to third parties—the ones who really know their businesses—they come up with uses which would never even have occurred to us.”

The APIs could also provide BBVA with new sources for customer acquisitions and loan originations. For example, through the loans API, third parties can inform customers when they have access to a pre-approved loan from BBVA. Additionally, the API can be integrated into the checkout process to allow customers to finance their purchase of a third party product or service at the point of sale with a BBVA loan.

APIs at community banks

While building API developer portals internally offers ultimate control over how third parties access authorized customer data and enables banks to offer access to a broader group of developers, it can be a more expensive and time-consuming option. However, technology firms exist that can provide API-as-a-service support for banks that require technological expertise related to building developer portals. Alternatively, banks can strike individual partnerships with fintech firms that are capable of integrating their services into a bank’s system via individual data portals.

Community banks that receive technology services and support from a core processor may require the coordination of their provider to enable open banking capabilities. Banks should engage in discussions with their core processors to understand what options are available for facilitating safe and secure data transmission.

Recent Bank API Developments

As more customers demand access to third party financial services, banks continue to work on methods of safe and secure data transmission. Below is a selection of developments that have occurred in the bank API space:

Capital One DevExchange. In March 2016, Capital One announced the launch of a new developer portal, Capital One DevExchange. The DevExchange currently offers four APIs: SwiftID, Rewards, Credit Offers and Bank Account Starter.

Citi Developer Hub. In November 2016, Citi launched the Developer Hub. The Developer Hub currently has eight APIs available in a closed beta: Accounts, Authorize, Cards, Customer, Money Movement, Onboarding and Pay with Points. Money Movement and Onboarding are currently listed as only available in Australia and Singapore.

J.P. Morgan Chase. In January 2017, J.P. Morgan Chase announced a data-sharing agreement with Intuit that will allow customers to authorize Intuit to download requested customer data for the purposes of their financial services, such as Mint and QuickBooks.

Wells Fargo. In June 2016, Wells Fargo announced a data sharing agreement with Xero to enable small businesses to have their account data flow directly into Xero’s accounting software. In February 2017, Wells Fargo also announced a data sharing agreement with Intuit similar to the deal announced by Chase. Wells Fargo is currently working on a “Developer Gateway.” The program is currently in beta and is only available by invitation.

About Tyler Mondres

Tyler Mondres is a research associate in ABA's Center for Payments and Cybersecurity.