Uber is the biggest taxi company in the world, yet owns no vehicles; Airbnb provides accommodation to millions without owning a single property. Welcome to the world of platform businesses. They create value by matching large, scalable networks of users with the precise resource they require, and exploiting the power of cloud computing to do this seamlessly. Their growth in recent years has been astonishing, with revenues hitting US$19trn in North America (led by Apple, Google and Amazon), and US$23.5trn in Asia (led by Tencent and Alibaba). Enterprise resource planning (ERP) provider SAP dominates the European performance of US$19.5trn.¹

Now, it’s the banking industry’s turn to embrace “platformication”. We have seen how the European Commission gave banks their initial push towards the new platform economy, in the form of open banking driven by Payment Services Directive 2 (PSD2).² From September 2019, banks must open up their data and systems to third parties – whether other banks or fintech firms – and they will do so using application programming interfaces (APIs). 

Whether banks build this new API ecosystem in the cloud – leveraging its ability to collaborate and deploy remotely in real-time – remains to be seen. Regardless, the potential of cloud technology to transform more broadly is significant, providing the on-demand and flexible computation power, storage and advanced tools necessary to underpin banking innovation. Indeed, many see the cloud – public, private or a hybrid – as the building block for innovation around API, distributed ledger technology (DLT) and artificial intelligence (AI) – all of which require computing power and capacity beyond the infrastructure of most banks.

Industry practitioners seem to agree they are currently on a journey, the object of which, says John Gibbons, Head of Global Transaction Banking at Deutsche Bank, is “to provide an easy-to-use, seamless customer experience, with new digital services offered across a broad number of touchpoints”.³ “The need for this”, he continues, “has never been greater.” But this is a marathon, not a sprint. To ensure that open banking solutions are tested properly, secure and built for purpose, it is essential to start with baby steps, “first crawling, then walking, and finally running”, according to Thomas Nielsen, Deutsche Bank’s GTB Chief Digital Officer.⁴ This is a journey, he says, that will “require the embrace of new technologies and IT infrastructures, the establishment of defined rules on how data is governed and made secure – especially cross-border – and cultural change”.

At EBADay 2018 Claus Richter, Head of Cash Management Customer Solutions at Nordea, explained how he divides this journey into four key stages (exponents of stages 2–4 are shown in parenthesis):

1. Regulatory compliance.
2. Opening up bank platforms to competitors and their products (Netflix).
3. All parties leveraging and monetising each other’s data and products (YouTube).
4. Creating an ecosystem value chain that moves beyond just offering traditional banking products (Amazon).⁵

As with any major industry change, each stage should ideally be further supported by regulation where gaps or asymmetries are identified in the regulatory framework, to ensure that corporates, banks and fintech firms can all compete on a level playing field in a transformed financial services ecosystem.

There is no doubt that open APIs hold great potential for both corporates and their banks. Many corporates are already eyeing up the opportunities they will have to reduce payment costs, increase security, and speed up settlements. They will have the chance to automate large parts of their banking, integrating it directly into their workflows (see Figure 1), while banks and fintech firms will enjoy enhanced opportunities to develop new products and services.

For banks, once they are sufficiently API-enabled, the next question is whether to develop new solutions in-house using those APIs or partner with fintech firms as and when required to build end-to-end solutions. The Apple app store iTunes model is a clear example of where banking could go – while Apple provides the core platform (iPhone and iOS), it also enables developers to create a new ecosystem of applications and functionality around it – leveraging the APIs exposed by the iOS platform.

Cloud computing has been one of the most disruptive forces in the technology industry over the past decade – driving down costs, generating flexibility and, crucially, providing the building blocks for innovation and collaboration. At the same time, public clouds and multi-cloud environments have allowed customers to choose their optimum combination of providers and services.

US$23.5trn
Asia platform corporate revenues 2016

The key to realising this potential in banking (where comfort zones gravitate towards the bespoke security and governance designed into private clouds), is an enabling and responsible regulatory treatment of these technologies. However, the US Treasury Report Nonbank financials, fintech and innovation makes the point, “Financial services firms face several regulatory challenges related to the adoption of cloud, driven in large part by a regulatory regime that has yet to be sufficiently modernized to accommodate cloud and other innovative technologies.”⁶

On 3 July 2018, the European Banking Authority (EBA) concurred with this perspective in a report on “the impact of fintech on incumbent credit institutions’ business models”.⁷ It observed that while many banks have already altered existing processes to account for technology such as mobile banking and biometrics, they were still in the “exploratory stage” of implementing the “second wave” of technologies comprising cloud, big data, AI and DLT.

Exploration is rarely without risk, and the cloud is no different. Harnessing its potential requires solutions to concerns around data protection and location, security issues and concentration risks. 

While technology and public perception have both moved on, the outdated belief that systems and data can only be secured close-to-hand endures in the form of certain regulatory restrictions on data location and replication. In fact, restricting data storage to a single location increases security risks and costs, leaving it vulnerable to natural disaster, intrusion and surveillance. The Information Technology and Innovation Foundation notes that “dozens of countries have erected barriers to cross-border data flows”.⁸

While the EC proposal on the free flow of non-personal data⁹ relating also to cloud services is a step in the right direction, many issues still remain. There is clearly some way to go in the greater harmonisation of EU regulation and local implementation.

Data location restrictions are not the only hurdle on this four-stage journey (see above). In its final report and recommendations on outsourcing to cloud services providers¹⁰ the EBA requires financial institutions not just to know where their data is physically, but also to be able to access and audit it. This would not only mean cloud service providers (CSPs) disclosing their data sites’ locations but also inviting access. Such broad and unrestricted access introduces potential security risk to the CSP and the outsourcing institutions (and outsourced data), and thus could work against the original objective of the regulation.

“Respondents also indicated that the added value of access to physical locations was rather low in cloud technology environments, where data is physically and geographically dispersed across many systems, data centres and countries,” says the EBA report. It continues, “Logical access to the data and a virtual audit of data would be much more relevant to ensure that the appropriate controls were in place.”

Given a CSP has many clients, compliance with regulatory requirements to maintain physical access audit rights might be a challenge – how would a CSP support broad rights of access and audit in practice for thousands or millions of their clients? At the very least, differing interpretations of these regulations can complicate and slow negotiations between banks and CSPs.

The EBA recommendations on cloud outsourcing (28 March 2018)¹¹ recognises alternative ways for financial institutions to provide acceptable levels of assurance, by using pooled audits or third-party certification. While these are welcome, another solution would be the wider use of industry certifications, such as ISO, as an alternative to direct oversight. Such certifications would ensure a proper level of oversight and due diligence by the CSP over its subcontractors, and allow cloud users to demonstrate compliance by using only providers with certified supply chain governance practices.

The Berlin Group, a European Standards Initiative with 45 members from more than 22 countries, recognises that a minimum level of API standardisation is going to be essential to bring about wholesale change and buy in. According to their website, its NextGenPSD2 Framework Version 1.0 “offers a modern, open, harmonised and interoperable set of APIs as the safest and most efficient way to provide data securely”.¹²

For these standardisation efforts to progress, Shahrokh Moinian, Global Head of Cash Products, Cash Management, at Deutsche Bank stresses that “market participants should co-operate, adopt best practice and align themselves with developing common global standards.” For banks, this “goes far beyond mere regulatory compliance.” He notes that the greater the efforts market participants make now to get up to speed on open API development and stay abreast of evolving global standards, the more open, competitive and efficient the global market for API-facilitated services will become.

To safeguard against fraud and keep data safe, banks must also be able to verify that third parties accessing their customer data, or initiating payments, are authorised. A good way of doing this is a reliable central register, listing all licensed third-party providers (TPPs) across all member states. EBA clearing subsidiary PRETA’s Open Banking Europe is building just a central, standardised repository of TPPs’ contact information for banks, and banks’ operational information for TPPs, collated from local competent authorities – although it is not yet clear whether it will cover all EU jurisdictions. Where no regulatory confirmation of third party identities and credentials is available in real time, another independent and reliable source is needed. One thing is clear: to ensure certainty, any such register must record and be updated in real time.

Regulation may encourage or inhibit the industry’s current journey. “Ultimately, we need to ensure that the current and future legislative frameworks are adapted to the digital reality,” comments Noémie Papp, Head of Digital & Retail at the European Banking Federation (based in Brussels and Frankfurt). But, she underlines, regulatory bodies should take their cue from technology, and allow new business models to develop, rather than prescribing how individual technologies should be used.

It is a delicate balance.

Polina Evstifeeva is Head of Regulatory Strategy at Deutsche Bank’s GTB Chief Digital Office

Sources

¹ G. Parker, M. Van Alstyne, S. P. Choudary, Platform Revolution: How Networked Markets Are Transforming the Economy—And How to Make Them Work for You (2016)
² See Are you PSD2-Ready? A guide to the latest information and sources of support at corporates.db.com
³ 15 May 2018 when Deutsche Bank acquired Quantiguous Solutions in Mumbai. See https://bit.ly/2Ih1PYg at db.com
⁴ An approach echoed in his flow H1 2018 article, ‘Tuning up’. Read more here on pages 66-67
⁵ Observations made at EBAday, June 2018. See https://bit.ly/2wnMNHk at db.com
⁶ See page 50 of the report at https://bit.ly/2n1wsDX at treasury.gov
⁷ See https://bit.ly/2KMcqI6 at eba.europa.eu
⁸ See https://bit.ly/2p4Jz6N at itif.org
⁹ See https://bit.ly/2xJZXkB at ec.europa.eu
¹⁰ See https://bit.ly/3MdRfxr at eba.europa.eu
¹¹ See https://bit.ly/2LkuAQG at eba.europa.eu
¹² See https://bit.ly/2NgMwO0 at berlin-group.org