Humayun Khan
CEO, AxEdge Consulting
Agenda – Open Banking Capability
Copyright © 2019 AxEdge Consulting. All rights reserved.
Digital disruption in the financial services sector
New regulations are forcing banks to open up their business model and rethink their product
and distribution strategies in the digital era.
Background
Open Banking Standards is an initiative started by HM Treasury to promote innovation and competition in EU banking. The high-level recommendation for the Open Banking Standard is that bank data, including product and service information and customer transaction information, should be made available to third parties through APIs in a secure and controlled way.
PSD2 will be expected to be implemented as law across all 28 EU member states within two years. PSD2 RTS implementation follows 18 months after enforcement by the European Commission.

PSD2 timeline:
• October 8th – European Parliament adopted the draft PSD2
• January 12th – PSD2 came into force
• Q2 2016 – Establish OBIE**, complete industry consultation
• January 13th – EBA will release draft RTS for strong customer authentication & security measures
• July 13th – EBA will release guidelines for establishment, implementation & monitoring of the security measures
• January 13th – Deadline for member states to transpose PSD2 as law across all 28 EU member states
• July 13th – PSD2 compliance attestation by local authorities and entry into the PSD2 register
PISP and AISP services will change the way in which customers engage with their bank and payment providers.
What is an API?
• APIs used internally to facilitate the integration of different applications and systems used by a company.
• APIs used to facilitate communication & integration of software between a company and its business partners.
• APIs used to publicly expose information to third parties who may not have a business relationship with the company.

APIs are used to:
1. Offer access to a user experience (e.g. Salesforce, Netflix, Spotify, YouTube, Facebook, Amazon)
2. Enable delivery of a service or product (e.g. Amazon, Walgreens, Skype, Google Maps)
AxEdge Consulting Open API Capability Model is based on best practices and experiences across the industry in designing, building and executing 100+ engagements globally.

1 STRATEGY & PROPOSITION
API Strategy
• Analysis & Prioritisation
• Revenue Stream Analysis
• Business Case
• Services Bundling
• Monetisation
Use Cases
• Identification
• API to Use Case Mapping

2 API TECHNOLOGY & ARCHITECTURE
API Architecture
• Reference Architecture
• Standards & Guidelines
• Security
Infrastructure
• Design and Deployment
API Management Technology
• Identification
• Design and Deployment

3 API MANAGEMENT FRAMEWORK
Governance & Operating Model
• API Governance
• API Operating Model within Bank
• Industry Working Group Operating Model & Methodologies
Stakeholder Management
• Program Management
• Metrics & Reporting
API-enabled business models will present a number of benefits and opportunities for banks, particularly for ‘first movers’.

RAPID INNOVATION
• In-house innovation
• 3rd Party Innovation

Partners: • Trusted Partners • AISPs, PISPs, TPPs • FinTechs
Propositions: • New value-added apps • Improved customer propositions
Distribution: • Banking App store • 3rd party apps and portals on public app stores
Revenue: • 3rd party pays per use • 3rd party gets paid per use • Indirect Monetisation
Financial institutions have to provide the regulated APIs free of charge. Monetisation models for any APIs beyond those mandated by PSD2 (and other local regulations) are at the FI’s discretion and based on market demand.

Open API Revenue Models*: Free, Developer Pays, Developer Gets Paid, Indirect
The following diagram illustrates the scale and breadth of impact. Impact key: High, Medium, Low.

API ECOSYSTEM: PISP / AISP, TPPs, FinTechs, Developers, Regulator

STRATEGY (Change) – Identification, Architecture, Prioritization, Demand Management, API Strategy, Infrastructure, API Organisation
Aligns API strategy and API Organisation to overarching digital strategy; ensuring business and technology leaders are collaborating across API consumer channels to achieve defined objectives.

API CHANNEL & CONSUMER MANAGEMENT – Adoption, Developer Experience, Evolution
New API Channel: understands consumer priorities, supports strategic & innovative thinking through clear communications and collaboration. Filters customer feedback and manages expectations on development and delivery of API Products and developer capabilities.

API LIFECYCLE MANAGEMENT (Run) – DevOps, API Delivery, Design, Build, Tooling, Test, Deploy
Development of new APIs on the API Gateway. Use of DevOps processes and procedures that enable industrialised development through a defined API lifecycle management methodology. Ensures adequate testing processes, skills and tools are in place for API and API Platform testing.

API OPERATIONS & SUPPORT – API Support
Defines operational processes and procedures to effectively support the API Gateway and DevOps tooling. Seamlessly deploys reliable APIs and provides end-to-end operational support for their usage. Manages to defined service / operational level agreements. Drives to improve quality and efficiency through unrelenting focus on continuous improvement, using analytics.

MONETISATION – Model Selection, Pricing & Billing, Usage Tracking
New Monetisation Models: model selection, management and administration of monetised APIs (e.g. billing, usage tracking).

SECURITY MANAGEMENT – Cyber Defence, Compliance & Risk, Identity & Access Management, Authentication
New API Security Management Capabilities: need to protect against new attack methods. API Key Management to control who is allowed to access which APIs.

(G)OVERNANCE
Lightweight API (g)overnance: governs how APIs are developed and ensures standards are followed.
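The API Key Management capability above ("control who is allowed to access which APIs") as an added example; this is not AxEdge Consulting code nor any product's implementation. It assumes a gateway that holds a registry of issued keys (stored only as SHA-256 digests) mapped to the registered TPP and the APIs it may call, and that writes an audit trail of allow/deny decisions. The TPP names, API names and keys are constructed for illustration.

```python
"""API key management at an API gateway: who may call which API.

Added example, not code from AxEdge Consulting or any product. A registry
maps each issued key (stored only as a SHA-256 digest) to the registered
third-party provider and the set of APIs it is allowed to call; the
gateway authorises every call against that registry and keeps an audit
trail of allow/deny decisions. TPP names, API names and keys are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class RegisteredClient:
    tpp_name: str
    allowed_apis: frozenset   # API names this client may call, e.g. {"accounts:read"}
    revoked: bool = False


class ApiKeyRegistry:
    def __init__(self):
        self._clients = {}    # key digest -> RegisteredClient
        self.audit = []       # (decision, reason or tpp, api_name) tuples

    @staticmethod
    def _digest(api_key):
        # The raw key is never stored; a leaked registry does not leak usable keys.
        return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

    def issue(self, tpp_name, allowed_apis):
        """Register a TPP and return its freshly generated key (shown once)."""
        api_key = secrets.token_urlsafe(32)
        self._clients[self._digest(api_key)] = RegisteredClient(
            tpp_name, frozenset(allowed_apis))
        return api_key

    def revoke(self, api_key):
        client = self._clients.get(self._digest(api_key))
        if client is not None:
            client.revoked = True

    def authorise(self, api_key, api_name):
        """Gateway check: True only for a known, unrevoked key with that API in scope."""
        client = self._clients.get(self._digest(api_key))
        if client is None or client.revoked:
            self.audit.append(("deny", "unknown-or-revoked-key", api_name))
            return False
        if api_name not in client.allowed_apis:
            self.audit.append(("deny", client.tpp_name, api_name))
            return False
        self.audit.append(("allow", client.tpp_name, api_name))
        return True


def demo():
    """Constructed scenario: an AISP key may read accounts but not initiate payments."""
    registry = ApiKeyRegistry()
    aisp_key = registry.issue("Example AISP Ltd", {"accounts:read", "balances:read"})
    results = {
        "aisp_reads_accounts": registry.authorise(aisp_key, "accounts:read"),
        "aisp_initiates_payment": registry.authorise(aisp_key, "payments:initiate"),
        "unknown_key": registry.authorise("not-a-real-key", "accounts:read"),
    }
    registry.revoke(aisp_key)
    results["after_revocation"] = registry.authorise(aisp_key, "accounts:read")
    results["denials_logged"] = sum(1 for d in registry.audit if d[0] == "deny")
    return results


if __name__ == "__main__":
    print(demo())
```

The scope check is per API name rather than per key alone, so an AISP registered for account information cannot reach a payment-initiation endpoint with the same credential, and every denial lands in the audit list for the security monitoring the slide calls for.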
For crafting an industrialized open API capability, financial institutions need to
give careful consideration to several important technical aspects
1 SECURITY AND DATA ACCESS
Security is essential.
• Digital Identity
  • Customer Authentication (OAuth 2.0, OIDC, Biometrics, …): which standard to authenticate customers?
  • TPP & ASPSP Authentication: how to authenticate Third Party Providers (TPPs)? (via registration authorities?)
• Secure API Development Practices

2 ARCHITECTURAL STANDARDS
BANK PSD2/CMA OPPORTUNITY
• PSD2 APIs, but also enabling existing and future APIs and channels
• Developer and Management portals for interacting with FinTech and monitoring usage.
• Identity and Access Management module allowing full delegation of PSD2 IAM, including OAuth and Customer Consent.
• Integration with the bank's IAM or a migration path to more modern IAM
• Retain existing consumer credentials
(Diagram: bank channels Web, Mobile, Telephone, Branch and third parties TPP AISP, TPP PISP, FinTech, Partner reach the bank's Accounts and Payments systems through the Open API layer, API Management and IDM.)

3 API MANAGEMENT SOLUTIONS
An API Management Layer allows self-serve registration and instant API access, sandbox testing environments, documentation, usage analytics and much more.
• RESTful API design
• API Documentation
• API Security Mediation with OpenID and OAuth
• Developer Enablement
• Traffic Management
• Prevention against attacks
• API Versioning approaches
• Lifecycle Management
• API Governance
• Identify and Define the right API Monetization model
• Automation for API Development and Deployment
• API Testing
• Scaling the new high

Capabilities Required for API Enablement
• API Security
• Secure, Reliable and Flexible communication
• API Lifecycle Management
• Measure and Improve Business Values
• Integration with Backend systems
• DevOps
• Scalability, Recoverability and Resilience
• Operations

Challenges for API Enablement – a different way of interacting with the world
• Exposing APIs in an effective way requires businesses to implement many functions not available in the SOA world.
• This is particularly acute in security, classification and production of services, developer services (onboarding, self-service) and analytics.
• Integrated, purpose-built, off-the-shelf products satisfy these needs and produce massive savings over in-house build.
INFRASTRUCTURE AND HOSTING
• Private Cloud: internal API gateway components, API Management Portal and “New IT” components run on private cloud; they can also be brought on-premise if the client requires.
• On Premise: legacy systems are assumed to be on-premise by default (Transactions, IDM, Accounts, Payments, Ref data, Product Data, ...).
• NEW IT: DevOps, Identity and Access, PaaS / Microservices, Data Store and Streaming from Legacy Systems.
External drivers and forces – DRIVING TECHNOLOGY
Separation of Responsibility
Takeaways

Streaming and delta updates have taken up to one-third of the total resource expenditure in the framework
• Complex recovery/disconnect/reset/reconnect scenarios

Throttling and business protection is a MUST on the endpoints
• APIs get abused/misunderstood and misused, both by accident and by intent

Session State
• Necessary for your throttling strategy
• User-specific vs. session-specific strategy
• Handling state of the underlying systems
• Managing and controlling subscriptions
• Avoiding IO/cross-process jumps to utilize the speed of RAM

Security
• On one hand more openness is available to “hackers”; on the other hand it is more of a TOP priority
• Built on Open Standards/Frameworks endorsed by OBS.
• Boundaries pushed by giants like Facebook, Google (that have more surveillance features, detection of suspicious activity and maybe do not carry financial data etc.)
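The throttling and session-state takeaways above, as an added example; this is not AxEdge Consulting code. It assumes an in-memory token-bucket throttle whose key strategy is either per user (all of a user's sessions share one budget) or per session (each session gets its own), with an injectable clock so the behaviour can be replayed deterministically and a per-key rejection counter for spotting the accidental or intentional abuse the slide mentions. Capacities, identifiers and the request sequence are constructed.

```python
"""Endpoint throttling keyed per user or per session, held in RAM.

Added example, not code from AxEdge Consulting or any product. Each key
gets a token bucket; the key strategy decides whether all sessions of a
user share one budget ("user") or each session gets its own ("session").
Buckets live in a process-local dict, so the check costs no IO or
cross-process hop. Capacities, identifiers and traffic are constructed.
"""
import time
from collections import defaultdict


class TokenBucket:
    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def try_take(self, now):
        """Refill by elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Throttle:
    def __init__(self, capacity, refill_per_sec, key_strategy="user", clock=time.monotonic):
        if key_strategy not in ("user", "session"):
            raise ValueError("key_strategy must be 'user' or 'session'")
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.key_strategy = key_strategy
        self.clock = clock                 # injectable for deterministic replay
        self.buckets = {}                  # session state, kept in memory
        self.rejected = defaultdict(int)   # per-key rejection counts for abuse monitoring

    def _key(self, request):
        if self.key_strategy == "user":
            return ("user", request["user_id"])
        return ("session", request["session_id"])

    def allow(self, request):
        now = self.clock()
        key = self._key(request)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.refill_per_sec, now)
        ok = bucket.try_take(now)
        if not ok:
            self.rejected[key] += 1
        return ok


def simulate(key_strategy, capacity=3, refill_per_sec=1.0):
    """Constructed traffic: one user with two sessions, four calls each at the
    same instant; then one more call from the first session two seconds later.
    Returns (decisions for the burst, decision for the late call)."""
    clock_value = [100.0]
    throttle = Throttle(capacity, refill_per_sec, key_strategy, clock=lambda: clock_value[0])
    burst = [{"user_id": "u1", "session_id": s}
             for s in ("s1", "s1", "s1", "s1", "s2", "s2", "s2", "s2")]
    decisions = [throttle.allow(r) for r in burst]
    clock_value[0] += 2.0   # two tokens refill per bucket at 1 token/sec
    late = throttle.allow({"user_id": "u1", "session_id": "s1"})
    return decisions, late


if __name__ == "__main__":
    for strategy in ("user", "session"):
        print(strategy, simulate(strategy))
```

With the user strategy the second session is rejected immediately because the user's single budget is already spent; with the session strategy each session gets its own three calls. Which of the two protects the backend is exactly the "user vs. session" choice the takeaway raises: per-session keys are friendlier to legitimate multi-device use but let one user multiply their budget by opening sessions.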
Challenge 1 – What really is the compliance scope and its deliverability?
With different regulators, the definition of compliance for January 2018 is still under much discussion. In addition, depending on the products provided and the digital channels they are delivered on, there is a further deliverability consideration.
(Diagram: OB Restricted PSD2 Scope, PSD2 Scope, OB Extended PSD2 Scope)
Investment in regulatory change has not always realised intended adoption rates – PayM, 7 day account switcher. Therefore all are finding a balance of scale of investment against the technical and organisational capabilities to be able to react quickly.
(Diagram: API ecosystem capability map. Terms shown: Partner API Ecosystem, FinTech Hackathons, Outside-in, Governance, Relationships, IoT Development, Agile @ Scale, Bank Partner APIs, API Ecosystem Governance, Ecosystem Engagements, API Marketplace, Hybrid Cloud, Cloud, Bank Open APIs, Developer API Curation, Artificial Intelligence, Security, Existing Channel APIs, Microservices, Data Hub, Cache, Private APIs, API Product Roadmap, Developer Community, Data Capabilities, CMA2/PSD2, Enterprise Services APIs, API Gateway, API Integration.)