
Open API in Banking sector

Humayun Khan
CEO, AxEdge Consulting
Agenda – Open Banking Capability

Sl No. Topic Slide No
1. Open Banking 4-7
2. Open API 9-14
3. Crafting an Open API Capability 16-21
4. Case Study – SAXO Trader GO / Open API 23-29
5. Challenges 31-32
6. Q&A 33
Open Banking

Copyright © 2019 AxEdge Consulting. All rights reserved.
Digital disruption in the financial services sector

New regulations are forcing banks to open up their business model and rethink their product and distribution strategies in the digital era.

PSD2/OPEN BANKING IN A NUTSHELL

European regulatory directives like PSD2 and Open Banking are acting as catalysts in driving this change.

European Commission – Payment Services Directive, PSD2
PSD2 and Open Banking are data and technology-driven directives which aim to increase competition, innovation and transparency in the Banking and Financial Services Industry.

The Open Banking Standard – Competition and Markets Authority (CMA), Payment System Regulator
In the UK, the CMA is driving access to reference and product information for current account and SME lending products, made available through APIs by Q1 2017, with further remedies for sharing data throughout 2017 going into Q1 2018.

EBA – European Banking Authority
At the core of these directives is the need for banks to grant Third Party Providers (TPPs) access to customer accounts, payments, product data and other aggregated data through APIs.


Open Banking in EU

Background: Open Banking Standards is an initiative started by HM Treasury to promote innovation and competition in EU banking. The high level recommendation for the Open Banking Standard is that Bank Data, including products and services information and customer transaction information, should be made available to Third Parties through APIs in a secure and controlled way.

Scope of Data

OPEN DATA
• ATM / Branch Locator
• Product Information
• Payment Information

CUSTOMER TRANSACTION DATA
• Account Balance
• Transaction History
• Data Attribute

CUSTOMER REFERENCE DATA
• KYC
• Anti Money Laundering
• Credit Scores

AGGREGATED DATA
• Anonymised aggregated data
  – Loan approvals to business with a SIC code
  – Cash withdrawals in a location

Open Banking Ecosystem (diagram): Customers – Third Party Providers


Open Banking CMA & PSD2 Timeline

PSD2 will be expected to be implemented as law across all 28 EU member states within two years. PSD2 RTS implementation follows 18 months after enforcement by the European Commission.

2015
• October 8th – European Parliament adopted the draft PSD2 (PSD2)
• December 23rd – PSD2 published in the EC official journal

2016
• January 12th – PSD2 came into force (PSD2)
• Feb 2016 – OBWG* Open Data & Open Banking Standards Report published
• Q2 2016 – Establish OBIE**, complete industry consultation (OB)
• Q4 2016 – Launch of Minimum Viable Product for Open Data

2017
• January 13th – EBA will release draft RTS for strong customer authentication & security measures (PSD2)
• Q1 2017 – Inclusion of Product Information onto Open Banking API
• EBA RTS adopted by the Commission and entered into force (estimate)
• July 13th – EBA will release guidelines for establishment, implementation & monitoring of the security measures (PSD2)

2018
• January 13th – Deadline for member states to transpose PSD2 as law across all 28 EU member states (PSD2)
• Jan 2018 / Q1 2018 – Customer transaction data on read-only basis; migration of MI access to Transaction History
• July 13th – PSD2 compliance attestation by local authorities and entry into PSD2 register (PSD2)

2019
• Q1 2019 – Progression towards the open banking standard’s full scope

Key: PSD2 – Payment Service Directive 2; OB – Open Banking Standards; CMA – Competition Market Authority
*OBWG – Open Banking Working Group
**OBIE – Open Banking Implementation Entity


Access to Account under PSD2 will result in new interaction models in payments and online banking

PISP and AISP services will change the way in which customers engage with their bank and payment providers.


Open API
What is an API?

APIs are redefining the BOUNDARY of traditional banking.

Channels (Web, Mobile, Branch, Contact Centre, ATM) now open onto an Ecosystem:
• A new surface
• Disintermediation from customers
• New type of product
• Disruption threat
• Opportunity

APIs have a nearly-20-year history helping progressive companies like Salesforce, eBay and Amazon transform industries, open up new opportunities and improve rewards against risks of the digital world. They are at the heart of any digital organisation and critical to the success of digital transformation.

Open Banking allows Banks to use APIs to surface externally developed products and services on their own platforms. FinTechs or developers could either sell the solutions directly to the banks in a format that enables integration via API, or run the services themselves for the banks, on the banks’ websites and apps, via APIs.

APIs ARE PRODUCTS
For many large enterprises, especially banks, releasing technology products is new. They are best designed to address a specific need in an attractive, easy-to-consume way. The more people who use the API, the larger the impact it will have.

APIs ARE STRATEGY
To be successful, Business and particularly Distribution strategy must be clearly defined. Speed and agility can ensure banks capture market opportunities. These are best gained when business and IT work together, acting swiftly and appropriately funding API-enabled opportunities.


Today APIs can reach beyond Enterprise Boundaries

By externalizing appropriate APIs, different levels of collaboration and innovation can be obtained to meet business objectives in the digital age.

TYPES OF APIs AND TYPICAL USAGE

Degree of openness:
• Internal API (integration) – Used internally to facilitate the integration of different applications and systems used by a company
• Partner API (collaboration) – Used to facilitate communication & integration of software between a company and its business partners
• Open API (innovation) – Used to publicly expose information to third parties who may not have a business relationship with the company

Typical usage:
1. Offer access to a user experience – Salesforce, Netflix, Spotify, YouTube, Facebook, Amazon
2. Enable delivery of a service or product – Amazon, Walgreens, Skype, Google Maps
3. Offer access to data – AT&T, Equifax, FedEx, PayPal


AxEdge Consulting Offerings - Open APIs

AxEdge Consulting Open API Capability Model is based on best practices and experiences across the industry in designing, building and executing 100+ engagements globally.

1 STRATEGY & PROPOSITION
API Strategy
• Analysis & Prioritisation
• Revenue Stream Analysis
• Business Case
• Services Bundling
• Monetisation
Use Cases
• Identification
• API to Use Case Mapping

2 API TECHNOLOGY & ARCHITECTURE
API Architecture
• Reference Architecture
• Standards & Guidelines
• Security
Infrastructure
• Design and Deployment
API Management Technology
• Identification
• Design and Deployment

3 API MANAGEMENT FRAMEWORK
Governance & Operating Model
• API Governance
• API Operating Model within Bank
• Industry Working Group Operating Model & Methodologies
Stakeholder Management
• Program Management
• Metrics & Reporting

4 API ENABLEMENT & BUILD
Initial Set-up
• Design Patterns
• Shared identity
• Security
• Environment set-up
Agile Sprints
• Design, Build
• Test, Document
• Beta Launch

5 ECOSYSTEM ENGAGEMENT
API Marketing
• Hackathons
• Events & Focus Groups
• Innovation Days
API Sandbox
• Developer & Portal
• API Catalogue
• Stubbed Developer Portal
• Reference Apps
Partner Management
• Identification & Engagement
• Onboarding
• Legal and Contractual Framework

6 LIFECYCLE MANAGEMENT
Service Delivery
• Go Live & Production Release
• Release Management
Service Support
• Support
• Incident Management
• Analytics & Dashboard
• Optimisation & Analytics
• API Performance


Open API-enabled business will offer new opportunities

API-enabled business models will present a number of benefits and opportunities for banks, particularly for ‘first movers’.

BENEFITS AND OPPORTUNITIES

RAPID INNOVATION
• In-house innovation
• 3rd Party Innovation

WINDOW TO NEW ECOSYSTEMS
• Trusted Partners
• AISPs, PISPs, TPPs
• FinTechs

BETTER CUSTOMER OUTCOMES
• New value added apps
• Improved customer propositions

EXPANDED DISTRIBUTION
• Banking App store
• 3rd party apps, portals on Public app stores

MONETISATION
• 3rd party pays per use
• 3rd party gets paid per use
• Indirect Monetisation


For API Strategy to support the business goals, business objective and monetization model should be clear

Financial Institutions have to provide the regulated APIs free of charge. Monetisation Models for any APIs beyond those mandated by PSD2 (and other local regulations) are at the FI’s discretion and based on market demand.

Open API Revenue Models*

Free
• Increased Brand / Service Recognition
• Acquire/retain customers
• Faster Product Development
• Community development

Developer Pays
• Pay-as-you-go
• Tiered
• Freemium
• Unit-based
• Transaction fee

Developer Gets Paid
• Revenue share
• Sign-up referral
• Product/brand advertising
• Purchase commission (CPA/CPC)

Indirect
• Increase product sales
• Acquire/retain customers
• Increase share of wallet
• Reduce losses
• …

*source: John Musser, ProgrammableWeb


It is equally important to look at the IT operations and how services are provided

The following diagram illustrates the scale and breadth of impact (impact key in the diagram: High, Medium, Low).

API ECOSYSTEM: PISP / AISP, TPPs, FinTechs, Developers, Regulator

New API Channel
Understands consumer priorities, supports strategic & innovative thinking through clear communications and collaboration. Filters customer feedback and manages expectations on development and delivery of API Products and developer capabilities.

API Channel & Consumer Management: Adoption, Developer Experience, Evolution

Strategy (Change): Identification, Architecture, Prioritization, Demand Management, API Strategy
Aligns API strategy and API Organisation to overarching digital strategy; ensuring business and technology leaders are collaborating across API consumer channels to achieve defined objectives.

DevOps / API Delivery (Run): Design, Build, Test, Deploy, Tooling, API Support Platform, Infrastructure

API Lifecycle Management
Development of new APIs on the API Gateway. Use of DevOps processes and procedures that enable API industrialised development through a defined API lifecycle management methodology. Ensures adequate testing processes, skills and tools are in place for API and API Platform testing.

API Operations & Support
Defines operational processes and procedures to effectively support the API Gateway and DevOps tooling. Seamlessly deploys reliable APIs and provides end-to-end operational support for their usage. Manages to defined service / operational level agreements. Drives to improve quality and efficiency through unrelenting focus on continuous improvement, using analytics.

Monetisation: Model Selection, Pricing & Billing, Usage Tracking, New Monetisation Models
Model selection, management and admin of monetised APIs (e.g. billing, usage tracking).

Security Management: Cyber Defence & Risk, Compliance, Identity & Access Management, Authentication
New API Security Management Capabilities: need to protect against new attack methods. API Key Management to control who is allowed to access which APIs.

(G)overnance
Light weight API (g)overnance: governs how APIs are developed and ensures standards are followed.


Crafting an Open API Capability
For crafting an industrialized open API capability, financial institutions need to give careful consideration to several important technical aspects

SECURITY AND DATA ACCESS
Authentication, Authorisation, Access Levels, Consent

ARCHITECTURAL STANDARDS
RESTful standards, Microservices architecture

API MANAGEMENT SOLUTIONS
Lifecycle management, Developer Portal, Traffic Management, Analytics

INFRASTRUCTURE AND HOSTING
Cloud, On premise or hybrid, Data access regulations


PSD2 will disrupt the financial services landscape – requiring a proactive, adaptive and intelligent security strategy

SECURITY AND DATA ACCESS

Security is essential. A new Security Strategy is needed, covering:

1 Digital Identity
• Which standard to authenticate customers?
• How to authenticate Third Party Providers (TPPs)?
Capabilities: Customer Authentication (OAuth 2.0, OIC, Biometrics, …); TPP & ASPSP Authentication (via registration authorities?)

2 Cyber Security
• Do you have secure foundations to expose APIs?
• How to prevent, detect and respond to Cyber attacks on APIs?
Capabilities: Secure API Development Practices; API Security Management; Vulnerability Management; Strategic Response Planning

3 Compliance
• To what extent do banks have to open their infrastructure?
• How to ring-fence & protect critical applications in this upcoming new world?
Capabilities: Regulatory Compliance (GDPR, PCI-DSS 3.2, etc.); Privacy in API Design

4 Fraud and Liability
• Impact on existing fraud detection capabilities?
• Sharing counter-fraud intelligence information with TPPs and trusted orchestrators?
• Who pays if things go wrong?
Capabilities: Logging Capabilities; Non-Repudiation of Transactions


Existing legacy architectures can have a definite negative impact on bottom line, while technology innovation is happening at a very fast pace

ARCHITECTURAL STANDARDS

• Over-standardised platforms, encumbered by years of ‘design by committee’
• Atrocious user experience with old-fashioned applications and difficult to implement APIs
• High TCO costs for software development
• Vendor platforms requiring significant investment to run and develop on
• Difficult to deploy, extreme difficulties adopting DevOps, Continuous Integration and Delivery practices


Our new IT architecture is optimizing for agility and future – while minimizing integration effort and TCO

ARCHITECTURAL STANDARDS

1. Open API Management
• PSD2 APIs, but also enabling existing and future APIs and channels
• Developer and Management portals for interacting with FinTech and monitoring usage.

2. Identity and Access Management
• Identity and Access Management module allowing full delegation of PSD2 IAM, including oAuth and Customer Consent.
• Integration with the bank’s IAM or a migration path to more modern IAM
• Retain existing consumer credentials

3. PaaS / Microservices
• Managed Platform as a Service (PaaS) for scalability of hosted PSD2 microservices.
• Allows elastic scaling of deployed services

4. Data store
• High throughput, high availability data store for storing replicated data (e.g. Product and Reference Data), caching (e.g. Transaction data) and audit logging. Reduces impact on the bank’s data systems.

5. DevOps, Agile and IaaS / ACP
• Basis for rapid prototyping or building new services (BaaS).
• Underpinned by PaaS and IaaS infrastructure and accompanying best-of-breed DevOps and Agile methodologies.

6. Legacy integration
• Minimal, simplified integration interface to existing bank’s systems.

Diagram layers (top to bottom): BANK (Web, Mobile, Telephone, Branch); PSD2/CMA (TPP AISP, TPP PISP); OPPORTUNITY (FinTech, Partner); OPEN API MANAGEMENT (oAuth / OIC, API Gateway, Developer Portal, Management Portal); NEW IT (PaaS / Microservices – Transactions, Accounts, Payments, Ref data, Product Data, ...; Data store – Audit Logs, Transaction Cache; IDM, AM, DJ; DevOps, Agile; IaaS / ACP); LEGACY (Identity, Accounts, Payments, Ref data, Audit & Fraud – Legacy Systems).

Acronyms: PaaS – Platform as a Service, IaaS – Infrastructure as a Service, TPP – Third Party Provider, AISP – Account Information Service Provider, PISP – Payment Initiation Service Provider, OIC – Open ID Connect, IDM – Identity Management, AM – Access Management, DJ – Directory junction, ACP – AxEdge Consulting Cloud Platform, API – Application Programming Interface


API management platforms are necessary to create capabilities and address challenges for enabling businesses to succeed in the API economy

API MANAGEMENT SOLUTIONS

An API Management Layer allows self-serve registration and instant API access, sandbox testing environments, documentation, usage analytics and much more.

Capabilities Required for API Enablement
• API Documentation
• Developer Enablement
• Secure, Reliable and Flexible communication approaches
• API Versioning
• API Lifecycle Management
• Measure and Improve Business Values
• Integration with Backend systems
• DevOps
• Scalability, Recoverability and Resilience
• Operations

A different way of interacting with the world
• Exposing APIs in an effective way requires businesses to implement many functions not available in the SOA world.
• This is particularly acute in security, classification and production of services, developer services (onboarding, self-service) and analytics.
• Integrated, purpose-built, off-the-shelf products satisfy these needs and produce massive savings over in-house build.

Challenges for API Enablement
• RESTful API design
• API Security Mediation with OpenID and OAuth
• Traffic Management
• Prevention against attacks
• Lifecycle Management
• API Governance
• Identify and Define the right API Monetization model
• Automation for API Development and Deployment
• API Testing
• Scaling the new high


The recommended reference architecture follows a hybrid infrastructure approach, leveraging public cloud, private cloud and on-premise hosting capabilities

INFRASTRUCTURE AND HOSTING

Public Cloud
Public API gateway components and Developer Portal hosted on public cloud for easy accessibility.

Private Cloud
Internal API gateway components, API Management Portal and “New IT” components on private cloud; these can also be brought on-premise if the client requires.

On Premise
Legacy Systems assumed to be on-premise by default.

Diagram layers (top to bottom): BANK (Web, Mobile, Telephone, Branch); PSD2/CMA (TPP AISP, TPP PISP); OPPORTUNITY (FinTech, Partner); OPEN API MANAGEMENT (oAuth / OIC, API Gateway, Developer Portal, Management Portal); NEW IT (PaaS / Microservices – Transactions, Accounts, Payments, Ref data, Product Data, ...; Data Store and Streaming from Legacy Systems – Audit Logs, Transaction Cache; Identity and Access Management – IDM, AM, DJ; DevOps, Agile; IaaS / ACP); LEGACY (Identity, Accounts, Payments, Ref data, Audit & Fraud – Legacy Systems). Legend: Public Cloud, Private Cloud, On premise.


Case Study – SAXO Trader GO / Open API
External drivers and forces – DRIVING TECHNOLOGY

Reference Architecture for the Open Bank Standard

Source: Strawman Reference Architecture for Open Bank Standard

Target Architecture – Front Office

Patterns

Design Steps and Takeaways – Realtime Streaming of deltas

Design Steps and Takeaways – Separation of Responsibility

Design Steps and Takeaways – Takeaways

• Streaming and Delta updates have taken up to one-third of the total resource expenditure in the framework
• Complex recovery/disconnect/reset/reconnect scenarios
• Throttling and business protection is a MUST on the endpoints
• APIs get abused/misunderstood and misused both by accident and by intent

• Session State
  – Necessary for your throttling strategy
  – User vs. Session specific strategy
  – Handling state of the underlying systems
  – Managing and controlling subscriptions
  – Avoiding IO/Cross process jumps: utilize speed of RAM

• Security
  – On one hand more openness available to “hackers”, on the other hand more of a TOP priority
  – Built on Open Standards/Frameworks endorsed by OBS.
  – Boundaries pushed by giants like Facebook, Google (that have more surveillance features, detection of suspicious activity and maybe do not carry financial data etc.)
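The takeaways above (throttling and business protection on the endpoints, with a user- vs. session-specific strategy) and the earlier note that API Key Management must control who is allowed to access which APIs, as an added illustration that is not code from the deck or from Saxo: a gateway-side check that first validates the TPP's API key against its entitled scopes, then applies a token-bucket throttle keyed per user or per session. The key registry, scope names and identifiers are constructed placeholders.

```python
import time
from dataclasses import dataclass

# Constructed registry of TPP API keys and the scopes (API families) each key
# may call. Keys, TPP names and scope names are placeholders for this example.
API_KEYS = {
    "key-aisp-demo": {"tpp": "AISP Demo Ltd", "scopes": {"accounts", "transactions"}},
    "key-pisp-demo": {"tpp": "PISP Demo Ltd", "scopes": {"payments"}},
}


@dataclass
class ThrottlePolicy:
    capacity: int          # burst size (tokens a fresh bucket starts with)
    refill_per_sec: float  # sustained request rate
    key_by: str            # "user" (per PSU) or "session" (per access session)


@dataclass
class Bucket:
    tokens: float
    last: float  # clock reading at the last refill


class Gateway:
    """Minimal policy enforcement point: key check, scope check, throttle."""

    def __init__(self, policy: ThrottlePolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock  # injectable so the behaviour is testable offline
        self.buckets: dict[str, Bucket] = {}

    def _bucket_key(self, request: dict) -> str:
        # "User vs. Session specific strategy": decide which identity the
        # throttle counts against. Per-user limits cannot be dodged by opening
        # a second session; per-session limits isolate one misbehaving client.
        if self.policy.key_by == "user":
            return f"user:{request['psu_id']}"
        return f"session:{request['session_id']}"

    def _take_token(self, key: str) -> bool:
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=float(self.policy.capacity), last=now)
            self.buckets[key] = b
        # Refill proportionally to elapsed time, capped at the burst capacity.
        elapsed = now - b.last
        b.tokens = min(self.policy.capacity, b.tokens + elapsed * self.policy.refill_per_sec)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

    def authorise(self, request: dict) -> tuple[int, str]:
        """Return an HTTP-style (status, reason) for one inbound API call."""
        entry = API_KEYS.get(request.get("api_key"))
        if entry is None:
            return 401, "unknown API key"
        if request["scope"] not in entry["scopes"]:
            return 403, f"key not entitled to scope {request['scope']}"
        if not self._take_token(self._bucket_key(request)):
            return 429, "throttled: business protection limit reached"
        return 200, f"ok for {entry['tpp']}"
```

Reject before throttle-accounting is deliberate: an unknown key or a scope the key is not entitled to never consumes a legitimate caller's budget.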


Challenges
Challenge 1 – What really is the compliance scope and its deliverability?

With different regulators, the definition of compliance for January 2018 is still under much discussion. In addition, depending on the products provided and the digital channels they are delivered on, there is a further deliverability consideration.

Open Banking CMA
• 9 financial institutions mandated
• PCA/BCA accounts only
• Open Data
• Read/Write APIs
• Open Banking Liability Model
• Transaction History
• CMA specific APIs

CMA & PSD2 (OB Restricted PSD2 Scope)
• GBP payments
• Strong Customer Authentication
• Technical & API Standards
• Open to EC wide third parties regulated by EC National Competency Authority
• PSD2 Liability Model

Open Banking PSD2 (OB Extended PSD2 Scope / PSD2 Scope)
• GBP & Euro Payments
• Additional “payment accounts” accessible online
• Payment initiation
• Account Information

Extended PSD2
• Multi-Currency, Int’l FX Payments
• Commercial Corporate & Private Banking Accounts
• PSP Issuing Card-Based Payment Instruments
• Insurance

Source: Open Banking Implementation Entity Updates


Challenge 2 – What are the core capabilities to focus on and how much do you invest on to be compliant vs compete?

Investment in regulatory change has not always realised intended adoption rates (PayM, 7 day account switcher). Therefore all are finding a balance of scale of investment against the technical and organisational capabilities to be able to react quickly.

Capability map (word cloud): Partner API Ecosystem, Hackathons, API Governance, FinTech Relationships, IoT, Outside-in Development, Agile @ Scale, Bank Partner APIs, API Ecosystem Governance, Ecosystem Engagement, API Marketplace, Hybrid Cloud, Cloud, Bank Open APIs, API Developer, API Curation, Artificial Intelligence, Security, Existing Channel Microservices, Data Hub, Cache, Private APIs, CMA2/PSD2, API Product Roadmap, Developer Community, Data Capabilities, Enterprise APIs, Services, API Gateway, API Integration, API Consent, Legacy Platform, API Product Mgmt, API Analytics, Private Cloud, Machine Learning.

Source: Nationwide Open Banking Forum

Any Questions?
