Open Banking: Why Agile Alignment is the Key to Success

Open banking can offer opportunities for retail banks that are faced with competition from newcomers to the banking and finance industry. For those unfamiliar with what open banking is, it can be best defined as “the use of open APIs that enable third-party developers (FinTech or non-banking service providers) to provide applications and services around the financial institution.” These services may be located between the customer and the bank, or placed in the bank’s bank-end.

However, some banks are reluctant to move to an open banking model because their mindsets have been focused on compliance and the possible disintermediation that may arise. However, what these banks are missing is that an open-banking ecosystem can create significant opportunities to improve customer experiences and the competitive advantage they will gain from third-party partnerships.

This article introduces how acronyms like PSD2, eIDAS and BYOK are acting as enablers for banks to embrace technology and security infrastructure as running mates in order to stay competitive or, even better, to extend their market penetration.

Banks Creating Their Own Roadblocks to Success

Unfortunately, many retail banks fall short of their goals with their open-banking programs. Instead of disrupting, they often gingerly approach innovation and only focus on opportunities that coincide with their current offering or minor improvements that stem from having to comply with regulations like the second Payment Services Directive (PSD2).

With the help of open banking, retail banks can now jumpstart their digital transformation with features and functionality from multiple third parties. They can then enable third-party access to combined custom account information from many banks. This can be accomplished much faster than building a digital front-end from scratch.

Hereafter we will describe two axes of opening up. The first one is located in the bank’s front end, the second one orchestrates services in the back-end.

PSD2 and eIDAS enabling to open up for “front-end” payment services

The Payment Service Directive 2 (PSD2) is an important technical and legal enabler for banks to open up for 3rd party services around their offering. Those Fintech services are active in the front-end of the supply chain, meaning between bank and customer. In the context of PSD2, payment of information-service providing Fintech take the role of a proxy between bank services and bank customers. 

The process, standardized through PSD2 guarantees the required level of assurance, confidentiality and the evidence of the transaction through strong customer authentication. PSD2 enables strong customer authentication through eIDAS-compliant qualified certificates. The certificates mandated by 

Technically, PSD2 defines two important services for this open bank relationship: Payment Initiation and Account Service Information. RTS are qualified certificates for electronic seals or qualified certificates for website authentication.

BYOK as an enabler for “back-end”-services in the hybrid cloud

In their quest for reorganizing as financial service platforms, banks have vital interest in preserving the role of the single point of contact to the customer. To do so, the bank defends its front end role and arranges all value-adding services invisibly for the customer in the back-end.

From an architectural point of view, two major approaches are possible:

• Connecting to ready-made cloud-based services (“brown field”) in the cloud - Many leading players in the banking software market like Diebold Nixdorf, NCR or FIS start offering cloud-based services, able to be interwoven into the banks’ composite service offering.
  
  The providers of cloud-based ERP software show even stronger growth rates with specially packaged and banking-oriented cloud-based solutions.
  
  Market-shaping examples are Microsoft Dynamics or SAP Hana.
  The advantage of these software service platforms is that they also possess an ecosystem of seamlessly integrated financial service providers. Their services become instantly accessible to the banks through connecting to the ERP-platforms. The platforms take care of architectural integration and public key infrastructure and HSMs.
• Building up own services (“green field”) alone or in cooperation with partners in the cloud - Banks have discovered the advantages of containerized services, scalability and elasticity in the cloud.
  They also use the cloud for coopetitive activities with other banks (e.g., block-chain, AI), research projects with universities or ventures with other third parties.
  PaaS providers like Microsoft (Azure), Amazon (AWS), or Google (Google Cloud) offer cloud infrastructure as well as cryptographic infrastructure (HSMs) as-a-service, as an environment to place and deploy services as well as to store data. 
  
  Speer-headed by IBM, infrastructure providers cloud-enabled their hardware.
  IBM’s z15 is now an enterprise platform hardware allowing for moving mission-critical processes to the hybrid multi-cloud, providing scalability and including a reworked and cloud-enabled version of  IBM’s Common Cryptographic Architecture (CCA 7.0).
  
  Using internal corporate synergies allows to blend the traditional mainframe architecture with cloud and containerization software such as Red Hat OpenShift or OpenStack supporting applications written in Node.js, PHP, Perl, Python, Ruby, JavaEE and more.

Both approaches need banking-grade data security and data privacy, as well as independence from the service providers. For strategic and security purposes, banks need to remain in control of their cryptographic keys and avoid vendor lock-ins. The right strategic answer is a “bring your own key” (BYOK) and “manage your own key” (MYOK) strategy.

Data will remain encrypted and unreadable for cloud service providers, even if it leaks out or if the platform is compromised. 

Technically, cryptographic keys remain inaccessible in the cloud-based HSMs, when conducting a BYOK strategy.

The keys are generated and managed throughout their life-cycle from the key management system, which is accommodated in the bank’s local data center. Also, audits can be conducted locally from the bank’s data center. 

BYOK with banking-grade key management systems is an important prerequisite for compliance.

Managing Competing Businesses by Aligning Governance, Technology and Security

With the goal to unlock commercial opportunities, the best open-banking portfolios have a mix of bank-branded and third-party offerings, independent ventures, and distribution networks. Some of these entities may compete with one another.

To keep this under control and provide strong guidance, there needs to be an alignment of governance,  technology and security infrastructure throughout the open-banking ecosystem.

To achieve this, retail banks may need to modernize their applications and security infrastructure.

Banks will need to lay out their vision for their digital transformation based on where they are now in their journey. 

This generally includes:

1. Identifying and prioritizing commercialization opportunities and use cases
2. Selecting potential financial services and service partners
3. Selecting potential (cloud) infrastructures 
4. Defining operating models and technology requirements
5. Developing clear paths to implementation

It is worth noting that steps 1 - 5 do not follow a clear waterfall model anymore. Infrastructures (step 3) like MS Dynamics or SAP Hana come with native financial services (either embedded or
through their store).

Those might impact step 1, the identification and prioritization of opportunities: When a service offered by a cloud platform paves the way towards low-hanging fruit, business priorities might change. The 1-5 sequence will become more iterative and agile.

Commercial and technical banking personnel need to align their efforts and live an agile process of business development, driven by vision, demand and technically-enabled opportunities.

Conclusion

Open banking offers opportunities for retail banks to strengthen their current offerings, attract the best partners, orchestrate the best value nets (agile customer oriented digital supply chains), and create bold and disruptive business ventures both within and outside their main business. 

Banks who execute well-rounded strategies in an agile alignment with technology and security infrastructure have good opportunities to create growth that will help them stay competitive in a challenging market.

References

• Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
• Selected articles on Key Management in the Cloud (2017-today) by Matt Landrock, Rob Stubbs, Stefan Hansen, Ulrich Scholten, Joe Lintzen and more
• Selected articles on IBM Mainframes in Banking Infrastructure (2019-today) by Martin Schmitt, Stefan Hansen, Ulrich Scholten and more
• Retail Banks Must Embrace Open Banking or Be Sidelined
  (2018), by Thorsten Brackert, Stefan Dab, Steven Alexander Kok, and Maarten Peeters at BCG
• PSD2 and HSM-as-a-Service - part 3 - the opportunity for banks (2018), by Gaurav Sharma
• Composite Solutions for Consumer-Driven Supply Chains (2010), by Simone Scholten, Ulrich Scholten and Robin Fischer. In: Bogaschewsky R., Eßig M., Lasch R., Stölzle W. (eds) Supply Management Research. Gabler
• Banking-as-a-Service - what you need to know (2016), by Ulrich Scholten
• Winning in a world of ecosystems (2019), by McKinsey Company
• Global Banking Practice - The ecosystem playbook: Winning in a world of ecosystems (2019), by McKinsey Company

• NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker

• CKMS Product Sheet (2016), by Cryptomathic

• White Paper – Deploying CKMS Within a Business (2017), by Cryptomathic

• Digital Bank: Strategies to launch or become a digital bank Kindle Edition (2014), by Chris Skinner
• Value Nets: Breaking the Supply Chain to Unlock Hidden Profits (2009), by David Bovet, Joseph Martha
• Service Value Networks (2009), William E Hefley, Steffen Lamparter, Christos Nikolaou, Stefan Tai, Ulrich Scholten, et al.

</conclusion<>