Open API banking: New framework, threats, and opportunities in Japan and APAC
By Eiichiro Yanagawa

In general, an API refers to a technical specification for operating a specific program by another program, and it defines command statements (commands and functions) used when the program is operated, a format of data to be transmitted and received, and the like. For example, many businesses today display a Google map when publishing their location on the website. This is realised by outputting map data (Google Maps) using Google's API (Google Maps API).
The origin of the API lies in the software industry, especially in enterprise application integration (a method of building and controlling company-wide business systems). It was once a manner of system development for excellent software engineers. Today, the open API has become a business policy of outstanding business managers. In 2002, Jeff Bezos issued a mandate to all his internal development teams regarding how software was to be built at Amazon: all teams will henceforth expose their data and functionality through service interfaces; teams must communicate with each other through these interfaces; there will be no other form of inter-process communication allowed; it doesn't matter what technology you use; all service interfaces, without exception, must be designed from the ground up to be externalise-able.
Fifteen years after this declaration, an open API tsunami has spread to even the most conservative industry, financial services. In May 2017, the Japanese financial industry steered toward a new framework. The Amended Banking Act decided to introduce a registration system for Electronic Settlement Agency Service Providers, so-called "Third Party Providers (TPPs)", and to announce policies of collaboration between banks and TPPs. Measures concerning the promotion of open innovation at banks eventually emerged as new regulations. This turned out to be a major shift in Japan's financial regulations.
When financial institutions disclose APIs to TPPs, the biggest system risks would be data leakage/tampering, illegal transactions, etc. An API is a new communication path for information systems, but it could be misused. There is also a possibility that data included in the user's account information and settlement instructions will be exposed to the risk of leakage/tampering via TPPs. In response to this risk, various discussions emerged from the viewpoint of financial institutions/TPPs/users regarding risk types and convenience with respect to the service form of TPPs and the data transmission/reception method, which have been mainstream in Japan so far. The outcome of the discussions was the shift from Legacy Authentication (the scraping method) to open API (token authentication). Legacy Certification (the scraping method) will no longer be accepted in the Japanese market in the future.
Token authentication is a method of sending and receiving data between TPPs and financial institutions. After a financial institution authenticates a user, it generates data (a token) indicating the range of data the TPP may access and the range of services available to it, and transmits the token to the TPP, which then uses it. Compared to legacy certification, the burden of implementation, such as information system upgrades, falls on the financial institution side. For users, however, registration of ID and password with TPPs becomes unnecessary, and the data range accessible by TPPs can be controlled. The Japanese financial industry will now begin to thoroughly enforce these access rules based on Token Authentication as industry rules.
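The token flow described above, as an added example that is not part of the original article: the bank issues a signed, scope-limited token after authenticating the user, and its API refuses any TPP request outside that scope. The token format (HMAC-signed JSON), the scope names, the identifiers and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

BANK_KEY = b"constructed-demo-key"  # constructed value; never hard-code a real key

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body: str) -> str:
    return b64e(hmac.new(BANK_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user_id, tpp_id, scopes, ttl=300, now=None):
    """Bank side: call only after the bank itself has authenticated the user."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "tpp": tpp_id,
              "scope": sorted(scopes), "exp": int(now) + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body)}"

def authorize(token, tpp_id, required_scope, now=None):
    """Bank API side: return the claims if this TPP may make this request."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    # Verify the signature before trusting anything inside the token.
    if not sep or not hmac.compare_digest(sig.encode(), sign(body).encode()):
        raise PermissionError("invalid token")
    claims = json.loads(b64d(body))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if claims["tpp"] != tpp_id:
        raise PermissionError("token was issued to a different TPP")
    if required_scope not in claims["scope"]:
        raise PermissionError("scope not granted by the user")
    return claims

if __name__ == "__main__":
    t = issue_token("user-123", "tpp-pfm", ["accounts:read"])
    print(authorize(t, "tpp-pfm", "accounts:read")["scope"])
    try:
        authorize(t, "tpp-pfm", "payments:write")
    except PermissionError as err:
        print("refused:", err)
```

The TPP only ever holds the token, never the user's ID and password, and the scope list is what lets the user and the bank limit the data range the TPP can reach.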
In parallel with the discussions about systematic means of implementing such access methods and authentication methods, Japanese banks have pursued profit from open APIs in various ways. Until now, they have provided API release and collaboration for specific business operators (PFM/Cloud accounting services/ERP), mainly focusing on hackathon and accelerator programs (α program: idea contest, β program: a joint project with specified businesses, investment). In the future, a new strategy will dominate, in which the banks develop the community (third-party-developed application store, the operation of an open API platform for developers, application platform delivery). Under some frameworks, not only will open APIs be new revenue opportunities for financial institutions as B2B products, but API platforms will likely evolve into a platform for innovation, encouraging financial reform in financial institutions.
Since they first began employing computers in the 1960s, Japanese banks have always limited themselves to closed and rigid approaches to system development. Today there are cracks appearing in those rigid foundations that have underpinned system development for more than half a century. If existing conventional banks stubbornly adhere to their analog approach, digital customers can be expected to flee to emerging financial service offerings that better cater to their needs, presumably precipitating the demise of these traditional banks. This shift will progress gradually at the very beginning and then at an accelerated pace.
The open API will be a powerful trigger for the value chain revolution sure to take place in the Japanese banks and financial services industry.