Just a few years ago, financial institutions and fintechs seemed to be squarely positioned on a collision course, with institutions working to protect their customer and member bases and fintechs laser-focused on disintermediating those very institutions by marketing directly to consumers.
More recently, the two have realized that they need each other in order to succeed in the marketplace. For financial institutions, fintechs provide a level of innovation and rapid go-to-market capabilities that would be difficult to replicate in-house or through their core banking providers. For fintechs, banks and credit unions provide a more viable channel to get their wares into the hands of consumers through business-to-business (B2B) relationships versus the slower process of going direct to the consumers. Also, the financial institutions are necessary partners in navigating the complex regulatory environment that governs financial services.
With consumers having top-notch digital experiences outside of banking, banks and credit unions need to ensure that they can choose the right products to meet the consumer’s ever-growing needs and be nimble in changing course as technology continues to shift and customer expectations change. Initially, fintechs and other third parties relied on screen scraping technology to acquire customer data from banks’ and credit unions’ digital banking environments, but over time, as consumers’ use of digital banking and PFM solutions became more sophisticated, that use required direct access to the data, which caused concern for FIs.
In recent months, fintechs have started to see some pushback from large institutions that have banned financial technology applications from using customer passwords to screen scrape the customer’s information. JPMorgan has gone so far as to indicate it will now issue tokens to allow third-party fintechs to access customer data. PNC customers recently found themselves without access to Venmo when the bank conducted a security upgrade that blocked access to customer account and routing number information. This begs the question – who owns the personal financial data, the FI or the customer? In Europe, regulators have gone so far as to mandate the Second Payment Services Directive (PSD2) requiring banks to create or expose their application programming interfaces (APIs) to third-party fintechs and other banks authorized by the customer to access data. The UK has taken it a step further with its “Open Banking” initiative that requires that data be available in a secure, standardized form that is more easily shareable between authorized third-party providers and fintechs. The idea is that doing so will foster innovation that will make banking services more equitable and readily available to the public and encourage better personal financial management behavior by giving consumers greater access to (and control over) their own data.
Here in the U.S., there is no (as of yet) single, comprehensive PSD2-like regulation to force financial institutions and their core providers into sharing customer and member data. After initially constructing a series of roadblocks for fintechs to overcome, the industry has seen a host of FI-fintech partnerships and/or large institutions’ acquisitions of fintechs in response to consumer demand. Today’s consumers are beginning to demand the integration of their banking and finances into a unified experience.
As the fintechs and the FIs begin to partner, banks and credit unions must thoroughly vet all third-party fintechs to ensure that each meets the same level of information security, cyber resilience, and business continuity requirements as the institutions themselves, per the requirements of the Federal Financial Institutions Examination Council (FFIEC). This has proven problematic for some fintechs, who simply do not have an understanding of financial institutions’ perspective of risk management. Fintechs (particularly early-stage companies) tend to focus most of their attention on designing a product, raising capital, going to market and quickly building a user base, but rarely direct an appropriate amount of attention towards creating a due diligence package that adequately outlines the stability of the fintech’s business structure, its business continuity and security.
Increasingly, the industry is seeing financial institutions begin to develop their own APIs and partner with providers like Plaid (which was recently acquired by VISA for $5.3 billion) to make customer and transaction data available through a secure environment. The acquisition by VISA is significant in that it essentially allows thousands of fintechs to connect directly with more than 10,000 financial institutions.
There is now an initiative underway in the U.S. that is more analogous to PSD2 in terms of setting an industry standard. The Financial Data Exchange (FDX) is a non-profit consortium of financial institutions, fintechs and industry providers whose mission is to develop a standardized API for the industry to utilize. It is worth noting that JPMorgan has built its API to align with the FDX.
While some institutions have taken a stringent approach with outside fintechs, others are seemingly going the opposite route, encouraging fintechs to develop apps and solutions specifically for their platforms and customer needs. For example, CBW Bank, a nearly 120-year-old community bank headquartered in Weir, Kansas, has recently indicated that it would like to be the “plumbing” behind fintechs looking to create apps for institutions and wants to help them with resources to develop their code. While it does not guarantee these fintechs would automatically get a plug into the bank, it does allow developers to create services and solutions from the ground up, interacting with real bank systems and platforms. Another example is Capital One’s move to publish its open APIs online for review, through its DevExchange Developer Platform.
For many banks and credit unions, solutions developed in-house are proprietary, but others are opening access to outside institutions. Along with writing interfaces and/or creating the necessary APIs to connect their core with a variety of fintech companies, they are also allowing other banks and credit unions to use these same connections, acting as a kind of go-between. By investing in the connectivity work, they in turn are gaining a small piece of the revenue based on the transaction volume going through their systems. This allows smaller, outside institutions – banks and credit unions that may not have the resources to create these technologies – to take advantage of capabilities from new applications or service offerings without having to do all or any of the heavy lifting themselves. With enough interest from outside users, these financial institutions could eventually position themselves as a sort of middle-ware marketplace with a potential for a lucrative new stream of revenue.
Open banking is here and will continue to become more and more ubiquitous. While FIs should stay on top of key issues and activities driving current trends, they should also be considering what makes sense for their specific institutions. Whether developing solutions in-house or working with outside fintechs, today’s banks and credit unions should keep in mind how these apps and services will interact and integrate into the future banking landscape. Considering these issues now will allow them to better serve their customers and members, and possibly open new streams of revenue, helping them remain competitive in the long run.
Terry Ammons, CPA, CISA, CTPRP, and Mike Morris, CISA, CISSP, are partners at Wipfli LLP, a leading national accounting and consulting firm serving clients across a diverse spectrum of industries, including financial institutions, services and technologies.