Open Banking is brand new, but maybe not. Token.io Limited CEO Steve Kirsch tells Karen Webster that there are limitations with PSD2 amid a lack of API standardization. There’s precedent in the World Wide Web when it comes to having the most open protocols in accessing financial services and innovative products.
Open Banking is brand new, except it isn’t — at least, to some observers.
More than a year into Open Banking’s debut in Europe, Token.io Limited CEO Steve Kirsch told Karen Webster that there’s a precedent in managing transactions effectively and safely, and in giving consumers access and control over their data as financial service firms seek to serve up innovative banking products. As most of Hollywood knows, though, the original is better than the sequel.
According to Kirsch, “we have had Open Banking, worldwide, for the past 20 years” — the World Wide Web. The web, he asserted, exists as an application programming interface (API) that interfaces with a computer, allowing bank customers to transact with their banks — and the interface is open to everyone, provided they are properly authenticated.
“It’s … an [open] protocol. You have to have the right credentials,” Kirsch said. “A consumer does not have to be a [payment initiation service provider (PISP)] or [account information service provider (AISP)] to go in and look at their balance. They can do that on their computer.”
From his view, the concept of APIs as marking a new way to share data is a bit of a misnomer. As applied to the World Wide Web, he told Webster, the data is meant to be consumed by humans rather than by machines.
PSD2, as has been reported, introduces two AISPs and PISPs. In the case of the former, AISPs offer consolidated details on at least one payment account held by a user, or on data held by more than one provider. With the latter, PISPs initiate payments at the request of the account holder, interacting with a payment account held at another provider.
The wrinkle, according to Kirsch, is that the EU said the payments industry has mandated that “we should move toward closed APIs, where it must be accessed through narrow portals and trusted third parties (the AISPs and PISPs). It gives consumers a fraction of what they had before. They call that Open Banking, but I call that closed banking.”
PSD2, he said, is no different than most other pieces of legislation, which has the best of intentions. However, he noted, the regulation should have — fundamentally — been one line, the gist of which should have been: “You have open APIs now called the World Wide Web. Just make it machine-readable.” Now, the launch of PSD2 can be likened to an alpha test that impacts half a billion people in Europe.
As he noted, the banks will eventually come to recognize the limitations set in place by PSD2. Those limitations come from a lack of standardization in Open Banking, as banks use different APIs, which leads to increased costs and complexity. Token has found that the U.K. Open Banking API is usable only by human beings, not by machines, and that it takes more than two minutes for individuals to approve a simple access request.
Yet, Kirsch told Webster, banks persist in requesting U.K. Open Banking APIs. “U.K. Open Banking is like buying IBM,” he said. “Nobody ever got fired by buying IBM” — at least, once upon a time.
The Trojan Horse
Not surprisingly, Token has taken a different approach, offering “a true Open Banking API, … where third parties can only do exactly what the consumer consents for them to do,” Kirsch explained. He added that the approach has been to do U.K. Open Banking APIs, but will include within that offering “an extra-special token API, which is secure and cannot be broken into” — and done in a way that uses the U.K. or Berlin API as a Trojan Horse.
“When people turn that on, they will realize they totally missed the boat,” Kirsch said of stakeholders who have only embraced U.K. or Berlin Group Open Banking standards.
That’s especially true where security is concerned. Under PSD2, banks are required by law to use a middleman AISP or PISP. However, middlemen can serve as points of attack for fraudsters — thus, the Strong Customer Authentication (SCA) requirement, which has the potential to create friction that results in billions of losses as consumers abandon their carts at checkout.
According to Kirsch, the system under PSD2 (again, reliant on middlemen) is less than efficient. Consider the fact that it is virtually impossible to have a dollar taken out of an individual’s account, as the consents are based on AISPs and PISPs.
“I can only consent to have your PISP take money out of my account. But what happens if a consumer changes their PISP?” he said.
To get a sense of just how hard the process is, Kirsch told Webster that he has been unable to remit a single dollar into his own bank account held at a large, global money-center bank. There’s a pop-up menu that appears to the user, who must then confirm on their mobile banking application that the transaction can proceed. Blame it on SCA mandates, he said, which require manual processes, introducing friction into the process.
The World Wide Web Model
Hearkening back to that World Wide Web as an Open Banking platform, Kirsch noted that users with the “proper credentials” can transact and look at their bank balances, but they do not have to be AISPs or PISPs to do that. “Your computer program has been able to do that for the past 20 years,” he said.
With the Token offering, it’s secured by the consumer, and third parties can only do exactly what the consumer consents to have done. (In one recent example of Token’s linkups with more traditional financial firms, Mastercard said earlier this year that it will work with Token to service European customers.)
He offered an illustration under Token’s system where, if Uber wanted to take $10 out of a consumer’s account, Uber would call the API. The Token software would then contact the individual and ask for approval — done, for instance, through a thumbprint.
“It’s kind of what PayPal would do, … and the model has been there forever,” Kirsch said, adding that such mechanics are “super safe for a bank. They do not have to worry about writing any extra code, about trusting Facebook (or a PISP) or about a breach by a third party.”