Recently, there has been a spate of interesting articles on the state of open banking in the UK. And “state” appears to be the operative word.
As an openbanking.space article opines,
Anyone with a LinkedIn account will see several articles a day extolling the virtues of open banking, and the potential it has to revolutionise behaviour in retail banking.
The implication here is that this is all hype and, six months in, there is no revolution to televise yet:
Open banking has not set the UK on fire.
Which may very well be true. The HSBC app has been getting some advertising push on the remoter regions of satellite television and online, but nothing has taken the world by storm. Yet.
The main reasons, according to the openbanking.space article, are
- A lack of rich data or functionality on the account information APIs,
- A regressive method coupled with very poor authorisation journeys on the banks’ platforms,
- Technical challenges such as that posed by a lack of immutable transaction IDs, and
- The absence of any bank-provided, data rich testing environments.
The most serious one is perhaps the authorisation issue. Some challenger banks, such as Starling, have provided simple, secure, state-of-the-art mechanisms for authentication. But the implication is that many of the incumbent banks have been dragging their feet over modernising their authorization functionality. And this means that users are faced with opaque, confusing, frustrating and insecure legacy authentication processes.
We here at APImetrics know all too well from painful personal experience just how difficult it can be to get access to an API authorized.
The public should never need to have heard of OAuth2. Yet many of these authorisation journeys are a dog’s breakfast of the traditional and the new. There’s a reason for this, which is that ultimately you are trying to access an API. That should all be tidied away from the end user, but quick and dirty development of gnarly web applications can leave things in plain sight that frankly should be strictly behind the scenes.
The incumbents might not want to make things easier because they might hope that open banking will go away, but that does seem rather unlikely given PSD2. And no number of articles from expensive consultants can bring about the open banking utopia.
But open banking doesn’t become a bad idea just because some big banks are dragging their feet or because it takes a while for the killer app to emerge. There are still plenty of hungry startups out there, as well as some of the Big Beasts like Amazon, Apple and Google, that would be perfectly happy to disrupt the banking market if they can find the right use case.
The point of all this is that open banking is only as good as its APIs.
And note point 4 that openbanking.space raise about testbeds and sandboxes, something we at APImetrics have had much to say about in the past. APIs are only part of the authorization journey, and end users shouldn’t have to know about GETs and POSTs and 5xx errors. But users do know a bad experience when they have one, and if your APIs aren’t robust and reliable, it is a bad experience they will be having. And the more complicated the journey, the more there is to go wrong.
Which means more security holes and more need for negative testing and fuzzing. Which is why, whether in test or production, you need to manage your APIs. And that means actively monitoring them. Give us a call and we will see how we can help you finally immanentize the Open Banking Revolution.