Safaricom is launching an application programming interface (API) for M-Pesa to encourage third party app development. Open APIs are a key part of wider transformation in the banking industry and will become much more common as regulation forces banks to open up their systems. Announcing the API, Safaricom said it expects developers to create a range of innovative solutions for businesses and consumers using the mobile money service, one of the most successful in existence.
“One of the advantages of the new M-Pesa platform is the fact that it is easier to integrate with other financial platforms to offer more or improved services to our customers,” said Betty Mwangi, director of financial services at Safaricom.
The move comes just as the banking industry gears up for major changes to payment rules that will mean they have to open up their platforms to third party developers. In Europe, this is being enshrined into national law as part of the PSD2 regulation, which comes into force in 2016. PSD2 will create a new type of regulated entity, the third party payment service provider (TPP). “This change is aimed at promoting innovation and low cost electronic payment solutions while ensuring that security and data protection are not compromised,” said the European Payments Council. Effectively this will open up access across the industry to payment processing services and bank accounts held by customers.
Part of PSD2 is the ‘Access to Accounts’ (XS2A) rule, which actually forces banks to “facilitate access via API to their customer accounts and provide account information to third party apps if the account holder wishes to do so”, explains a Finextra Research report on the issue.
A big perceived threat around these changes is security. XS2A means banks have to build an API structure that any company registered with a ‘competent authority’ can use to provide services, so long as the customer consents. The Finextra study found that 88 per cent of bank respondents believe that data protection and risk to reputation are significant issues. Ambiguity about liability for any fraud or data loss was also a major worry for banks. The most recent draft of PSD2 says the account provider is liable for losses in the event of an unauthorised payment. This is true even if a payment initiation service provider was involved. Third-party security is a hot industry topic at the moment anyway with regulators in the US and elsewhere bearing down. Banks are worried about access to their systems, but perhaps need to do more.
Benjamin Lawsky, head of the New York Department of Financial Services, said: “A bank’s cyber security is often only as good as the cyber security of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter.”
Despite these concerns, open APIs are seen as crucial to widening participation and improving services. One report last year warned that progress on mobile banking apps was “glacial” because banks were not devoting enough time and resources to development. This is where open APIs make a huge difference. And while PSD2 is cementing this approach to development in Europe, some banks have already made big strides. France’s Credit Agricole, Dutch bank ING and Australia’s Commonwealth Bank have been at the forefront, building software development kits for third parties to create banking apps.
But not all banks are ready for PSD2 and universal API banking. Finextra’s study found just 14 per cent expect to be able to offer third party API access immediately. More than half (54 per cent) think their core systems could be a barrier to their becoming an open-API bank.
With PSD2, open API banking is coming – banks need to be prepared.