When banking APIs emerged, or even when their processing screen scraping technology was used, banks hysterically objected, trying to block this “extraordinary” access to their clients’ data. It wasn’t only security precautions that drove this reaction — banks often referred to it as opening Pandora’s box — but mostly something very simple and practical: they didn’t want to share the data with others.
The question of to whom the information about a customer belongs is the essential issue banks and regulators have to deal with. For us, the clients, the answer seems pretty obvious: all of the data related to our bank accounts — personal information, transaction history, loans, deposits, cards and so on — is the result of our activities and our private property. What’s even more important, these are the activities and property the bank profits from. This is why we think it’s us, and only us, who decide when, how and why this data is accessed.
Is it that simple?
On the other hand, the banks often see the information contained within their systems as proprietary and classified, and as such it cannot be disclosed to, accessed or extracted by any third party. In turn, neither APIs nor screen scraping are allowed to retrieve any data from a client’s account. OK, perhaps the account balance could be available to some third parties — payment providers, for example. But transaction history or personal data? “No, we are not allowed, nor obliged, to give away this information to anyone but the client”, banks protest. Are they right?
Setting things straight
We have to admit that banks are responsible for the security of our data kept in their systems. They need to protect our money and our identity. And they bear the costs of it. But, as mentioned earlier, they also charge us, their clients, for their services, security included. Besides, standardized APIs wouldn’t allow anyone to do any harm to customers’ money — they would just retrieve information about it. Or about the identity of a person.
This last example of API usage can be the real problem. Why? My personal information, such as name, date of birth, ID number etc., is strictly private, so it belongs to me and only to me. I can share it with whomever I want to, and nobody should prevent me from doing this just because a bank is a keeper of my secrets.
But banks don’t BELIEVE in their customers’ identities. They are SURE of them, since the verification of their clients is the first thing they do, which of course incurs some costs. Now, if a banking API is supposed to be the provider of this verified, trusted personal information to some third party, it means that a bank will give the results of its KYC procedure away for free to one of its competitors. So why should it? Want real data? Then pay for it.
Or, maybe not. Customers go from one bank to another. So when a bank allows third parties’ APIs to authenticate its clients and verify their identities, it can use a similar API to get the same KYC experience with a new client coming from a competitor. Building such a network of banks as “trusted parties” will benefit all: both clients and banks. And even governments, since they will not have to build separate, redundant infrastructure to serve the same purpose of verifying people’s identity.