Perhaps we had a lucky escape when banks declined to become online ‘identity providers’. After all, their track record in online security has some peculiar idiosyncrasies. Arguably they’ve made the problem of fraud greater than it should be by failing to create a consistent, secure customer experience.
Obvious examples include the fraud made possible because customers cannot verify that it really is their bank calling, emailing or texting them. Fraudsters can therefore contact customers pretending to be their bank, brazenly emptying customers’ accounts in the process. The ‘Know Your Customer’ checks that should ensure an individual opening an account really is who they claim to be clearly have notable failings that make some of these frauds possible.
The recent move to force SMS (text message) one-time codes onto customers to authorise transactions is equally bizarre, given SMS’s known insecurity and the problems of SIM-swap fraud, let alone the not-spots that make it unusable for some customers – or the customers who lack a mobile phone. Far better for those of us with phones if our banking apps provided a time-based code generation function like the ones we use to secure our online usernames and passwords with two-factor authentication. We could use such time-based codes not only for online authentication, but also as a way of validating the legitimacy of phone calls and text messages claiming to be from our bank.
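A sketch of how the time-based code idea above could work for validating a call or text from the bank. This is an example added here, not code from the original post or from any bank. It uses the standard TOTP construction (RFC 6238); the function names, the purpose label and the per-purpose sub-key (so a code read out on a call cannot double as a login code) are assumptions that go beyond the text.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window, the RFC 6238 default


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time."""
    return hotp(key, int(now) // STEP, digits)


def purpose_key(enrolled_secret: bytes, purpose: str) -> bytes:
    """Assumption: derive one sub-key per use, so a code spoken on a call
    can never be replayed as a login or payment code."""
    return hmac.new(enrolled_secret, purpose.encode(), hashlib.sha256).digest()


def bank_call_code(enrolled_secret: bytes, now: float) -> str:
    """Bank side: the code the agent reads out (or sends in a text)."""
    return totp(purpose_key(enrolled_secret, "bank-to-customer"), now)


def app_accepts_caller(enrolled_secret: bytes, spoken: str, now: float,
                       drift: int = 1) -> bool:
    """Customer's app: accept the current window plus/minus `drift` windows."""
    key = purpose_key(enrolled_secret, "bank-to-customer")
    counter = int(now) // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), spoken)
               for d in range(-drift, drift + 1))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample, set at enrolment
    code = bank_call_code(secret, 1_000)
    print(code, app_accepts_caller(secret, code, 1_010))  # same window
    print(app_accepts_caller(secret, code, 1_000 + 300))  # long expired
```

The secret never travels over the phone line or SMS; only the short-lived code does, which is why a SIM swap or a spoofed caller ID alone does not let a fraudster produce a valid one.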
Banks and their ‘new’ competitors
Let’s jump back twelve years to 2007 when I was invited to present to a board at one of the Big UK High Street Banks. About half the room understood what I was talking about, and the other half? Not so much. They seemed reluctant to accept my suggestion they were about to have their lunch eaten. In the years since, how they must have comforted themselves laughing at my ridiculous analysis and predictions. Until now.
The point I was making was that banks’ main business was increasingly about securing and managing digital bits. Mainly financial digital bits, yes, but also related digital information about us. It was that same realisation that had helped underpin the government’s belief in the 1990s that banks were well-placed to provide new services, such as online identity assurance. So not exactly a new insight – although from the reaction in the room clearly it was breaking news to some people.
I pointed out to the Famous High Street Bank that if they understood their business was predominantly about the secure ownership and management of digital bits, then they had a whole new range of opportunities, and competitors, to consider. Plenty of other organisations outside of the financial sector were also focused on managing data at scale – with global technology players such as Amazon, Microsoft, Google and Apple prominent amongst them. It was, I suggested, only a matter of time before some of these organisations might consider managing financial data too. And what would the banks do then? How prepared were they for this competition?
While much of the current media focus is on challenger banks, such as Starling and Monzo, I still believe it’s the global technology corporations that are the more interesting organisations to watch in this space. They operate at a global scale and with an efficiency that makes them formidable potential competitors for any organisation operating in the more traditional and slow-moving banking space.
The world has moved much slower than I predicted in 2007. It’s only recently that we’ve really seen other organisations driving their tanks onto the banks’ tired-looking lawns, perhaps most notably in the recent move by Apple with their Apple Card, launched in partnership with Goldman Sachs. 13 years on, I wonder whether anyone at the Famous High Street Bank has revisited those slides I presented? Somehow I doubt it. And anyhow, it’s probably too late now.
An uneven playing field
I suspect I’m being a bit hard on the banks here. After all, they’re heavily regulated and hence somewhat risk-averse. In a sense, they’re playing with one hand tied behind their backs when compared to global technology players – who have been left largely free to do whatever they want with little meaningful regulation or constraint.
As heavily regulated entities, liability was one reason why banks were reluctant to become generic ‘identity providers’ during the late 1990s and early 2000s. Regulation is also the reason why the technology companies tend to stay one step distant, and, as with the Apple Card, form partnerships at present rather than directly entering the financial services space.
Alongside long-standing regulation, banks have recently been forced to open up in a way that the big technology companies currently avoid. Open Banking, for example, is forcing banks to let us better access, manage and share our financial information with others, including our banks’ competitors. The opening up of interfaces (APIs) to their systems that was forced on the banks is likely to bring significant changes in the way we can access and use our financial information.
Open Banking is creating an even more uneven playing field for the banks. The failure of government to properly regulate big tech companies has now been combined with the obligation for banks to open up their systems, placing them at a major disadvantage compared to their competitors in the technology sector who keep many of their systems and interfaces under tight control. These pressures could prove life-threatening – or possibly (just possibly) become the catalyst for major innovation and change in the banking community.
The power of open interfaces
I’ve long believed in the power of open interfaces (APIs). I helped drive the focus on APIs as a core part of the cross-government services infrastructure in the late 1990s and early 2000s.
The UK government did some great, pioneering work in this area, including the creation of an API-based smart authentication and routing hub for use across the public sector that supported both third party ‘identity providers’ as well as government’s own authentication service.
HMRC too was an early pioneer, creating a variety of APIs to enable direct interaction for services such as PAYE and VAT, an approach that continues to this day. I’ve always believed that APIs provide great potential for improving the design, operation and quality of public services despite the tendency for government to focus much more on websites.
Open Banking shows that changes can be made to the way entire sectors of the economy work. But it seems unfair just to pick on the banks. Mandates for APIs should be evenly imposed, including on the technology sector to open it up to the same levels of competition now imposed on the banks. In addition, government should re-energise its own use of APIs and help show the art of the possible.
Levelling the playing field
So where does all this leave us?
I think there needs to be equality of regulation/rules/open APIs across all sectors – not just banking. The global technology players and government itself need to be subject to the same rules and expectations to help create a much more open ecosystem and level playing field. Who knows, maybe even the tortoise banks could show some flair and begin to win a few races if they could compete on a level playing field?
Open Banking, far from being a big stick to beat the banks with and marginalise their value, could prove their salvation – if they can seize the initiative. Done well, Open Banking would place banks in a strong position, acting as the trusted gatekeeper of a whole range of our personal information and letting us control it and who we decide to share it with.
Perhaps, some 20+ years later, the banks could also finally become the sort of trusted, secure data management service organisation foreseen back in the 1990s. We shall see, given my tendency to be too much on the optimistic side about the speed with which innovation can happen.
In the meantime, the banks could do worse than close some of the obvious loopholes in their approach to security if they want us to stick with them rather than their new competitors.