Global Open Banking Frameworks and Standards, Luca Ferrari, Senior Solution Architect, Red Hat




So I'm typically presenting to a technical crowd. Today is kind of a little bit of a different topic, so I'm gonna present around API and open banking frameworks: the history, where are we going, and the implications of this. And then I'm going to conclude in terms of reference architecture from the perspective of Red Hat.

So why am I here? Besides being an engineer by study and also specializing in computer science, I've also had a big interest in economics. So I'm an avid reader of the Economist, and I've been taking several classes online, plenty of you did or know Coursera or edX, so in gamification, game theory, micro- and macroeconomics. And at the same time, three years ago I joined 3scale, which was a small start-up in Barcelona around API management, and this then got acquired by Red Hat, which now also got acquired by IBM. And more recently I've been involved with Red Hat in the open banking team, so I was traveling through EMEA presenting around open banking on the open banking roadshow and leading the technical workshop for it. So these two elements came together as of today, and that's why I'm presenting this today.

So why are you here today, besides being interested in API management? So I hope you are in the right room; I understand there are three sessions running at this time right now. And really what I'm trying to achieve today is to maybe leave you with an interesting fact or something that you could really use in your daily life around open banking.

So how really did we get here? So this is a definition from Wikipedia, I think they updated it recently, but the important part is that besides the disrupting factor of FinTech, really FinTech is trying to enhance the functionalities that traditional banking is providing. And when we think about FinTech, maybe most of us think about the most recent innovations, or blockchains or something like this, but really FinTech is any financial technology as we speak, right? So this started way back in the 50s, so it was the
invention of our communist credit card, and most recently the foundation of PayPal, which is already almost twenty years old, and also most recently the first text payment: so through Nokia, the first can of Coke was bought back in the 90s. So as we can see, FinTech isn't something that was born in the last five years, and open banking is just building on top of this type of innovation.

So I understand that you guys have already seen a lot of these maps showing the different frameworks across the globe, so I'm not gonna go into the details. Also the European details are quite boring, they go ahead four thousand pages. My interest is just to highlight what you see underlined as the interesting factors and differences between all these standards.

So the EU one is considered to be like the oldest one. It's also the one that doesn't really provide any detailed technical recommendation, so it's more about the approach and the way that the interaction should be between banks and what they call TPPs. So there are these new actors coming on stage, so the relationship between customers and banks is now mediated by these new actors. And the other important thing is that the consumers have to provide explicit consent, so consent management is an important aspect, and also of course a strong emphasis on strong customer authentication.

So then you have the UK, which built on top of the EU PSD2 directive, and they actually got into more details, so they were much more technically detailed about how you could comply and achieve this compliance. They now actually have a full suite of testing tools with which the banks can check if they are compliant. The important thing is that the UK standard was applicable only to, or was involving only, these nine major banks. And there are two additional elements that are interesting. So the first one is the fact that the banks are also responsible for the availability of their service towards the end user, so they have now metrics in
the UK that they have to expose around the availability of their banking services, and the fact that there's also a security profile that's involved in interacting with these APIs.

Then you have Singapore. So in this case, as you can see through the slides that I'm going to present, not all of these countries have strict standards or regulation, so in some cases we have guiding principles or suggestions coming from the government or the monetary authorities. So for example in this case, in Singapore, we don't really have a compulsory regulation and framework, we have more kind of a suggestion, and this is trying to push the banks towards innovation. So I'll get to a conclusion around why this is different across the globe when I finish this part.

Then you have Mexico. In this case, as you can notice, they're actually forcing all banks to comply with the regulation that will come out, so they are basically saying that any bank that doesn't comply with this model will be basically pushed out of the financial market in terms of consumer banking. And the other interesting fact, that is something that the banking market in Mexico, I would say in South America, shares with the African one at least, is the fact that they're not looking at monetizing the APIs. So this is something that's very relevant for the UK and EMEA market; in Mexico it's more about including new customers into the banking world. So you have plenty of users that are underbanked, so they're not taking advantage of the full possibility of robaix banks, or they don't even have access to the network, so they cannot really use even the APIs because you don't have internet coverage. That's something that offers a revolution for open banking that will affect also of course the telco field, so these two revolutions will come together.

Then you have Australia. So in this case the important aspect is that the open banking framework is part of a bigger picture, so the consumer digital right framework, and in the sense this is in some ways
similar to the GDPR revolution or norm in the EU, so this is really focusing on bringing the power back to the user in terms of control of their data.

Then you have Hong Kong, which again has a regulation, and Japan, which doesn't have compulsory regulation but is aiming, with a date and a set of timelines, to have most of the banks using an open API approach to manage banking. And most recently New Zealand this year actually came up with a strong directive towards their biggest payment provider, and is basically kind of forcing it to open up its APIs.

So as you can see, we didn't touch the US and other bigger countries like China. So the US in this sense is kind of lagging behind, so it's kind of a Far West, so the government in this sense doesn't want to regulate, or maybe it's afraid to regulate and stifle innovation. And China isn't depicted here, but it's actually one of the most innovative countries in terms of digital payments. So maybe to me or to other people living in Europe this is not known, but to you I'm pretty sure it's known, the fact that you can pay with QR codes, and non-cash transactions in China amount to a very huge percentage.

So related to this there are side initiatives. So as I said before regarding China, we have several payment platforms that have been out there already for a while, and there are other frameworks that are kind of taking advantage of the fact that now we speak openly about open banking and it's like a cool thing to speak about open banking. And W3C came up with a seamless way to pay through your browser, plus other European countries now have a bank ID that you can use globally, so like kind of your digital identity.

So as I was mentioning before, how does this really relate to FinTech? So we have here a list from a research from Thomson Reuters about the potential for growth in terms of market for FinTech companies, and as you can see the list doesn't really reflect one to one the open banking regulation. And also here you can
see the amount of non-cash transactions I was mentioning before. This is another research, and again as you can see the list, which is actually kind of outdated, so it's already three years old, and China is sitting third; I'm pretty sure it will sit first in a few years.

So what does this mean? This basically means that every region has its different approach and its different consumer sentiment around open banking. So while you might interview people and banking users in EMEA and they would be scared about sharing their personal data and personal transactions with new FinTechs, in China that's perfectly fine and it's common usage. So it really depends also on the impression that end users have of banks and of digital privacy.

So through all these frameworks we can distill a list of basic requirements that are needed once a bank wants to make this move towards being open and towards starting to deal with external parties and external partners in an API fashion. So of course the first point would be REST APIs, plus all the requirements around security, so the strong customer authentication, the other elements that guarantee security, so preventing screen scraping, asking for explicit consent from the end user, plus all the requirements you see here.

And how does this translate? So this doesn't really ask banks to buy a set of platforms or more components, so basically banks can build their own architecture and infrastructure centered around this functionality to guarantee the fact that they will comply no matter which country they are dealing with, because these are general principles that are common across the open banking frameworks.

So a point that I didn't mention, but maybe you saw in the slide, is the fact that several countries have taken as an example for their open banking initiative the UK one, so you'll see that as soon as more governments start dealing with this they will most likely use as a base the UK one.

So how do all these components translate into a practical
architecture? So the important element here is that with this kind of digital transformation you also have a cultural transformation. So the architecture that I'm gonna show is definitely associated to an approach related to microservices, to fast deployment, and of course to DevOps culture. So all these things that maybe banks are not so used to, they have kind of a more internally regulated environment, but it's something that they should strive to achieve first of all in terms of culture if they want to map onto this type of architecture.

So you start of course with the API management layer with all this basic functionality, so anything from a developer portal to interact with your partners up to API contracts and API rate limits to make sure that nobody is overusing your services.

Then you have the security layer, which is protecting you against bad actors, and this is interacting of course with the API management layer. So you have all the parts around authorization on usage of your PSD2 APIs and also the consent management that's achieved through an IDP platform integrated with API management.

And then you have the integration layer. So of course you're gonna have basically two waves regarding your back-end services. You have new services created from scratch that are gonna be based on microservices, hopefully, and you have a set of functionality related to these microservices, so typically you want to stream all the events to later analyze, for example for fraud detection purposes. And then you have your old architecture that might stay in place for maybe another 10 to 20 years. You don't want to throw it out the moment you start doing open banking, so you want to integrate with it, so you also might plan for an integration and adapter platform.

Finally, you want to have all of this sitting on top of a PaaS platform, typically if you're dealing with containers and microservices, and this provides you additional value because it comes with the set of base functionality like monitoring,
clustering, auto scaling, logging and networking functionality that otherwise you would have to build on your own for communication between your microservices. And this of course is then protected by your external security layer, which can be a WAF or a load balancer.

And the interesting thing is that this type of architecture is valid for any kind of actor or partner, so it doesn't matter if it's new TPPs, your old banking customer who is accessing your services through mobile banking, or even internal developers. So the great thing of this is that you can reuse the same architecture; it's just a matter of different configuration in terms of API management.

So why also I think that open banking and open source go well together: so this is just a list of elements that I would argue apply to both worlds. So in terms of rate of innovation, possibility to exchange components or interoperability, usage of standards, security, so security is definitely key in this world and you don't really want your own custom closed-source security protocol or implementation, and also of course low barriers of entrance. So you might start with your internal initiative with a small set of microservices, and you might not want to buy a full big platform and start implementing everything; you might want to try with an open-source version and start implementing step by step internally first.

This is just to remind what the banks are dealing with in terms of competition. And some of this is already current, so nowadays basically banks are used to this type of competition; some of this other competition is gonna come in the next year, so I'm pointing at the last two on the list, so the application of cryptocurrency to money transfer and to smart contracts.

So at the moment, well, there was a first wave of FinTech that we can associate with for example Mint, which was a data aggregator, I think ten years ago, based on screen scraping. So if a standard user gets into the
data of what screen scraping really does, it's kind of scary. So basically they are taking your own banking details, you trust them that they will not use them maliciously, and they're just pulling the transactions really. So this is actually banned inside the EU framework, and some other frameworks will likely ban this type of approach and will actually propose the API-based approach, of course. So this will also involve a new wave of FinTech and the banks, I think, that are trying to fight off, because it happened there was a manifesto around leaving screen scraping as an open technology to share data, will just wither and die, my opinion.

So drawing some parallelism: so what happened in the telco world? So in the last 20 years there was a lot of regulation about openness in the telco world as well, and especially in Europe there was this concept of mobile number portability, so we started being able to port our numbers between operators. And there was a research, you can see here the result: this basically brought to the end customer savings and in general benefits. So what this really implies is the fact that if a bank is just relying on offering a vanilla service without any additional feature, anything that will really entice the end customer, it's gonna lose the customer, and it's gonna lose the customer at an even faster rate than before.

But there's also, I would say, still a positive side for those banks that may be behind and will start their journey just now. So even though most of the end users, especially the young ones, would be willing to bank with the likes of Amazon and Google, most of you will not really, maybe even after the recent news around the Facebook breach, share all their data with such type of players. So most of us in terms of end users, we still trust the banks with our transaction and payment data more than any other sector. So in this sense the banks, as traditional banking, still stand for trust, so
we still have a high level of trust in the way that they manage our account and they kind of protect the money that's been really stored there. They also have scale: even though Ripple and the likes are trying to publish themselves as the fastest network, they still have a scale that's not really comparable to any new technology in this sense. And finally they have what you call magic, so basically at the same time they're taking your money and they're making it appear in several different customer accounts, loaning it to several customers at the same time, and this is something that even with new technology doesn't apply really. So the moment you complete a blockchain transaction, well, that money is really gone, it's officially gone.

So that was my overview of what's gonna happen to banking given PSD2 and open banking regulation, and I just wanted to conclude with three short quotes that I think are relevant to this type of discussion.

So the first one is that banks are not really disrupted by new technologies, new technology has been there for a while now, so banks are really disrupted by the expectations of the customer. So the customer who is optimizing his trip with Uber, or optimizing his shopping with Amazon, is also thinking about optimizing banking, why not? So banks should be really aware of putting the customer at the center of it.

This is another quote which is quite famous, and the important thing here is that this is not a recent quote, it's a quote from the 90s, and the fact is that for most of the functionality for which we use banks, we're just interested in the functionality, we're not interested in the paraphernalia that comes along with it.

And then finally this is to put the accent back on security. So we're possibly not gonna be really confident about the fact of sharing my account details with a platform like Instagram, because we expect more security of course on transactions and accounts than we expect on selfies. Thank you, thank
you [Applause]

