As FIs ready APIs for PSD2, they face a delicate balancing act. Nadya Hijazi — HSBC’s global head of digital, global liquidity, cash management and business banking — offers new insight on how FIs are designing API strategies that are robust enough to keep developers interested, but secure enough to keep the consumer’s trust.
PSD2 will become fully effective this September, bringing sweeping changes to Europe’s financial scene. Small businesses, major corporations, FIs and TPPs will all see their relationships change as the new regulation requires banks to allow third parties to leverage what was once carefully guarded data — so long as customers are willing. TPPs will then be able to create apps and other services that draw on banks’ data, meaning corporates and consumers may no longer regard banks as their primary sources for financial tools.
Banks and TPPs will need to make these changes work for them if they want to remain relevant. That means being compliant and ensuring that account holders can trust them with their data, as their partnerships unlock many more services for customers than are typically offered by banks alone.
If financial institutions (FIs) cannot provide TPPs with the right APIs in an easily accessible manner, however, consumers may struggle to make sense of clunky, difficult-to-use services. Even worse, they may be left fearing that their data is at a greater risk of cyberattack.
The stakes are high, and FIs dedicatedly prepared for the March 14 deadline by which they had to provide a testing environment for developers. This gives them slightly more than six months to work with these firms and troubleshoot their portals.
HSBC is among the FIs that launched PSD2-ready developer portals this month, and PYMNTS recently caught up with Nadya Hijazi, the FI’s global head of global liquidity and cash management digital, to discuss what it took to design the product and how to satisfy both TPPs and corporate account holders.
“The portal is at a place where we’re able to bring together the different propositions we’ve got aimed at our own customers and also the wider developer community,” Hijazi said. “As developers come in and start to use it, and as customers start to understand their own use cases around it, we’re hoping to develop this as a one- stop shop where they can come in and understand what [HSBC] can provide and how we can help.”
Meeting SMB, Treasury and eCommerce Needs
HSBC focused on catering to its customers’ day-to-day needs when determining which APIs to offer. It looked at which services were most frequently accessed through its online banking platform, finding — perhaps unsurprisingly — that top uses included customers checking their account balances, statements or transactions and making bill or supplier payments. As such, many of the APIs initially offered focused on those key areas, although Hijazi expects those supporting lending, onboarding and even know-your-customer (KYC) processes might be added as end users grow more accustomed to API-enabled TPP services.
“Nearly every banking service that’s provided will eventually be available through an API experience,” she predicted. “This is just the beginning. It will continue to extend and become as broad and wide as you’d see in internet banking in terms of range and scope of the services that will be delivered via an API.”
FIs’ APIs could be leveraged to help small and medium-sized businesses (SMBs) manage their finances, too, offering tools that could tap into information from various banks to provide more in-depth cash flow analyses. Other emerging SMB supports might help firms more efficiently manage supplier and employee payments via app, largely by integrating payroll or accounting software packages with their account information.
“APIs underpin the [services] by providing the [third-party] data enablers and payment enablers to bring these propositions to life,” Hijazi said.
The solutions could also help provide real-time information to larger corporations’ treasury departments about bank transactions’ statuses, she added. TPPs could use banking APIs to help eCommerce companies accept end-customers’ payments in real time, for example.
Catering to the TPP
Another major concern was how to support developers’ needs to quickly leverage APIs and enable frictionless services. HSBC consulted with its developers in preparation for its portal’s launch, then tested with partner TPPs. It offered feedback-based supports, including sample code snippets to guide them through authentication flows as well as other features to help them get up and running quickly.
Achieving this meant creating a smooth transfer of customer data between developer and TPP systems, Hijazi said, while also ensuring the process was secure and did not provide opportunities for cybercriminals.
“Third parties want to make sure they have [experiences that are as frictionless] as possible on their websites, because they know if they create any friction in their payment journeys they tend to have a lot of customers dropping out,” she explained. “We’re very keen to support that, but also very keen to make sure we are able to manage the risks around the transaction for the customer. [We want to ensure] that the customer isn’t vulnerable to any fraudulent attempt because of the handover from one system to the other.”
HSBC believes security must always be top of mind, Hijazi emphasized, and that it will also be what makes or breaks these offerings.
“For people to want to use [financial services APIs] widely, they have to be comfortable that they are safe in that environment, from a data protection, data loss, cyber, man-in-the-middle [perspective],” Hijazi said. “We don’t want to invest a lot of money in this — and time — and then get to September and not have a huge uptake of customers using it or wanting to use it because we haven’t been able to help them understand how we’re protecting them in this new environment.”
FIs have a lot to get in place as they prepare for PSD2’s full implementation in September, but the recently launched developer portals will help them refine their offerings and smooth pain points in advance. In the meantime, they appear to be doing their best to lay the groundwork for helpful, secure, API-enabled third-party services.
“At end of day, we see this as a great opportunity for everyone, and we are pretty excited to see how this will evolve over time,” Hijazi said.