Retail banks ordered to open up APIs

The Competition and Markets Authority opens up the banking apps market following an investigation into how to create greater competition in banking

The Competition and Markets Authority (CMA) has called on the largest banks in the UK to develop a set of core open application programming interfaces (APIs).

As part of its reforms to banking, the CMA said banks will be required to implement Open Banking by early 2018 to accelerate technological change in the UK retail banking sector.

The new rules follow on from its investigation into retail banking, published in May 2016.

At the time, the CMA noted that the timely development and implementation of an open API banking standard has the greatest potential to transform competition in retail banking markets.

Its Retail banking investigation report stated: “We believe [the standard] would significantly increase competition between banks by making it easier for personal and business customers to compare what is offered by different banks, [as well as] by paving the way to the development of business models offering innovative services to customers.”

Such open banking will enable personal customers and small businesses to share their data securely with other banks and third parties, the CMA said.

The CMA said it wants consumers and small businesses to be able to manage their accounts using a single banking app, rather than running apps from each provider they use.

As well as being able to take more control of their funds (for example, to avoid overdraft charges and manage cashflow), the CMA said the API would allow users to compare products on the basis of their own requirements.

The CMA has also ordered banks to develop tools for their small to medium-sized enterprise (SME) customers to help them select bank loans and see if they are eligible for them.

Some industry commentators believe that creating an open API could lead to new third-party apps and comparison sites emerging.

Nick White, senior vice-president group product at Monitise, said: “The reforms are promising for the future of banking, and getting the basics right and fixing the fundamentals will improve each customer’s banking experience.

“This presents the opportunity more so than ever for banks and fintechs to work together to accelerate technological change in the UK retail banking sector.”

However, sharing confidential banking information and potentially people’s transaction history could enable fraudsters to mimic genuine users.

Winston Bond, Europe, Middle East and Africa technical director at Arxan Technologies, said: “APIs, which are a major cornerstone of the CMA’s plan for banks to share consumer data, can also provide an easy route for attackers if not properly secure. Most APIs use a simple authentication protocol to confirm access to server assets.

“The usual approach is a simple challenge-response exchange that relies on cryptographic keys to keep it secure. If attackers are able to break into the app and decompile its code, they can root out these keys and use them to connect to any authorised system – including the bank’s servers.”
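
The challenge-response exchange Bond describes, as an added example that is not part of the original article or any bank's code. It assumes HMAC-SHA256 (the article names no algorithm); `ChallengeServer`, `respond`, `demo` and the key are hypothetical and constructed for illustration. It shows that the server verifies possession of the key only, so any holder of a key shipped inside the app is indistinguishable from the genuine app.

```python
import hashlib
import hmac
import secrets

# Constructed sample key standing in for a secret compiled into every copy of an app.
EMBEDDED_APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class ChallengeServer:
    """Hypothetical server side of an HMAC challenge-response exchange."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()  # challenges issued and not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is single-use, so a captured response cannot be replayed.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(key: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of the key by MACing the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    server = ChallengeServer(EMBEDDED_APP_KEY)
    results = {}
    c1 = server.issue_challenge()
    r1 = respond(EMBEDDED_APP_KEY, c1)
    results["genuine_app"] = server.verify(c1, r1)
    results["replayed_response"] = server.verify(c1, r1)
    # A different program holding a copy of the same key bytes passes the same check.
    c2 = server.issue_challenge()
    results["other_holder_of_key"] = server.verify(c2, respond(bytes(EMBEDDED_APP_KEY), c2))
    c3 = server.issue_challenge()
    results["wrong_key"] = server.verify(c3, respond(secrets.token_bytes(16), c3))
    return results
```

The nonce defeats replay and a wrong key is rejected, but nothing in the exchange ties the response to a particular user or device, which is why a single key shared across all app installs is the weak point.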
