As open banking comes into force at the beginning of 2018, the UK's banks are racing to build and deploy robust application programming interfaces (APIs) for the first time.
HSBC was the first to publish an open banking API last month, and it has already built a new mobile banking app to test out some of the features open banking promises to bring.
Computerworld UK sat down with David Knott, chief architect at HSBC, to talk about the technical work that has gone into the "API-ification" of the bank ahead of the open banking regulations coming into force.
An API, in short, allows one piece of software to 'talk' to another piece of software. APIs generally facilitate real-time applications.
This is useful in banking in a number of known, and as yet unknown, ways. One example is an API that connects your bank account to a mobile app to facilitate real-time categorisation of transactions, giving customers a better view of their finances than previously allowed by traditional banking apps that had to wait to sync up with old legacy systems.
Knott categorises the work HSBC is doing into two parts: what he calls "the plumbing" and the value-added services the bank can start to offer customers once this is in place.
He describes the 'plumbing' as: "Making sure we have the connectivity to backend systems with APIs that meet our standards. While that is work, a lot of that is building on the general API-ification of the bank we are undertaking anyway to pursue our digital transformation agenda."
Open banking has imposed some additional requirements, such as authenticating the third parties that are interacting with the bank. HSBC is using specialist identity management software vendor ForgeRock for this, using the platform as its underlying directory for customers' digital identities and the third parties connecting to their APIs.
It's this area that still gives Knott, and others in the industry, pause for thought. "There is one thing that we need to make sure as we move towards the implementation of open banking, and I mean we as an industry, is make sure that the accreditation and authentication of the third parties that are going to turn up and participate in this ecosystem are rock solid.
"We have to pay attention as we are going to be exposing APIs, which means we are sharing our trust with those people, so we need to ensure that all of the companies that are turning up are worthy of that trust."
Then there is what Knott considers the more interesting part, namely what the bank can start to offer customers once this plumbing is in place.
"We must have a rock-solid and secure set of APIs and we won't launch any APIs into the bank where we aren't comfortable about the security," he says. "At the same time, part of the value of this initiative is to try and accelerate innovation and value for customers. So on top of those APIs we will innovate fast."
HSBC announced that it was the first major UK bank to release an aggregator app at the end of September, allowing the selected users of the HSBC Beta app to see all of their accounts on one screen, even if they are with one of 21 rival banks. The 'test and learn' environment is being used to develop a new mobile banking app which it plans to release for customers in early 2018.
Some features of HSBC Beta will be familiar to users of banking apps from more agile fintech startups like Monzo and Bud, the latter of which is already partnering with HSBC.
These features include Safe Balance, which shows customers how much disposable income they have before the next payday, and a Spend Analysis tool, which categorises spending, adds tags, notes and photos to transactions and analyses patterns for more informed financial decision making.
A lot of the thinking around new services for customers at HSBC has been heavily influenced by Richard Thaler's nudge theory. The behavioural economist posits that even in the presence of complete information, people don't tend to act rationally, and that counts for finances. As Knott put it: "We can build people reminders and insights to make better decisions on how they are living their financial lives."
In terms of the technology stack, HSBC is one of the more adventurous banks when it comes to the cloud. That doesn't mean that it is ready to move core account and transaction data to the cloud though.
The backend systems that hold accounts and ledgers are centrally managed and held in two private data centres, and will be "for the foreseeable future" according to Knott.
It's his team's job then to get that data from the backend "through pipes to the frontend" in a secure and robust way.
Knott expects the bank to have to implement this approach across more geographies in the coming years.
"The solution we have used to build the plumbing is replaceable across markets and our expectation is that other regulators will follow suit," he says. "This is a natural evolution of the trend of digital banking to respond to customer expectations, this is just the next phase."
Luckily for Knott: "The underlying plumbing is the same everywhere, the question is whether those regulators will take open banking as a template or will come up with another set of regulations."
The bank already uses Google Cloud for big data analytics and machine learning, Oracle Cloud for ERP and financials, Microsoft Azure for things like Dynamics 365 CRM, and Amazon Web Services to develop and run certain applications. "We see a role to play for each of the major cloud providers," Knott adds.
The bank uses MuleSoft for API management, on-premise for now. "MuleSoft runs in two modes, on-premise and cloud and ours right now is an on-premise deployment," he says. Why did HSBC pick MuleSoft?
"They are offering good API management facilities across both deployment models because we knew we would start on-premise and move to cloud over time," Knott explains.