Guides

How Bank APIs Work

How Bank APIs Work

cover

This guide is intended for employees at banks, credit unions, and fintech companies who are interested in investing in APIs. 

Introduction to APIs

If you’re already familiar with what an API is, feel free to skip this section.

The concept of an application programming interface has been around for many decades, but it can still be somewhat hard to understand. To get on the same page, we’ll quickly unpack it here. 

We’re all familiar with digital interfaces made for humans, such as websites and mobile apps. These interfaces take information that might otherwise be unintelligible to most people (such as raw computer code) and turn it into something that most people can easily understand.

Human API Interface

Just as there are interfaces made for humans, there are also interfaces made for programs — application interfaces that communicate between programs. Thus the name: application programming interfaces (APIs). As Daniel Jacobsen, author of APIs: A Strategy Guide, writes, an API is “a way for two computer applications to talk to each other over a network, using a common language they both understand.” In other words, APIs convey a set structure for requests and responses so data can transfer between one application and another.

To take a common analogy, think of a waiter in a restaurant. You make a standard order — “I’ll have the #7 with a side of fries” — and the waiter conveys that exact order to a chef in the kitchen. The chef then cooks the food according to the request, which he gives to the waiter, who responds by giving it back to you. 

Similarly, this process of request and response is at the heart of APIs. For example, an API enables Program A to make a request of Program B and give a response back to Program A, just like a waiter taking an order from customer to kitchen and returning with food. Without a standard for requesting orders and responding with orders, the process wouldn’t work. It would be like going to an Italian restaurant and ordering Japanese food. Chances are, the order wouldn’t work. The same is true with APIs. In order for requests and responses to work, there has to be a shared understanding — a standard method for requesting and responding with data. This is essential to all APIs.

Examples of an API

The process works like this: the API provider sends data to the API consumer, which passes it along to a customer. 

API customer provider

That might still sound abstract, so let’s turn to an example. If you’ve ever used an app or a website with an embedded map — Uber or Find an ATM, etc. — you’ve used an API. The people who made these apps likely couldn’t afford to re-create the efforts of companies like Google in mapping the entire world, so they instead connected to map services that exist already via an API. 

When you use Uber, for instance, the app sends a request to Google Maps to show you and the driver where you are. This way you don’t have to have the Uber app open and the Google Maps app open — and Uber is able to automatically calculate the cost of the ride. Uber has paid Google millions for this ability. (It’s also worth noting that Uber has APIs of their own, which enable third party developers to integrate Uber’s features into their apps.)

One more example: APIs from Expedia enable travel and hotel companies to be aggregated and listed on their site so that customers can make bookings via Expedia for those companies. Customers find the aggregated view helpful, so they don’t have to go to half a dozen websites to compare options. Travel companies find it essential because they’d lose out on potential revenue by not being featured on Expedia. And Expedia takes a cut of the profit.

There are countless other examples, including APIs from Facebook, Twitter, YouTube, DocuSign, Salesforce (which offered the world’s first Web API in the year 2000). In fact, there are already estimates of 200 million active APIs available worldwide — a number that is quickly growing. 

Growth in web APIs since 2005

Source: ProgrammableWeb

It’s worth noting that while APIs have been around in many forms for decades, today most people refer to web APIs when they talk about APIs. 

Why are Web APIs so Universal Today?

There are a few reasons:

  • They enable programmers to use what others have already created and then build on it.
  • They connect otherwise separate technologies. As each day brings a new slew of apps, consumers can feel overwhelmed. Since APIs connect software, they help to make the situation more manageable.
  • They allow for speed in experimentation and innovation. What happens if you combine a number of web APIs in a single app? What’s possible in the future?

All of these benefits are core to bank APIs as well.

Types of Web APIs in Banking

With tens of thousands of fintech companies and banks around the world, the financial services industry is fragmented. There’s a near limitless combination of services in the space, which can feel overwhelming. This is one reason why web APIs are increasingly standard.

While the banking industry has widely used APIs for decades, web APIs are a more recent trend. All of the largest banks in the United States have implemented them, 53% of credit unions have, and 21% of community banks have, according to research from Cornerstone Advisors.

API Deployment Plans

Source: Cornerstone Advisors

There are two primary types of web APIs in banking:

  1. Private APIs, which link internal programs to other internal programs or internal programs to external programs via a paid partnership.
  2. Public APIs, which link internal programs to external programs via open standards and open data, with relatively few restrictions.

Private APIs

Internal

Anyone who’s worked in banking knows that data silos can be a monumental problem. In too many cases, business units and teams are separate from each other. This can result in a frustrating experience down the line for the customer, who might feel bewildered at the fact that certain units and teams seem completely disconnected from each other. 

Internal APIs can solve this problem by creating connections between units and teams. In this way, employees enjoy a more cohesive experience. These APIs can also make things easier for customers when it comes to viewing their mortgage, credit card, and other financial information through a single web portal.

Internal APIs enable banks, credit unions, and fintechs to choose how they want to use their data and services. The challenge is that internal APIs are often provided by different systems that, depending on the maturity of the institution, may or may not be centralized into a single API gateway. Not using a centralized gateway leads to low adoption of internal APIs across an organization as well as continued siloing of data and services. (More on that later in this guide.)

Partner

Partner APIs allow collaboration within banks and fintechs, or across organizations. By teaming up via an API, partnered organizations enjoy improved security, increased speed, reduced partner costs, and more. If done correctly, partner APIs end up creating a better experience for everyone involved: customers, financial institutions, and fintechs. In all of these cases, partner APIs enable players in financial services to do more together than they could do alone. 

Public APIs

Public APIs allow anyone to use them, though the consumer of the API may need to accept certain terms and conditions to gain access. In addition, the API provider may offer additional services, such as hosting, for a cost.

Public APIs also follow open standards and specifications. For instance, the Financial Data Exchange (FDX) standard can help replace screen scraping as a preferred aggregation method by using OAuth tokens, which a consumer generates on the financial platform and provides to the data aggregators and data intermediaries. These tokens are then passed via an API using FDX standards to gain access to a consumer's financial data. This enables data aggregators and data intermediaries to obtain consumers’ financial data from a financial platform provider.

Whatever the specifics of the process, public APIs are increasingly essential for financial services companies. As Scarlett Sieber, Managing Director and Chief Strategy & Innovation Officer at CCG Catalyst Consulting Group, writes, “For financial institutions to become truly engaged with fintech companies, an API strategy is required and it is best to have a proactive approach and strategy to open banking to differentiate from the competition.” In short, getting clear about public APIs is key to staying competitive.

Open Banking Terms & Definitions

There are several more key terms when it comes to bank APIs, including Open Banking, Open Finance, embedded finance, and banking as a service. We will cover the definitions below, but you can read more about open banking and open finance.

Open Banking is the structured and secure consumer-permissioned sharing of data via open banking APIs between financial service providers. The definition of Open Banking varies slightly from country to country, but it generally refers to using open APIs to share data between financial institutions and third parties.

Open Finance extends open banking to include customer data access for a range of services beyond the banking industry, including retail shops, hotels, airlines, car apps, and much more. A different term for this expansion is embedded finance, which highlights how APIs make the money experience omnipresent.

Another way to frame these concepts is banking as a service (BaaS). Just as software as a service (SaaS) allows people to use applications via the cloud instead of buying software and installing it on their computers, banking as a service is a plug-and-play model that lets financial services companies, retail companies, and consumers pick and choose which aspects of open finance they want to use. 

Open banking, open finance, embedded finance, and banking as a service allow for an unprecedented level of experimentation in product development across the financial services industry. 

It’s all driven by APIs. Want to learn more about how Open Banking works? Read the Ultimate Guide to Open Banking.

Benefits of Bank APIs

New Customer Insights and Revenue Streams

Put simply, APIs are the future of banking. As Vincent Bastid, Secretary General at Efma says, “The most successful banks will use open APIs to generate new customer insights and revenue streams, while also improving customer experience. Many banks currently use APIs internally to improve information flow between legacy systems. In fact, we are already seeing early adopter banks asserting their role in Open Banking by proactively making their systems and data available to third parties and creating new revenue streams.”

Allow for Greater Innovation and Experimentation

In a similar vein, banks and fintechs offer open APIs because they seek secure industry standards that allow for greater innovation and experimentation. Bradley Leimer, co-founder at Unconventional Ventures, writes that “the real prize in open banking is where bank APIs help banking fall to the background to people's everyday lives.” 

We see this around the world, particularly in China. Alipay from Ant Financial, for instance, is an amazing example of this. With more than a billion users and over 1,500 APIs, Alipay enables paying via scanning a QR code, investing in money market accounts, integrations with Stripe, personalized recommendations, incentive schemes for vendors, and much more. Ant Financial Chief Executive Officer Simon Hu says, “Building a one-stop digital lifestyle platform not only creates immense value for our users. It will also play an essential role in accelerating the digital transformation of the service industry and unlocking more growth opportunities.” 

WeChat Pay from Tencent Holdings mirrors this vision as well as many of these innovations. Innovations include the ability to skip checkout lines, shop via their phone in native languages while in other countries, consolidate rewards points across venues, unify the payment experience via the web and store, and much more. Like Alipay, WeChat Pay aims to be a one-stop platform.

As Jim Marous, editor at The Financial Brand, asks, “Why shouldn’t my bank combine my shopping, my travel, my hospitality — all the different components of my life — as it has all my overarching financial data to get me from point A to point B?” That’s what’s possible with Open Finance.

In the United States, FDX gives a range of examples of what Open Finance makes possible. Examples include:

  • Pre-filling tax forms
  • Aggregating accounts for PFM
  • Replacing physical documents with instant access to digital data for the lending process
  • Moving money
  • Automating the auditing process
  • Flagging fraudulent activity

Flexible Solutions for Customers

In addition, Apex Clearinghouse has changed the nature of investments in the United States via their suite of APIs and open developer portal. They enable financial institutions and fintechs to improve the relationship with their customers without forcing them to do it their way. They give a set of customizable tools and then let organizations and their customers work with those tools to design their own solutions. They position themselves directly against closed systems, saying that “closed systems attempt to own the end customer and control the intermediary,” and that they “dictate versus facilitate, with legacy systems built on legacy technology driven by legacy thinking.”

A Journey toward Open Finance with Bank APIs

Each of these examples showcases the range of what’s possible with open finance, as well as the urgency. If you aren’t set up to offer these services or integrate into the one-stop platform of the future, you risk becoming irrelevant.

Keep in mind that customer-permissioned data sharing via open banking is bi-directional, meaning that financial institutions and fintech companies receive data from the sources they connect with via API. This sets them up to use that data in creative ways to best serve their customers. 

To further understand these benefits, consider your own financial life. You likely have a combination of credit cards, debit cards, insurance products, retirement accounts, and more — all with multiple financial institutions and fintech companies. There’s a lot going on. Open Finance makes it easier to securely enjoy a single view of your accounts and even make direct payments from these accounts. 

Open Finance also lets you choose services from a wide competitive set and easily try out new financial products. You can link bank accounts to loyalty programs, share data with accountants and advisors, speed up the loan process by automatically and safely transferring data into application forms, and more. 

Open Finance tears down data silos by providing financial services companies with insights into held-away accounts and enabling data sharing across departments. It also helps create a unified approach to digital identity management and reduces data resale and data exhaust issues. 

Finally, Open Finance brings added security by replacing sharing credentials (such as username and password) with anonymized, single-use digital tokens. This means that bad actors can’t access the personal information of end users during a transaction. Tokens de-identify user data, greatly increasing the chances that personal data will not be subject to risk.

Want to learn more about how Open Finance? Read the Ultimate Guide to Open Finance.

Open API standards

With open finance, customers must give consent and permissions before their data is shared. These permissions are set on a case-by-case basis by the customer, so each customer chooses what they do and don’t want people to see. For example, customers setting up a budgeting app can grant permission to share a particular subset of data rather than share everything.

In addition, Celent shows three tiers of opportunities for banks and fintechs when it comes to Open Finance:

F83f3209 9e99 4cc7 80a8 9be777fdf285.jpg

  1. Immediate opportunities, including account aggregation and product switching.
  2. More specialized and complex services including better guidance on building financial strength.
  3. New models, including AI-driven financial services, such as personalized financial automation.

In short, Open Finance lays the foundation for the future of banking. The longer that financial services companies wait to move on it, the further behind they’ll fall on a range of fronts.

Bank API Use Cases from Financial Institutions

Let’s explore a variety of use cases, starting with APIs offered from financial institutions.

As late co-founder and CTO at MX, Brandon Dewitt, postulated, the number of financial institutions offering an open banking portal will likely climb from around 20 to more than 200 a year from now. Why? Because most of the biggest brands in the industry have already started implementing these portals and because many other financial institutions tend to be fast followers. “With many smaller community institutions I’ve spoken with this is certainly on their horizon,” Dewitt stated. “I believe that Open Banking is a major part of the future of serving their community as these communities become technically more proficient.”

Which institutions are leading the way on this front? Here are a few:

Citi

Citi’s Developer Hub enables developers from various digital companies to connect to Citi via API. Notably, Intuit uses this connection to authorize data sharing with Quickbooks and Mint, Quantas uses it for their credit card offerings, and SingSaver uses it for instant account verification with Citi cards. The offerings in the developer hub vary by country, but Citi allows account aggregation, access to transaction data, authorization, and reward information in many places. By creating this developer hub, Citi is positioning itself for flexibility and stronger connections for their customers who use third-party apps.  

CITI Developer Hub

Citi’s Account API returns a wide range of account data, including data on checking accounts, as shown here.

Capital One's DevExchange

Capital One launched DevExchange with the motto, “Use our stuff to build your stuff.” Capital One offers the ability to verify identity and move money via API calls. It also lets third parties connect customers with a view of their Capital One accounts and transactions via tokens rather than credentials. In addition, it gives third parties the ability to create accounts with Capital One directly within these third-party products. Use cases include integrating wedding registries with a Capital One account and opening a savings account directly within a money management app. 

Capital One API

Capital One gives businesses the option to use customer data held with Capital One to enroll customers in their service.

These examples from financial institutions represent the cutting edge in the United States. These forward-thinking companies are wisely anticipating the adoption of open finance and are preparing accordingly.

Bank API Use Cases From Fintechs

The use cases for partner APIs are myriad. Here are a few that could potentially be partner APIs or public APIs, depending on how things are rolled out. In every case, they amplify the banking ecosystem, setting it up to benefit consumers in a variety of industries.

Account Aggregation 

Currently, many aggregators are using screen scraping to bring financial accounts into a single view. This comes with many problems, the biggest of which is that these connections have to be continually updated as organizations update their websites and portals. In addition, screen scraping requires passing credentials (username and password), which can put a customers’ security at risk unless careful security protocols are in place. 

By partnering to create an official API connection, financial services companies can ensure that their customers no longer have to resubmit their credentials when the connection breaks. This is especially important for aggregators that don’t use multi-sourced aggregation, which enables deficient connections to be re-routed. As late co-founder and CTO at MX, Brandon Dewitt, said, “The only reason that fintechs screen scrape is because it is the only path for them to get to that data. Once you offer a more reliable, more secure and faster path, I think they’ll abandon it overnight.”

One potential downside here is that certain organizations might not open up all the necessary fields for data consumption via an API. That said, as long as partners are willing to recognize that the data belongs to the customer and that the customer should be able to access it as they want, these API partnerships are ideal in essentially every way.

This is why leading organizations are choosing the route of transitioning from screen scraping to white-listed APIs to owned API connections, which represents the future of account aggregation.

67e25c27 7b1c 4b82 87b5 Ccb87e1b3553.jpg

Instant Account Verification

Instant account verification (also sometimes called auth, authentication, and ACH account verification) replaces micro deposits as a way to verify an account. Micro deposits are a high cost verification method with high abandonment rates. 

Instant account verification (IAV) simplifies the movement of money from a held away account to a held account.
 Whereas a micro deposit requires four transfers (two into the account and two out of the account) at a price around 25 cents each, instant account verification simply verifies via an API call that returns the routing transit number and account number. 

This is closely related to identity verification (also sometimes called identity, account owner verification, and verification), which collects data on an account holder to verify they are the owner of the account. Most providers in the industry recommend having the user enter data and then comparing the data entered to data that has been aggregated to verify they are the account owner. A successful identity verification API call will return the first and last name of the account holder as well as address(es), phone(s), email(s) and/or date of birth if available.

Using these APIs brings enormous cost savings, while giving the added benefit of enhanced security and ease of use, resulting in lower abandonment rates.

13826874 Eb7b 48eb Ab96 7766f1fdee16.jpg

Using APIs to verify identification.

Integration Platform

An API-driven approach to integration enables financial organizations to grow into the future. 

Today, far too many financial services companies are tied to dated core banking products that aren’t innovative and ultimately hold institutions back. With this reimagined approach, financial organizations can seamlessly transition from core banking products to the products of the future. 

This approach is also focused on broader banking services, as well as internal accounts — particularly integrations that focus on orchestrating user, account, transaction, money movement, profile updates, bill payment, A2A, and other bank services for digital banking UX and other external system consumption. 

Above all, this approach puts a stop to vendor lock-in. Instead of putting an entire app in maintenance mode while you transition from one solution to another, you can “cordon off” a subsection of the app or even a subsection of the experience in maintenance mode, and keep the rest of the app still working as customers might expect. You can then transition not only between providers, but also between versions from the same provider. In this way you enjoy freedom from vendor lock-in, keeping you connected to enhanced product functionality and allowing you to continuously innovate to meet customer needs. You can unlock your customer data with a single quick-access API, provide the engine to power a more innovative mobile application, and expand platform availability by allowing user experience data to be exported via a single connection.

Data Enhancement 

Consumers often feel frustrated with unclear transcription descriptions. In a survey of 1,000 U.S. consumers, we found that 71% say they experience this frustration at least yearly and 17% say they experience it at least once a month.

Bank transaction data

Source: MX Research Survey of 1,000+ random US consumers

This frustration results in complaints to your call center and a negative perception of your brand. After all, when your users can’t understand a transaction description, they don’t get upset with the vendor or the card provider. They get upset with you. They dial in to your call center and drain your employee’s time. You can prevent this problem by cleaning all descriptions.

Fixing this problem brings major cost savings. In fact, when BECU introduced data enhancement into their mobile app, the credit union’s contact center experienced a steep reduction in telephone volume — from 8.8% total call volume growth in year one to 1.5% in year three as more and more people used the enhanced mobile app. 

In addition to wanting clean descriptions, your users are looking for help with their finances. They don’t want to spend all their time tracking their spending habits. By adding automatic categorization to your transaction feeds, you help these account holders better manage their money while improving user loyalty and driving revenue growth.

Enhancing transactions this way sets the right foundation for not only a better mobile experience but also for whatever the future may bring. For instance, if you want to offer voice-assistance or AI-enabled features, you need clean data since those features are useless without it. As Ron Shevlin, Managing Director of Fintech Research at Cornerstone Advisors, asks, “If you don't have good data and analytics capabilities, what good will an AI-first strategy do?” You have to lay the right foundation with data before you start dreaming of an advanced user experience.

Open Banking Portal

Open banking portal

An example of an open banking portal.

An organization might create a portal using APIs to showcase banking services, similar to how Expedia is a portal for customers to find deals on airlines and hotels in a single place. With banking, clients and customers can log in and see all their financial connections together, along with the ability to share or not share information with each connection. In this way you and your customers can easily choose who can and cannot access your data.

This also opens up the possibility for customers to quickly see which financial services companies — traditional financial institutions or fintechs — have the best offers on banking products and quickly make the switch to use those products, just like Expedia. 

Using APIs to aggregate consumer data

Using APIs to aggregate consumer data.

And this is where Open Finance becomes an absolute game changer. When consumers can log in to a portal and see everything at once, they suddenly have the power. They are no longer tied to an institution or a business simply because they’ve been a customer for years and don’t want to deal with the hassle of switching. They’ll simply switch. 

This change means that players in financial services can’t afford to be complacent. As Jim Marous says, “In the past, financial services asked for data, and used it for their own purposes to save them money. Now, banks must use our data to truly benefit us, to stay competitive.”

All of this hinges on your ability to offer the right API, which brings up an urgent question: 

How do you choose the right one?

Choosing the Right API

When choosing an API, you must consider two audiences: developers and customers. Developers should find the API easy to use. Customers should find the API secure and useful.

There are many things to consider when choosing an API, including protocols, documentation, and security.

Three API Protocols

Look for the ability to choose among three protocols.

  1. Real-time Protocol: A push protocol that’s sent at least hourly and places the timing of requests in API consumer’s control. The advantages are that transactions can be passed individually before the user logs in, which is optimal for the user, and the partner can push data whenever they get it (daily, hourly, immediately, etc.). The key challenge is that a partner generally must reconcile transactions — especially pending transactions — on their own.
  2. On-Demand: A pull protocol that places the timing of requests in the API provider’s control. The advantages of this approach are that it’s relatively easy for the partner to code to, that it’s stateless, and that it includes reconciliation such as ending transactions and changed/cancelled transactions within the timeframe of the pull. The challenges are that it can put a load on the partner’s system because of the frequent requests.
  3. Batch: A push protocol that works as an alternative to real time. It’s meant for large volumes of data, and it works as the API receiver uploads the file and the API provider receives it. The advantages are that it’s easier for some clients to integrate to since the process consists of passing of files rather than using API connections. In addition, in some cases, organizations might have no other option. The downsides are that batch processing is slower from a performance standpoint than real time, it does not allow for pending transaction reconciliation, and it is not scaled as well as other services.

In all cases, you’ll want an API partner that exhibits flexibility when it comes to protocols so you can be sure they’ll be able to grow along with your needs.

Documentation

Traditional organizations often use an outdated method for documentation that requires followup interviews with engineers each time they update something in the code. This method creates a gap between when code hits production and when it gets documented, leading to errors and needless rework.

That’s why you want APIs that use documentation that’s as close to the code as possible — also known as the docs-as-code approach. The docs-as-code approach means treating documentation similar to how developers treat code and using the same tools to capture changes.

This requires organizations to closely align coders and tech writers, which results in faster innovation and cleaner documentation.

Security

Bank security has seen major shifts over the past decade. In 2010, the industry was still unsure about the place of mobile in banking. By 2020, it was clear that mobile was the future. Likewise, in 2010, the industry was generally wary of cloud computing, while today more and more leaders in banking and fintech are choosing to use the cloud. In addition, there’s been a surge of advanced persistent threat (APT) groups that were only theoretical ten years ago.

How to Be Secure

  • Partner with fintech companies that have a view at a level above banks, so they can help you see where you might be targeted.
  • Implement identity-centric security measures that track not just your employees but also your customers, your technology assets, your services, and your connections.
  • Use threat-based security. The truth is that you won’t be able to secure yourself against every possible threat — but luckily, not everyone is after you. So invest where you know your adversary is, paying particular attention to any organizations that indicate they’re stuffing credentials, aiming to compromise business email, etc.
  • Bake security into software development and tech partnerships. Find risk advocates. 
  • Use the OAuth 2.0 standard. This gives customers the ability to see how their data is being accessed. 
  • Exceed the standards for PCI compliance. PCI compliance requires that every year you transition your API and encryption keys. This is a smart start, but it’s even more effective if you can transition your API and encryption keys with zero downtime fashion to swap it out in an atomic fashion without causing any impact to maintenance.

Above all, you want partnerships that have bank-level security. Anything less than that shouldn’t be up for consideration.

Conclusion

In an era with tens of thousands of financial institutions and fintech companies, the financial services industry can feel fragmented and disjointed. Bank APIs work to reduce friction and create a better money experience for everyone. In this way, bank APIs represent the future of banking.