Mobile apps, connectivity, and banking’s future

Many of the recent speeches out of the Federal Reserve concerning leading-edge developments, from fintech to blockchain to the “gig economy,” have come from Governor Lael Brainard. In late April she gave her latest such speech, “Where Do Banks Fit In The Fintech Stack?,” tracing how much financial services have evolved in a short time and in such unexpected ways. Brainard pointed out how much of the fintech revolution revolves around the iPhone and how even Apple itself had little realization ten years ago where the device’s capabilities would take the market.

“Apple was just trying to design an iPod that made phone calls,” Brainard remarked. Now over 2 million apps of all kinds can be obtained through Apple’s App Store.

Connections are everything in life

Connectivity between financial providers has evolved tremendously and Brainard spent much of the speech discussing the challenges faced by banks in choosing how their customers’ data is accessed and how their own services are accessed today. This was all in the context of what Brainard called “the increasingly interconnected world of financial services.”

The advent of open application programming interfaces (APIs) is one example Brainard cited to illustrate how conditions are changing. On one level, APIs made it possible for developers to tackle projects never imagined by smartphone makers, but made possible by the features of their devices adapted to multiple new uses. In the world of smart devices, 2 + 2 can equal more than 4.

At the same time, the ability of developers to assemble the APIs of other developers into fresh combinations provides a continuing rollout of new concepts that produce new businesses. Ride-sharing services, for example, rely on a succession of APIs to make their usability and convenience practical and possible.

A key point made by Brainard was that financial organizations don’t have a voice, or the only voice, in some aspects of that connectivity. The traditional boundaries between organizations has been eroding through market and technology forces in the U.S. She also reviewed how legislative and regulatory changes in the U.K. and the European Union have been bringing about changes not envisioned yet for the U.S., given different regulatory conditions and philosophies.

What happens after you “disrupt”?

And yet, as Brainard illustrated in her speech, banks and other financial players aren’t bystanders.

“For all of the talk of ‘disruption,’ I want to underscore an important point,” said Brainard, speaking at the Northwestern Kellogg Public-Private Interface Conference On New Developments in Consumer Finance: Research And Practice. “More often than not, there is a banking organization somewhere in the fintech stack. Just as third-party app developers rely on smartphone sensors, processors, and interfaces, fintech developers need banks somewhere in the stack.”

Brainard said banks prove essential for access to consumer accounts or related account data; access to payment systems; credit origination; and compliance management.

What sets banks apart from fintech and smartphone players is the regulatory angle, Brainard said, using a touchstone she has brought up before.

“While ‘run fast and break things’ may be a popular mantra in the technology field,” said Brainard, “it is ill suited to an arena where a serious breach could undermine confidence in the payments system.”

Added Brainard: “Some of the key underpinnings of consumer protection and safety and soundness in the banking world—that consumers should be exceptionally careful in granting account access, that in certain conditions banks could be presumed to bear liability for unauthorized charges, and that banks can be held responsible for ensuring that service providers and vendors do right by their customers—sit uneasily alongside the requisites of openness, connectivity, and data access that enable today’s app ecosystem.”

Community banks and three forms of connectivity

The rapidly evolving technology of apps, APIs, and connectivity presents a special challenge for smaller banks that Brainard devoted a portion of her speech to.

“Clearly, getting these connectivity questions right, including the need to manage the consumer protection risks, is critically important,” said Brainard. “It could make the difference between a world in which the fintech wave helps community banks become the platforms of the future, on the one hand, or, on the other hand, a world in which fintech instead further widens the gulf between community banks and the largest banks.”

The problem is that being small handicaps community banks in multiple ways. Brainard outlined three main connectivity options and their potential impact:

1. APIs. Developing interfaces to allow outside developers access to bank platforms, under controlled conditions.

Brainard noted that banks’ challenges with this approach can go beyond the technical issues of making things work. In a highly regulated industry such as banking, making such connections will be subject to third-party agreements. Those contracts may set differing levels of access to the bank’s system, with accompanying levels of security.

This tends to be a large-bank strategy.

2. Data aggregation. Banks can enter into agreements with specialized firms that act as middlemen.

This can help banks that don’t have the budgets to develop their own APIs or don’t regard them as a key business strategy. Data aggregators obtain consumer financial account data from banks and provide it to fintech developers, with the aggregators’ own APIs. Brainard said many banks had gone this way.

“By partnering with data aggregators, banks can open their systems to thousands of developers, without having to invest in creating and maintaining their own open APIs,” said Brainard. “This also allows fintech developers to build their products around the APIs of two or three data aggregators, rather than 15,000 different banks and other data sources.”

Bankers know of regulators’ concerns with third-party vendors. Brainard said that setting up the arrangement between bank and aggregator as an outsourcing deal would facilitate appropriate due diligence.

Brainard noted that some banks enter into more tightly controlled versions of these arrangements, giving the banks more specific control.

Regarding #1 and #2, Brainard observed that many community banks would find them out of reach, either financially or in terms of their IT arrangements.

3. Screen scraping. This is an old technology. It doesn’t cost banks a thing—they actually aren’t authorizing it—but may be unsatisfactory on multiple levels.

Third parties may receive the authorization of a consumer to obtain their information from financial providers as if they were the consumers themselves. Brainard said that some banks report that as much as 20%-40% of their online banking logins may be from data aggregators.

“They even assert that they have trouble distinguishing whether a computer system that is logging in multiple times a day is a consumer, a data aggregator, or a cyber attack,” she added.

This leaves smaller banks that can’t accommodate consumers wishing to use financial apps through a structured method in a potentially bad place.

“Some fintech firms argue that screen scraping—which has drawn the most complaints about security—may be the most effective tool for the customers of small community banks to access the financial apps they prefer—and thereby necessary to remain competitive until more effective broader industry solutions are developed,” said Brainard.

This, she reflected, may leave banks with some risks.

“Connectivity solutions that require intermediaries such as data aggregators and rely on screen scraping potentially create repositories of consumer credentials for hackers to target,” said Brainard.

The other side of this is the consumer. She warned that “it is not clear the extent to which many consumers understand the risks involved with sharing their banking credentials, the more limited liability accepted by many third-party developers relative to their bank or credit card issuer, and the fact that the third-party developers may in turn provide those credentials to others in some instances.”

Download Governor Brainard's speech