Fintech sandboxes: bring your own sand
As institutions, the banks have been around for a long time. That may be why, set in their traditional ways, they have missed many of the benefits from widespread digital innovation in the financial services industry. The world is changing around big financial services organisations. The ones that adapt will be the ones who survive and flourish.
What exactly is pushing banks to adapt? Surprisingly, it is their own customers. Having enjoyed seamless ecosystems of modern integrated cross-platform solutions focused solely on customer experience (e.g. Apple, Uber etc), customers now expect a similar experience from all service providers, including financial institutions.
The pressure to “do something”
The pressure for financial institutions to play more actively in the digital space comes from many constituencies:
- Customers (retail and business alike) demand seamless experience, faster turnaround of financial transactions, digital access and transparency.
- Application developers are looking to build next generation financial services apps using an API-based (preferably standardised) services stack, and to get away from unreliable and often unsupported practices of information gathering (e.g. “screen scraping” or “HTML harvesting”).
- Regulatory bodies in Europe are pushing ahead with PSD2 and GDPR regulations, while the Americas and Asia are lagging. These unaligned regulatory demands force global financial institutions to quickly implement new services required for various compliance jurisdictions, which interferes with overall digital strategy.
- Banks themselves are pushing ahead with various initiatives balancing their current digital capabilities against customer demands and competitors’ progress.
Desperate to do something, many financial institutions have launched innovation programs and created development portals in order to attract outside talent for the creation of new value-added services. Almost every major bank now has an innovation lab and a development portal. Surprisingly, this vibrant variety is exactly the problem.
The electrical plug dilemma
If you travel around the world for business or pleasure, you probably have a little bag of various electrical plug adapters. Countries and continents failed to agree how electricity should be delivered to consumers. The same is currently the case with access to banking services and the development of exciting new digital products. As a result, the banking industry is beset by a number of unfavourable conditions.
Taxing Isolation: Adhering to their traditional approach, financial institutions first attempted to solve the innovation problem alone. The result is a variety of developer portal solutions, similar in principle, but mostly incompatible with each other from the standpoint of services offered and access given to developers. Each bank’s developer portal (if they have one at all) requires separate registration, defines its own scope of services available, maintains its own application programming interfaces (APIs), and provides limited or no access to the test data, which is mostly required to be created by the developers themselves.
Standards: The situation with standards is dire. While every bank portal supports standard frameworks for digital access to information developed collaboratively by the internet community (RESTful APIs, Swagger API definitions, XML and JSON data structures, secure connectivity via HTTPS, OAuth-based authentication etc), the standards for actual financial transactions are not consistently implemented (e.g. OAuth based authentication is implemented inconsistently across the banks, metadata definitions are not the same etc).
Even worse, these standards are sometimes not implemented at all or simply do not exist (e.g. access to account transactions, payment initiation, loan initiation and servicing, consent management etc). Additionally, the lack of technical standardisation requirements in regulations like PSD2 does not help with the situation. Various groups are pushing towards common standards (ISO, STET, Berlin etc), but a common set of standards is still to emerge and be agreed upon.
Interoperability: Resulting from this lack of common standards, various development portals and bank APIs are not interoperable. Technically, every system can connect to each other and exchange information. Functionally, they don’t understand each other’s data because of different metadata definitions; they do not provide the same services, with some providing payment transactions for one account only, some for multiple accounts; and they do not follow the same workflows, as illustrated by the varied number of API calls required for achieving the same result.
Representative test data: Even within the boundaries of one development portal, banks are unable to provide developers with representative test data to simulate business transactions and test applications. Cross-bank test data simply do not exist, which significantly limits developers’ ability to create applications that are usable industry-wide. The problem exists on multiple levels – from the lack of standard test metadata definition, to the inability to provide test data based on real life business use cases using obfuscated production transactional data.
The Yin and Yang of fintech innovation
Banks find themselves in a vicious cycle of unrealised innovation potential. Banks realise that the majority of new products and services will come from the outside digital development community, yet attracting outside talent requires an upfront investment and a forward investment business case.
This shouldn’t be the case. The digital development community is looking for ways to develop industry-wide applications that enable seamless customer experiences across organisations, while financial institutions are looking for justification to invest in functionally-standardised, flexible, interoperable and data-rich development environments to attract outside development talent.
If enabled at the basic functional level, the banks could expand their services beyond just financial transactions and into the realms of monetisable data analytics and customer network services. This will unlock products and services such as matching merchant services with retail customer demands, providing instant lending services, netting payment transactions among merchants to free up otherwise committed funds, and optimising merchant cash flows based on payment pattern analysis. The key is establishing a framework that allows outside developers to build consumer friendly applications on top of those value-added API-enabled services.
How to get to the “promised land” sandbox?
A fintech sandbox is, simply put, a set of conditions that help fintech entrepreneurs create great products for participating institutions. Now put yourself in the shoes (or flip-flops) of the fintech application developer. What would the ideal sandbox look like?
- One portal. Having one portal would allow you to register and log in to a standalone sandbox environment, thereby allowing access to all the tools necessary to interact with multiple financial institutions seamlessly.
- One set of APIs. Your application should be calling the same consistent API to perform a consistent set of business transactions across various banks.
- Fewer data standards. A well-oiled sandbox should only have a handful of well-defined and agreed upon data standards for all functional transactions in scope. In a perfect ecosystem, a single set of data standards would govern all participants.
- Consistent security, user and consent management. Imagine a straightforward procedure to authorize your app and for users to perform services across financial institutions, while also providing a consistent experience (i.e. a “look and feel”) for obtaining and managing consent to perform financial transactions.
- Representative, live test data. An ideal sandbox would have flexible test data options available to the developer: from uploading your own test data to using realistic test data provided by the banks. It is extremely important for application developers that test data are representative of real production data and reflect actual customer journeys across many life and business scenarios. Such data enable applications to be extensively tested and seamlessly transitioned to production environments.
- Regulatory support. An ideal sandbox would have the necessary tools to perform registration, verification, and certification with respective regulatory bodies, making the app ready for deployment without delays.
- Seamless production deployment. All the above advantages would not matter if a developer cannot deploy the app using production APIs of the participating financial organisations. In the ideal portal world, target production APIs would work exactly the same way as the test ones; switchover to production would be as simple as changing the API base URL; and the registration/certification process would be easy, straightforward and required only once for all the participating banks.
Building an environment that satisfies all the characteristics of an ideal sandbox is not a trivial task. It requires allocation of funds and other resources which banks have already committed to other projects and services.
Considering the current environment, such a sandbox is unlikely to emerge from one financial institution. It requires a coordinated effort of many banks to create a universal sandbox, made widely available for the development community and other financial institutions. If done right, this sandbox can ultimately become one of the de facto standards for fintech application development.
This poses the question: Who would benefit from a universal sandbox, and how?
Consumers: Although not visible directly to the consumers, the impact will be noticeable when applications providing services across financial institutions start to emerge. Consumers will appreciate seamlessly integrated services across merchants, service providers and financial institutions. They will not miss the frustrating experience of switching apps, using multiple login IDs and passwords, retyping account numbers and, generally, the experience of juggling services that are not integrated.
Application developers: Developers will prefer an environment that supports functional development on an industry-wide scale and is unimpeded by incompatibility, inconsistent functionality and lack of test data. Developers will focus on creating seamless customer experiences that were previously unavailable or thought to be impossible, while significantly reducing time-to-market and improving the functional stability of their applications.
The banks themselves: Banks will leapfrog the digital gap while reducing the cost of supporting the innovation development environment, which is too disparate and isolated within institutions. The banks will also gain access to aspects of their customers’ business interactions and life events that were previously unavailable, providing additional insights to support the development of new products and services. Early adopters and sponsors of the universal sandbox will enjoy additional revenue streams from providing sandbox functionality as a service to other financial institutions. Furthermore, the banks can test and develop their own innovative customer-facing solutions in the sandbox, expediting delivery timelines and taking advantage of the real-life-like test data-sets.
The race is on…
Multiple initiatives are currently evaluating or developing a universal sandbox solution of some sort. Both functional and regulatory sandboxes are being considered. While government organisations are creating regulatory sandboxes mostly for certification purposes, commercial and open-source projects are aimed at creating an industry-wide standard and jump-starting the development of industry-wide products and services.
A UK-based organisation, Industry Sandbox, initiated a process to collect requirements and opinions for functional and regulatory sandboxes. The consultation report was issued in May 2017. As of the middle of April 2018, there are no updates on the website.
The Hong Kong Monetary Authority (HKMA) launched the FinTech Supervisory Sandbox (FSS) in September 2016. As of February 2018, it has 29 pilot projects in the areas of biometric authentication, soft token, chatbots, distributed ledger and other technologies. Surprisingly, API access to core banking functions is not on the list of current pilot projects.
A number of organisations reached out to the US Department of Treasury’s Office of Currency Comptroller with their perspective on the industry-wide sandbox approach to innovation in the fintech area. The coalition is still in the early stages of making suggestions and stating opinions.
The UK’s FCA is running a regulatory sandbox and has pushed three rounds of applications into sandbox testing. Although information on the exact functionality of the sandbox is scarce, it is meant to “allow businesses to test innovative products, services, business models and delivery mechanisms in the real market, with real consumers”.
Unfortunately, the availability of the regulatory sandbox for testing is limited due to a strict selection process (out of three testing cohorts and 162 applications only 67 firms were accepted from July 2016). The focus of current testing is blockchain-based payment services, regtech propositions, general insurance, AML controls, biometric digital ID and know your customer (KYC) verification. Again, API access to core banking services does not seem to be represented.
A notable initiative, Open Bank Project, has an extensive list of APIs and participating banks. The list of APIs significantly exceeds the APIs available directly from the participating banks’ own development portals, which suggests that most of them are not (yet) supported. Additionally, the list of apps based on the Open Bank Project APIs is relatively short (24 apps as of 12 April 2018 – some still in the prototype stage). The low number of production apps suggests limited support from the banking community.
What does the ideal solution look like?
Taking into account the problems addressed above, the ideal sandbox solution should aim to address the shortcomings of the existing and fragmented approach to the banking sandbox environment. It should be a multi-bank API sandbox operated by a standalone institution that works with the various stakeholders as partners.
Taking the leading global standards, it should enable partners to accelerate the creation and to facilitate the management of a fintech ecosystem, underpinning the next generation of financial technology.
A focused, partner-supported initiative has the best chance of delivering an industry-standard cross-bank sandbox solution, capable of addressing the problems outlined in this paper. It would enable developers to quickly implement innovative financial services solutions that span multiple financial organisations, test them with production-grade test data reflective of real-life customer segments, and quickly deploy them into production.
This sort of solution would lay the groundwork for a true sandbox environment.
By Etienne Castiaux, CTO, and Anatoli Arkhipenko, director, at Motive Labs