Transformation Challenges in the Digital Banking Chain

Modernization of Banking Cores and API-fication

One of the most delicate points in the IT roadmap of most major banks, precisely because it involves their most mission-critical technological piece, is the modernization of their cores. We're discussing the components that underpin the most basic and crucial operations of a bank and are critical to elements as important as regulatory compliance, transaction processing, or security.

Due to this criticality, cores need to be as close as possible to the state of the art, as this modernization is necessary to support new business models, real-time data analytics, agile adaptation to regulatory or market changes, and the integration of increasingly complex and interrelated services. Having a modern core is essential for maintaining competitiveness in the modern environment.

Most banking cores are among the first pieces built in the IT infrastructure of financial entities, with some being veterans with decades of history, updated over time. The challenge is that, due to their operational core nature, any modifications tend to be as conservative as possible, to minimize business disruption risks. This means that, over time, cores inevitably become obsolete, both technologically and in their service capacity to new needs arising in the digital business.

Simultaneously, these new demands on banks' core systems start to form a complex web of services that need to be provided, becoming exponentially complicated with the number of these services, their control, and maintenance needs. To respond and organize, API-fication initiatives emerge, and API governance is defined within organizations.

Discussions around this topic were perhaps the most exciting at the Think Tank, as the challenges are both technical, involving classic issues of updating and migrating critical systems in large organizations, and cultural, concerning the organization around governance of these new service APIs.

However, the conclusions were clear: In terms of modernizing banking cores, a gradual and incremental approach should be applied. This allows for phase-by-phase migration, starting with non-critical functionalities less coupled with other services, to progress while keeping risk under control and ensuring everything is in order at each step. This incremental approach also allows for adjustments based on learnings or organizational priority changes during the lengthy modernization process.

This approach also gives business stakeholders flexibility to decide which pieces or services to prioritize in each new iteration, without having to 'foresee' future needs but rather responding to emerging ones.

This phased strategy enables defining a service governance that controls quality and communication, organizing how the multiple concurrent initiatives in entities access data and services of the cores. It facilitates internal organization and the management of security and regulatory compliance, without neglecting the increasingly pressing need for cost control in cloud environments.

Methodologically, there is consensus that the best practice is to cover existing systems with basic APIs that support the migration of parts of the core, adding business-related service layers vertically (Accounts, Cards, etc.). It is recommended to connect the new business model with pre-existing capabilities in a bidirectional model, but top down first, i.e., defining APIs first to best serve new capabilities, and bottom up second, connecting these APIs with the core's existing capabilities to provide necessary service.

This API covering will not only serve these new digital capabilities but also allow for a "breakdown by parts" of the core, creating new subsystems that partially replace core capabilities. This enables transparent updates to consumers of the APIs, updating the new core piece by piece, keeping risk and costs controlled and aligned with the entity's tactical and strategic priorities at any given time. This modularization of core functions has an added advantage, as it will facilitate future modernizations.

Of course, and this was also discussed, these types of projects involve a series of important precautions and considerations, including managing the coexistence of the legacy core with the new core and all aspects related to auditing and security, which must be a fundamental part of any project contemplating one of these modernizations.

Payments 4.0

If there's any technology or trend that seems to be moving “faster” than others within the dizzying world of the digital evolution of the financial industry, a strong candidate for this position is the area of payments, which, taking the terminology seriously, is undergoing its fourth revolution.

This “fourth iteration” of digital payment technologies and services involves multiple extremely critical derivatives both for the business per se and for competitiveness and monetization. This includes real-time infrastructures, data exploitation, service modularization, numerous geopolitical implications, a multitude of emerging risks from the increasingly universalization of services, the constant evolution of user experience, the ongoing struggle against increasingly sophisticated fraud systems, the widespread popularization of crypto-assets, their intersection with IoT, and all their implications...

Financial institutions find themselves at a crossroads between the need to balance the interest in maintaining the “state of the art” to remain competitive against new disruptive competitors in the fintech sector and to limit their risks in such a complex and constantly evolving environment. Additionally, in an environment where strong regulation greatly limits their maneuverability and erodes their abilities to compete with new “players.”

In this context, what are the most effective strategies for banks to balance innovation, user experience, and risk control in this new ecosystem? How can they identify business opportunities and tackle the necessary process of innovation?

The first consideration and conclusion of the working group was that the future European Payment Services Directive 3 (PSD3) should be considered an effective reality and work towards complying with it. For this, greater collaboration between the different actors in the payment ecosystem is evidently necessary to achieve an appropriate time to market. Actors who have not always been aligned and with this new regulation will have to advance in understanding their relationship more as a partnership and less as competition.

This will also increase the demand and standardization of APIs, which will require greater investment. Although PSD2 was already a significant push in this direction, many organizations have dragged their feet in this regard, seeing the requirement to provide access to their systems through these APIs more as a regulatory demand than as a business opportunity to exploit.

PSD3 has significant implications. On one hand, it opens new business opportunities as it covers transnational operations and will increase the variety of data and services that must be accessible through these APIs, potentially including insurance, investments, and other financial elements, potentially even including crypto-assets and DeFi. On the other hand, it will affect both the level of security required from participants in transactions, complicating and making operations more expensive, and in data protection and privacy, further limiting the possible exploitation of the data, which is one of the most evident collateral ways of monetizing these services.

In this line, the working team recommends defining a price per API call, which generates an incentive for financial entities and breaks the perceived asymmetry in this relationship, to prevent the evolution of these APIs from being solely destined to meet regulation and stay at a bare minimum that would seriously limit the possibilities for innovation and growth, both for end operators and for the entities providing these APIs.

Another significant challenge facing the industry is the public's reluctance to allow entities and companies in the ecosystem to access their data. In this regard, there is talk of the need to invest in educating and informing not only the end consumer but the entire network that participates in these services, so that the customer, who in many cases happily and without compensation gives those data to much more opaque and less regulated entities, perceives the value they can receive by allowing access to the entities through which their money passes and feels safe doing so. The blunt conclusion of the working group is that if value is not provided to the customer and the customer does not perceive it as such, adoption will not be achieved.

The situation created in the market by the very significant increase in payment options, which will evidently reduce the share of wallet, was also discussed. However, the opportunity associated with this challenge was also perceived, as it increases the chance for the emergence and establishment of new orchestration and routing products and services so that merchants can better manage these payment methods. In this sense, a more competitive but also richer ecosystem is foreseen.

Another conversation that was held was about the possible disappearance, at least as we know them, of the current credit and debit cards, in a much richer, more flexible, and varied ecosystem of options. The team wondered whether the end of these instruments, which in their original versions date back to the 19th century and have been used in a very similar way for over 70 years, is near.