How Safe Is Fintech?
Here, at the tip of Africa, we’re earning ourselves a well-deserved reputation as a leader in financial innovation. We have a wealth of “fintech” companies dedicated to solving the problems of moving money around an economy that is largely informal, and in which a significant number of people still don’t have cost-effective ways of banking and paying for things without cash.
With innovation, however, comes risk. How do you know that the brand-new payment gateway on your favourite website treats your data with the respect it deserves? If you enter your credit card number, will it be kept safe?
Take i-Pay, a South African startup that is looking to reach a global audience through its online money-transfer technology. i-Pay’s product automates the process of EFT transactions for online sales – instead of going through the rigmarole of taking down invoice details, opening up your online banking portal, sending a proof of payment and waiting for funds to clear, i-Pay does it all for you. An EFT payment becomes as quick and painless as paying by credit card, but with lower processing fees.
The problem i-Pay faces is that, in order for the service to work, users have to trust it enough to hand over the username and password for their online banking portals, which gives i-Pay full access to their account.
Fortunately for i-Pay customers, the firm has credible backing from the likes of Investec and Nedbank. Chief technology innovation officer Mitchan Adams is extremely keen to avoid a reputation for carelessness that would harm future growth. But the issue remains: innovators don’t want to be in a position where they could compromise their customers, but the way online banking currently works doesn’t give them a choice.
The problem isn’t limited to payments, either. Financial health apps that aggregate data from multiple bank accounts all work in the same way, as do business accounting programs that automate statement retrieval. With a few exceptions, they log into your banking portal and “scrape” the information they need in the background.
Looking to Europe
A solution is on its way, largely thanks to the European Union. Its latest Payment Services Directive (PSD2) is geared towards encouraging competition in fintech, while at the same time ensuring end-user security.
Under PSD2, banks will be forced to allow third parties to access a user’s account through a secure set of programming interfaces called APIs. Among the benefits of API-level access are that you don’t have to give your banking credentials to third parties, and that they can access only the parts of the account you want them to.
PSD2 will also require fintechs that want API access to be licensed and to comply with other rules around security.
In South Africa, we’re a long way from API access finding its way onto the statute books, but banks are certainly watching what’s happening overseas. Standard Bank, for example, recently announced that it is creating a special account just for developers, called Root, which will come with features such as a programmable credit card and API-level access.
“Root allows any developer to build ‘life-enabling’ apps or solutions,” says John Campbell, head of Standard Bank: EDGE. “Instead of relying only on people who work for Standard Bank, we are giving any developer the power to create opportunities or solve everyday problems they experience.”
One day, all accounts will be Root.
The final Regulatory Technical Standards (RTS) for PSD2 haven’t been confirmed yet. The law will come into full force for all EU banks and fintechs 18 months after the RTS are agreed. Some countries, such as the UK, have already made progress on national API standards for open banking.