HSBC believes that it can differentiate itself from its competitors by building the best possible developer experience for anyone wanting to access and use its set of application programming interfaces (APIs).
Since coming into effect on 13 January 2018, the UK's open banking regulations have seen the nine largest current account holders in the country – called the CMA9 – forced to open up customer data to approved third parties via a set of secure APIs.
On top of this, banks must also comply with the European-wide second payments directive (PSD2), which came into full effect on 14 September 2019 and mandated compliance with the Regulatory Technical Standard (RTS), which includes an open API for third parties to connect to.
The idea behind the regulation is to create greater competition and foster innovation in the banking sector, as fintech companies can use customers' data, with their permission, to offer better credit decisioning, for example, or to categorise all of their spending regardless of which banks they consume those services from.
It also will drive the banks to create competitive propositions as customer expectations change (more on that later).
HSBC's API approach
Speaking during the Dreamforce conference in San Francisco, John Phenix, chief API architect for commercial banking at HSBC, talked about the bank's "API-only" strategy in reaction to the regulation.
"The API strategy is so much more than just how we deliver existing functionality; it's around building new ecosystems and offering new business models," he said.
As Phenix put it, the bank is breaking down "monolithic mainframe applications" into "smaller business logic".
This would allow third parties to include banking services, like a mortgage assessment, directly within a real estate website like Zoopla. Alternatively, HSBC can start to pull together those building blocks into a new application of its own to serve a new market, with far less of the heavy lifting than was involved before.
Building a best in breed developer experience
Phenix emphasised the importance of HSBC building a best in breed developer experience to allow it to stand out from its competitors, who all have to adopt APIs due to the regulation.
More specifically, HSBC is using MuleSoft's Anypoint API Community Manager tool alongside Salesforce's Community Cloud to build a developer portal which acts as a shop window for its various APIs.
HSBC is a longtime MuleSoft customer, predating the May 2018 Salesforce acquisition, and was preparing for the open banking regulation back in 2017 by building and publishing a set of APIs that were managed through MuleSoft.
Phenix said the bank could have more quickly built this capability with another vendor, but "would only have delivered what every other bank is doing".
This end-to-end developer experience isn't just providing the bare minimum APIs as defined by the open banking and PSD2 regulations.
HSBC wants to provide developers with an API catalogue alongside the test certificates, authentication credentials, a sandbox environment complete with realistic production data, and the support and community around those things to make the APIs as easy to implement as possible.
Going one step further, HSBC also wants to give non-developers a way to interact with its APIs.
"We really believe that there's a lot of value in our API portal for business people," Phenix said. "They want to find out – not really about APIs, that's just the plumbing – what they really want to know is, what the business value is, what the outcomes are." So HSBC has developed both a developer and a more guided business track for its API marketplace.
And why go to all this effort? "It's because, right now, APIs are relatively rare in banks. It will be a few years at most before APIs are table stakes," Phenix said. "How do we differentiate ourselves from other banks in a couple of years' time when everybody is doing APIs? That API experience is a key differentiator for us."
In terms of an industry standard, Phenix referenced the American payments infrastructure success story Stripe, which offers "a wonderful experience, it's very simple to access their API catalog and click one button to access the testing environment," he said. "We need to do Stripe, but at scale. They have a few APIs, we will have hundreds if not thousands that we need to expose, but the same principles apply."
Opening up use cases
Building out this API-centric approach is not just a regulatory exercise, however. It will eventually drive multiple new use cases for retail and business banking customers at HSBC.
For example, HSBC has already been able to launch and shutter a test-and-learn smartphone app called Connected Money thanks to its new approach to software development. The bank launched the app in May 2018 before cherry-picking the best features and folding them into its core online banking app in June this year.
In the commercial bank where Phenix works, he is already seeing greater customer demand for real-time payments, which can give customers better liquidity and also let them offer their own customers or contractors faster refunds or payouts, for example.
These APIs will also allow small businesses to better consolidate their finances with ERP and accounting tools from the likes of Xero or Freshbooks, for example.
"A lot of our customers don't have IT departments, they don't want to code against our APIs, they want to use vendor products. So we need to join with the partners that our customers use by giving integrated services," Phenix said.
Lastly, this API-centric approach is delivering operational benefits for the bank, according to Phenix, from being able to release daily instead of monthly, to greater developer efficiency.
"We took some really tough decisions about how we build our APIs," he said. "We decided to have one security pattern, one platform, one monitoring, one way of accessing our APIs. That was tough to do, it took away choice, but actually the huge benefit is reuse."