Why are banks adopting open banking solutions even when regulation isn’t requiring it? Join this week’s State of Identity podcast with host Cameron D’Ambrosi and Bose Chan, Head of Strategic Partnerships at MX to discuss what “open banking” is to banks, how it differs from end users or non-banking entities, and what to consider when it comes to building open banking capabilities.
Cameron D'Ambrosi, Senior Principal at Liminal
Bose Chan, Head of Strategic Partnerships at MX
Cameron D’Ambrosi [00:00:02] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Bose Chan, head of Strategic Partnerships at MX. Bose, welcome to State of Identity.
Bose Chan [00:00:13] Hey, Cameron, how are you doing today?
Cameron D’Ambrosi [00:00:16] Fantastic. Really, really excited for the conversation, I think. You know, open banking is something that is obviously having a tremendous impact on the state of finance and hopefully is poised to have an even greater impact as the amount of connectivity and those end points of the network, if you will, continue to proliferate. So really looking forward to our conversation.
Bose Chan [00:00:43] Likewise. I mean, you bring up a great point. It is a growing movement for sure, but it is a slow burn. It doesn’t take one silver bullet. It’s not like regulation will completely change the landscape. It really takes education across all stakeholders to get to that point, you know, to set those kinds of foundations for us.
Cameron D’Ambrosi [00:01:04] I couldn’t agree more. So without too much further ado, let’s dive into it. To kick us off, tell us just a quick hit, a couple of minutes on your background, how you came to join the team at MX. And for lack of a better word, what was the catalyst that got you excited about open banking?
Bose Chan [00:01:26] Yeah, glad to share a little bit about my history. I’m from Singapore. Came over to the U.S. and really studied finance. So that’s really my educational background. Did a few things in between and somehow got my way to Citibank where I was in the strategy team. So at which point I really got a foundation of consumer banking in the U.S. and Citi being a global bank. Half of my role was international as well, so really covered it from a pure finance consumer strategy point of view. And then Citibank started FinTech as a separate organization, and I was part of that movement as well. An interesting part of that was, you know, it was set up as a response to how would the banks operate in a new environment with fintechs taking out parts of the value chain and proliferation of the services that consumers were obviously looking for, that financial institutions were not providing or was not providing at a speed that they were looking for. So that came to my participation and the perspective of open banking. The challenge there, or the challenge I had ahead of myself at that point was we knew we had to build an API. We didn’t know how to build an API because the API was used by not end consumers, but by institutions or entities that we did not have a direct relationship with. So building an API is one thing, but building an API to serve a finance use case was a whole different ballgame. So that’s how I had that experience. Eventually, MX was one of the partners I was managing at that point, as with the other competitors that MX has and other consumer financial apps. I made the decision to come to MX because, you know, they had a mission that really aligned with me. And I think the foresight to get to that point, I wanted to be part of that story. So here I am leading strategic partnerships from a product standpoint.
Cameron D’Ambrosi [00:03:32] Love it. So maybe this is I mean, to some degree a bit silly of a question, but I think also really informative and instructive for shaping the narrative, which is, you know, what is open banking to banks. And then maybe how does the definition of open banking differ as we move around the ecosystem? Is there kind of a northstar of what it means or is this a case where, you know, it’s a bit of a chameleon and it kind of means different things to different people, whether it’s end users, financial institutions or kind of partners in the ecosystem.
Bose Chan [00:04:10] You hit the nail on the head. You know, open banking was a buzz word. Could still be a buzz word. Likewise the same for open data and open finance. I like to stick to the original concept of what open banking is and how it evolved. Open banking started in Europe, 2014, around that era, in Germany. The idea behind it was open source banking where you would have a developer getting an open API from banks and building the coolest, most innovative apps of banking data and providing new services that use that data to drive value back to consumers. The bank doesn’t exactly see it that way. With the advent of and the proliferation of screen scraping, screen scraping has always been around. But open banking soon became a regulatory framework to prevent screen scraping, or more specifically, the proliferation of external credential capture. So to put it into more simple terms, banks and regulators don’t want applications or fintechs out there to ask for usernames and passwords from consumers because that presents a security vulnerability. Right. So by providing an open API, by providing the means for applications to then pull data without using credentials, it’s really what we’re trying to drive towards to see to kick that into effect, especially when we have GDPR as well, where, you know, the concerns of privacy became more pertinent to the industry and to really, you know, I would say put specific guidelines and requirements for banks to open themselves up. In Europe, we see that in the US to some degree the regulators have not responded in the same fashion as the Europeans did. But we see this happening across the world in Singapore and Hong Kong, in Australia with consumer data rights. It is a trend around the world. However, in the U.S., it’s more of an industry-led regulation because the industry recognizes that screen scraping is becoming a problem. However, the innovation driven by open data was still relevant.
Therefore, the industry is pushing to get on both sides with banks and non-banks to drive towards an interoperable standard where consumers can still get the benefit of open data. But on the banking side, they too would then protect credentials from being, you know, proliferated throughout the ecosystem. So from the bank’s perspective, when you say open banking, it can mean many things, but open source banking is not one of them, which is the original meaning of it. To some, they call it a regulatory framework too. For many of the businesses in banking, open banking to them is really API based banking. They are thinking about How do I create a new channel? How do you create new markets? How do I create new services for my customers and my consumers so that my consumers can get financial products through API based banking? This is not necessarily open banking, but to some folks, especially in product, especially in the heads of businesses and cards and or retail banking, those are the kinds of thoughts that they think of when they think about open banking. From a fintech perspective, open banking is really more around the idea of leveraging data from banking infrastructure so that they are able to then use that data to create value on top of that data back to consumers. So it really depends on which stakeholder you are talking to. They might give you variations and differences in the idea of what open banking means.
Cameron D’Ambrosi [00:08:18] So when it comes to those stakeholders and how they are thinking about the challenges facing like different sizes of banks as well as maybe different, you know, stripes or positions within the market, whether it’s fintechs, whether it’s a regional bank, whether it’s kind of an international megabank, like who are those key stakeholders within those different levels of institutions and why do they care about open banking? I think to some degree, to your point, there is this notion that, you know, there’s only a certain set of people who maybe care about open banking and they’re concentrated, for example, in the growth portion of the bank and not necessarily other stakeholders. Is that what you’re seeing from a partnership perspective?
Bose Chan [00:09:11] Yeah, yeah, indeed. You know, I’m a product person by background, so I like to think about different personas within the bank and they do differ and bleed into each other the smaller the bank because. But when I think about it in context of larger banks, you know, like the Citis and the Wells and the Chases and whatnot, there is one persona which is the business side. So they think about open banking from a growth perspective. How do I use data to better understand my customer so I can better sell to them, I can better engage them and provide services back to my consumers. They are also concerned about customer attrition. If I don’t provide open banking, if I don’t provide open API to these customers, will they leave my bank or in other cases it’s not about closing their bank accounts, but moving the money away to other banks or not using their credit cards, but using another bank’s credit card or another credit card type of wallet. So that concern is primarily from a more of a revenue driven perspective or a number of application perspective. From their perspective, they’re more inclined to open up the bank if it enables a user to use services outside the bank, but not moving their money away or not encouraging those users to use a different product. So opening up the banks is important. I can give a good example. You know, I like to talk about Citi. So from, you know, one example that we’ve seen, you know, Citi and Costco have a merchant relationship. You know, they’re partners in that. So from a Costco standpoint, if you are a Costco customer, especially if you’re a small business customer, you might actually use QuickBooks to run your accounting, right? So in that context, you do need that data directly from the bank itself.
From a revenue standpoint, if I’m carrying the CEO hat or I’m carrying a product that I want to enable my customers to use, QuickBooks and Costco would definitely care about that. So there is a strong incentive to provide customers access to their own data in the applications that they prefer to use. However, it can also apply. On the flip side, let’s say, you know, there are investment bank investment platforms. Citi obviously has an interest in providing to you wealth management services. It doesn’t want you to move your money to a third party fintech provider. So their perspective of looking at open banking is in understanding that flow. Am I losing valuable assets and deposits to a third party? Could I be potentially offering something better? So getting a read on where that data is flying to or is progressing to would actually help them better serve their customers. So from a revenue standpoint, that’s also something that they do think about. So that’s like one persona, which is the more of the business mindset. The other mindset that I like to talk about is the technology mindset. So I think this is a pretty known fact, but 40% of all activity in the internet is made by bots. Those are not human beings. The same applies to banks. If you think about the digital activity that happens on banks across not just Citi, but really from the smallest to the largest, about more than 50 to 60% of all digital traffic through banking websites is not made by human beings, it’s made by bots. The problem is, you know, if it’s a legitimate bot, is it a malevolent bot or a benevolent bot? So the challenge there is how do you make sure and control your traffic to ensure that all those data that is flowing through is going to a good bot, i.e. an aggregator similar to what MX is that is truly delivering value back to the end user.
So from a technology standpoint, the argument to be made there is, am I providing all these services and infrastructure to support bot activity in the most efficient and value-added way back to the user. So that’s really that concern about making sure they have control, they know when to pull the plug. If that’s a security risk, I’m able to pull the plug. Do I know who these third parties are? These are what the technology side of the bank really cares about. And I did allude to the really the third persona, which is really critical in this conversation, is more of the regulatory and security posture. So it could be infosec, it could be fraud. They care about the ability to control data and making sure it’s getting to the right people, not just about the systems to support that kind of traffic, but really understanding the controls, the third party management aspects, those are where these third parties really care about open banking and making sure that the user’s kept safe, even though they are using a third party software and pulling Citibank base data or whatever bank it might be into those third party applications. So that’s where really their concerns and their idea and controls and concerns about open banking really come into play.
Cameron D’Ambrosi [00:14:25] This is, I guess, a bit of a follow on question. But, you know, in terms of the driving force behind the adoption of open banking, obviously in the EU and the UK, we had a big regulatory mandate, right, that effectively created a government approved list of APIs that all the stakeholders at the big banks were required under regulatory duress to put into place. Here in the U.S., we’ve taken a bit more of a, you know, an American laissez faire approach. And I think, you know, personally, I’ve been pleasantly surprised at the speed with which the market has kind of stepped in to fill that gap. I think when we envisioned the deployment of open banking in the States, there were a few applications that came to mind for me around, for example, the payments layer and certainly as a digital identity guy, the identity layer. In reality, which of the stakeholders across this ecosystem have you seen really driving the adoption of open banking and implementation of open banking from your perspective?
Bose Chan [00:15:35] Yeah, in the US. I think the first movers to you know, I think it was two decades ago, there were massive press blowouts between the banks and Intuit on screen scraping. So I think that’s where the story in the U.S. really started before PSD2 was even the thing and the challenge there is Intuit is a large company, there are many other large companies that require such data as well. But the complexity lies in well, these large companies are public as well and they require banking services themselves. So there’s a lot of push and pull in that area. I have seen that, at least in the U.S., the main driver of that is to really de-risk the system. So I think it started out with banking info security officers saying, hey, we need to deal with this problem. We cannot have credentials lying out there with users unwittingly providing their credentials to a third party. Putting both the user and the bank at risk of fraud. That is really the genesis that really drove it in the U.S. I wouldn’t say it’s out of desperation, but a real security threat. So that’s really what started it. The problem was if a bank or if a bunch of info security officers from the bank are asked to then cohesively create a standard of what data looks like. That’s not going to work because they’re going to put ten different levels of security protocols. They’re going to require insane requirements. And we’ve seen a little bit of that in GDPR and PSD2. When PSD2 first started, they had a concept of strong authentication. I would say 95% of all the banks couldn’t deal with that. They could, instead of the right level of infrastructure to convince support the level of security. And that’s only one part of the conversation. The other part was the fintechs cannot use that data. So what good is it if you have a security based protocol that couldn’t work? So, you know, the good folks at FDX came together.
There were a few other institutions, both in the bank side and non-bank side, who came together and said, hey, we need to solve this as an ecosystem, as an industry. It was very hard to get regulators involved at that point because then it becomes overly prescriptive. So it started out in What are we trying to solve from a consumer standpoint? What is the outcome that balances the needs of both bank and non-bank entities, given that the banks are regulated by the bank charter and the non-banking entities are just trying to deliver a service in the best possible way, they came together and started FDX. Right. So that’s really, I would call it the industry self-governance approach. The banks have their own reasons for doing it. They want to control that data. They want to control the level scope of data that’s actually flying out. They want to control the traffic itself. They want identity of the traffic. They want legal relationships and third party management requirements that the CC that the ICC had required them to apply. Well, on the other side, you know, what the fintechs are then looking for is reliable data, doing it the right path and not going through a screen scraping because for them, even capturing credentials is a security threat to the fintechs themselves. So they rather not go through that complexity. All they want is access to the data, not really the control over the data itself. So I think that’s a really key point from the interest of a fintech perspective, them coming together and to really talk it out and really fight it out, however slow it might be, is really the right way for us to go, at least in the US.
Cameron D’Ambrosi [00:19:40] From the perspective of those implementation practices we’ve obviously been talking about, you know, who cares about open banking and why they should deploy open banking when it comes to putting the rubber to the road? You know, how do you recommend that that your partners in the financial sphere actually implement open banking? Who is supposed to or maybe supposed to is the wrong word. But, you know, who do you recommend? Kind of owns this process from a key stakeholder perspective for maximum impact, shall we say?
Bose Chan [00:20:18] Yeah. It takes a village to get an API done. The larger the bank, the more complex it is. I like to think of large banks like Pac-Man, as a little Pac-Man that just ate one bank and absorbed another bank and it acquired another bank and it split and acquired another bank. So the real challenge that we find in open banking, aside from the fact that there are multiple stakeholders there, is understanding the source of data itself. And then that would then inform you who should start working on this stuff. So every large bank has multiple lines of businesses from different legacy periods, built on different infrastructure. There might be multiple host systems in the back end. There might be a different authentication service in the back end. And then the challenge there is even to produce a single API to deliver really data across multiple systems. Someone there with that kind of knowledge needs to drive that right. So you might have a system that supports retail banking, another system that supports loans, another system that supports credit card for a single unified API to deliver a user’s accounts across all the multiple systems. That is where the challenge that these banks have and the challenges in educating senior management in that bank to say, well, these are all the different reasons, the business reasons, the technology reasons and the security reasons. That’s why you have to prioritize and that’s why you need to get the people who actually understand that these multivariate backend systems connect all of that, all of them together into an orchestration layer and provide an API. That’s one part of the conversation. The other part of the conversation is that you need people who actually know finance. What are the users looking for? What are the financial applications trying to use that data to deliver? What specific services solve a specific customer? Now, building an API to fit those use cases is super critical.
You can’t just build an API that provides data. It needs to provide data in a fashion that’s usable for the application itself. So, you know, I would still say that the driver to all of this is customer satisfaction. Do you want to keep your customer or not? So in order to open up the bank, what really drives this should be from a business standpoint, the business person, the CEO slash heads of businesses is looking for a strategy to better offer itself its products to be a digital first experience to the user. They have to recognize, Hey, this customer uses your bank for X, Y, Z, reason, and this customer also uses ten or 12 different fintech applications. Providing access to ten applications and more is actually a strong reason why this user wants to keep their money in your bank account. And getting a consumer profile or digital footprint of what this user is would actually benefit. So it needs to start from there, the business person pulling together, then the security, regulatory fraud and infosec side of the house with technology to then say, okay, we have this problem. This is the outcome that we’re trying to drive to. What are the different steps that we need? What are the systems that we have in the background? What is the usual consumer profile that we need to then tie together to be able to achieve the API and drive that open banking agenda that you might have? So I hope that answers your question. It always starts with the business. That’s my take on it.
Cameron D’Ambrosi [00:23:55] I love it. So Bose, in thinking about MX’s role in the ecosystem, I think we’ve been talking about open banking more as an abstract concept, but when the rubber actually meets the road in terms of what is the flow of information and who are those partners who are also playing a role? Obviously there’s MX and then there are groups like the Financial Data Exchange. Can you talk a little bit about what that flow chart looks like in terms of the role MX plays in connecting institutions, as well as relying parties within the open banking ecosystem and how you interact with groups like FDX.
Bose Chan [00:24:36] Sure. I’m more than happy to. I think you really ask two questions. What is the role of MX and what the role of FDX is? Let me start about the value chain. Where does the data start and where does the data end and how does it really complete that loop? You know, all of this financial data starts with the bank, right? The other data source. So the data source as to financial institutions or really other fintechs could also play that role is the generation of data comes from consumer behavior. If I swipe a credit card, if I withdraw or I deposit money into my bank account, data is generated about this user so that the bank is being the bank themselves, the curator, and the vanguard of this data. The data belongs to the customer, but the bank plays an important role in making sure the data is clean and is generated in time and specific to that user in a fashion that the user understands. Now, the data that needs to be exported out of the bank, and done so securely and safely, could go directly to a consumer application if the bank has a relationship or direct relationship with that consumer app. But this is where MX also plays an important role and MX ourselves, we provide applications to our clients who are fintechs and banks themselves. MX is also an aggregator, plays the role of an aggregator. What an aggregator does is provide the opportunity or the technology solution to allow fintechs and banks to then connect that data pipe. And not only that, we do not just connect that data pipe. The more important role that MX plays is ensuring that sources of data come together in a clean and usable format. So if you have data from Citibank is generated in a certain way and you have data that comes from Chase, it is just generated in a different way as well. Visa and MasterCard from the card networks, they generate their data in a different way and that also gets curated and stored into a bank.
What MX does is we really have ten years of machine learning and analytics to drive all that data into a single black box. And I like to call it, you know, we in some form, we are the janitors. We clean different data sources and provide good, clean data that applications at the end of the day could use. So that’s really the role of the aggregators to aggregate different data sources. But what MX really does well is making sure that data is great. If you look at garbage in, garbage out, you want clean data into your application so that you can get good, clean insights and activate on those insights for the end user. So that’s really what the role of the intermediary plays from a use case perspective. But there are other rules of thumb that many don’t really think about, right? We don’t only clean that data or connect that data, we do so in a reliable and regulatory-favorable manner. Handling financial data is not something two men in the garage could do. We have to sign agreements directly with the banks to get direct API access that comes with a level of rigor and regulation. We need to have security protocols. We need to share those standards with the banks. The banks know who they have to trust, and that generates trust in the ecosystem for us to then handle data in a safe and secure manner as well. And not only that, when you look at the APIs, they need to follow certain security standards. They need to policies, certain user experience standards that would then enable users to understand where their data is actually going to. Who is it being handled by? And do you have a certain level of faith in the system that your data is not being used for other purposes that I have, not that the user I have not provided consent for? So those are other roles that we play. From a safety, privacy, security standard. And not only making sure that the function is good, but the way it’s being functioned is good.
And data is, you know, really traveling to the right place at the right time. So those are the roles that MX does. And all of the conversations I’ve started mean think about the data value chain from bank to intermediary to end user application. These protocols are determined to some level by how FDX is driven. When you have FDX. FDX is a forum of banking institutions and non-banking institutions, financial institutions as well, or financial services institutions and even other larger consumer applications coming together and saying, well, we all agree that the intermediary is supposed to play this role. We all agree that the user experience looks like that. We all agree that the data format for a specific type of account should have ten different data fields and not that data field because it provides an additional security risk. FDX also says in other parts certification standards that the API has medicine standard and is providing the value that’s supposed to be providing. So that’s what FDX does, which is all of the stakeholders coming together and determining what is best for the end user. And that’s really what we are driving FDX for.
Cameron D’Ambrosi [00:30:07] Bringing us on home here and a nice segue off of your comment about kind of bringing folks together. I understand that MX is hosting the Money Experience Summit later this month, September 20th through 22nd. What’s the agenda and what types of folks should attend? Is there an opportunity for, you know, digital identity heads like myself to get involved in the open banking ecosystem here?
Bose Chan [00:30:34] Well, definitely. I think all of the topics and themes I talked about clearly articulated one important thing. Education. Education of what the consumer needs. Where the trends are going. The safety and regulations that concern any kind of data flow. So MX hosts a summit every year for clients and partners. We invite regulators and we invite stakeholders like you into the industry. So do we all understand? What does it take the whole village of the fintech and banking ecosystem to come together to make data available for the end user and their own businesses as well? So we do this summit every year. We used to do it at Sundance, but we’re getting pretty popular and now we need a bigger place. So we’re going to Snowbird and where we talk about the product roadmaps that we have that’s on one level, but more importantly, where the industry is going and how is MX responding to that. So our FDX participants are joining as well because we are part of the board. I think the main goal of this is really putting, staking a ground and saying, well, we are trying to bring together the fintechs. Not only are we bringing the world of fintechs and banking in an API chain, but to in a forum and putting them in the same room and saying, Hey, do we all agree on common ground? What is the common ground? We are all competitors to some degree here, or we are all stakeholders in the ecosystem. I like to say that we’re all here to grow the pie, not fight for parts of the pie. It didn’t. At the end of the day, there’s more pie for everyone to go for. And we are serving part of that pie on the summit. So come and join us. Go to MX dot com slash summit to learn more about us. And I’m sure that you will see that the lineup articulates really my perspective of what the stakeholders are and who we care about. So, yeah, join us at the point.
Cameron D’Ambrosi [00:32:40] Amazing. And then last chance for a plug here. You know, if folks are listening and I think this is maybe going to be a good swath of our audience who are thinking about how do I get involved with MX? I want to be able to hook into the ecosystem and talk partnerships with you. What’s the best place for them to reach out and get in touch with you?
Bose Chan [00:32:58] Sure. You know, LinkedIn is an obvious place to do that. But for more official channels, look at the events that MX is doing. You can pretty easily Google that, go to MX dot com and ask us questions. If you have something along the lines of partnerships, feel free to reach out. We are an open finance and open banking company. We have one mission which is to make the world financially strong. So leveraging data to drive that. Reach out any time. And I am sure that, you know, whatever events that we have in the U.S. and potentially beyond, we’ll be there and be more than happy and invite useful.
Cameron D’Ambrosi [00:33:37] Love it, Bose. Thank you again so much for your time. Really, really appreciate it. And looking forward to circling back up with you to check in on progress across the ecosystem sometime soon.
Bose Chan [00:33:46] Any time.