We sat down with Willem Fisser, Tech Lead and Platform Owner at Investec, at one of our Programmable Banking Community meetups to hear more about what open banking is and why it’s a much safer, transparent process. We also discussed what’s happened with open banking globally, and where we’re at with establishing it in South Africa. Here’s what Willem had to say.
Transcript of the discussion
Welcome everyone to the first webinar format of our weekly meetup. I’m very excited, and thank you for joining us. We’re talking tonight about open banking APIs, and we’re very lucky to have Willem Fisser of Investec here, who is also a very avid member of this community. Thank you, Willem. I want to start the conversation by sharing a quote from Devin Kohli, who’s Investec’s Co-head of Emerging Companies in the UK, which was featured on the invitation. Devin called the move to open banking, at the time, a seismic shift for banking, which is interesting, considering the impact and the potential for the various markets. But of course, these days we’re living through a seismic shift of a different kind, I imagine.
But tonight, I’m very excited to be chatting to Willem Fisser, who is the technical lead and a founding member of Investec’s UK open banking delivery team since 2017. Willem is going to talk to us about his experiences on the project and hopefully give us some nice insights into the opportunities in the local market. Just a little housekeeping reminder for those who joined a bit late: there is a Q&A functionality on Zoom where you can post your questions, and we will answer them after the initial chat with Willem. And then, if you have any comments or interesting things you want to share, there’s also a chat functionality on Zoom that you can use. So let’s dial in. Before we kick off, Willem, can you tell us a bit about yourself, and specifically your role on the delivery team for Investec’s UK open banking implementation?
Sure. Good evening, everyone, and thank you for joining our discussion tonight. Looking at the number of attendees, there are a lot of additional people who have joined, so welcome to our meetup and, yeah, I guess welcome to my living room. COVID has given even more of a literal meaning to the living room as we knew it, right? So before I get into your question, Anthea, I would just like to thank again all of our community members for their continued support, for joining these meetings every week despite everything that’s going on at the moment, and who, like most of us, are already overspending on screen time as it stands. We do value your input, and the demos that you guys present on a weekly basis are valuable too. So thank you.
As you’ve mentioned, I’ve had quite a bit of involvement with the delivery of our open banking offering in the UK region, especially the initial version of it, and I will share some views in that regard. But as you have requested a little bit about myself: I joined Investec back in 2011 as a contractor and essentially took care of whatever activities Wayne and his team would dream up for me. This was very exciting, and also a time when the Agile methodology had gained some proper traction within the organisation. I can remember daily stand-ups back then were quite amusing, especially with everyone being stressed out and falling behind on deadlines as usual, and just generally bringing good energy to the floor. So I guess not much has changed since then.
Obviously, the landscape back then, as well as the tech stack, looked very different from now. RESTful APIs have essentially taken over the world and have now become the norm. Coming into Investec, I was mainly specialising in building information systems using the Silverlight and WF frameworks, which, as most of you know, are redundant today. So for the young ones here, count yourselves lucky that you’ve missed that era. Back then, MVC had taken off quite a bit, and if memory serves me right, it was Wayne, still writing dodgy code back then, who was experimenting with the idea of using the controller part of an MVC app, divorcing it from the view portion, and repurposing the leaner version of the app as a RESTful API as we know it today. This was, in essence, my introduction to RESTful APIs, and it has been a focus in my career since then.
From an organisational point of view, back then our digital channels division did not exist yet. It was still a mere sparkle in the eye of our now Global Head of Digital and Tech, Lyndon, who back then was heading the IT division of our wealth and investment business. I think it was nearing the end of 2011 when, with Lyndon, Wayne and a few other individuals (Aaron is part of this chat tonight as well), we essentially set out to start building a mobile application that would allow our clients to trade on the JSE from the comfort of their couch. It was quite an interesting experience in itself, as I had very limited experience of the financial markets at that stage, so it was quite a learning experience. But as it stands today, that initial team of about eight people has grown into a global team of around 130 individuals, essentially responsible for Investec’s digital client experiences, the estate of channel APIs, and the mobile and web applications. Needless to say, the world has moved on quite a bit since then, especially from an architectural and tech point of view.
So just getting back to your question, how did I get involved with banking? I strongly believe it’s generally because I’m a sucker for punishment. But I’ll start with shedding some light on what open banking is, which should hopefully provide some context around why we chose to take part at that stage. Open banking essentially stemmed from the PSD2 directive, which is essentially an EU directive passed by the European Commission back in 2015, as an initiative to provide a level playing field between payment providers and users. So it’s probably to stimulate competition, innovation, and the rest.
So from a UK point of view, the CMA, which is the Competition and Markets Authority, essentially enforced this regulation onto the CMA9, which are the big nine retail banks in the UK. Investec, being a very niche bank, obviously did not form part of the CMA9. However, we started looking into this and figuring out whether it would be valuable to pursue in any case.
Just back to the CMA9: instead of each of them going off, figuring out and translating the EU directive and legal terminology into endpoints and payload schemas, they chose to initiate and fund a separate organisation called the Open Banking Implementation Entity, abbreviated as OBIE. This is basically because, in short, PSD2 is quite a lumpy document, stipulating a bunch of legal terms that define what the financial institutions should provide or should be implementing, but unfortunately it left out all the chapters on how it should be provided.
So it was mostly up to interpretation, and that makes it a bit difficult to understand whether you are compliant or not. I also think, primarily, it’s not useful if everybody goes and does their own thing. For them, it made very good sense to have one implementation entity that governs the technical standards and the rest, so that’s exactly what OBIE did. The long and short of it is: as long as you implement the regulatory technical standards, you should, as a financial institution, have a PSD2-compliant solution.
Then, looking at the potential from our side, especially the potential and the purpose behind PSD2, we didn’t want to be left behind. I think it was in 2017, not sure whether it was towards the beginning or the end, but essentially our leaders made the decision for us to take part and join those nine retail banks in becoming PSD2 compliant. I am not sure who’s familiar, but essentially you’ve got three actors: your account information service providers, your payment initiation service providers, and then your account servicing payment service providers, which are essentially banks or payment providers. Account information service providers usually are account aggregators, and your payment initiation service providers are generally the guys that are going to do payment initiation and the rest. So, to finally answer your question, I formed part of the development team building this out, in the capacity of technical lead and software engineer.
Thanks, Willem, that’s very interesting. Two things from that. The first one is obviously Investec as a niche bank and not a retail bank, looking at the opportunity that this framework offered them and seizing that, that’s how you win in the future—so investing in the opportunities to create now for the future. And then the second thing is just a point of clarification. So the CMA9 that you refer to, all those nine large banks in the UK, that legislation specifically targeted them. Thank you so much for that. Thank you also, for touching on the actual team, I want to dial into the technical part of the implementation. So can you give us an idea of what you and your team worked on to deliver?
So I think the silver lining there, as you’ve mentioned, is the fact that the OBIE had already gone through all the hard labour of defining, as a standard, what this is going to look like. So luckily for us, we didn’t have to go and reinvent the wheel. Essentially, we just pursued this route of becoming PSD2 compliant by implementing the regulatory technical standards as defined by the OBIE. My initial focus was bending my brain around PSD2, the regulatory technical standards and all the frameworks, concepts and protocols presented, such as OAuth2, OIDC, JWS, JWK, the financial API standards and the rest. My initial days were mostly spent on reading, building context, maybe a prototype here and there, just to understand how the data would flow and how everything would fit together in our architecture, our tech stack and the channel APIs that we had at that stage. During this process, we quickly realised that the implementation of an API gateway would be required, especially for the OAuth portions.
Because of time constraints and capacity, we didn’t want to go and reinvent the wheel; we wanted to leverage as much as possible. This is basically where we started benchmarking our initial prototypes against the various potential gateway providers, such as Apigee, MuleSoft, Amazon and IBM, which was, to be honest with you, quite a tedious process, because all providers follow mostly the same concepts from an API gateway point of view, such as proxies, products, apps, scopes and the rest. But they do differ quite a lot in terms of how you would go about the implementation thereof, so it’s kind of baking the same cake four times in a row using four different recipes, if you know what I mean.
But eventually, I think nearing the end of January 2018, we made the decision to go with the Apigee API gateway, and we got it presented to our global architecture forum for approval. That in turn allowed me to divert my focus towards getting the relevant foundations in place that would facilitate the OAuth and intent flows as defined by the regulatory technical standards. In essence, that would give third-party providers the ability to request access to our clients’ data, with their consent of course, and in turn allow those third-party providers to obtain account data, transactions and balances, and even remit scheduled and once-off payments.
Which is the crux of open banking? That our cash flows well. Willem, if you have nothing to add to that, then I’ll move on. I think it’s very interesting when we look at the implementation in the UK. And now obviously, you’ve moved on from that onto exciting other projects based here in South Africa. But when we look at the local players, we’ve seen very few so far embrace open banking. And last year, we had one of the big four retail banks who decided to open up, so to speak, but no other progress. So can you give us some insights into your thoughts on whether open banking, the framework is possible in South Africa?
To be honest, I don’t think we can afford not to pursue open banking, or even open APIs for that matter. You know, the world is being translated into APIs, and it makes good sense for us to follow suit. Take, for example, the Australian Consumer Data Standards; they are truly in the process of defining every sector of the economy as an API, and I believe we should as well. But having said that, there are quite a few risks to be mindful of here, especially taking into consideration that we don’t have a technical working group here in SA such as the OBIE, or the DSB, which in essence is the Data Standards Board responsible for the Consumer Data Standards in Australia. Mentioning that just brings those conversations from last week to mind, with Louw at Root attempting essentially the same thing within the insurance sector, and even then, no common data standards either.
I think this is quite a risk and he had mentioned that as well last week. Therefore, you know, it’s quite imperative for us, you know, especially being the early players in the market to probably try and align to more established standards. Because at the end of the day, you also do not want to get into a position where a developer has to deal with a multitude of implementation standards, one for every organisation, essentially just wanting to do the same thing.
So it should remain fairly intuitive for somebody that wants to build an app or wants to consume an organisation or API. It should be fairly intuitive in terms of how the security standards work, how the request APIs are structured, how the payloads are structured, and I think that’s where we can look towards the open banking and Australian common data standards. Yes, there are other standards in Europe as well, but I think at the end of the day, they’ve broadly based it on the financial API standards, open API standards, and just API full standards already defined, they didn’t go and reinvent the wheel.
Apart from aligning to or providing a common integration standard, I also believe that it might even be more important to focus on building valuable APIs. At the end of the day, an API, in essence, is just a tool, and if it is not being used, it will become a very expensive prototype. And mentioning that, back in the day, the 333 rule became quite evident.
And that basically just stipulates that a developer should be able to find your APIs within 3 seconds. It shouldn’t take a developer more than 30 seconds to gain a basic understanding of how your APIs fit together, how to get a session in terms of OAuth and the rest. And it’s 3 minutes to get a session and a data result. We accomplished that with our open banking implementation by using common tools such as developer portals and sandbox environments. That basically allows you to easily find our APIs and start consuming the sandbox environments, even the box-box API endpoints, and it gives you an idea as to how difficult it is to consume this organisation’s API.
So at the end of the day, APIs should be easy to understand and implement. Just bringing South Africa back into context: as a nation, we’ve got an amazing technical capability, and we have an abundance of extremely talented individuals. We are naturally driven to explore, tinker and bolt. So I strongly believe this is something we should pursue.
Thank you for that. I think it’s important what you said about being useful and making sure that the common standards are applied. But also, I love the idea that we cannot afford not to pursue this approach, which at the same time creates an opportunity for many other players in the field. Before we wrap up or run to questions from the audience, I have one final question. You’re currently working on Investec’s programmable banking project, which is a thriving community and also the reason why we’re all here tonight. You mentioned to me earlier during a chat that you believe open banking and programmable banking go hand in hand. Can you give us a very short answer? Why do you think that?
As I’ve mentioned, APIs are merely tools that allow for system-to-system integration at the end of the day. I believe with this project we are taking the open banking concept to the next level. And why I’m saying that is because the open banking standards primarily focus on, shall I say, stimulating competition in the market by giving third-party providers access to clients’ data. I think what we are doing here is giving clients access to their data.
So essentially, if you can get it, then I think this is extremely powerful, and what we are doing currently with the programmable banking project is just the beginning of what will come. I also think that what we’ve done in collaboration with Root, providing our clients with a programmable card platform, gives our clients more control over their cards’ transactional flows. This is becoming the norm; I think it’s key to remaining relevant in this day and age. Programmable banking, however, is at the end of the day more than the open API and the programmable card platform; these are just tools. For us, programmable banking is about our community, about our clients, and also about making a real positive impact within the South African tech sector.
Thank you. I love that. I think it reminds me of a line on the Investec website where it sums up the potential for open banking well. Which is “it’s an initiative that gives consumers control of their data and finances” and with programmable banking obviously, we’re doing that with the dev community. So that’s very exciting. Thank you, Willem. And we have quite a few questions in the Q&A. Just a reminder to everyone on the call that you can add your questions there. We’ll try and work through as many of them as we can. Let’s go to the first one. It’s from Justin Bradshaw, he’s asking to what degree was PSD2, approached from a compliance point of view versus an opportunity to reimagine business models.
Okay, cool. It goes hand in hand, right? So from a strategic point of view, we wanted to play along to get to the place where we do have the tools in place and we are allowed to play within the UK region because we are compliant. I think that was just the first step. Getting a suite of open APIs PSD2 compliant is just a step. What we see now that we are on that side is that we are still in the beginning phases of third-party providers reaching out and onboarding onto our APIs.
And that’s why I’m very positive about what we are currently doing in the SA sector, because I think historically, and still currently, this is a nation that adapts very quickly, and we are very early adopters of new technologies. In the UK I think it’s still gaining momentum. As with most of these projects, it’s getting it out there and then waiting for people to break down the door, and the reality is people are still getting their minds around it and still building momentum on that side. However, we didn’t want to get caught behind, so as it stands it’s picking up momentum and we are there. We’re running shoulder to shoulder, and if you want to consume our APIs, and you are also compliant from an AISP or a PISP point of view, you would be able to onboard onto our platform and consume our APIs.
Thank you for that. I have a few questions that speak to, you know, the local banking landscape and why companies haven’t joined the movement, I’m going to ask the one posed by [Agasha Naidoo] who is also a very active member of this community. So Willem, can you please tell us why do you think the other banks have not yet joined the movement to open banking specifically in South Africa?
To be honest with you, I cannot talk on their behalf, right. So I can maybe just share our own experiences. At the end of the day, an open API, if you think about it conceptually, you need to get a session and then start consuming data, right? It sounds very basic until you start delving into the deeper, like the belly of the beast-like integrating into legacy systems sitting behind closed doors, that’s been running there for years. Then it becomes quite an interesting exercise.
So I think from a monetary point of view, it is quite a big commitment. And it’s something that, at the end of the day, you can provide an API, and it’s cool, but if nobody’s using it, it has no purpose. I don’t know why I think potentially if I had to make an obvious guess the fact that we do not have a governing body like the Australian Data Standards Board looking at their economy and understanding that, you know, APIs are the future.
Basically, you have Root, they are in the process of making insurance company APIs. If you look at projections, just people envisaging the future like everything has got to be an API. So I think it’s very risky at this point not to get those basics in place because it’s going to be very difficult to catch up. And there is movement there is momentum. I would imagine it’s probably because there’s no common standard as yet.
Yeah, no common standard, and of course it takes a huge amount of investment to make this happen. Two questions, if you can answer in quick succession. The first one is: how is open banking different from APIs provided by aggregation services such as Yodlee? I think we touched on that during our earlier conversation, so can you jump into that one first?
Okay, cool. From a SA perspective, Yodlee is very much still screen scraping, right? So if you had to allow Yodlee to consume your platform so that your clients can link to their account, it’s a very long process. We literally just went through a similar process with the asset management split. So, in essence, the turnaround time with Yodlee is about three to six weeks, and that is once code complete, right? That is like signing off on the physical HTML structure of your application or your website, and then the turnaround time; all of that is quite heavy. From a UK perspective, however, Yodlee is one of the signed-up third-party providers, so they are already compliant from an OBIE perspective. They have been onboarded onto our API platform and, yeah, good to go.
So just back to the question: what’s the difference? At the end of the day, right, with an open API, you’re onboarded, you get your AWS credentials, you’ve got your client ID and secret, you consume the open API, you say, give me a bearer token, and you start consuming data. That’s it. And it’s all RESTful API, standardised JSON payloads, and it’s versioned. At the end of the day, when there’s a substantial change, I think the screen scraping is still suboptimal, to be honest.
The related question, which was posed by Thabang Qabbani: he wants to know, is it legal how 22seven and Yodlee are accessing user data in the way that is currently taking place?
I would imagine they would probably have been liquidated by now if it weren’t legal. So the way that it works is basically you provide consent, right? You provide consent for them to utilise your credentials and start scraping your profile to just get to those numbers. But it’s legal. As I mentioned, it’s just a very sub-optimal process.
I think one of the benefits that you get with an open API, for instance, is our clients can online revoke access to a third party. Today, you can essentially grant access to a third-party provider to essentially get access to your accounts and transactions for the last 30 days. You can restrict them from initiating payments and the rest and then tomorrow you can just go and revoke it if you want and instantly, they won’t be able to consume your data any longer.
The data they’ve already had access to is that all gone. Do they have it on their system?
To be honest with you, in essence, the person owning the money or whatever: that’s a separate negotiation or contract between you and the third-party provider. Why? If you look at how the consent process works, it’s essentially driven from the third-party provider. So you are essentially browsing the third-party provider’s app; you’ve got your credentials there.
And then, through the use of three-legged OAuth, essentially what will happen is, if you would, for instance, use a budgeting feature on that third-party provider’s app, that third-party provider will say, cool, we are integrated with the following banks. Investec is one of the banks, and essentially you say, okay, cool, I’m banking with Investec, and then they stipulate what information they’re going to ask for, for how long, and the rest. If you buy into that, that’s when what they call the three-legged OAuth flow kicks in, where essentially the third-party provider app then hands you over into our world, because obviously we’ll let you log in with your Investec credentials on a third-party provider’s app. They hand you over to us and you go with your normal credentials.
And we essentially play back that consent request from the third-party provider, stipulating exactly the same permission structures. Then you accept those terms, you apply it to certain accounts within your profile, and after performing the second factor, we hand you back to the third-party provider with their OAuth authorisation code. They can then obtain bearer tokens and carry on with life. But you can, as a client, revoke that access at any point in time.
You’re making a hard case for why open banking APIs is a much safer transparent process for both the third party and for the provider and the consumer. I wanted to ask some quick questions around the Investec programmable banking and beta. So can you briefly give us your view on a question from [Richard O'Brien], what is your end vision or Investec’s end vision for Investec’s programmable banking program? And what type of core features do you currently envision releasing?
Okay, cool. So I’ll keep it limited considering the people. I think for us the primary concern, there is a vision. Obviously, there is this roadmap. But I think when we basically went on this journey, in fact, one of the key principles with the team was we were not gonna go and deliver a bunch of things that people might need.
So our roadmap is very much community-driven at this stage. And that’s why the community is so important to us, and especially their input. And that goes not only for the programmable banking platform, but it also goes for the open API platform as well. At the end of the day, we’re not going to spend days in and out just building stuff that people might need. We want to do valuable stuff. It’s important for us to invest in things that people will love using and will continue to use and that’s the important part for us. From a vision point of view Yes, I think there’s a great vision there. And yeah, it’s to be shared over time. I think I’m going to hold a few cards close to my chest in that regard for now.
I love that. Thank you. And we have a question from Malan, and he’s asking when do you think, if it’s in the pipeline, this is one that’s been set up, will the same programmable card/APIs be available on Investec’s Business Banking?
Shall I go with, it is not off the cards for now.
Cool. That’s fine. Happy with that one. And the next question just yes or no with a short answer if you can. We have way too many questions, and we won’t be able unfortunately to work through all of them. Do you think SA can catch up to the UK/EU in terms of open banking? Yes, no. And why?
Flip, I hope it’s a yes, right? It’s impossible to say whether we would be able to catch up. The reason why I feel we would be, going back to what I said earlier in terms of tech adoption: if you look at the mobile technology adoption in SA, it’s insane. And just in general, we’re a nation that likes to explore, we like to challenge, we like to experiment, we like to take risks. So hopefully the broader industry will follow, because I think the sooner we do that, the better, or the sooner we can get all the creative minds building apps and building the South African economy. My hope and dream is that we will surpass them.
You mentioned the lack of sort of an oversight/regulatory body to enforce this in South Africa. Again, yes or no and why. Do you think that the regulators should mandate participation by banks, so set up a body and then mandate open banking in South Africa?
Yes. But I think broader than that; I think we shouldn’t contain it to just banks. We should go and think about essentially the insurance sector, the telecommunication sector, there’s a lot of opportunities here. People want to build apps, people want to drive the economy with apps, but essentially, it’s very difficult if you’ve got this amazing idea, but there’s no point of entry. That’s when you have to rely on stuff like screen scrapers and the rest. So not to elaborate too much, but I think it will be helpful. Because I also think then, other players will come into the pool and start participating because they know that this is the standard. At this point in time, we are leveraging all our standards, and it’s everybody kind of for himself, moving hopefully in the right direction.
Yeah. Willem, final question and maybe just one off the cuff. What is your elevator pitch when you’re trying to sell programmable banking to someone who knows nothing about it? 30 seconds or less?
Remember the days we all used elevators hey. I can’t even remember how one looks inside. But anyway, at the end of the day, my elevator pitch for open banking or open APIs is: It’s a key component of having innovation; without it, how are you going to build those apps? And how are you going to innovate them, and how are you going to drive this economy? So I would say, come along for the ride, I know it’s corny, but that’s it. So the sooner you collaborate, the sooner we can make a real impact and the sooner we can start driving this economy.
Thank you very much, Willem. I think there’s a huge opportunity here being realised in areas like the UK, but also obviously for South Africa. Thank you for your time, and thank you for being so candid. We ran over time a little bit, so thank you for staying with us. I am going to hand over now to Ben. The second half of the program, or the next few minutes, we are going to be spending with the programmable banking community with a demo, and then also some updates. So if you want to join, please do. But for those new joiners who joined us today, if you want to hop off, feel welcome. Thanks again, Willem.
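The three-legged OAuth consent flow Willem walks through in the Q&A above (the third-party provider states what it wants and for how long, the client authenticates at the bank, the bank plays the consent back and binds it to chosen accounts after a second factor, hands back an authorisation code that the provider exchanges for a bearer token, and the client can revoke the whole thing at any time), as an added example that is not part of the transcript and is not Investec’s or the OBIE’s code. It is an in-memory simulation in Python: the consent record shape, the permission names (ReadTransactions, InitiatePayment), the client credentials and the sample accounts are all constructed for illustration, and the real standard’s transport security (mutual TLS, signed request objects, redirect URI and state/PKCE binding of the code) is left out.

```python
import hashlib, hmac, secrets, time

class ConsentError(Exception):
    """Request not covered by a valid, authorised consent."""

class Bank:
    def __init__(self, clients):  # clients: onboarded TPPs, client_id -> client_secret (constructed)
        self.clients = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in clients.items()}
        self.accounts, self.consents, self.codes, self.tokens = {}, {}, {}, {}

    def _check_client(self, client_id, client_secret):
        given = hashlib.sha256(client_secret.encode()).hexdigest()
        if not hmac.compare_digest(self.clients.get(client_id, ""), given):
            raise ConsentError("unknown client or bad secret")

    # Leg 1: the TPP states what it wants and for how long (hypothetical record shape).
    def create_consent(self, client_id, client_secret, permissions, ttl_seconds):
        self._check_client(client_id, client_secret)
        consent_id = "urn:consent:" + secrets.token_hex(8)
        self.consents[consent_id] = {
            "client_id": client_id, "permissions": frozenset(permissions),
            "expires_at": time.time() + ttl_seconds, "status": "AwaitingAuthorisation",
            "user": None, "accounts": frozenset()}
        return consent_id

    # Leg 2: the client logs in at the bank, sees the consent played back, picks accounts, passes 2FA.
    def authorise(self, consent_id, user, chosen_accounts, second_factor_ok):
        c = self.consents[consent_id]
        if c["status"] != "AwaitingAuthorisation":
            raise ConsentError("consent not awaiting authorisation")
        if not second_factor_ok:
            raise ConsentError("second factor failed")
        if not set(chosen_accounts) <= set(self.accounts.get(user, {})):
            raise ConsentError("account not owned by user")
        c.update(status="Authorised", user=user, accounts=frozenset(chosen_accounts))
        code = secrets.token_urlsafe(24)  # single-use authorisation code
        self.codes[code] = consent_id
        return code

    # Leg 3: back-channel exchange of the code for a bearer token.
    def exchange_code(self, client_id, client_secret, code):
        self._check_client(client_id, client_secret)
        consent_id = self.codes.pop(code, None)  # pop: a replayed code fails
        if consent_id is None or self.consents[consent_id]["client_id"] != client_id:
            raise ConsentError("invalid or replayed code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = consent_id
        return token

    def _consent_for(self, token, permission, account_id):
        c = self.consents.get(self.tokens.get(token))
        if c is None:
            raise ConsentError("invalid token")
        if c["status"] != "Authorised":
            raise ConsentError("consent is " + c["status"])
        if time.time() > c["expires_at"]:
            raise ConsentError("consent expired")
        if permission not in c["permissions"]:
            raise ConsentError("permission not granted: " + permission)
        if account_id not in c["accounts"]:
            raise ConsentError("account not in consent")
        return c

    def transactions(self, token, account_id):
        c = self._consent_for(token, "ReadTransactions", account_id)
        return list(self.accounts[c["user"]][account_id])

    def initiate_payment(self, token, account_id, amount):
        self._consent_for(token, "InitiatePayment", account_id)
        return {"from": account_id, "amount": amount, "status": "Accepted"}

    def revoke(self, user, consent_id):  # the client revokes online; every token under it dies
        if self.consents[consent_id]["user"] != user:
            raise ConsentError("not the consent owner")
        self.consents[consent_id]["status"] = "Revoked"

def run_flow():
    """Walk one budgeting-app consent end to end on constructed sample data."""
    bank = Bank({"budget-app": "s3cret"})  # constructed TPP credentials
    bank.accounts["alice"] = {"acc-1": [{"amt": -42.5}, {"amt": 1000.0}],
                              "acc-2": [{"amt": -5.0}]}  # constructed
    cid = bank.create_consent("budget-app", "s3cret", ["ReadTransactions"], 30 * 86400)
    code = bank.authorise(cid, "alice", ["acc-1"], second_factor_ok=True)
    token = bank.exchange_code("budget-app", "s3cret", code)
    out = {"txns": bank.transactions(token, "acc-1")}
    attempts = [  # each of these must be refused; the last one after the client revokes
        ("replay", lambda: bank.exchange_code("budget-app", "s3cret", code)),
        ("other_account", lambda: bank.transactions(token, "acc-2")),
        ("payment", lambda: bank.initiate_payment(token, "acc-1", 10)),
        ("after_revoke", lambda: (bank.revoke("alice", cid), bank.transactions(token, "acc-1")))]
    for label, call in attempts:
        try:
            call()
            out[label] = "allowed"
        except ConsentError as e:
            out[label] = str(e)
    return out
```

`run_flow()` returns the transactions the budgeting app was allowed to read, plus the reason each over-reach was refused: a replayed authorisation code, an account the client did not tick, a payment under an account-information-only consent, and any call at all once the client has revoked. The point to notice is that every data call is checked against the consent record rather than against the token alone, which is what makes online revocation take effect instantly.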