Mark Twain once said: “The mania for giving the Government the power to meddle with the private affairs of cities or citizens is likely to cause endless trouble”. If this is true, at the heart of this “endless trouble” is the role of regulation, a topic that has been dividing opinion for many years in nearly every country across the globe.
Theoretically, governments act on behalf of the people, imposing regulation in order to protect their citizens from the negative effects of unfettered exploitation by business. However, events such as the global banking crisis in the last decade have reinforced the fact that governments are quite capable of imposing the “wrong” sort of regulation, focusing too heavily on laissez-faire macro-level frameworks without dealing with the possibility of catastrophic failure through a series of compounded errors (subprime mortgages being the most salient example). In circumstances such as these, it's easy to question the role of regulations and whom they are meant to protect. Again, the banking crisis showed how regulation could allow the banks to operate at risk while citizens, as both homeowners and taxpayers, bore the brunt of the consequences.
As the API economy continues to grow and the hubris around the opening of banking becomes deafening, this debate provides the backdrop to a dialogue increasingly characterized by the avid interest of government and industry bodies who see a need to standardize and regulate API providers or, in some cases, to just compel entire industries to embrace APIs as a manifest of interoperability. This need appears to derive from a number of goals:
- Protecting consumers in industries where technologies are subject to either a nascent regulatory effort or no regulation at all (Bitcoin being the most obvious example of such a technology);
- Promoting open data in industries like banking and healthcare to foster innovation in new products, improvements in services, and reduction of cost;
- Introducing standards to ease integration and introduce industry-wide approaches to product and service delivery where APIs are the point of delivery.
Standards and regulation can be viewed as two sides of the same coin, working together to ensure compliance with laws and legislation across many industries:
- Regulation sets the legal framework service providers have to abide by in order to operate in regulated industries;
- Standards provide the bulk of the technical and operating frameworks for regulated industries. They are both the yardstick by which service providers are measured and the means by which a degree of commonality can be applied to services.
In the majority of cases, regulating APIs actually means extending or redrafting existing legal frameworks to incorporate the use of APIs in order to safeguard the consumer or ensure the good behavior of API providers. However, in some industries entirely new legal frameworks are being created to regulate APIs where previously there were none. Moreover, the creation of standards in regulated industries where APIs already exist will cause disruption for API providers already in the market. Such providers will be forced to reengineer their APIs to comply with standards or risk falling foul of the regulations.
While the influence of such government meddling holds the potential to drive inorganic growth of the API economy, regulations and standards are also likely to cause some disruption to it. We've taken a look at a few examples.
Banking APIs and the opening up of banking (and by implication, consumers' banking data) continue to be a hot topic in the API economy across the world and especially in Europe. While the Payment Services Directive 2 (PSD2) is holding most of the limelight in terms of debate, speculation and conjecture in the European fintech press, the General Data Protection Regulation (GDPR) will also have a profound and far-reaching impact on the regulatory landscape and affect the operating model of many API providers.
GDPR specifically lays out the legal obligations for data protection that European Union governments must adhere to in a manner “fit for the digital age”. This regulation will inform and shape anything that is implemented as a result of other EU directives, especially PSD2. PSD2 is a forthcoming directive from the European Union that specifically uses APIs as a means for stimulating innovation in the banking industry and opening up customer account data and payment instruments to third parties (with the requisite authorization). Each country in the European Union is obliged to act on PSD2 and implement it as they see fit, with the banks under their jurisdiction forced to comply.
Any early movers and protagonists in banking APIs (for example, BBVA, Open Banking Project) may therefore be severely impacted by the need to meet both regulatory obligations on data usage and to standardize according to one or more countries’ PSD2 implementations. However, one could argue that the disruption to the few already in the market is far outweighed by the benefits PSD2 will bring to bank customers, with GDPR providing the safeguards to protect their data.
However, Europe does not hold the monopoly on regulation forcing standards across banking. In the United States, the Dodd-Frank Act has introduced many measures that impact financial services and in particular will boost the open data movement. It allows the Consumer Financial Protection Bureau (CFPB) to enact legislation that ensures consumers have access to their own financial data, with Congress also authorizing the CFPB to introduce standards for this information. While this does not appear to be on the scale of GDPR and PSD2, it does show how regulations and standards will work together to make consumers’ data much more accessible. It stands to reason that such information is likely to be made available using APIs.
Regulations and standards do not, however, stop at governments imposing them on particular industries or subject matter. They can be used more widely, enforcing compliance on government agencies and service providers who provide APIs in an effort to regulate themselves.