A finance director rang us last quarter, slightly embarrassed. Her team had spent four months building a direct host-to-host API connection to their primary bank, because the board wanted something "modern" to replace the weekly Maybank2E batch upload. Three weeks after go-live, she discovered her treasury accountant was still logging into the corporate banking portal every morning. Urgent supplier payments, foreign currency drafts, one-off director reimbursements — none of those fitted the API flow cleanly, so the manual portal had quietly become the exception channel. The API was beautiful for the 80% steady-state. The 20% of edge cases were eating her team alive.

That conversation captures the honest version of this debate. Bank payment files and direct API integration are not "legacy versus modern". They are two operating models, each with a personality, and the wrong fit hurts whichever side you choose. Before you sign off on either, it is worth understanding what you are really buying — and what stays on your finance team's desk regardless.

Key Takeaways

A few points to anchor the rest of this article before we get into specifics:

  • File-based upload (BNM-format batch, .csv to Maybank2E or similar) is still a perfectly respectable answer for many SMEs and mid-market finance teams.
  • Direct bank API (host-to-host, Open Banking style) pays off when volume, exception complexity, and reconciliation cadence cross a clear threshold.
  • Neither model rescues a weak approval matrix or messy beneficiary master data — it only industrialises what you already do.
  • The deciding question is not "which is better technology" but "where does our recon discipline break first?"

When Bank Payment Files Are Actually the Right Answer

There is a tendency in board papers to treat file upload as embarrassing — something to apologise for. It is not. For a sizeable share of Malaysian SMEs and even mid-cap groups, a clean batch file workflow gives you most of the automation benefit at a fraction of the integration cost, with the bank portal acting as a known, audited control point.

The kind of finance team this suits

Picture a property management company paying around 60 vendors a month — cleaning contractors, lift maintenance, security, utilities. The accounts team raises bills in the ERP, finance approves, and on the 25th of each month the system exports a BNM-format batch. The accounts manager uploads it to Maybank2E, the CFO releases under maker-checker, and an MT940 statement comes back the next morning for reconciliation. The whole cycle takes about ninety minutes of human time. Building a host-to-host API for that volume would be solving a problem they do not have.

File-based works well when several of the following are true:

  • Payment volumes sit comfortably in the dozens-to-low-hundreds per cycle, not thousands per day.
  • The bank portal is already a trusted, well-controlled release point your auditors are comfortable with.
  • Your exception payments (FX drafts, urgent ad-hoc transfers, refunds) are infrequent enough to be handled manually without drama.
  • The integration budget is better spent elsewhere — usually on ERP data quality or approval workflow before automation.

If three or four of those describe your reality, file-based is not a compromise. It is the sensible answer, and the API conversation can wait for a future phase when volume genuinely changes the equation.

When Direct API Integration Genuinely Pays Back

The case for host-to-host or API-based payment instruction becomes compelling once you cross a volume and exception threshold where humans simply cannot keep up with status checking. The honest test is not "do we want to be modern" — it is "how many hours a week does someone spend logging into the bank portal to chase rejected, pending, or returned payments?"

Take a corporate trustee firm running about 8,000 unit-holder distributions a quarter across multiple funds. With a file-upload model, the operations team would spend days reconciling RPP and DuitNow returns against the master register, chasing each failed payment in a spreadsheet. With a direct API, every payment instruction returns a structured status — accepted, rejected with reason code, settled — straight into the ERP. The same team handles three times the volume without growing headcount, and the CAMT.053 end-of-day statement reconciles itself overnight.

Signals that API is now justified

Before we recommend the API path, we look for a cluster of these signs in the current operation:

  • Someone in finance spends more than two hours a day inside the bank portal checking status, not approving payments.
  • Rejected, pending, and returned payments live in spreadsheets and email threads rather than in the ERP record.
  • You operate multiple entities, branches, or funds that need centralised control and a consolidated view of cash position.
  • Audit or regulators are asking for time-stamped proof of creator, approver, submitter, bank response, and reconciliation outcome on every transaction.
  • Settlement cadence is shifting toward same-day or near-real-time (RPP, DuitNow Transfer), and end-of-day batches no longer match how the business operates.

If three or more of those resonate, the recurring cost of manual reconciliation is almost certainly outpacing the one-off cost of the integration. That is the moment the business case for host-to-host writes itself.

The Hidden Costs Nobody Puts in the Slide Deck

Both options have costs that surface only after go-live, and they are worth naming before the budget is fixed. File-based looks cheap because you mostly pay for the export module, but the ongoing cost is human — someone owns the upload, someone owns the portal release, someone manually marks paid items in the ERP from the MT940. Multiply by 12 months and the "cheap" option is not as cheap as it looked.

API integration looks elegant on paper, but the bill includes things rarely mentioned upfront. There are bank onboarding fees (some banks charge for sandbox access, certificates, and per-transaction API calls). There is middleware to host and monitor. There are certificate rotations, IP whitelisting reviews, and the awkward reality that not every payment type your bank offers is exposed through their API — so you may still keep a portal login for FX, foreign telegraphic transfers, or one-off cases. Plan for that hybrid reality from day one rather than discovering it in month three.

Where file-based actually costs you

Manual portal release time, spreadsheet reconciliation of returned items, and the slow drift of beneficiary master data as people copy-paste account numbers between systems. Each is small; together they are a full-time job.

Where API actually costs you

Middleware licensing and hosting, certificate and credential governance, exception payment types that still need portal access, and the discipline to monitor the connection 24/7 so a failed handshake at 11pm does not delay payroll the next morning.

The Control Layer Is What You Are Really Buying

Here is the part finance leaders sometimes miss. Neither a file nor an API creates control. They industrialise the control you already have — or expose the control you do not. If your beneficiary master data is messy, your approval matrix is informal, and your segregation of duties exists only in goodwill, both models will surface that weakness, and the API will surface it faster and more publicly.

Before we connect anything to a bank, we walk the finance team through five questions: who creates a payment batch, who can change a beneficiary, who approves, who submits, and who reconciles. If any of those five answers is "the same person" or "it depends", the integration conversation pauses and the workflow conversation begins. Sequencing matters here. Control first, channel second.

A Real Decision: When We Recommended File, When We Recommended API

Two clients, same quarter, opposite recommendations — because the underlying operations were different in ways that matter.

The first was a Klang Valley property developer with around 80 active supplier accounts and a monthly progress-claim payment cycle. Volumes were low, the CFO personally reviewed every batch, and their bank portal already enforced dual approval. We recommended staying with a BNM-format batch upload to Maybank2E, with two improvements: a clean export module from the ERP that eliminated copy-paste, and an automated MT940 import that matched paid items overnight. Total project cost was modest, payback was under six months, and the audit committee was happy because the bank portal remained the release control they understood. No host-to-host. No regrets.

The second was a licensed trustee firm administering quarterly distributions to unit holders across several funds — peaks of 8,000 payments in a four-day window, with strict same-day settlement promises to investors. File upload was breaking them; the operations team was working weekends to chase RPP rejects through a spreadsheet, and one missed return had triggered an investor complaint. We recommended a host-to-host API integration with structured response handling, automated CAMT.053 reconciliation, and a separate exception queue for the small number of returns that needed human judgement. The project cost more than ten times the property developer's, and it was still the right call — within two quarters, the operations team had stopped working weekends and the firm onboarded a new fund without adding staff.

Same country, same banks available, opposite answers. The difference was not technology preference. It was volume, exception profile, and the cost of reconciliation failure.

A Practical Readiness Checklist Before You Commit

Whichever direction you lean, the foundations are the same. Get these in order first, then the choice between file and API becomes much clearer:

  • A clean, owned beneficiary master with documented change control — not a shared spreadsheet.
  • An approval matrix that varies by entity, payment type, and amount, signed off by the audit committee.
  • Genuine segregation of duties between creator, approver, submitter, and reconciler — enforced by system roles, not trust.
  • Audit logs that capture submission, bank response, rejection reason, cancellation, and final reconciliation status.
  • A security policy covering API credentials, certificate rotation, IP whitelisting, and monitoring — even if you have not yet decided to use an API.

If you can tick all five today, you have the option to go either way and the decision can be made on volume and economics. If you cannot, fix the gaps first; a payment channel built on shaky control is a faster way to lose money, not save it.

The Honest Bottom Line

The most expensive mistake we see is treating this as a technology procurement decision when it is actually an operating model decision. Boards push for "API because modern", finance teams quietly retain portal logins for exceptions, and the organisation ends up paying for both channels without consolidating control on either. The cheaper, calmer path is to start from how your finance team actually works on a Tuesday morning — the volumes, the exceptions, the reconciliation cadence, the people — and then choose the channel that fits that reality.

If you take one thing from this article, take this. The right answer is whichever model your finance team can run cleanly, audit confidently, and grow into for the next three years. For some of our clients that is a well-disciplined BNM batch file uploaded to Maybank2E with an MT940 coming back. For others it is a host-to-host API streaming CAMT.053 statements into the ERP overnight. Both are professional answers. Neither is a confession.

For the CFO reading this: if your team cannot tell you, within five minutes, exactly who approved every payment that left the bank yesterday and whether each one settled — fix that first. The file-versus-API question becomes much easier once that visibility exists, and much more expensive if it does not.