All Debut features should be implemented as openly-published APIs first. These APIs should be used by all interfaces (e.g. staff apps, customer-facing internet banking and mobile banking).
APIs should conform to open banking specifications where possible. They should be freely usable by individual customers as well as third-party integrators (although you may consider charging for third-party access). All banking APIs at present require a convoluted registration process even to access only your own data. All web apps can be seen as clunky APIs already anyway (as evidenced by POLi and Yodlee).
Customer-facing applications should be open-source. This allows broad innovation, and public scrutiny will lead to improved security. You are in the banking business, not the bank web app business! JS fat clients effectively have their source published anyway, and nobody is doing server pages anymore.
Every company that publishes APIs and embraces an ecosystem has a tremendous competitive advantage. The incumbents are waking up to this incredibly slowly, but are still too cautious. There is still a first-mover advantage here! Get amongst, and unseat them!