Securing APIs In The Open Banking Ecosystem


Open banking opens customer data to external third-party providers (TPPs) via application programming interfaces (APIs) that are designed to spur innovation and increase competition. Most modern applications are composed of functions and services, and developers rely on APIs to communicate between applications and their components, to share data and to drive functionality. These applications are mobile and distributed, with instances both in the cloud and on premises. Gaining a consolidated view of their configuration and security parameters is challenging at best. Many of these applications change frequently and may include open source modules. In many cases, security becomes an afterthought.

According to Radware, in 89% of organizations, the information security team does not own the budget for security solutions.

In this white paper, we examine the implications of open-banking APIs for application security and identify best-practice recommendations for securing these APIs in both cloud and on-premises deployments.

What Is Open Banking?

Open banking, driven largely by regulation, opens closed and proprietary deposit-taking banking customer data to external third-party providers (TPPs) securely through publicly available APIs.

In traditional banking, all customer data is controlled by the parent bank. In open banking, the customers own their data, which is securely exposed to TPPs via APIs once the customer has given consent. The TPPs use these publicly exposed APIs to provide financial technology (fintech) services traditionally not available through the customer's own bank.
Prior to open banking, many innovative fintech providers used screen scraping to gain access to customer data, which required the customer to hand over their bank credentials, all without the knowledge of the parent bank. Open banking replaces this with an explicit, regulated model: the customer grants consent, the TPP is registered with a regulatory authority, and the data is exchanged through APIs rather than by handing the customer's bank credentials to the TPP.
Open banking allows for the secure transmission of account data, authorised by the customer, to a TPP. Technically, this access is provided as a collection of REST APIs. The API specifications are published openly, and TPPs gain access to them by registering with the relevant certifying authority.

According to a 2018 Celent study, the number of U.S. financial institutions that have open-banking portals to facilitate TPP access to consumer financial and other data is expected to grow from 20 to more than 200 by the end of 2021. As of the first quarter of 2020, there were more than 300 TPPs registered under the Payment Services Directive 2 (PSD2) in the U.K. Other countries, such as India and Australia, have followed the EU's approach and have a thriving open-banking ecosystem.

Who Are the Participants in Open Banking?

Regulatory Authority
This includes policymakers that regulate banking and promote competition, data sharing and security. For example, in the U.K. the Financial Conduct Authority (FCA) maintains a register of firms authorised to provide open-banking services. Under the Strong Customer Authentication Regulatory Technical Standards (SCA-RTS), registered TPPs identify themselves to banks using eIDAS certificates, which are issued by qualified trust service providers (QTSPs) rather than by the regulator itself. These TPPs must adhere to the General Data Protection Regulation (GDPR) as well.

Payment Service User
This describes a consumer initiating a transaction.

Account Information Service Providers (AISPs)
These are registered account aggregators that are authorized by the customer to use (but not modify) their bank account data.

Payment Initiation Service Providers (PISPs)
These are registered providers that are allowed by the consumer to initiate payments directly from a customer bank account.

Account Servicing Payment Service Providers (ASPSPs)
These are banks that are responsible for making APIs available to TPPs, allowing them to initiate payments or gain access to customer bank-transaction information.

Financial institutions collaborate with TPPs and use APIs to enable new services and connect financial institutions' applications to merchants, consumers and companies. Data aggregators collect data and feed it into TPP apps such as Venmo, Betterment and Chime. For example, Plaid delivers an API platform for TPPs to connect to financial institutions for account access and authentication, while Finicity provides access to financial data in real time. The U.K., one of the leaders in open banking, currently lists 300+ regulated providers, 230+ TPPs and 80+ account providers, including Plum, Moneybox, Currensea and many others.

What’s Driving Open Banking?

Open banking is a trend driven by regulation, the pace of innovation in financial technology and consumer demand for more control over how their data is used. Open-banking regulations are disrupting the conventional way of doing business for traditional financial institutions by forcing them to open access to their customer data to third parties via APIs. Open banking is one of the biggest threats traditional banks face, but interestingly, it is also one of their biggest opportunities. Many nimble and innovative fintech companies with access to customer data are enabling new and innovative products to offer more choice to the consumer.

In 2015, the European Union adopted PSD2, which requires financial institutions to give third-party providers access to customer data via open APIs and mandates that financial institutions and their TPPs implement related security controls, including strong customer authentication and secure communication. The GDPR, adopted in 2016 and applicable from 2018, separately governs data protection and privacy for all EU residents, and open-banking participants must comply with both.

Innovative and Competitive
The pace of innovation and ease of use for the consumer are big drivers of open banking. Companies such as Venmo, Currensea, Plum, Betterment and Rocket Mortgage offer customers easy ways to make payments, spend, invest and understand their finances and get approved for a loan.

Europe (and the UK in particular) is an early indication of the open-banking revolution. There, TPPs have grown from approximately 100 to more than 450 in under two years, and their focus has expanded from payments and transactional retail banking to encompass the entire financial value chain.

According to Accenture research, built on data sets covering 20 of the largest economies responsible for over 75% of global GDP, as much as US$416 billion in revenue will be at stake as the open-banking data wave arrives.

While interfaces are nothing new, more modern formats such as JSON and RESTful APIs are lighter, more flexible and require less bandwidth – making them ideal for a mobile-first world. Traditional banks are also modernizing and rearchitecting their applications to compete against neobanks and fintechs.

COVID-19 has affected nearly every business, some rather dramatically. Many sectors, including finance and banking, are still adjusting operations. The pandemic has accelerated remote workforces and driven the demand for a contactless economy. This is driving network and application rearchitecture as well as adoption of and transition to the cloud while increasing the use of open APIs for many services, including open-banking APIs for financial services.

