Securing APIs In The Open Banking Ecosystem

Open banking opens customer data to external third-party providers (TPP) via application programming interfaces (APIs) that are designed to spur innovation and increase competition. In most modern applications, composed of functions and services, developers rely on APIs to communicate between applications and their components, to share data and to drive functionality. These applications are mobile and distributed, and they have instances in the cloud and on premise. Gaining a consolidated view of their configuration and security parameters is challenging at best. Many of these applications change frequently and may include open source modules. In many cases, security becomes an afterthought.

According to Radware, in 89% of organizations, the information security team does not own the budget for security solutions.

In this white paper, we examine the implications of open-banking APIs on application security and identify best-practice recommendations for securing these APIs in both cloud and onpremise deployments.

Open banking, driven largely by regulation, opens closed and proprietary deposit-taking banking customer data to external third-party providers (TPPs) securely through publicly available APIs.

In traditional banking, all customer data is controlled by the parent bank. In open banking, the customers own their data, which is securely exposed to TPPs via APIs if consent is provided by the customer. The TPPs use these publicly exposed APIs to provide financial technology (fintech) services traditionally not available through the customer’s own bank.
Prior to open banking, many innovative fintech providers used screen scraping to gain access to customer data, including user credentials, without knowledge of the parent bank. Open-banking APIs move to streamline the legal implications of sharing customer credentials and information through APIs, consent, and regulatory authority.
Open banking allows for the secure transmission of account data authorized by the customer to a TPP. Technically, this access is provided as a collection of REST APIs. Access to these APIs is available in the public domain for subscription through a certifying authority.

According to a 2018 Celent study, the number of U.S. financial institutions that have open-banking portals to facilitate TPP access to consumer financial and other data is expected to grow from 20 to more than 200 by the end of 2021. As of the first quarter of 2020, there were more than 300 TPPs registered under Payment Services Directive 2 (PSD2) in the U.K. Other countries, such as India and Australia, have followed the EU’s approach and have a thriving openbanking ecosystem.

Regulatory Authority
This includes policymakers that regulate banking and promote competition, data sharing and security. For example, in Europe the Financial Conduct Authority (FCA) maintains a register of companies authorized for open banking and issues eIDAS certificates under its Strong Customer Authentication Regulatory Technical Standards (SCA-RTS). These TPPs must adhere to the General Data Protection Regulation (GDPR) as well.

Payment Service User
This describes a consumer initiating a transaction.

Account Information Service Providers (AISPs)
These are registered account aggregators that are authorized by the customer to use (but not modify) their bank account data.

Payment Initiation Service Providers (PISPs)
These are registered providers that are allowed by the consumer to initiate payments directly from a customer bank account.

Account Servicing Payment Service Providers (ASPSPs)
These are banks that are responsible for making APIs available to TPPs, allowing them to initiate payments or gain access to customer bank-transaction information.

Financial institutions collaborate with TPPs and use APIs to enable new services and connect financial institutions’ applications to merchants, consumers and companies. Data aggregators collect data and feed it into TPP apps such
as Venmo, Betterment and Chime. For example, Plaid delivers an API platform for TPPs to connect to financial institutions for account access and authentication, while Finicity provides access to financial data in real time. UK, one of the leaders in open banking, currently lists 300+ regulated providers, 230+ TPPs and 80+ account providers, including Plum, Moneybox, Currensea and many others.