The Open Banking Challenge: Ensuring Compliance with API Standards for the Financial Industry

By Jamie Beckland, Chief Product Officer at APIContext

For banks, retailers and enterprise businesses, open banking and application programming interfaces (APIs) are a powerful combination that streamlines how financial data is exchanged. Moreover, APIs reduce IT complexity and simplify financial transactions for the financial industry.

However, as this landscape evolves, particularly with API usage increasing, meeting regulatory and compliance requirements for API reporting poses a significant challenge for financial institutions. Regulations such as the forthcoming EU PSD3 and US CFPB 1033 aim to address the big issue in how APIs are being built and deployed while ensuring quality and security are maintained throughout the API lifecycle. And, for the first time, they will include technology speed and availability requirements.

In the UK, should issues arise with APIs, open banking regulations require that they are reported to industry regulators. Issues can happen if the API is not aligned with the specification to which it was created, is not available in the valid format it is supposed to be, or if the data in the API is not accurate. The UK has been at the forefront of the global open banking revolution due to the proactive attitudes of regulators which created an Open Banking ecosystem that provides the UK with best practices in the implementation of API-based Open Banking that many other jurisdictions are looking to as a framework.

The US is seeking to adopt new open banking regulations dedicated to ensuring API quality and security standards are being met. While the UK has already adopted the Financial-Grade API protocol (FAPI), the US is currently in a listening period for new regulations – but those within the industry know those new regulations are fast approaching.

FAPI is a specialised set of standards and guidelines that aim to ensure the security and reliability of APIs used in the financial industry. It is defined by the OpenID Foundation, an industry body that’s been working on creating hardened API standards that work for sharing financial information, managing transactions, making payments, checking balances, and more. It uses OAuth 2.0 and OpenID Connect as its base and then adds technical requirements for the financial industry and other industries that require higher API security. Indeed, the goal of FAPI is to provide a “higher level of security than provided by standard OAuth or OpenID Connect.”

Security is a concern with APIs because as the number of APIs exposed increases, so does the exposed surface area. Should an API be poorly created or not maintained, gaps will appear with an increased likelihood of exploits. Since security around finance transactions is paramount, many look to FAPI to set the standard for API security.

In addition, API regulatory reporting requirements exist to ensure all APIs are compliant throughout their lifecycle, and not just when they are first created. For instance, annual reports for APIs are obligatory for organisations in the UK and any time there is a violation these must be immediately reported.

Unlike the annual reporting requirement in the UK, the US is likely to demand reporting to be conducted more frequently or even continuously. Globally, meeting API standard compliance continues to be a hot topic. Countries such as Australia, Brazil, Mexico, India and the UAE have either implemented regulatory requirements or are in the process of enforcing a certain version of the technical standard – meaning all businesses within that country will need to conform to that standard.

Organisations need to have monitoring capabilities in place for APIs to ensure they are compliant and conformant, especially to industry standards in locations where they conduct business. Yet, monitoring APIs and checking for API compliance can be slow and painful for businesses that don’t have the right tools, with much of it being a manual process. Furthermore, proactive API security and governance will be crucial to the future of open banking’s success otherwise this could potentially cause problems with regulators and industry standards groups.

Therefore, organisations should implement robust controls for current API services, including real-time and automated API monitoring, access management, testing, and governance checks to gain the full context of the performance of APIs in use. This will assist organisations with potential service outages and security or conformance issues before customers, partners or regulators find out.

Ultimately, API performance is critical to ensure a strong user experience for core digital use cases like payment processing and transfers. Implementing these steps will help inspire customer confidence and ensure the organisation’s Open Banking services are delivered efficiently, safely and securely.