Application programming interfaces (APIs) lay the framework for the exchange of financial information. Indeed, APIs now power both savings and monetization. While 56% of banks expect APIs to help reduce costs, 69% anticipate greater revenue.
Open APIs expand the impact of these interfaces. These publicly available solutions can be used and modified as developers see fit. This saves finance IT teams the work of building basic functionality; instead, they can use existing frameworks to create custom software connectors.
The public nature of open APIs, however, introduces potential risks. For banks, making the most of APIs means finding a balance between how interfaces operate, what data they use and who can access this information.
What Are Open APIs?
Open APIs facilitate interoperability through the use of shared data dictionaries, entry catalogs and information exchange models that handle both data transmission and receipt. The result is a level playing field: Any bank, of any size, can use open APIs to facilitate finance functions and to interact with other services or software that use the same interface type.
Using identity access frameworks, banks can control who has access to APIs and what actions they’re allowed to take. For example, IT teams can set information as read-only for customers or frontline staff, and read/write for data engineers or IT administrators.
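The read-only versus read/write split described above is, in practice, a deny-by-default authorization check that runs after a caller has been authenticated. The following Python is an added illustration and is not code from the article, from CDW or from any bank; the role names, resource names and HTTP-verb mapping are assumptions chosen to mirror the text, and every decision is written to an audit list so that the access pattern stays reviewable.

```python
"""Deny-by-default, role-based authorization for an open banking API (added example)."""
import logging
from dataclasses import dataclass
from enum import Enum

logger = logging.getLogger("api.authz")


class Action(Enum):
    READ = "read"
    WRITE = "write"


# Assumed roles and resources, modelled on the read-only / read-write split in the text.
# Anything not listed is refused: deny-by-default keeps a mistyped role name from
# silently granting access.
POLICY = {
    "customer":        {"accounts": {Action.READ}, "transactions": {Action.READ}},
    "frontline_staff": {"accounts": {Action.READ}, "transactions": {Action.READ}},
    "data_engineer":   {"accounts": {Action.READ, Action.WRITE},
                        "transactions": {Action.READ, Action.WRITE}},
    "it_admin":        {"accounts": {Action.READ, Action.WRITE},
                        "transactions": {Action.READ, Action.WRITE},
                        "policies": {Action.READ, Action.WRITE}},
}

# HTTP verbs that change state are treated as writes; anything else is rejected outright.
METHOD_TO_ACTION = {"GET": Action.READ, "HEAD": Action.READ,
                    "POST": Action.WRITE, "PUT": Action.WRITE,
                    "PATCH": Action.WRITE, "DELETE": Action.WRITE}


@dataclass(frozen=True)
class Principal:
    subject: str          # e.g. the 'sub' claim of an already-validated token
    roles: frozenset      # roles asserted by the identity provider
    authenticated: bool   # True only after credential/token validation succeeded


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Every decision is recorded so the volume of API calls stays reviewable (visibility).
# A real deployment would forward these entries to a SIEM rather than keep them in memory.
AUDIT_LOG: list[dict] = []


def authorize(principal: Principal, resource: str, action: Action) -> Decision:
    """Authentication is a precondition for authorization, never a substitute for it."""
    if not principal.authenticated:
        decision = Decision(False, "unauthenticated")
    elif any(action in POLICY.get(role, {}).get(resource, set()) for role in principal.roles):
        decision = Decision(True, "granted by role policy")
    else:
        decision = Decision(False, f"no role grants {action.value} on {resource}")
    entry = {"subject": principal.subject, "roles": sorted(principal.roles),
             "resource": resource, "action": action.value,
             "allowed": decision.allowed, "reason": decision.reason}
    AUDIT_LOG.append(entry)
    logger.info("authz %s", entry)
    return decision


def handle_request(principal: Principal, method: str, resource: str) -> tuple[int, str]:
    """Map an HTTP request to an authorization decision and an HTTP status code."""
    action = METHOD_TO_ACTION.get(method.upper())
    if action is None:
        return 405, "method not allowed"
    decision = authorize(principal, resource, action)
    if not decision.allowed:
        # 401 for a missing or invalid identity, 403 for a known identity lacking permission.
        return (401 if decision.reason == "unauthenticated" else 403), decision.reason
    return 200, f"{action.value} {resource} ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    teller = Principal("teller-17", frozenset({"frontline_staff"}), authenticated=True)
    print(handle_request(teller, "GET", "accounts"))   # read allowed for frontline staff
    print(handle_request(teller, "POST", "accounts"))  # write refused
```

The two status codes are deliberate: a 401 tells the client to authenticate, while a 403 tells an authenticated client that its role does not cover the action. Keeping the policy table as data rather than scattered `if` statements also makes it something an assessment can review in one place.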
The Challenges of Open APIs
While open APIs are powerful and flexible, they also come with challenges.
The first is visibility. Given the scope and scale of many banking APIs, companies may have thousands of users sending data from one application to another. This naturally limits visibility, which can lead to compromise if malicious actors manage to slip under the radar.
Second is verification. It’s not enough for banks to authenticate user identities; they must also navigate the level of authorization and access given to each user. Netflix is a good example: Historically, the streaming service relied on login and password data for access. But to tamp down on password-sharing, the company has adopted location-based services to determine where requests are coming from and to tailor access based on this information.
It’s also worth noting that API security isn’t a one-and-done process. Instead, it takes months or years of work. Consider the exchange and validation of account information. Data such as routing numbers help facilitate wire transfers, but this process also depends on connections with legacy systems that may use old code libraries or weaker cryptography.
In practice, this could mean thousands of connections to review and secure, making open API security an ongoing effort.
Three Best Practices for API Management
To close the gap between open APIs and effective protection, banks should consider three best practices:
- Deliver APIs on demand. Distributed denial of service (DDoS) attacks can knock APIs offline and cripple banking communications. To avoid this, it’s worth using a spin-up, spin-down public cloud platform model that delivers APIs on demand rather than leaving them always-on.
- Conduct ongoing assessments. API access and security aren’t static. Banks should conduct regular code assessments, load balancing, penetration testing and input validation to ensure data is trustworthy, authoritative and accurate. Assessments can be carried out in-house or with the help of a trusted IT provider.
- Implement robust third-party management. By using open APIs, banks can easily connect to and use third-party services. These third parties, however, pose potential risks if left unchecked. To reduce this risk, banks should rely on a shared-responsibility model that identifies exactly what data elements are being exchanged, how data is secured, how it is retained, and where else it is transmitted.
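The input validation called for in the second practice, applied to the routing numbers mentioned earlier, looks like the following. This Python is an added example, not code from the article, from CDW or from any bank. The ABA check-digit rule (weights 3, 7, 1 repeated; weighted sum divisible by 10) and the published first-two-digit ranges are real; the account-number length rule and the payload field names are assumptions, and the sample values in the test are constructed strings that pass or fail the checksum, which says nothing about whether a number is assigned to an institution.

```python
"""Input validation for ABA routing numbers in a wire-transfer request (added example)."""
import re
from decimal import Decimal, InvalidOperation

# Strict ASCII digits: Python's \d also matches non-ASCII digits (e.g. U+0660), which
# int() would convert without complaint, so [0-9] is used instead.
ROUTING_RE = re.compile(r"[0-9]{9}")
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)
# Published first-two-digit ranges for assigned ABA routing numbers.
VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))


def routing_checksum_ok(number: str) -> bool:
    """ABA check-digit rule: the 3,7,1-weighted digit sum must be divisible by 10."""
    return sum(w * int(d) for w, d in zip(WEIGHTS, number)) % 10 == 0


def validate_routing_number(value) -> tuple[bool, str]:
    # Leading zeros are significant, so the value must arrive as a string, never an int.
    if not isinstance(value, str):
        return False, "routing number must be a string"
    if ROUTING_RE.fullmatch(value) is None:
        return False, "routing number must be exactly 9 ASCII digits"
    prefix = int(value[:2])
    if not any(lo <= prefix <= hi for lo, hi in VALID_PREFIX_RANGES):
        return False, "routing number prefix outside assigned ranges"
    if not routing_checksum_ok(value):
        return False, "routing number check digit mismatch"
    return True, "ok"


def validate_wire_request(payload: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the request is well-formed."""
    errors = []
    ok, reason = validate_routing_number(payload.get("routing_number"))
    if not ok:
        errors.append(reason)
    account = payload.get("account_number")
    # Assumed length rule for illustration; real limits depend on the receiving system.
    if not (isinstance(account, str) and re.fullmatch(r"[0-9]{4,17}", account)):
        errors.append("account number must be 4-17 ASCII digits")
    # Money is parsed as Decimal from its string form so binary floats never round it.
    try:
        amount = Decimal(str(payload.get("amount")))
        if (not amount.is_finite() or amount <= 0
                or amount != amount.quantize(Decimal("0.01"))):
            errors.append("amount must be a positive value with at most two decimal places")
    except InvalidOperation:
        errors.append("amount is not a decimal number")
    return errors


if __name__ == "__main__":
    print(validate_routing_number("021000021"))          # checksum-valid sample
    print(validate_routing_number("021000022"))          # check digit mismatch
    print(validate_wire_request({"routing_number": 21000021,
                                 "account_number": "12", "amount": "-5"}))
```

Two details matter more than the arithmetic: a routing number that arrives as a JSON number loses its leading zero, so the type check rejects it before any parsing, and a check digit only catches transcription errors; whether the number belongs to a live institution still has to be confirmed against an authoritative directory.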
Open APIs offer customization to facilitate communication and drive increased banking revenue. They also open the door to potential security risks. The solution? Creating access, authentication and appropriate-use policies that prioritize visibility and help drive value.
This article is part of BizTech's EquITy blog series.