While Open Banking makes banking services more accessible, it also brings some challenges. Open Banking drives innovation in the banking industry: TPPs (third party providers) can access traditional banking services on the customer's behalf in a secure way, and get the chance to provide better services and a better user experience.
Open Banking answers questions like: “How can banks share customer data with TPPs in a secure way?” and “How can TPPs be allowed to perform banking operations on the customer's behalf?”
At the same time, challenges like data privacy, fraud/threat protection, continuous development, resilience, and traceability are emerging.
Before the idea of Open Banking, financial data was only shared with the bank's own applications. Once we start thinking about sharing data with, and granting access to, third party applications (TPP applications), data privacy gains importance. We can say that with Open Banking, TPPs are new players in the banking industry. From the bank's perspective, it must make sure that it shares data only with authorized TPPs, protects such data based on customer consent, filters the data content, and respects the access period that the customer's consent allows. This can be achieved by applying access management best practices (OAuth 2.0, OpenID Connect, Multi-Factor Auth, signatures, PKCE, etc.) to ensure privacy.
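The consent checks described above (authorized TPP only, consented accounts only, granted permissions only, and an access window chosen by the customer), written out as an added example. This is illustrative code, not any bank's or standard's implementation; the permission names, the field mapping, the consent shape and the sample records are assumptions constructed for the example.

```python
"""Consent-bound access to customer data at an Open Banking data API (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed mapping from a granted permission to the response fields it unlocks.
FIELDS_BY_PERMISSION = {
    "accounts:read": {"account_id", "currency", "nickname"},
    "balances:read": {"balance"},
    "transactions:read": {"transactions"},
}


@dataclass(frozen=True)
class Consent:
    consent_id: str
    tpp_id: str               # the TPP (OAuth client) the customer granted access to
    account_ids: frozenset    # accounts the customer agreed to expose
    permissions: frozenset    # subset of FIELDS_BY_PERMISSION keys
    expires_at: datetime      # end of the access window chosen by the customer
    revoked: bool = False


def decide(consent, tpp_id, account_id, permission, now):
    """Return "allow" or the reason the request falls outside the consent.

    These checks come after transport and token validation (mTLS, signature):
    a valid token still only reaches the data the customer consented to.
    """
    if consent.revoked:
        return "deny: consent revoked"
    if consent.tpp_id != tpp_id:
        return "deny: consent was granted to a different TPP"
    if now >= consent.expires_at:
        return "deny: consent expired"
    if account_id not in consent.account_ids:
        return "deny: account not covered by consent"
    if permission not in consent.permissions:
        return f"deny: permission {permission} not granted"
    return "allow"


def filter_view(record, consent):
    """Keep only the fields the granted permissions unlock; everything else is dropped."""
    allowed = set()
    for perm in consent.permissions:
        allowed |= FIELDS_BY_PERMISSION.get(perm, set())
    return {k: v for k, v in record.items() if k in allowed}


def serve_account(store, consent, tpp_id, account_id, now):
    """Gateway handler: authorize against the consent, then filter the stored record."""
    verdict = decide(consent, tpp_id, account_id, "accounts:read", now)
    if verdict != "allow":
        return {"error": verdict}
    return filter_view(store[account_id], consent)


# Constructed sample data for a stand-alone run (not real customer data).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=91)   # a moment after the consent below has expired
STORE = {
    "ACC-1": {"account_id": "ACC-1", "currency": "EUR", "nickname": "Main",
              "balance": 1234.56, "transactions": [{"amount": -20.0, "ref": "coffee"}]},
    "ACC-2": {"account_id": "ACC-2", "currency": "EUR", "nickname": "Savings",
              "balance": 9000.0, "transactions": []},
}
CONSENT = Consent(
    consent_id="c-001",
    tpp_id="tpp-budget-app",
    account_ids=frozenset({"ACC-1"}),
    permissions=frozenset({"accounts:read", "balances:read"}),   # no transaction detail
    expires_at=NOW + timedelta(days=90),
)

if __name__ == "__main__":
    print(serve_account(STORE, CONSENT, "tpp-budget-app", "ACC-1", NOW))
    print(serve_account(STORE, CONSENT, "tpp-budget-app", "ACC-2", NOW))
    print(serve_account(STORE, CONSENT, "tpp-other", "ACC-1", NOW))
    print(serve_account(STORE, CONSENT, "tpp-budget-app", "ACC-1", LATER))
```

The point of keeping decide and filter_view separate is that the first answers "may this TPP touch this account at all?" while the second answers "which fields of it?"; a consent that grants account and balance access but not transaction detail yields a record with the transactions field removed rather than a refusal.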
Threat protection and fraud prevention are two other huge topics in the financial industry. There are various ways to raise the security level of APIs, and the security controls of the API Management layer need to be tightened: injection attacks and replay attacks must be defended against, and request validation, rate limiting and throttling must be in place.
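Three of the gateway controls just listed (replay detection, per-TPP throttling and allowlist request validation), as an added example that is not code from the original article or from any API Management product. The acceptance window, the bucket parameters and the identifier format are assumptions chosen for the example.

```python
"""Gateway-side replay detection, per-TPP throttling and strict input validation (illustrative)."""
import re


class ReplayGuard:
    """Reject a request whose id was already accepted inside the window, or whose
    timestamp lies outside the window, so an old capture cannot be replayed after
    its id has been forgotten. State is in memory here; a gateway cluster would
    keep it in a shared store."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self._seen = {}   # request_id -> time at which the entry can be forgotten

    def check(self, request_id, request_ts, now):
        # Drop expired ids so memory stays bounded by the window.
        self._seen = {rid: exp for rid, exp in self._seen.items() if exp > now}
        if abs(now - request_ts) > self.window:
            return "reject: timestamp outside acceptance window"
        if request_id in self._seen:
            return "reject: request id already used"
        self._seen[request_id] = now + self.window
        return "accept"


class TokenBucket:
    """Per-TPP token bucket: bursts up to `capacity`, sustained rate `refill_per_second`."""

    def __init__(self, capacity, refill_per_second):
        self.capacity = capacity
        self.rate = refill_per_second
        self._state = {}   # tpp_id -> (tokens, last_seen)

    def allow(self, tpp_id, now):
        tokens, last = self._state.get(tpp_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._state[tpp_id] = (tokens - 1, now)
            return True
        self._state[tpp_id] = (tokens, now)
        return False


# Assumed identifier format: allowlist validation rejects anything outside the expected
# alphabet before it reaches a query or a downstream system, removing the injection
# surface instead of trying to filter known-bad characters.
ACCOUNT_ID_PATTERN = re.compile(r"[A-Z0-9-]{3,34}")


def validate_account_id(value):
    return isinstance(value, str) and ACCOUNT_ID_PATTERN.fullmatch(value) is not None


if __name__ == "__main__":
    guard = ReplayGuard()
    print(guard.check("req-1", 100, 100), guard.check("req-1", 100, 101))
    bucket = TokenBucket(capacity=3, refill_per_second=1)
    print([bucket.allow("tpp-a", 0) for _ in range(4)], bucket.allow("tpp-a", 1))
    print(validate_account_id("ACC-1"), validate_account_id("../ACC-1"))
```

Note the interplay between the two replay checks: an entry is remembered for exactly one window, and a request stamped earlier than one window ago is refused on its timestamp, so the two rules together cover the whole timeline without unbounded state.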
Given the sensitivity and the openness that Open Banking brings to banks, its operations must be protected adequately. This means that, at the very least, they need to be integrated into the existing fraud prevention system and hardened; for example, a payment operation that exceeds the daily transfer limit should require additional authorization (Multi-Factor Auth). This is in addition to any hardening required by the standard itself, such as mutual TLS, and any other Open Banking specific security requirements.
If the bank already has a channel approach (mobile, internet, branch, etc.), Open Banking should be considered a separate banking channel, and an openly available one. It should be treated differently from in-house closed channels and have its own threat protection and fraud prevention standards, which in many cases will be stricter than those applied to closed channels.
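The two preceding points combined in one added example: a payment check that steps up to Multi-Factor Auth once the daily transfer limit is exceeded, with a separate, stricter policy for the Open Banking channel than for an in-house channel. This is illustrative code, not any bank's fraud rules; the channel names, the limits and the hard cap (an outright refusal above a second threshold, which the article does not mention) are assumptions.

```python
"""Channel-aware payment check with MFA step-up above the daily limit (illustrative)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ChannelPolicy:
    daily_limit: float   # cumulative amount per account and day before step-up is required
    hard_cap: float      # cumulative amount refused outright, even after MFA (assumption)


# Open Banking is an open channel, so its policy is stricter than the in-house one.
# Values are made up for the example.
POLICIES = {
    "mobile": ChannelPolicy(daily_limit=5000.0, hard_cap=20000.0),
    "open_banking": ChannelPolicy(daily_limit=1000.0, hard_cap=2500.0),
}


class PaymentFraudCheck:
    def __init__(self, policies):
        self.policies = policies
        # Per channel, account and day; a bank might instead aggregate across channels.
        self._spent = {}

    def evaluate(self, channel, account_id, amount, day, mfa_completed=False):
        """Return "allow", "step_up" (MFA required before retry) or "deny"."""
        if channel not in self.policies:
            return "deny"                     # unknown channel: fail closed
        if amount <= 0:
            return "deny"
        policy = self.policies[channel]
        key = (channel, account_id, day)
        projected = self._spent.get(key, 0.0) + amount
        if projected > policy.hard_cap:
            return "deny"
        if projected > policy.daily_limit and not mfa_completed:
            return "step_up"
        self._spent[key] = projected          # only committed payments count toward the limit
        return "allow"


DAY = date(2024, 1, 15)   # constructed business day for the sample run

if __name__ == "__main__":
    check = PaymentFraudCheck(POLICIES)
    for channel, amount, mfa in [("open_banking", 600.0, False), ("open_banking", 600.0, False),
                                 ("open_banking", 600.0, True), ("mobile", 1200.0, False)]:
        print(channel, amount, mfa, "->", check.evaluate(channel, "ACC-1", amount, DAY, mfa))
```

A step_up verdict is deliberately not recorded as spending: the payment has not happened yet, so the same request retried after the customer completes MFA is evaluated against the same cumulative total.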
Continuous Development, Resilience, and Traceability
Since Open Banking drives change and innovation in the banking industry, extension of the existing API ecosystem is inevitable. To be able to absorb that change, good development and deployment strategies are needed.
Monitoring the APIs, gathering their metrics and implementing event-driven reporting are needed to keep an Open Banking system healthy and resilient. It is paramount for the bank to know how the API Management platform performs, to check its real-time status, response times, error status, etc., in order to offer a good quality of service to its customers and TPPs. This will also help to mitigate issues and complaints, and cut down the cost of ownership and operational support, which also includes continuous integration and continuous deployment costs.
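The metrics and event-driven reporting described above, as an added example: per-endpoint error rate and p95 response time computed from gateway access logs, with one alert event per breached threshold. The code is not from the article or any API Management platform; the JSON-lines log format, the sample entries and the thresholds are constructed for the example.

```python
"""API health metrics and event-driven alerts over gateway access logs (illustrative)."""
import json
import math
from collections import defaultdict

# Constructed access-log sample (one JSON object per line), not real traffic.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": "2024-01-15T12:00:%02dZ" % i, "tpp": "tpp-a", "path": "/accounts",
                 "status": status, "latency_ms": latency})
     for i, (status, latency) in enumerate([(200, 120), (200, 130), (200, 140), (200, 150),
                                            (200, 160), (200, 170), (200, 180), (500, 190),
                                            (200, 900), (500, 2000)])]
    + [json.dumps({"ts": "2024-01-15T12:01:%02dZ" % i, "tpp": "tpp-b", "path": "/payments",
                   "status": 201, "latency_ms": latency})
       for i, latency in enumerate([200, 210, 220, 230, 240])]
)


def parse_log(text):
    """Parse JSON lines, skipping malformed ones rather than aborting the whole report."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) over a sorted copy of the values."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(records):
    """Per-endpoint request count, 5xx error rate and p95 latency."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    summary = {}
    for path, rs in by_path.items():
        errors = sum(1 for r in rs if r["status"] >= 500)
        summary[path] = {
            "count": len(rs),
            "error_rate": errors / len(rs),
            "p95_ms": percentile([r["latency_ms"] for r in rs], 95),
        }
    return summary


def alerts(summary, max_error_rate=0.05, max_p95_ms=800):
    """Emit one event per breached threshold; these feed the alerting or reporting pipeline."""
    events = []
    for path, m in summary.items():
        if m["error_rate"] > max_error_rate:
            events.append({"path": path, "kind": "error_rate", "value": m["error_rate"]})
        if m["p95_ms"] > max_p95_ms:
            events.append({"path": path, "kind": "latency_p95", "value": m["p95_ms"]})
    return events


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(json.dumps(report, indent=2))
    for event in alerts(report):
        print("ALERT", event)
```

Thresholds are parameters rather than constants so the same summariser can serve a strict TPP-facing SLO and a looser internal one; the alert events carry the measured value so the receiving system can rank them.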
In conclusion, a well-defined and organized API Management environment, on which the Open Banking APIs sit, will speed up time to market, increase flexibility and market value and, most importantly, protect the end customer against threats as well as the bank itself from abuse and fraud.