Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Banking

The Open Banking Challenge: Ensuring Compliance with API Standards for the Financial Industry

Published by Jessica Weisman-Pitts

Posted on July 11, 2024

Featured image for article about Banking

By Jamie Beckland, Chief Product Officer at APIContext

For banks, retailers and enterprise businesses, open banking and application programming interfaces (APIs) are a powerful combination that streamlines how financial data is exchanged. Moreover, APIs reduce IT complexity and simplify financial transactions for the financial industry.

However, as this landscape evolves, particularly with API usage increasing, meeting regulatory and compliance requirements for API reporting poses a significant challenge for financial institutions. Regulations such as the forthcoming EU PSD3 and US CFPB 1033 aim to address the big issue in how APIs are being built and deployed while ensuring quality and security are maintained throughout the API lifecycle. And, for the first time, they will include technology speed and availability requirements.

In the UK, should issues arise with APIs, open banking regulations require that they are reported to industry regulators. Issues can happen if the API is not aligned with the specification to which it was created, is not available in the valid format it is supposed to be, or if the data in the API is not accurate. The UK has been at the forefront of the global open banking revolution due to the proactive attitudes of regulators which created an Open Banking ecosystem that provides the UK with best practices in the implementation of API-based Open Banking that many other jurisdictions are looking to as a framework.

The US is seeking to adopt new open banking regulations dedicated to ensuring API quality and security standards are being met. While the UK has already adopted the Financial-Grade API protocol (FAPI), the US is currently in a listening period for new regulations – but those within the industry know those new regulations are fast approaching.

FAPI is a specialised set of standards and guidelines that aim to ensure the security and reliability of APIs used in the financial industry. It is defined by the OpenID Foundation, an industry body that’s been working on creating hardened API standards that work for sharing financial information, managing transactions, making payments, checking balances, and more. It uses OAuth 2.0 and OpenID Connect as its base and then adds technical requirements for the financial industry and other industries that require higher API security. Indeed, the goal of FAPI is to provide a “higher level of security than provided by standard OAuth or OpenID Connect.”

Security is a concern with APIs because as the number of APIs exposed increases, so does the exposed surface area. Should an API be poorly created or not maintained, gaps will appear with an increased likelihood of exploits. Since security around finance transactions is paramount, many look to FAPI to set the standard for API security.

In addition, API regulatory reporting requirements exist to ensure all APIs are compliant throughout their lifecycle, and not just when they are first created. For instance, annual reports for APIs are obligatory for organisations in the UK and any time there is a violation these must be immediately reported.

Unlike the annual reporting requirement in the UK, the US is likely to demand reporting to be conducted more frequently or even continuously. Globally, meeting API standard compliance continues to be a hot topic. Countries such as Australia, Brazil, Mexico, India and the UAE have either implemented regulatory requirements or are in the process of enforcing a certain version of the technical standard – meaning all businesses within that country will need to conform to that standard.

Organisations need to have monitoring capabilities in place for APIs to ensure they are compliant and conformant, especially to industry standards in locations where they conduct business. Yet, monitoring APIs and checking for API compliance can be slow and painful for businesses that don’t have the right tools, with much of it being a manual process. Furthermore, proactive API security and governance will be crucial to the future of open banking’s success otherwise this could potentially cause problems with regulators and industry standards groups.

Therefore, organisations should implement robust controls for current API services, including real-time and automated API monitoring, access management, testing, and governance checks to gain the full context of the performance of APIs in use. This will assist organisations with potential service outages and security or conformance issues before customers, partners or regulators find out.

Ultimately, API performance is critical to ensure a strong user experience for core digital use cases like payment processing and transfers. Implementing these steps will help inspire customer confidence and ensure the organisation’s Open Banking services are delivered efficiently, safely and securely.