How API Consumption Management Aids Financial Compliance


In this post, we'll consider why aggregation is essential for financial app developers and see how the practice of API consumption management can help mitigate security risks involved in overseeing countless open banking APIs.

Bill Doerrfeld, Editor in Chief for Nordic APIs


The world of finance is adopting more and more APIs. At the heart of this trend is open banking. Largely driven by regulations, the movement is opening up authorized access to consumer financial data to third-party providers. This is revolutionary, as APIs enable a newfound approach to data-sharing that is far more streamlined than previous methods.

Global open banking regulations, such as PSD2, the UK's Open Banking, Open Banking Brazil, Mexico's FinTech Law, and others, have ushered in a new era of bank APIs at a mammoth scale — for instance, the Open Banking Tracker currently catalogs over 500 APIs from various financial institutions worldwide.

Although open banking APIs enable similar behaviors, standards around API design vary significantly from bank to bank. Therefore, intermediaries have emerged to help app developers bridge various financial institutions simultaneously, greatly aiding the API integration experience. Yet, compliance with data privacy and security remains a challenging prospect in the world of highly connected financial ecosystems.

Third-party API consumption management presents a compelling method to bring better security and compliance controls to a sprawling inventory of financial APIs. Below, we'll consider why aggregation is essential for financial app developers and see how the practice of API consumption management can help mitigate security risks involved in overseeing countless open banking APIs.

Why API Aggregation Is Essential for Financial Apps

These days, developers building financial applications aren't just integrating with a single bank API — they're often building services that must connect to various bank APIs on the backend. Many apps, such as fintech, insurance companies, and financial dashboard tools, require pulling data from multiple sources. Yet, API standards differ from bank to bank, which makes building many point-to-point integrations challenging.

Using an intermediary grants incredible benefits. As such, various banking API aggregators have emerged. Aggregators like TrueLayer, Neonomics, Tink, Plaid, and others provide access to multiple banking APIs, delivering a standard method for similar functions, like checking the availability of funds or balance information.

Outsourcing the financial API integration hurdle brings incredible development efficiency for app developers. For instance, a bank API aggregator could combine hundreds of bespoke payment initiation APIs into a single, standardized payment API. This would allow developers to seamlessly support payments across multiple financial institutions, unlocking an advanced connected financial user experience.

The Problem Facing Universal Finance APIs: Security and Privacy

A concerning issue with bank APIs is the potential to leak user credentials during account linking. Financial apps also handle personally identifiable information (PII), which could easily violate local regulations if used or stored inappropriately. Yet, bank API aggregators don't always have a clear window into the regulatory requirements of the jurisdictions in which banks operate. Without a clear view of the regulatory impact across geographies, bank API aggregators often tend to operate in a single country or region.

Some banks have even outright banned the usage of their APIs by aggregators due to privacy concerns, preferring developers consume their APIs directly instead. "Banks have also struggled with distinguishing data aggregators from hackers trying to conduct fraudulent behavior," writes Justin Kuepper for Investopedia. "Some large banks had responded by banning data aggregators from accessing their websites."

Although API-based data sharing is much more secure than screen-scraping, it still poses challenges, especially for aggregators looping in APIs from multiple financial institutions. These platforms must ensure authentication and authorization are enforced across all integration points and that PII isn't misused. Otherwise, they may face considerable fines and a loss of user faith.

How API Consumption Management Secures Financial Aggregation

One method that could help secure financial API aggregation is incorporating a layer dedicated to managing external integrations. Third-party API consumption management is a new form of API management that provides greater awareness around the external APIs an organization consumes.

A layer for third-party API consumption management would be an ideal location to insert the logic required to meet compliances and regulations around financial data sharing. Such a gateway could especially help bank API aggregators set standard controls across their portfolio, helping all stakeholders meet financial compliances and, most importantly, protect the integrity of sensitive end-user data. Let's review some of the capabilities this layer could enable.

PII Masking

For instance, a third-party API gateway could obfuscate potentially sensitive data, such as account numbers, social security numbers, credit card numbers, addresses, and other information that might be accessible through a person's financial account. This would ensure app developers don't have access to this information or potentially leak it.

Allow/Block Listing

API consumption management could also set boundaries at the application level to dictate which banking APIs developers can integrate with by employing allowlisting or blocklisting. Taking that a step further, such a layer could also set guardrails at the method or endpoint level to offer a more fine-grained approach to what fields developers can or cannot access.

Logging and Auditing

Addressing errors in APIs is an endless battle. And often, it helps to have a central location to log and audit interactions for offline access. Conducting such auditing is important for compliance with service-level agreements. An external API consumption layer could help safely store logs and expunge any PII that might be captured in the process.
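As an added illustration (not the author's or Lunar.dev's code), the following Python sketch of a consumption-management layer combines the three controls just described: an app-level allowlist at method and endpoint granularity, PII masking of the bank's response, and an audit log that only ever stores the masked document. The app ids, bank host, endpoint paths and sample response are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed allowlist (hypothetical app ids and bank host): method + endpoint each app may call.
ALLOWLIST = {
    "budget-app": {("GET", "api.examplebank.test", "/accounts/{id}/balances")},
    "payments-app": {("POST", "api.examplebank.test", "/payments")},
}
# PII fields: keep the last four characters of identifiers an app may need to recognise,
# redact everything else fully.
KEEP_LAST4 = {"accountNumber", "iban", "cardNumber"}
REDACT = {"ssn", "address", "dateOfBirth"}

def _path_matches(pattern: str, path: str) -> bool:
    pp, ps = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(pp) == len(ps) and all(  # "{id}" placeholders match one segment
        a == b or (a.startswith("{") and a.endswith("}")) for a, b in zip(pp, ps))

def is_allowed(app_id: str, method: str, host: str, path: str) -> bool:
    """Allow-list check: the app must be granted this method + host + endpoint."""
    return any(m == method and h == host and _path_matches(p, path)
               for (m, h, p) in ALLOWLIST.get(app_id, set()))

def mask_pii(obj):
    """Recursively mask PII fields in a decoded JSON document."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            if k in KEEP_LAST4:
                s = str(v).replace(" ", "")
                out[k] = "*" * max(len(s) - 4, 0) + s[-4:]
            elif k in REDACT:
                out[k] = "[REDACTED]"
            else:
                out[k] = mask_pii(v)
        return out
    if isinstance(obj, list):
        return [mask_pii(v) for v in obj]
    return obj

def mediate(app_id, method, host, path, upstream_body: str, audit_log: list):
    """Gate the call, mask the bank's response, and write a PII-free audit entry."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "app": app_id,
             "call": f"{method} {host}{path}"}
    if not is_allowed(app_id, method, host, path):
        audit_log.append({**entry, "outcome": "blocked"})
        raise PermissionError(f"{app_id} is not allowed to call {method} {host}{path}")
    masked = mask_pii(json.loads(upstream_body))
    audit_log.append({**entry, "outcome": "ok", "response": masked})  # masked only
    return masked
```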

API Key Management

Banking infrastructure has stringent security mechanisms involving complex authentication processes for API access. An API consumption management layer can safely store keys and tokens to manage authentication, creating a centralized platform for key management. This layer could also mask the real API key from developers to avoid misuse or leakages. A 2024 report from Escape found 18,000 API secrets publicly exposed, underscoring the need for more competent API key management practices.

API Payload Inspection

Developers tend to blindly trust the data they receive from APIs. But these responses could contain malformed or malicious content that the consuming application fails to handle safely. The lack of proper input validation for API payloads is a top reason behind API10:2023 Unsafe Consumption of APIs, a new risk added to the OWASP API Security Top 10 as of 2023.

A mediation layer for third-party API management is also an excellent area for performing a deep inspection of API calls. This could involve inspecting the actual data, such as JSON or YAML, within API requests and responses to ensure it conforms to expectations.
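The payload inspection described above, as an added Python example (not from the original post): an upstream balances response is checked for content type, size, nesting depth, unknown fields, field types and value formats before the app is allowed to consume it. The response shape and limits are assumptions.

```python
import json
import re

MAX_BODY_BYTES = 64 * 1024   # reject oversized responses before parsing
MAX_DEPTH = 8                # reject deeply nested documents

# Constructed expectation for a balances response: field -> (expected type, required).
BALANCES_SCHEMA = {
    "accountId": (str, True),
    "currency": (str, True),
    "amount": (str, True),   # money as a decimal string, never a float
    "asOf": (str, False),
}
AMOUNT_RE = re.compile(r"-?\d{1,15}(\.\d{1,2})?")   # no exponents, no huge values
CURRENCY_RE = re.compile(r"[A-Z]{3}")              # ISO-4217-style code

class PayloadRejected(ValueError):
    """Raised when an upstream response fails inspection."""

def _depth(obj, level=1):
    if isinstance(obj, dict):
        return max((_depth(v, level + 1) for v in obj.values()), default=level)
    if isinstance(obj, list):
        return max((_depth(v, level + 1) for v in obj), default=level)
    return level

def inspect_balances(content_type: str, body: bytes) -> dict:
    """Validate a bank's balances response before an app is allowed to see it."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise PayloadRejected(f"unexpected content type: {content_type!r}")
    if len(body) > MAX_BODY_BYTES:
        raise PayloadRejected("response body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise PayloadRejected(f"malformed JSON: {exc}") from exc
    if _depth(doc) > MAX_DEPTH or not isinstance(doc, dict):
        raise PayloadRejected("unexpected document structure")
    unknown = set(doc) - set(BALANCES_SCHEMA)
    if unknown:
        raise PayloadRejected(f"unexpected fields: {sorted(unknown)}")
    for field, (typ, required) in BALANCES_SCHEMA.items():
        if field not in doc:
            if required:
                raise PayloadRejected(f"missing field: {field}")
        elif not isinstance(doc[field], typ):
            raise PayloadRejected(f"wrong type for {field}")
    if not AMOUNT_RE.fullmatch(doc["amount"]) or not CURRENCY_RE.fullmatch(doc["currency"]):
        raise PayloadRejected("amount or currency not in expected format")
    return doc
```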

Deeper Visibility

Overall, you can't secure what you don't know. Empowering developers with more awareness can only benefit a security posture involving financial services. By utilizing better inventory management and watching real-time API traffic, you could grant deeper visibility across the organization to detect usage abuse, anomalies, and traffic spikes. 

Final Thoughts on Third-Party API Management For Open Finance

The burgeoning field of third-party API management could benefit open finance in numerous ways. Beyond security and compliance, the financial sector could use API consumption management in other areas, like comparing pricing across monetized APIs, streamlining integrations for their customers, or improving the developer experience surrounding aggregation.

Most importantly, a better understanding of third-party APIs can aid privacy and compliance. Digital services must already contend with data privacy laws such as GDPR, HIPAA, and CCPA, and regulatory compliance is only heightened in a financial context, given the sensitive nature of the data involved. An API mediation layer could greatly assist aggregators by enabling a separation of concerns philosophy, helping create a buffer between the APIs they integrate and the app developers that utilize these services.

***

Bill Doerrfeld is a tech journalist specializing in state-of-the-art technologies in the cloud software space. He is the Editor in Chief for Nordic APIs, a knowledge center for API practitioners. He also contributes to various enterprise tech publications. Through his work, he strives to tackle complex problems to advance the industry. He lives and works with his family in Portland, Maine.
