Keeping up with API Industry Standards for Financial Services

It's never been more challenging – or necessary – to stay on top of financial regulations and API standards.


In the modern banking era, every company is a software company. APIs have been foundational to the rapid innovation being experienced within financial services and at the heart of regulatory and market-driven advances in the sector.

With the growing adoption of APIs, open banking services are becoming more widely available, and organizations that are interested in, or mandated to promote, greater competition can offer various capabilities through APIs, making it easier for fintech companies to participate in the industry. At its core, the initiative is centered around consumer experiences and affording consumers the benefits brought by consent-driven data access, improved market competition, and interoperability standards between service providers – both traditional and the newer fintech companies. As of 2020, 24.7 million people worldwide use open banking services, and industry forecasts predict usage to surpass 132 million by 2024.

Services offering access to financial data have been around for decades. Prior to the adoption of open banking APIs, such services were based on file exchange or screen-scraping techniques, the latter posing material industry concerns regarding security. To remove the barrier to secure innovation, many related initiatives are underway aimed at improving standardization.

Keeping track of the advances in the industry and of the role API standards play can be confusing, and the picture varies by geography.

It’s Global

Open banking and the move toward standardization across the financial industry is happening on a global scale. In the EU, open banking standards are being fuelled by the second edition of the Payment Services Directive (PSD2). This regulatory directive requires companies to open API access in order to promote customer choice and unlock customer data in a way it can be consumed by third-party developers building financial service experiences or platforms. Most of the directive is aimed at payment and account information and has led to the creation of new regulated entities, for example, an “Account Information Service Provider.” Fintech companies granted such permissions are allowed to access a bank’s open banking APIs. Some entities driving PSD2 standards within the EU are The Berlin Group, STET in France, and PolishAPI in Poland.

Within the UK, simultaneous efforts initiated by the Competition and Markets Authority (CMA), on the back of investigations into the lack of competition within the retail banking industry, require banks to meet their PSD2 obligations through a common API. The Open Banking Implementation Entity (OBIE) was formed by the CMA to deliver APIs, data structures, and security architectures to enable easy and safe interoperability between banks and third parties.

Regulatory initiatives can also be found in Australia where the Consumer Data Right from 2020 grants consumers access to their banking data. Other examples of regulatory-driven API standards or open banking-related legislation can be found in Brazil, Mexico, and India.

Market-driven approaches are also evident across many jurisdictions. In the U.S. and Canada, the Financial Data Exchange is committed to unifying the financial services ecosystem around a common, interoperable technical standard for financial data sharing. There are over 200 participating entities, and it’s likely that the standard will be hardened by some level of regulation in the future.

That’s just the tip of the iceberg, as hybrid approaches, part market-driven and part regulatory, can also be found across Africa, the Middle East, Latin America, New Zealand, and Japan.

Source: Platformable’s Q2 2022 Open Banking Open Finance Trends Report

According to Platformable’s report on Q2 2022 Open Banking trends, a total of 74 countries have a regulatory process either in place or in discussion!

Open Banking and Finance – The Evolving New Normal

With open banking becoming more widely adopted and ingrained within the industry, additional innovation toward an open everything mindset has led to momentum in the concept of open finance. Interest in open finance is also backed by government, with the likes of the Financial Conduct Authority in the UK playing a coordination role in soliciting feedback and interest from the wider community. Open finance is not separate from open banking; its intention is to be an evolution of it and to increase the footprint of access to more data and more banking functions than were originally scoped through open banking.

The most important benefit related to open finance again sits with the consumer, and at its core, involves robust consent management, giving consumers full control to permit or deny access to their data by third parties. These “smart data” concepts are necessary to ensure the proper safeguards are in place to stimulate adoption and further innovation.

The network effect of such openness and innovation has challenged many traditional institutions to reconsider how they bring their value propositions to the market. With an abundance of rich experiences and platform offerings, the concept of embedded finance has also gained traction. As traditional players no longer control the end-to-end consumer experience, a way to participate in the wider economy has been to provide their value propositions also in the form of APIs. Doing so enables them to benefit from transactions at a much broader level which otherwise would be out of reach through proprietary channels.

The need to expose value through API products additionally makes organizations acutely aware of the need to cater to the consuming developer experience (DX). Ensuring developers can discover, onboard, and integrate an API is increasingly important for the future success of many participants in the digital economy. As a result, adoption of API industry specifications like OpenAPI has accelerated across the financial services industry as they contribute to improving the standards of produced APIs, better documentation for consumers, and overall improved automation potential across the API lifecycle because of rich tooling support.

Security

As the number of APIs exposed across the industry increases, so does the exposed surface area. More surface area means more attack vectors, and API attacks are on the rise across all industry verticals. Security around finance transactions is imperative, and a suite of standards that aims at improving API security for financial services is the Financial-grade API (FAPI) profile. FAPI is a working group of the OpenID Foundation, responsible for enhancing OpenID Connect so that it can bring enhanced security to new API standards centered around PSD2 and open banking regulations. According to FAPI, its goal is to provide a “higher level of security than provided by standard OAuth or OpenID Connect.”

OpenID Foundation Working Groups and Financial-grade API stack

FAPI uses OAuth and OpenID Connect as its baseline. To summarize in this context:

  • OAuth ensures that the end-user (the human owner of the data) does not have to hand over their confidential credentials (e.g., username + password) when sharing data with a third-party application. Through a delegated authorization/access model, OAuth ensures that the third-party application must instead use an access token to obtain the data. The access token expires and can be revoked to prevent future access.
  • OpenID Connect adds proof of authentication to this model, enabling the app both to obtain an access token to access data on behalf of the end-user and to obtain proof that the end-user has actually been authenticated.

On top of the above, FAPI incorporates four standards that combine hardened OAuth and OpenID Connect with new, more secure means of requesting authentication of an end-user. Adoption of FAPI is important to provide more secure implementations across open banking ecosystems. The standard will continue to evolve as security concerns and vulnerabilities do not stand still.
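The two checks the bullets above describe, as an added example that is not part of the original article and not FAPI working-group code: a relying party validating an OpenID Connect ID token (issuer, audience, expiry, nonce) before trusting the subject, and an API checking an OAuth access token for expiry and revocation. The HS256 shared secret, issuer URL, client id and token values are constructed for the demonstration; FAPI profiles require asymmetric signing keys rather than a shared secret.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-shared-secret"  # constructed demo key; FAPI requires asymmetric signing keys

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Sign claims as an HS256 JWT (hypothetical issuer side, for demonstration only)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim; tampered tokens are rejected."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))

def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> str:
    """OpenID Connect proof of authentication: the relying party checks issuer,
    audience, expiry and the nonce it sent, then may trust the subject (sub)."""
    claims = verify_jwt(token, key)
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims["sub"]

def access_token_usable(record: dict, revoked: set, now: int) -> bool:
    """OAuth access tokens expire and can be revoked; the API checks both on every call."""
    return record["exp"] > now and record["jti"] not in revoked
```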

Data Model Standards

Along with security enhancements, there are several standards and initiatives aimed at unifying the data-level structures at play across the domain. Again, much of the rationale is to reduce the taxonomy burden and improve collaboration and interoperability at scale by having a single source of truth for data structures and formats.

ISO 20022 aims at improving cross-border payments capabilities and removing the friction caused by incompatible data formats or varying data structures within payment messages. The big players in the payment world, like SWIFT, have committed to transitioning their global cross-border payments community to ISO 20022 by 2025.

Other industry initiatives, like the Banking Industry Architecture Network (BIAN), provide common service domain definitions and additional support aimed at accelerating high-quality participation in modern banking and financial services.

A Lot is Done but More to Do!

After more than a century of traditional players, especially in banking, dictating the end-to-end consumer experience, a combination of regulatory and market-driven approaches has led to a more competitive landscape, rightfully for the benefit of consumers. The move toward openness, consistent data sharing, and regulation around consent is a global trend.

Financial services are benefiting from embracing the growth of the API ecosystem. Consumers are much more aware of data ownership, so standards around data exchange, the security of the exchange mechanisms (e.g., the APIs), and owner consent are more relevant than ever. Standards relating to APIs and security are key in democratizing engagement for new participants. With this increasing move toward open standards, the OpenAPI Initiative (OAI) has created several special interest groups (SIGs) which focus on the usage, adoption, and potential enhancement of the OpenAPI Specification (OAS) for specific industries, such as finance. It will be interesting to track how these groups continue to operate and consult with other standards groups. They offer a compelling opportunity to move OAS and the OAI community forward. This will probably influence multiple API specifications, not just OpenAPI.

Open finance regulation additionally focuses on increasing financial inclusion, aiming for positive impacts on society, local economies, and the environment. Yet there is no defined reporting mechanism to monitor and share data on how well the industry is progressing toward such objectives, so work remains. Similarly, the developer experience offered by the established players needs improvement to drive innovation and integration for the benefit of the end-user. So keep an eye on how the OAI Special Interest Group can support enhancing the developer experience moving forward.

Frank Kilcommins

Frank Kilcommins is API Technical Evangelist at SmartBear. He has over 15 years of experience in the technology industry, his roles spanning from software engineering to enterprise architecture. His mission is to inspire, engage with, and support the API community as well as SmartBear customers across the end-to-end API development lifecycle and management space. Prior to joining SmartBear, Frank’s most recent roles have been focused on API-led digital transformations and architecture modernization within multi-national enterprises.
