Open banking has emerged as a focal point for policymakers aiming to foster competition and innovation in the financial services and fintech sector by enhancing the availability of financial data.

The Labour party, in its recent Financial Growth Review, underscored the significance of open banking, designating it as one of its six principal policy priorities. This acknowledgment stems from the realisation of its transformative potential within the financial services industry. The substantial increase in open banking transactions, reaching 11.4 million payments in July 2023 with an impressive year-over-year growth of 102%, serves as a testament to its swift adoption.

However, amidst this rapid growth lies a pressing concern. For the UK to maintain its leading position in open banking, financial institutions must address a glaring vulnerability – their exposed APIs.

Open banking volumes are likely to keep growing sharply in the coming years. If the UK is to keep its leading position, financial institutions should have an API security strategy in place before they scale, not after.

Scaling open banking

Financial institutions are racing to implement open banking APIs to meet emerging regulations and customer demand. However, scaling without a clear security strategy can harm the whole UK financial sector’s progress towards API growth.

Many organisations lack full visibility into their existing APIs. Open banking APIs are being created faster than DevOps teams can patch them or keep their API inventory current. As the sector shifts to an API-first approach, trying to gain that visibility late in the development lifecycle will be a significant challenge.


As the number of APIs in open banking grows so does the complexity of the relationship between all APIs in a network. Most APIs are interdependent and call on each other to perform functions. Finding a vulnerable API will be like looking for a needle in a haystack.

Take, for example, the Optus attack, where a single exposed API endpoint resulted in the personal details of around 10 million customers being exposed. By addressing these visibility gaps now, financial institutions can get ahead of the problem before it escalates out of control.

The stakes are high, as one successful attack on an open banking API could ripple through the entire financial sector. Customer trust is crucial in banking, and a high-profile breach could sow doubts about open banking as a whole, which could set back adoption and innovation in the space.

Proactive API security and governance will be crucial to open banking’s success. Institutions must inventory existing APIs and implement robust controls around new ones. Monitoring, access management, and testing methodologies tailored for APIs are required. Failing to address API vulnerabilities early on could jeopardise sensitive customer data and the future of open banking. By taking steps today to gain visibility and control of their API landscapes, financial institutions can inspire customer confidence and deliver innovative services safely and securely.

A good API security strategy is centred around three fundamental building blocks that enable a threat detection and incident response (TDIR) approach to finding and containing cyber threats.

API governance for visibility

Effective API TDIR cannot be implemented without API governance. Good governance means giving DevOps teams a way to discover the APIs that already exist, and setting policies and standards for how new APIs should be designed and operated as the estate grows.

Once policies that address API design standards, security measures, documentation requirements and usage guidelines are set, processes must be put into place around API lifecycle management. These will ensure APIs are continuously updated, the right users have access to them, and APIs adhere to various regulatory frameworks and data protection standards.

Mature API governance transforms discovery into actionable KPIs and metrics to gauge security posture. From there, companies can leverage findings to continuously improve API security through measurable progress tracking.

Improving cross-team collaboration

API security requires close collaboration between development and security teams, yet many organisations struggle with siloed teams and ambiguous responsibilities. DevOps teams focus on rapid delivery and rely on security teams to identify vulnerabilities, while security teams expect developers to implement remediations. The lack of clarity results in API security falling through the cracks.

With APIs forming the connective tissue between applications, systems, and users, a lack of cross-team alignment on API security poses significant risk. It slows detection and remediation of vulnerabilities that attackers can exploit to breach valuable data and disrupt services.

To remedy this, organisations must foster a shared sense of ownership over API security between development and security teams. Processes like regular joint reviews of APIs and threat models, integrated tooling, and shared metrics and incentives will help bring teams together around a common goal.

Security should provide developer-friendly guidance to design secure APIs, while developers implement recommended controls and practices. By improving collaboration, banking firms can close operational gaps that allow API vulnerabilities to compromise the integrity of their service. Shared responsibility across the software lifecycle is imperative for robust API protections.

Taking a multi-layered approach

As APIs become ubiquitous, a perimeter-only approach is insufficient. Attackers are adept at gaining authenticated access through social engineering, credential theft, or buying access outright. Insider threats also pose a major risk, with authorised users deliberately abusing their privileges. Traditional web application firewalls (WAFs) inspect individual requests for known attack patterns, so they cannot detect malicious actions from authenticated users: each request is well-formed, carries a valid session, and looks legitimate on its own.

Securing APIs requires a multi-layered strategy that identifies threats beyond the perimeter. Multi-factor authentication, enhanced monitoring, and privilege management restrict what an insider or a hijacked account can reach, while application-level controls with visibility into full request-response payloads identify anomalies in how an authenticated caller behaves over time. This supports the detection of unknown threats that bypass perimeter defences by operating within expected parameters.
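The following is an added example of the kind of application-level, behaviour-based detection the paragraph describes; it is not code from the article or from Graylog. Every request in the constructed sample log is well-formed and carries a valid session, so a signature-based WAF has nothing to block. The detector instead profiles each principal inside a time window: how many distinct account resources it touches, whether those identifiers run sequentially, and how often the application refuses the call. The log format, field names, window size and thresholds are assumptions chosen for the example.

```python
"""Behavioural detection over authenticated API access logs (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines access log (not real traffic). Paths follow the UK Open
# Banking AISP shape. user-17 and user-9 read their own accounts; user-42 walks a
# sequential ID range and is refused on most of them (BOLA/IDOR-style enumeration).
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00Z","client":"tpp-budgetapp","sub":"user-17","method":"GET","path":"/open-banking/v3.1/aisp/accounts/10001/balances","status":200}
{"ts":"2024-03-01T09:00:05Z","client":"tpp-budgetapp","sub":"user-17","method":"GET","path":"/open-banking/v3.1/aisp/accounts/10001/transactions","status":200}
{"ts":"2024-03-01T09:00:10Z","client":"tpp-budgetapp","sub":"user-17","method":"GET","path":"/open-banking/v3.1/aisp/accounts/10002/balances","status":200}
{"ts":"2024-03-01T09:00:15Z","client":"tpp-budgetapp","sub":"user-17","method":"GET","path":"/open-banking/v3.1/aisp/accounts/10002/transactions","status":200}
{"ts":"2024-03-01T09:10:00Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20001/balances","status":200}
{"ts":"2024-03-01T09:10:10Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20002/balances","status":403}
{"ts":"2024-03-01T09:10:20Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20003/balances","status":403}
{"ts":"2024-03-01T09:10:30Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20004/balances","status":200}
{"ts":"2024-03-01T09:10:40Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20005/balances","status":403}
{"ts":"2024-03-01T09:10:50Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20006/balances","status":403}
{"ts":"2024-03-01T09:11:00Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20007/balances","status":403}
{"ts":"2024-03-01T09:11:10Z","client":"tpp-loanbroker","sub":"user-42","method":"GET","path":"/open-banking/v3.1/aisp/accounts/20008/balances","status":200}
{"ts":"2024-03-01T09:20:00Z","client":"tpp-budgetapp","sub":"user-9","method":"GET","path":"/open-banking/v3.1/aisp/accounts","status":200}
{"ts":"2024-03-01T09:20:01Z","client":"tpp-budgetapp","sub":"user-9","method":"GET","path":"/open-banking/v3.1/aisp/accounts/30001/balances","status":200}
{"ts":"2024-03-01T09:20:02Z","client":"tpp-budgetapp","sub":"user-9","method":"GET","path":"/open-banking/v3.1/aisp/accounts/30002/balances","status":200}
{"ts":"2024-03-01T09:20:03Z","client":"tpp-budgetapp","sub":"user-9","method":"GET","path":"/open-banking/v3.1/aisp/accounts/30003/balances","status":200}
"""

ACCOUNT_RE = re.compile(r"/accounts/(\d+)(?:/|$)")  # assumed numeric account ids
DENIED = {401, 403, 404}                            # statuses treated as refusals
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts' and the account id (or None)."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        match = ACCOUNT_RE.search(rec["path"])
        rec["account"] = match.group(1) if match else None
        events.append(rec)
    return events


def looks_sequential(accounts):
    """True when three or more ids form an unbroken consecutive run (hypothetical heuristic)."""
    ids = sorted(int(a) for a in accounts)
    return len(ids) >= 3 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


def detect_abuse(events, window=timedelta(minutes=5), max_accounts=5,
                 min_denied=3, denied_ratio=0.5):
    """Group account-level calls into tumbling windows per (client, subject) and
    raise alerts for resource enumeration and for repeated authorization failures.
    Thresholds are assumptions; tune them against the institution's own baseline."""
    buckets = defaultdict(list)
    for e in events:
        if e["account"] is None:
            continue                      # collection endpoints carry no resource id
        bucket = (e["ts"] - EPOCH) // window
        buckets[(e["client"], e["sub"], bucket)].append(e)

    alerts = []
    for (client, sub, bucket), recs in buckets.items():
        accounts = {r["account"] for r in recs}
        denied = sum(1 for r in recs if r["status"] in DENIED)
        base = {"client": client, "sub": sub,
                "window_start": (EPOCH + bucket * window).isoformat(),
                "distinct_accounts": len(accounts), "sequential": looks_sequential(accounts),
                "denied": denied, "total": len(recs)}
        if len(accounts) > max_accounts:
            alerts.append({"rule": "account_enumeration", **base})
        if denied >= min_denied and denied / len(recs) >= denied_ratio:
            alerts.append({"rule": "repeated_authorization_failures", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect_abuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the constructed log, only user-42 trips both rules: eight distinct accounts in one window, consecutive identifiers, and five of eight calls refused. user-9 also reads consecutive ids, but three accounts with no refusals stays under threshold, which is why the enumeration rule keys on volume rather than on the sequential hint alone. In production the same logic runs on the application's own request logs, where the fields (client id, subject, resource id, status) are available in a way they are not at a perimeter WAF.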

In short, banks must implement layered API protections that span the perimeter, network, application, and data layers, because relying solely on network controls provides a false sense of security. A holistic API security approach will defend against both external and internal threats.

The future of open banking is very promising as adoption accelerates and authorities are backing growth initiatives. Customers could benefit from greater transparency, control, and innovative services. However, progress depends on overcoming a number of challenges and security is at the top of the list. If the financial services sector can address API security end-to-end, open banking stands to enable a more open, collaborative, and customer-centric financial ecosystem.

Andy Grolnick is CEO, Graylog