Open APIs threats
By Eiichiro Yanagawa
Security measures and user protection
From a systems perspective, open APIs establish a new communications path linking the information systems of financial institutions with the outside world. This brings new risks, including data leaks, data fraud, and illicit transactions. Data on user account information and settlement instructions is also exposed to leakage, tampering, and fraud while it is handled by TPPs.
First and foremost, when financial institutions open up their APIs to TPPs, the fundamental system risk concerns the reliability of the information the bank receives about user (bank customer) identity verification, about the account, and about account-related instructions. Today, financial institutions face a hard problem in their information systems: how to determine reliably that an authentication event and an account instruction arriving through a TPP are genuine, rather than forged, altered in transit, or replayed.
Fundamentally, the liability risk is that a TPP makes an error and the bank is held responsible, whether by regulators or by customers.
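To make the "genuine instruction" problem concrete, here is an added worked example; it is not code from the report, the JBA, or the author, and the page names no particular mechanism. It assumes a shared secret provisioned to one approved TPP, an HMAC-SHA256 signature over a canonical serialization of the instruction, a timestamp window, and a one-time nonce (all assumed design choices, with hypothetical account numbers and a hypothetical 300-second window). The bank-side verifier distinguishes a genuine instruction from a tampered one, a replayed one, and a stale one:

```python
import hashlib
import hmac
import json
import time

# Hypothetical shared secret issued to one TPP when its API connection was approved.
TPP_SECRET = b"example-shared-secret-not-for-production"
# Assumed policy: accept an instruction only if its timestamp is within this many seconds of now.
MAX_SKEW_SECONDS = 300


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so the TPP and the bank sign/verify identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def signed_message(payload: dict, ts: int, nonce: str) -> bytes:
    """Bind timestamp and nonce into the signed bytes so neither can be swapped independently."""
    return f"{ts}.{nonce}.".encode() + canonical(payload)


def sign_instruction(payload: dict, secret: bytes, ts: int, nonce: str) -> dict:
    """TPP side: produce the envelope the bank will receive."""
    tag = hmac.new(secret, signed_message(payload, ts, nonce), hashlib.sha256).hexdigest()
    return {"payload": payload, "ts": ts, "nonce": nonce, "sig": tag}


class InstructionVerifier:
    """Bank side: accepts an instruction only if it is authentic, fresh, and not yet seen."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        # Constructed in-memory replay cache; a real deployment uses a shared store with expiry.
        self.seen_nonces = set()

    def verify(self, envelope: dict) -> tuple:
        ts, nonce = envelope["ts"], envelope["nonce"]
        # 1. Authenticity: constant-time comparison of the recomputed HMAC.
        expected = hmac.new(self.secret, signed_message(envelope["payload"], ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["sig"]):
            return (False, "bad-signature")
        # 2. Freshness: bounds how long a captured instruction stays usable.
        if abs(int(self.now()) - ts) > MAX_SKEW_SECONDS:
            return (False, "stale")
        # 3. Uniqueness: a second submission of the same nonce is a replay.
        if nonce in self.seen_nonces:
            return (False, "replay")
        self.seen_nonces.add(nonce)
        return (True, "ok")


def demo() -> dict:
    """Run the four cases against one verifier with a fixed clock; returns the verdict strings."""
    fixed_now = 1_700_000_000
    verifier = InstructionVerifier(TPP_SECRET, now=lambda: fixed_now)
    # Constructed sample transfer instruction with hypothetical account numbers.
    instr = {"from": "1234567", "to": "7654321", "amount": 10000, "currency": "JPY"}
    genuine = sign_instruction(instr, TPP_SECRET, ts=fixed_now, nonce="n-1")

    results = {"genuine": verifier.verify(genuine)[1]}
    # Amount altered in transit, signature left as-is.
    tampered = dict(genuine, payload=dict(instr, amount=1_000_000))
    results["tampered"] = verifier.verify(tampered)[1]
    # Exact copy of the genuine envelope submitted a second time.
    results["replay"] = verifier.verify(genuine)[1]
    # Correctly signed an hour ago, presented now.
    stale = sign_instruction(instr, TPP_SECRET, ts=fixed_now - 3600, nonce="n-2")
    results["stale"] = verifier.verify(stale)[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The signature is checked before the nonce is recorded, so unauthenticated traffic cannot fill the replay cache, and the timestamp window bounds how long that cache must remember a nonce. A per-TPP key also ties each instruction to a specific approved third party, which is the operational counterpart of the "eligibility of third parties" requirement discussed below.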
In the case of Japan, the Japanese Bankers Association’s Review Committee Report on APIs details the fundamental principles of user protection and security measures. Regarding security measures, the report calls for continuous improvement, review, and advancements in the following areas:
- API connection suitability and eligibility of third parties.
- Measures to prevent unauthorized external access.
- Measures to prevent unauthorized internal access.
- Measures to handle incidents of unauthorized access.
The JBA and industry groups are seeking to formulate standards on user-protection principles and to ensure industry compliance with them. These cover the following:
- API connection suitability and eligibility of third parties.
- Explaining and displaying information, and obtaining user consent.
- Preventing unauthorized access.
- Preventing incidents and the spread of damage when they do occur.
- Disclosing and clarifying responsibilities and compensation for users.
From a security perspective, open APIs are also an opportunity to revisit the relationships between financial institutions and technology vendors. This will presumably become an occasion to restructure those relationships fundamentally, driven by the sheer increase in the number of financial institutions offering open APIs, the scope and scale of the APIs they provide, the services offered through them, the diversification of the industries and external companies (such as TPPs) with which partnerships are formed, and advances in API use among financial institutions, TPPs, companies, and consumers.
In the open API era, financial services and their security cannot be maintained and managed by financial institutions alone. Continued development and evolution by industry groups and across the entire value chain should be expected instead. Japanese financial institutions have also reached the point where they should consider when the optimal time would be to externalize security as a whole and to rely on external certification bodies for security assurance.
Strategic alignment of risk awareness, tolerance, and positioning
New business environments always come with potential upsides and downsides. The flip side of a business opportunity is that it can be accompanied by unexpected pitfalls. In planning the “migration” plan to the “new world” of open APIs, Celent believes that it is key to find a risk tolerance level suitable for your company, optimize positioning in the value chain, and strategically align your company’s core competencies and existing assets.
In particular, consistency and alignment between core banking systems and authentication platforms, including core internal and external system APIs, might best be metaphorically regarded as an engine powering your company on the long road from open APIs to open API banking.
New competition from nimble third parties who access customer data
It might seem as though vertical division of labor and horizontal disintegration have already proliferated enough. But new financial service providers that are not the traditional financial institution are deftly using new technologies to engage customers, and to secure a new customer base with products and services across financial infrastructure segments, and, in the process of doing so, forming a new community around these activities.
In the competitive environment of the new financial services industry, opportunities for traditional financial product service operators will erode as TPPs (distributors and new service providers) deprive them of opportunities to engage in dialogue with customers.
That involves more than the temporary deterioration of the revenue environment for traditional financial institutions. It also includes the risk of losing future business opportunities due to changing customer needs and the loss of core customers.