

Open banking is the future, so let’s secure the APIs

(2021/01/20)


Sponsored

The future of banking is digital, of that there is no doubt. It may be at an early stage, but we can already see that future, as, all over the world, the banking community moves to embrace open banking.

We’re already using connected financial services, digital payments and the like, and banks are allowing cloud-based fintechs to use financial data to develop innovative services. Critical to the success of this vision is the need for the financial ecosystem to be entirely secure, always available and operate with no delays.


The path to this secure and available ecosystem isn’t an easy one, however, partly because it comes with the need to use APIs to exchange financial data.

Adrian Mountstephens, business development, payments and banking at Equinix, says that in fact the entire digital future of banking is linked to APIs. “APIs are an enabler of that digital future, they allow you to deploy quickly, to innovate, to launch quickly in new territories,” he says.


He gives the example of banking as a service as one innovation that depends on APIs: providers deconstruct what a bank does and make each function available as a single API call, so any brand can use it. It means an airline or a retailer, for example, could issue credit cards in its own name and customers could use them through an app on their phone.

APIs and security

But the use of APIs comes with a number of issues - the first one being security. As Lance Homer, global head of digital payments and banking ecosystem at Equinix, comments: “APIs open up an opportunity for innovation for the financial services industry, as banks allow fintechs to connect to their data and customers on a permission basis. But doing this also opens up holes in the security perimeter that can be exploited by third parties. The challenge then is how can you allow the good people in securely and keep the bad people out?”

Moreover, the primary way that banks and fintechs connect is via the public internet. It is ubiquitous and easy to implement, but APIs exposed over the public internet create an attack surface. DDoS attacks are among the most common types of cyber-attack, and either block the traffic between a bank and a fintech or make the connections unstable. Financial institutions are also frequently targeted by DNS hijacking or redirection, which resolves the bank's or fintech's hostname to an address the attacker controls, and by BGP or IP hijacking, in which an attacker announces routes for address ranges it does not own (or a more specific prefix than the legitimate one) so that other networks forward the traffic to it instead of to its rightful destination.
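Of the three attacks above, BGP hijacking is the one an institution can check for against its own address space: compare what the internet's route collectors see announced with the prefixes and origin ASNs it has authorised, which is what RPKI route-origin validation does. The following is an added example written for this page, not Equinix's or the article's code; every prefix, ASN and announcement in it is constructed (documentation address ranges and private-use ASNs), and it covers origin validation only, not path validation.

```python
# Added example (not from the article or Equinix): a miniature route-origin
# validation check for the BGP/IP hijacking described above. It follows the
# RFC 6811 decision rule that RPKI validators implement: an announcement is
# "valid" if some covering ROA authorises its origin AS at that prefix
# length, "invalid" if covering ROAs exist but none match, and "not-found"
# if no ROA covers the prefix at all. All prefixes, ASNs and announcements
# below are constructed for illustration (documentation ranges and
# private-use ASNs), not real bank or fintech data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorisation: origin_asn may announce prefix and any
    sub-prefix no longer than max_length."""
    prefix: ipaddress.IPv4Network
    origin_asn: int
    max_length: int


# Constructed ROAs for a hypothetical bank (AS64500) and a hypothetical
# fintech (AS64501); both ASNs are from the private-use range.
ROAS = [
    Roa(ipaddress.IPv4Network("203.0.113.0/24"), 64500, 24),
    Roa(ipaddress.IPv4Network("192.0.2.0/24"), 64501, 25),
]


def validate(announced_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one BGP announcement against the ROA set (RFC 6811 states)."""
    prefix = ipaddress.IPv4Network(announced_prefix)
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def explain_invalid(announced_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Say why an invalid announcement failed, to make the alert actionable:
    a wrong origin AS looks like an origin hijack; a correct origin AS with a
    too-long prefix looks like a more-specific hijack that spoofs the
    legitimate origin (or a configuration mistake on the owner's side)."""
    prefix = ipaddress.IPv4Network(announced_prefix)
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if any(r.origin_asn == origin_asn for r in covering):
        return "prefix more specific than the ROA's max_length"
    return "origin AS is not authorised for this prefix"


# Constructed announcements as a route collector might report them:
# (prefix, origin ASN).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),    # the bank's own announcement
    ("203.0.113.0/25", 64666),    # more-specific prefix from a foreign AS
    ("203.0.113.128/25", 64500),  # more-specific prefix, origin spoofed as the bank
    ("192.0.2.0/24", 64666),      # whole fintech prefix claimed by a foreign AS
    ("192.0.2.128/25", 64501),    # fintech's permitted de-aggregation
    ("198.51.100.0/24", 64777),   # no ROA at all: unknown, not necessarily bad
]


def audit(announcements, roas=ROAS):
    """Return one alert tuple (prefix, asn, reason) per invalid announcement."""
    alerts = []
    for prefix, asn in announcements:
        if validate(prefix, asn, roas) == "invalid":
            alerts.append((prefix, asn, explain_invalid(prefix, asn, roas)))
    return alerts


if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}  {validate(prefix, asn)}")
    for alert in audit(SAMPLE_ANNOUNCEMENTS):
        print("ALERT:", *alert)
```

Note that "not-found" announcements are deliberately not alerted: RPKI coverage is still incomplete, so an unknown prefix is common and only becomes suspicious if it is one of your own. In practice the announcements would come from a route-collector feed or a prefix-monitoring service rather than a hard-coded list, and the same origin check is what a bank's upstream providers apply when they drop RPKI-invalid routes.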

And the risks are very real – the Carnegie FinCyber Project recently chronicled about [3]200 major cyber incidents that targeted financial institutions since 2007, and warned that cybersecurity risks to the financial system are growing, the threat landscape is worsening, and state-sponsored attacks on financial institutions are growing more frequent. It’s also worth noting that the Carnegie list is by no means complete.

There are also concerns from the banks themselves that the open banking model - which allows a customer-authorised third party to access a bank’s data - could bring security risks.

In the EU, this concern has been at the root of the delay to the delivery of strong customer authentication (SCA), the two-factor authentication requirement for payments, under the EU's second payment services directive, PSD2, which addresses open banking. The deadline for compliance with PSD2 was September 2019, but SCA enforcement has been extended to September 2021 because banks are not comfortable with opening up payments in their systems without extra authentication.

Not all APIs are equal

In addition, not all APIs are the same. As Homer explains: “Open banking allows two participants potentially to connect to each other without having to go through a centralised infrastructure. The challenge is that even if the participants have each written APIs to allow access to accounts or initiate a payment, there will be slight variations in implementation.”

A number of API aggregators - such as Plaid - are positioning themselves as the answer to this issue by sitting on top of different APIs to provide a single point of implementation.

Another concern for the safety and security of the developing financial ecosystem is the way that fintechs use data once they have it. JP Morgan Chase is one bank that has already tried to address this. In early 2020 it announced it would ban fintech apps from logging in with customers' passwords to access their bank accounts (credential-based screen scraping), forcing them on to tougher security standards. As Homer comments: “That may work for Chase, which is a global bank, but smaller community banks and local banks are not going to have the same power to negotiate.”

The use of the public internet itself is also a problem for the developing financial ecosystem. It may be the cheapest and easiest way to move data, but we know it’s not always secure, and not always immediate. Importantly, there’s no control over routing, as Homer points out: “An Australian fintech connecting with a UK bank will have an infinite number of ways its traffic can be routed. Some routes will be less optimal from a latency point of view, some routes may take you through geographies you may not want that traffic to go through.”

The role of private connectivity

Historically, banking institutions have run centralised infrastructure on very costly long-term contracts, which are prohibitively expensive for fintechs. Open banking means they must instead focus on highly connected systems that everyone can access with low latency in a secure environment.

No wonder then that Equinix is seeing strong growth for its Equinix Fabric connectivity tool, which acts as a neat compromise between the pricey private circuits available from a telco and the free-for-all of the public internet. Says Mountstephens: “Using Fabric takes sensitive traffic off the public internet and moves it through private connections. It reduces the security risk as well as improving performance and reliability.”

This private software-defined network solution is key to the future of open banking at scale, Equinix believes, and Homer says that banks are already building their payment hubs inside Equinix data centres. “It’s not just the real-time payments operators, or cross-border payments systems, or blockchain-based settlement systems. We have the infrastructure to connect to partners, the firewalls, the routers, the perimeter. It’s a great place for banks to put their open banking API gateway. They can secure their connectivity to fintechs.”

Homer adds that he envisages that the financial ecosystem of the future will be one where participants can build their services and pay for them on a daily basis. They will be able to turn up a virtualized router and firewall in any Equinix data centre around the world: “Equinix’s customers can build a payment hub in a new Equinix location tomorrow with virtualized servers, routers and software-defined networks. And then they could tear it down a few days later and only pay for the few days’ worth of infrastructure. 10 years ago it would have been a hugely expensive 18-month project.”

Mountstephens sums up: “Open banking is still in its early stages. Banks have picked a cloud platform, built capability into the cloud, opened their APIs to fintechs. As the relationships with the fintechs mature, and as the data scales and customers connect to services, the banks are realising they may need to change the way it’s plumbed together and make it optimised for scale. We're reaching a point now where scale, security, and reliability are becoming key issues.”


Sponsored by Equinix.



[3] https://go.theregister.com/k/protecting_financial_stability_timeline
