API Security Best Practices for the Financial Industry
The Regulatory Landscape
With the advent of Europe’s Revised Payment Services Directive (PSD2), the bar was raised on the importance of improving payment services for consumers. Part of the innovation is for banks to open their payment services to third-party Payment Service Providers (TPPs). This innovation leads immediately to an increased usage of APIs. You may have heard of Open Banking. Open Banking is roughly the UK equivalent of PSD2.
Another aspect of PSD2 is further securing transactions. Along with innovating the methods available, this security involves an increased number of secure payment options, such as 2FA.
In the US, the Consumer Financial Protection Bureau (CFPB) noted that Section 1033 of the Dodd-Frank Act would “require consumer financial service providers to give consumers access to financial account data in a usable electronic format.” Today that electronic access is often provided by screen scraping and credential-based access; APIs are costlier to build, but when implemented properly they are superior to both of these methods.
Regulations are major drivers of technological protection. With the increasing privacy protections worldwide, the cascade effect will affect every company everywhere before too long.
Increasing innovation, privacy, and security requirements are reasons for financial institutions to know exactly which APIs are attached to their infrastructure. This is especially pertinent as more customers want fintech companies and financial institutions to partner in providing convenient services and access, all of which is made possible precisely because of APIs.
3 Types of APIs
There are 3 types of APIs to keep in mind – Private, Partner, and Public.
Public (aka Open) APIs are perhaps the best known. They are provided by companies to allow anyone to connect to their services. A few finance-related Open API examples are Marketstack, Plaid, and Financial Modeling Prep.
Partner APIs are those that are shared between contracted business partners and are not available publicly. An example would be one bank allowing other financial institutions to connect to its services.
Private (aka Internal) APIs are used only within a company, and only for the company’s use for internal services and teams.
With these frameworks and terms in mind, let’s proceed to four important areas to monitor.
1. Know Your Resources
Think People, Processes, and Technology when counting resources involved in and required for an API plan.
Let experts design and implement APIs. Because APIs are proliferating in terms of technologies used and advancing in how quickly they change, employ API experts for development and implementation. In the development stage, make sure that all stakeholders (e.g., Compliance, Marketing) are involved so that all bases are covered. Experts could include full-time in-house personnel or as-needed external trusted advisors.
A Software Development Lifecycle (SDLC) keeps application development consistent. Whether using something such as a Shift Left or a holistic East-West approach, the SDLC should integrate security standards.
Make and maintain an accurate inventory. Know which APIs you have and what state they’re in. Are all APIs in use? Are any in need of updating or replacing? An up-to-date inventory makes regulatory, security, and privacy compliance – not to mention protecting your reputation – much easier than any ad hoc method.
Keep data classification in scope. What kind of data traverses which APIs? The sensitivity of the data transmitted will govern how much effort goes into protecting and maintaining that API. Classification is required by many regulations and frameworks, so determining which data types are used where, and over which channels they are transmitted, is vital to securing APIs.
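As an added illustration (not code from the original article), here is a small Python check that turns the inventory questions above into automated findings: is each API still in use, is it behind its current version, and does classified data travel over a channel or exposure level that does not fit it. The inventory records and the review date are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample inventory: one record per API with the fields the
# inventory questions ask about (usage, version, data class, channel, exposure).
INVENTORY = [
    {"name": "accounts-v2", "version": "2.3", "latest": "2.3", "tls": True,
     "exposure": "partner", "data_class": "PII", "last_seen": date(2024, 5, 30)},
    {"name": "rates-v1", "version": "1.0", "latest": "1.4", "tls": True,
     "exposure": "public", "data_class": "public", "last_seen": date(2024, 5, 29)},
    {"name": "legacy-transfer", "version": "0.9", "latest": "1.1", "tls": False,
     "exposure": "internal", "data_class": "financial", "last_seen": date(2023, 11, 2)},
]

# Data classes that demand a protected channel and a non-public exposure.
SENSITIVE = {"PII", "financial"}

# Constructed review date so the example runs deterministically.
REVIEW_DATE = date(2024, 6, 1)


def review_inventory(inventory, today, stale_after=timedelta(days=90)):
    """Return {api_name: [findings]} for every API that needs attention."""
    findings = {}
    for api in inventory:
        issues = []
        idle = today - api["last_seen"]
        if idle > stale_after:
            issues.append("unused: no traffic in %d days" % idle.days)
        if api["version"] != api["latest"]:
            issues.append("outdated: %s behind %s" % (api["version"], api["latest"]))
        if api["data_class"] in SENSITIVE and not api["tls"]:
            issues.append("%s data over a non-TLS channel" % api["data_class"])
        if api["data_class"] in SENSITIVE and api["exposure"] == "public":
            issues.append("%s data exposed on a public API" % api["data_class"])
        if issues:
            findings[api["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_inventory(INVENTORY, REVIEW_DATE).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```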
2. Know Your Roadmap
Where is the company going with technology? Are there new markets to enter? Design with the end in mind. If an org has a unified security strategy and a positive security model, handling changes – whether industry, technology, or regulatory – will be feasible.
If possible, implement an official ISMS (e.g., ISO 27001). This can be a costly course, but it gives you a lot of leverage: it puts security standards in place that must be funded consistently in order to maintain certification, which helps secure future budgets.
3. Know Your Regulations
What standards are you following, and what might you be held to? Do the markets on your roadmap require new regulatory compliance measures?
Knowing where the business is going will determine what regulations need to be followed in the future, whether near or far. And having solid counsel on what legislation is up-and-coming, or even possible, is necessary for designing an API strategy.
4. Know Your Risks
The average number of annual deaths in the US from cows is 22, while the average annual deaths worldwide from sharks is 10. But which animal gets a whole week dedicated to it? And which one are more people afraid of? The greater actual risk is obvious from the statistics, but not so obvious from the media coverage. Get a handle on real risks, not just promoted risks.
The burgeoning API economy – especially within fintech, financial institutions, and financial services providers – provides numerous aspects for consideration. APIs make perfect sense for including in business strategies, but they also provide much to be concerned about. Keeping resources, roadmap, regulations, and risks in mind will go a long way in growing business and trust as customers look to you to provide the latest and greatest while keeping their information secure and private.
Knowing what’s ahead in cultural and societal shifts will help guide your business, which will help guide what technology you use, which will determine how that technology is secured. And this knowledge is the foundation for growing business revenue and trust.
About the Author
Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.