Avoiding API security issues

Increasingly, application programming interfaces are the engines driving online and mobile banking innovation. But what are the security considerations of this more open approach to financial services?

By Colleen Morrison

“There may be nothing more crucial to the future of banking than the application programming interface, or API.” So says the World Retail Banking Report 2017.

APIs facilitate the sharing of specific data and information, which simplifies the development of new banking products. With the fintech boom, APIs have grown from an outlier solution to an integrated part of bank offerings. For instance, by pulling in GPS technology, an API could enable ATM locators in your community bank’s mobile banking app.

“APIs are not exclusive to larger financial institutions,” notes Brian Laverdure, director of emerging payments at EPCOR, a payments association in Kansas City, Mo. “I know of many small credit unions and banks currently engaged in active API implementation.”

Case in point: MainStreet Bank, an $800 million-asset community bank headquartered in Fairfax, Va., uses APIs to support its high-tech customers. “The ability to offer payment processing interfaces using APIs enables MainStreet Bank to win business,” says Dan Miner, CTP, senior vice president and director of payment systems. “Our unique set of high-tech and high-volume clients requires that we offer APIs to interface with the bank directly, securely and efficiently.”

Security considerations
As community banks get more skin in the API game, security remains top of mind. In fact, the World Retail Banking Report reveals that 69.5 percent of banks cite data security and customer privacy as top-ranking API concerns. And with high-profile hacking incidents becoming ever more common, this concern is for good reason.

“[Let’s say] I give you an API to go to the first room in my bank and get the data in that room,” says Joe Casali, senior vice president of New England ACH Association (NEACH). “A programmer could alter that to say, ‘I really want you to go to the basement and look around and see what’s in there.’ You want to make sure the API cannot be rerouted within your system. You have to define an API’s code in such a way that it restricts access to other parts [of the system].”
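The restriction Casali describes, that an API granted access to one "room" must not be reroutable into another, is a least-privilege authorization check on every call. The following is an added illustration, not code from the article or from any of the institutions it quotes; the token fields, operation names and account identifiers are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiToken:
    """What the bank issued to a partner: who they are and exactly what they may touch."""
    client_id: str
    scopes: frozenset        # operations granted, e.g. frozenset({"accounts:read"})
    account_ids: frozenset   # the only accounts this token may reach

# Explicit allow-list of operations and the scope each one needs.
# Anything not listed is denied, so a token cannot be pointed at an
# operation it was never issued for (deny by default, fail closed).
REQUIRED_SCOPE = {
    ("GET", "balance"): "accounts:read",
    ("GET", "transactions"): "accounts:read",
    ("POST", "payment"): "payments:write",
}

def authorize(token: ApiToken, method: str, operation: str, account_id: str):
    """Return (allowed, reason). Both the operation and the target account
    must fall inside what the token was issued for; the reason is what a
    defender would want in the audit log for denied calls."""
    needed = REQUIRED_SCOPE.get((method, operation))
    if needed is None:
        return False, "unknown operation"
    if needed not in token.scopes:
        return False, f"scope {needed} not granted to {token.client_id}"
    if account_id not in token.account_ids:
        return False, f"account {account_id} outside grant for {token.client_id}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed partner token: read-only, limited to a single account ("the first room").
    partner = ApiToken("fintech-demo", frozenset({"accounts:read"}), frozenset({"ACC-100"}))
    for call in [("GET", "balance", "ACC-100"),     # inside the grant
                 ("GET", "balance", "ACC-200"),     # another customer's account
                 ("POST", "payment", "ACC-100"),    # operation never granted
                 ("GET", "ledger", "ACC-100")]:     # not an exposed operation at all
        print(call, authorize(partner, *call))
```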

Generally speaking, community banks will rely on their processors to offer protection, and processors consider that part of their responsibility. “Our role is to support community banks that have customers interested in using APIs by providing them with the toolkits and technical support to make integration quick and complete,” says Jerry Federico, sales director of business development at ProfitStars, a software and technology provider.

He uses API-based payment processing as an example. “Our APIs integrate into a complete payment platform that allows institutions to accept these payments while managing the risks associated [with them] and protecting their payment processing.”

Due-diligence considerations
As with other third-party services, a bank must conduct due diligence on the vendor’s technology, platform and encryption approach to address the issues of liability and reputational risk. If an API-assisted transaction goes awry, what are the legal ramifications? Who holds the responsibility? “It’s the biggest topic in the press today,” says George Throckmorton, managing director, network development and strategic initiatives for NACHA—the Electronic Payments Association and head of the API Standardization Industry Group. “There is a back and forth about what happens when things go wrong. There are a lot of voices in that conversation. When it comes to liability, I don’t think we have an answer yet.”

The reality is, if account information is leaked, no matter which party holds the legal responsibility, the customer is going to look at their bank through narrowed eyes.

Following API security best practices will also ensure that banks ask the right questions, and choosing API standards can create certainty around the industry’s strongest solutions.

“For community banks, [standardization] is everything,” says Throckmorton. “It’s what creates the even playing field. If you’re going to allow either fintechs or other banks into your system, you want to do it in the most cost-effective and safe way that you can. Standardization allows you to do that.”

Adding bells and whistles to your mobile banking app is just scratching the surface of what APIs can do. For example, the European Union’s Payments Services Directive 2 (PSD2) mandates that customers have access to their bank accounts through third parties and the ability to initiate payments—and APIs make that possible. This regulation also introduces APIs as a simple way to move bank accounts from one institution to another. “It’s not account switching as much as, ‘How do you make your account usable and friendly?’” Casali says.

Even with their limitations, most experts agree the benefits of APIs outweigh the risks. “Think about it offensively versus defensively,” Throckmorton recommends. “How could you use data if you had it today? Look at APIs as a competitive advantage.”

Regardless of the potential opportunities or pitfalls, APIs have embedded themselves in the banking infrastructure. With reports indicating that this more open approach to technology exemplifies tomorrow’s banking world, it’s up to community banks to determine exactly what role it will play in their own offerings.

Colleen Morrison is a writer in Virginia.