
Securing Open Finance in 2025: Essential Insights for Financial Institutions

Chad Davis
Published May 23, 2025

In 2025, interconnected ecosystems of banks, FinTechs, payment providers, and other third-party providers have become the industry norm, fundamentally reshaping the global financial services landscape. Powered by APIs and fueled by account holder demand for seamless, personalized financial experiences, as well as the growing adoption of AI use cases built on shared financial data, the open finance movement continues to expand.

As financial systems grow more connected, the attack surface grows with them. The very features that make open finance ecosystems appealing (shared data, third-party integrations, and broader accessibility) are also what make them vulnerable.

To succeed in 2025, financial institutions need proactive security strategies that address the specific challenges of open finance. The sections below walk through the key risks and the concrete steps that reduce them.

Critical open finance security risks in 2025

As financial services ecosystems mature, a few security challenges stand out from the rest. Here are three of the most pressing open finance risks that institutions must address in 2025.

1. API vulnerabilities

APIs sit at the heart of open finance. They facilitate the sharing of financial data between banks, FinTechs, and third-party apps, enabling consumers to access innovative services with ease. However, because they serve as the "front door" to sensitive systems, APIs are also prime targets for attackers.

Key threats:

  • Insufficiently protected APIs (weak or missing transport encryption, unauthenticated endpoints, verbose error responses) can let attackers intercept or exfiltrate sensitive data.
  • Vulnerabilities such as injection, broken object-level authorization (BOLA, where an API confirms that a caller is authenticated but never checks that the caller owns the specific account or record it is requesting), and broken authentication can give unauthorized parties access to customer accounts or back-end financial systems.
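To make the two API threats above concrete, here is an added example written for this article (not code from the original post or from F5) in Python with an in-memory SQLite database and constructed sample rows. The first handler reproduces a first-generation GET /accounts/{id}/transactions implementation that trusts the authenticated caller for everything: it never checks that the caller owns the account (BOLA) and it assembles its SQL by string interpolation (injection). The second handler is the hardened form. The customer and account identifiers are invented for the example.

```python
import sqlite3

# Constructed sample data (not from the original article): two customers, each
# owning one account with a few transactions.
SCHEMA = """
CREATE TABLE accounts (account_id TEXT PRIMARY KEY, customer_id TEXT NOT NULL);
CREATE TABLE transactions (
    tx_id INTEGER PRIMARY KEY,
    account_id TEXT NOT NULL REFERENCES accounts(account_id),
    amount_cents INTEGER NOT NULL,
    memo TEXT NOT NULL
);
"""
SEED_ACCOUNTS = [("acc-1001", "cust-alice"), ("acc-2002", "cust-bob")]
SEED_TRANSACTIONS = [
    (1, "acc-1001", -4599, "coffee"),
    (2, "acc-1001", 250000, "salary"),
    (3, "acc-2002", -120000, "rent"),
]


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SEED_ACCOUNTS)
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SEED_TRANSACTIONS)
    return conn


def fetch_transactions_vulnerable(conn, caller_customer_id, account_id):
    """Deliberately broken handler for GET /accounts/{account_id}/transactions.

    1. The caller's identity is never compared with the account's owner
       (broken object-level authorization, BOLA): any authenticated customer
       can read any account just by changing the path parameter.
    2. account_id is interpolated into the SQL text (injection): a crafted
       value widens the WHERE clause to every row in the table.
    """
    del caller_customer_id  # authenticated, but never used for authorization
    sql = ("SELECT tx_id, account_id, amount_cents, memo FROM transactions "
           f"WHERE account_id = '{account_id}'")
    return conn.execute(sql).fetchall()


def fetch_transactions(conn, caller_customer_id, account_id):
    """Hardened handler.

    * Parameterized queries: account_id is bound, never interpolated, so quote
      characters are data rather than SQL syntax.
    * Object-level authorization: the account is looked up by (account_id,
      owner) together, so a caller can only ever see accounts it owns.
    * Returns None for both "does not exist" and "not yours", so the API does
      not act as an oracle that confirms which account IDs are valid.
    """
    owner = conn.execute(
        "SELECT 1 FROM accounts WHERE account_id = ? AND customer_id = ?",
        (account_id, caller_customer_id),
    ).fetchone()
    if owner is None:
        return None
    return conn.execute(
        "SELECT tx_id, account_id, amount_cents, memo FROM transactions "
        "WHERE account_id = ?",
        (account_id,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    # Alice reads Bob's account through the vulnerable handler: succeeds (BOLA).
    print(fetch_transactions_vulnerable(db, "cust-alice", "acc-2002"))
    # Injection: one request dumps every customer's transactions.
    print(fetch_transactions_vulnerable(db, "cust-alice", "x' OR '1'='1"))
    # Hardened: Alice sees only her own account; everything else is None.
    print(fetch_transactions(db, "cust-alice", "acc-1001"))
    print(fetch_transactions(db, "cust-alice", "acc-2002"))
    print(fetch_transactions(db, "cust-alice", "x' OR '1'='1"))
```

The point of the ownership lookup is that authentication answers "who is calling?" while authorization answers "may this caller see this object?"; an API that answers only the first question is exactly what BOLA exploits, and no amount of TLS or token validation at the edge closes that gap.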

2. Third-party risks

In a recent post on the JPMorganChase website, An Open Letter to Third-Party Suppliers, the company’s CISO wrote, “We stand at a critical juncture. Providers must urgently reprioritize security, placing it equal to or above launching new products.” The third-party provider (TPP) networks the letter addresses are what open finance depends on. While partnerships between TPPs and financial institutions drive innovation, they also create additional entry points for attackers: a vulnerability in a single partner’s system, however small, could compromise the entire ecosystem.

Many financial institutions now post cautionary statements advising consumers to exercise care with TPPs such as account aggregators. These warnings remind consumers that sharing their login credentials with a third party violates the terms of their account agreements, and that the institution will not be responsible for harm that results from credential sharing. Consent-based API access, where the consumer authorizes the TPP through the institution and the TPP receives a scoped token rather than a password, removes the need for credential sharing altogether.

Key threats:

  • Vendors that are inadequately vetted or fall short of compliance standards can introduce weaknesses that attackers exploit to reach your customers’ data through the partner’s integration.
  • Over-permissioned access granted to third-party developers (for example, read access to full transaction histories when a service only needs balances) can expose sensitive financial data or functionality.

3. Issues surrounding the protection of personal information

Sharing sensitive consumer information, such as transaction histories and account balances, across multiple platforms is a fundamental requirement of open finance. While this data sharing underpins new services, every additional copy of the data is another place it can be breached or misused. Consumers and regulators also expect compliance with rules such as the European Union’s General Data Protection Regulation (GDPR) and Payment Services Directive 2 (PSD2), and alignment with open finance API standards such as those published by the Financial Data Exchange (FDX).

Key threats:

  • Data breaches resulting from insufficient encryption or improper sharing practices.
  • Legal liability and reputational damage from failing to protect consumer privacy.

Key guidelines for protecting open finance in 2025

Financial institutions need to put security first to manage these risks and build a sound foundation for open finance. Below are two essential recommendations; implementing them also protects personal information (the third risk above) through stronger encryption, stricter authentication, and more granular access control.

1. Enhance API security to counter evolving threats

Because APIs are central to open finance, protecting them should be a top priority. Securing APIs ensures the integrity of connections between financial services institutions, third parties, and end users.

Actionable steps to strengthen API security include:

  • Strict authentication and authorization policies: Use industry standards rather than home-grown schemes: OAuth 2.0 to issue scoped, short-lived access tokens for third-party access, OpenID Connect when the API must know who the end user is, and mutual TLS to authenticate the calling TPP application itself. OAuth 2.0 on its own is an authorization framework, not an authentication protocol, which is why it is paired with OpenID Connect for user identity and with mutual TLS or another client authentication method for the application.
  • Real-time monitoring: Deploy tooling that identifies irregular API activity (for example, one client enumerating many account IDs and collecting 403s) and potential abuse before it escalates. Look for solutions that combine code-based and traffic-based API discovery and inspection with external attack surface assessment (domain scanning), so that you also find the APIs nobody documented.
  • Streamline governance: Maintain an authoritative API inventory and make it easy to add newly discovered endpoints to it; an endpoint you do not know about is one you are not protecting. Add API compliance analysis and automatic alerts on changes in compliance posture.
  • Encryption standards: Encrypt all API traffic in transit with TLS 1.3 (TLS 1.2 with modern cipher suites at minimum), and disable older protocol versions and weak ciphers so that a downgrade cannot be negotiated.
  • Regular testing: Perform routine penetration testing of your API architecture to find and fix weaknesses such as the BOLA and injection issues described above, and consider solutions that test APIs before they reach runtime (in the build pipeline) rather than only in production.

Insight: APIs may facilitate the innovation behind open finance, but they also present the greatest opportunity for exploitation. Treat APIs as you would any critical digital product: inventory them, monitor them continuously, and keep them patched. Consider solutions that combine runtime protections such as a WAF, API-specific protection rules, per-client rate limiting, and data guards that mask sensitive values in responses.
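As an added illustration of the monitoring and rate-limiting points above (example code written for this post, not F5 product logic and not code from the original article): a small Python routine that parses a constructed API access log, replays it through a per-client token bucket, and flags the footprint that BOLA probing leaves behind, namely a single client touching many distinct account IDs and collecting mostly 403/404 responses. The log format, client names, thresholds, and timestamps are all assumptions made for the example; in production the same logic would run over your gateway’s or WAF’s logs.

```python
import re
from collections import defaultdict, deque

# Constructed API access log (not from the original article). One request per
# line: unix_time client_id method path status. tpp-budget is a legitimate
# aggregator reading the accounts it has consent for; tpp-probe walks
# sequential account IDs looking for one its token happens to be allowed to read.
SAMPLE_LOG = """\
1716400000 tpp-budget GET /accounts/acc-1001/balance 200
1716400001 tpp-budget GET /accounts/acc-1001/transactions 200
1716400002 tpp-budget GET /accounts/acc-1002/balance 200
1716400005 tpp-probe GET /accounts/acc-2001/balance 403
1716400005 tpp-probe GET /accounts/acc-2002/balance 403
1716400006 tpp-probe GET /accounts/acc-2003/balance 403
1716400006 tpp-probe GET /accounts/acc-2004/balance 200
1716400007 tpp-probe GET /accounts/acc-2005/balance 403
1716400007 tpp-probe GET /accounts/acc-2006/balance 403
1716400008 tpp-probe GET /accounts/acc-2007/balance 403
1716400008 tpp-probe GET /accounts/acc-2008/balance 403
1716400009 tpp-probe GET /accounts/acc-2009/balance 403
1716400009 tpp-probe GET /accounts/acc-2010/balance 403
1716400030 tpp-budget GET /accounts/acc-1002/transactions 200
1716400031 tpp-budget GET /accounts/acc-1003/balance 404
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
ACCOUNT_RE = re.compile(r"^/accounts/([^/]+)")


def parse_log(text: str):
    """Return (ts, client, account_id, status) tuples sorted by time.
    Lines that do not match the expected shape are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, path, status = m.groups()
        acct = ACCOUNT_RE.match(path)
        events.append((int(ts), client, acct.group(1) if acct else path, int(status)))
    events.sort(key=lambda e: e[0])  # stable sort: same-second lines keep file order
    return events


class TokenBucket:
    """Per-client token bucket: a burst of `capacity` requests, then
    `refill_per_second` sustained. Driven by the request's own timestamp so
    it can be replayed over logs as well as used inline at the gateway."""

    def __init__(self, capacity: int, refill_per_second: float):
        self.capacity = capacity
        self.refill = refill_per_second
        self.state = {}  # client -> (tokens_remaining, last_seen_ts)

    def allow(self, client: str, ts: int) -> bool:
        tokens, last = self.state.get(client, (self.capacity, ts))
        tokens = min(self.capacity, tokens + (ts - last) * self.refill)
        if tokens >= 1:
            self.state[client] = (tokens - 1, ts)
            return True
        self.state[client] = (tokens, ts)
        return False


def detect_enumeration(events, window=60, min_distinct=6, min_error_ratio=0.5):
    """Flag clients that, within `window` seconds, request at least
    `min_distinct` different account IDs and mostly receive 403/404: the
    signature of probing for objects the caller is not authorized to read.
    Returns {client: timestamp_first_flagged}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, client, account_id, status in events:
        q = recent[client]
        q.append((ts, account_id, status))
        while q[0][0] < ts - window:  # drop events outside the sliding window
            q.popleft()
        if client in flagged:
            continue
        distinct = len({a for _, a, _ in q})
        errors = sum(1 for _, _, s in q if s in (403, 404))
        if distinct >= min_distinct and errors / len(q) >= min_error_ratio:
            flagged[client] = ts
    return flagged


def analyze(log_text: str, capacity: int = 5, refill_per_second: float = 1.0):
    """Replay the log through the rate limiter and the enumeration detector."""
    events = parse_log(log_text)
    bucket = TokenBucket(capacity, refill_per_second)
    throttled = [(ts, c) for ts, c, _, _ in events if not bucket.allow(c, ts)]
    return {"throttled": throttled, "enumeration": detect_enumeration(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, client in result["throttled"]:
        print(f"{ts} rate limit exceeded: {client}")
    for client, ts in result["enumeration"].items():
        print(f"{ts} possible account enumeration (BOLA probing): {client}")
```

Two design choices matter here. The legitimate aggregator also produces a 404 (a typo’d account ID), so the detector keys on the combination of many distinct objects and a high error ratio rather than on errors alone, which keeps false positives down. And the rate limiter on its own does not stop the probing, since a patient attacker simply slows down; it buys time while the enumeration signal raises an alert that a human or an automated block can act on.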

2. Evaluate and maintain ongoing oversight of third-party relationships

The third-party nature of open finance requires financial institutions to collaborate with the vendors and developers that interact with their systems and data. Ensuring these partnerships are secure is essential to reducing overall risk.

Actionable steps to secure third-party relationships include:

  • Rigorous vetting: Perform comprehensive due diligence before onboarding FinTech partners or third-party vendors. Evaluate their security controls, compliance history, and technical certifications (for example, SOC 2 reports or ISO/IEC 27001 certification).
  • Real-time monitoring: Adopt tools that monitor each third party’s activity within your API ecosystem and flag unauthorized actions or unusual behavior, such as a partner’s client credentials being used from an unexpected network or at an unexpected volume.
  • Granular access controls: Limit each third party to the minimum data and access its function requires, expressed as narrow, purpose-specific scopes (balances only, not full transaction history) with consent that expires and must be renewed. This limits the blast radius when a partner is compromised.
  • Contractual security clauses: Reinforce partnerships with clear contractual agreements that require regular audits, breach notification obligations and accountability for breaches, and adherence to your security standards.

Insight: Your open finance ecosystem is only as secure as its weakest link, which in many cases will be a third-party partner. Apply a "trust but verify" approach to every vendor relationship, and treat verification as continuous rather than a one-time onboarding step.
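The "minimum necessary" bullet above and the OAuth 2.0 recommendation in the previous section can be shown together. The following added Python example (not from the original article and not F5 code) issues scoped access tokens to TPPs and serves an account record filtered to only the fields those scopes unlock, so an aggregator authorized for balances never receives transaction history, and an expired or tampered token is rejected before any data is read. The token is a deliberately simplified HMAC-signed format standing in for a real OAuth 2.0 access token; the scope names, field mapping, signing key, and account data are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example (not from the original article). The token is a
# deliberately simplified HMAC-signed stand-in for an OAuth 2.0 access token;
# a real API would validate tokens issued by its authorization server instead.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Which response fields each scope unlocks. A third party receives only the
# union of the fields its granted scopes allow: the "minimum necessary" data.
SCOPE_FIELDS = {
    "accounts:basic": {"account_id", "currency"},
    "accounts:balance": {"balance_cents"},
    "transactions:read": {"transactions"},
}

# Constructed account record owned by one customer.
ACCOUNT_RECORD = {
    "account_id": "acc-1001",
    "owner": "cust-alice",
    "currency": "USD",
    "balance_cents": 245401,
    "transactions": [{"tx_id": 1, "amount_cents": -4599, "memo": "coffee"}],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tpp_id: str, customer_id: str, scopes, expires_at: int) -> str:
    """Mint a token binding a TPP (client_id) to one customer (sub) and a fixed
    scope list, with an expiry so that consent has to be renewed."""
    claims = {"client_id": tpp_id, "sub": customer_id,
              "scope": sorted(scopes), "exp": expires_at}
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(tag)}"


def verify_token(token: str, now: int):
    """Return the claims, or None if the token is malformed, forged or expired."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None  # signature mismatch: claims were altered or never issued
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def serve_account(token: str, account: dict, now: int):
    """GET /accounts/{id}: returns (status, body), the body filtered to the
    fields the token's scopes permit."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, None
    # Object-level check: the token's subject must own the requested account.
    # Answer 404 rather than 403 so callers cannot confirm which IDs exist.
    if account["owner"] != claims["sub"]:
        return 404, None
    allowed = set().union(*(SCOPE_FIELDS.get(s, set()) for s in claims["scope"]))
    if not allowed:
        return 403, None  # authenticated, but no granted scope unlocks any field
    return 200, {k: v for k, v in account.items() if k in allowed}


if __name__ == "__main__":
    now = 1_716_400_000
    budget_app = issue_token("tpp-budget", "cust-alice",
                             ["accounts:basic", "accounts:balance"], now + 3600)
    print(serve_account(budget_app, ACCOUNT_RECORD, now))        # balance, no history
    lender = issue_token("tpp-lender", "cust-alice",
                         ["accounts:basic", "transactions:read"], now + 3600)
    print(serve_account(lender, ACCOUNT_RECORD, now))            # history, no balance
    print(serve_account(budget_app, ACCOUNT_RECORD, now + 7200)) # (401, None): expired
```

The field filter is where least privilege becomes enforceable rather than contractual: even if a partner asks for the whole record, the API only ever returns what the consumer consented to, and the expiry forces that consent to be revisited instead of living forever in a partner's database.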

Building open finance ecosystems for long-term resilience

As open finance is now a core pillar of financial services in 2025, investing in more robust API security solutions has become essential. Financial institutions that prioritize comprehensive API protection and rigorous third-party risk management today will position themselves for success in an increasingly connected, innovative, yet risk-prone ecosystem. By building on a foundation of trust, compliance, and security, banks and financial firms can confidently unlock the full potential of open finance and deliver more seamless, secure customer experiences.

Learn more about better securing your open finance ecosystem and see how F5 products help your organization better implement an application security strategy for 360° protection that goes beyond just testing for software vulnerabilities.