Are you falling behind the rapidly evolving open banking movement? FinTech companies are speeding time to market and driving the innovation that your customers want.
The use of third-party APIs is revolutionizing the way that customers interact with financial institutions.
But the massive volumes of API calls generated can cause security issues, in addition to increasing costs in legacy environments. Plus, ensuring compliance with strict regulations, such as the European Payment Services Directive 2 (PSD2) for electronic payment services, gets more and more challenging every day.
Open banking is ripe for API innovation. Learn the top 8 imperatives for success.
There’s no doubt that you can’t have open banking without high security efficacy in place, but many banks and financial services organizations are wondering if their current security solutions are ready for the increasing risks associated with open banking. This concern was highlighted in a 2020 survey of officials at BFSI firms. When asked to rank the “four most important factors to consider before integration with an API,” security (71.0%) placed near the top. [2]
The Rise of API attacks and their impact on open banking security
Financial services data is among the most sought-after types of data for cyber attackers. Gartner has predicted that by 2022, API abuses will be the most frequent attack vector against enterprise web applications—resulting in data breaches. That’s why it’s more critical than ever to secure APIs and safeguard your applications and the data within them—without stifling innovation.
How Do You Properly Secure APIs?
Research conducted by F5 Labs shows that APIs are highly susceptible to cyberattacks. OWASP even has a Top 10 Vulnerabilities list for APIs because in their words, “Without secure APIs, rapid innovation would be impossible.” The most frequent problem is a complete lack of authentication in front of API endpoints, followed by broken authentication and broken authorization.
Available compliments of F5, this O’Reilly Media eBook features practical security tips that can save your company millions from data breaches and advice that your development and security teams can use right away.
Open Banking regulatory challenges rooted in security
While the United States has yet to experience regulatory intervention in the open banking arena, other parts of the world have already implemented such initiatives. In Europe, the EU has enacted the Second Payment Services Directive (PSD2), which requires banks to create mechanisms (most commonly APIs) to provide data quickly, securely, and reliably to third-party providers with the consent of their customers. Other countries, such as the UK, Canada, Hong Kong, Japan, Mexico, and Australia, are likewise progressing with open banking standards. Meeting these regulatory requirements takes investment to mitigate compliance risk, which can otherwise result in costly fines.
Twimbit's Open Banking Maturity Matrix maps the relative position of 22 major countries across two distinct criteria: regulatory initiatives and market initiatives.
Twimbit, with the help of F5, took a look at the world of open banking—how it works, the opportunities available, global key players, regulatory challenges, and more.
Other attack vectors adding stress in open banking—OFX and screen scraping
Standard APIs are not the only threat surface that requires urgent attention in open banking. Traditionally, third parties and financial aggregators who have required access to consumer data have leveraged two mechanisms:
OFX can be utilized as a channel for adversaries to do large-scale credential stuffing/account validation and takeover—both directly and via financial aggregators.
Financial services organizations experienced the highest proportion of password login security incidents, at 46%. Breaking these out, 5% were reported against APIs for mobile apps, and 4% hit Open Financial Exchange (OFX) interfaces. [3]
FinTech data aggregators are part of an exciting new frontier in financial services. They make it possible to improve overall consumer experiences and even strengthen value propositions through synergies for traditional organizations and FinTechs.
But they also introduce security vulnerabilities as API use rises in FinServ, which can negatively impact application performance.
Providing third parties with credentials for screen scraping exposes those credentials to the security posture of that third party. These mechanisms do not provide the consumer with fine-grained consent and control over what information the third party has access to, leaving billions of transactions at risk and increasing the potential for extremely costly security breaches.
Securing the FDX API to Defend Data in Open Banking
Top Trends in the Impact of FinTech Data Aggregators on Financial Services in 2022
This eBook explores the increasing value FinTech data aggregators offer financial services—and how to mitigate the associated challenges they bring.
Open APIs enable banks to partner with fintechs to build new and better digital experiences.
This practice also generates security issues. In this lightboard lesson, you’ll learn how the right solutions can provide security and efficiency for open banking initiatives.
Explaining Open Banking and API Security
Best-of-breed open banking security solutions you can count on
API gateway security alone is largely inadequate for exposed APIs. F5’s holistic API-centric security solutions, which include a high-performance API gateway, offer API security efficacy that API gateways simply can’t deliver alone. For example, our WAF solution supports ingestion of OpenAPI/Swagger files to enable the most precise API security controls. Moreover, F5 security solutions authenticate third-party provider traffic, a compliance requirement under the EU's PSD2, and mitigate API fraud and abuse and other illegitimate bot traffic often associated with OFX and screen scraping.
What makes F5 open banking security unique?
Be at ease with the complete open banking security solutions you need to stay protected.
Putting open banking security first regardless of infrastructure
F5’s open banking security solutions can effectively secure APIs and the infrastructure used to host them, regardless of architecture preferences. You’re never locked into the constraints of any single environment, whether it’s cloud-hosted or on-premises infrastructure. Our open banking solutions scale into the future and support secure and scalable API service for all your financial requirements.
Open Banking Approach Adds Customer Value in a Secure Environment
When looking for ways to create new opportunities for their account holders, African Bank looked to open banking but faced challenges around security and allowing for always-available interfaces. Focusing on building out microservices-type architectures allowed them to best deliver on what their customers wanted. Their API-driven open banking approach led to additional revenue and added value for their customers.
Learn more about the African Bank customer story
Organization addresses open banking regulatory challenges with F5
Like many in Europe, an organization in Greece faced new PSD2 requirements that would cost them heavy fines if found out of compliance. They turned to F5 for a solution. With F5 BIG-IP APM (Access Policy Manager), your organization can authenticate a TPP (Third Party Provider) before it accesses your OpenBank API and can forward the QWAC (Qualified Website Authentication Certificate) to your app for further processing, with no changes to your app.
[1] Allied Market Research, “Global Open Banking Market Expected to Reach $43,152 Million by 2026"
[2] Postman, “2020 State of the API Report"
[3] F5 Labs, “2021 Application Protection Report: Of Ransom and Redemption"
Try it free
Protect your applications and APIs wherever they run with market-leading security that spans data centers, clouds, and architectures. Contact us to learn more about starting your free trial.
Financial services security
Strong security for financial services is essential. That's why 15 of the top 15 U.S. banks use F5 solutions.
Open banking
Open banking is revolutionizing the way people around the world interact with their bank. But it is also opening financial services to new security threats and performance problems.
Digital transformation
Digital transformation is the key to moving beyond legacy and performance limitations and delivering the exceptional digital experiences customers expect.
Governance, risk, and compliance (GRC), and fraud management
Protecting your applications and complying with regulations are essential to a trusted online presence. One of the challenges is that financial institutions are among the most lucrative targets for sophisticated organized crime networks.