Are you falling behind the rapidly evolving open banking movement? FinTech companies are speeding time to market and driving the innovation that your customers want.
The use of third-party APIs is revolutionizing the way that customers interact with financial institutions.
But the massive volumes of API calls generated can cause security issues—in addition to increasing costs in legacy environments. Plus, ensuring compliance with strict regulations—such as the European PSD2 (Payment Services Directive 2) directive for electronic payment services—gets more and more challenging every day.
Embracing the Global Open Banking Growth Opportunity
Open banking is ripe for API innovation. Learn the top 8 imperatives for success.
There’s no doubt, you can’t have open banking without high security efficacy in place, but many banks and financial services organizations are wondering if their current security solutions are ready for the increasing risks associated with open banking. This concern was highlighted in a 2020 survey of officials at BFSI firms. When asked to rank the “four most important factors to consider before integration with an API,” security (71.0%) placed near the top.2
The Rise of API attacks and their impact on open banking security
Financial services data is among the most sought-after types of data for cyber attackers. Gartner has predicted that by 2022, API abuses will be the most frequent attack vector against enterprise web applications—resulting in data breaches. That’s why it’s more critical than ever to secure APIs and safeguard your applications and the data within them—without stifling innovation.
How Do You Properly Secure APIs?
Research conducted by F5 Labs shows that APIs are highly susceptible to cyberattacks. OWASP even has a Top 10 Vulnerabilities list for APIs because in their words, “Without secure APIs, rapid innovation would be impossible.” The most frequent problem is a complete lack of authentication in front of API endpoints, followed by broken authentication and broken authorization.
O’Reilly Media Web Application Security eBook
Available compliments of F5, this O’Reilly Media eBook features practical security tips that can save your company millions from data breaches and advice that your development and security teams can use right away.
Open Banking regulatory challenges rooted in security
While the United States has yet to experience regulatory intervention in the open banking arena, other parts of the world have already implemented such initiatives. In Europe, the EU has enacted the Second Payment Services Directive (PSD2), which requires banks to create mechanisms—most commonly APIs—to provide data quickly, securely, and reliably to third-party providers with the consent of their customers. Other countries, such as the UK, Canada, Hong Kong, Japan, Mexico, and Australia, likewise are progressing with open banking standards. Compliance with regulatory challenges requires an investment to mitigate compliance risk that can result in costly fines.
Twimbit's Open Banking Maturity Matrix maps the relative position of 22 major countries across two distinct criteria: regulatory initiatives and market initiatives.
The Global Open Banking Infographic Series by Twimbit
Twimbit, with the help of F5, took a look at the world of open banking—how it works, the opportunities available, global key players, regulatory challenges, and more.
Other attack vectors adding stress in open banking—OFX and screen scraping
Standard APIs are not the only threat surface that require urgent attention in open banking. Traditionally, third parties and financial aggregators who have required access to consumer data have leveraged two mechanisms:
- OFX (Open Financial eXchange), which was initially built to connect consumer financial applications (e.g., MS Money, Intuit QuickBooks) to a user’s financial institutions.
- Screen scraping, where consumers provide their banking credentials to a third party, and the third-party logs into and scrapes that information from the financial services web channel.
OFX can be utilized as a channel for adversaries to do large-scale credential stuffing/account validation and takeover—both directly and via financial aggregators.
Financial services organizations experienced the highest proportion of password login security incidents, at 46%. Breaking these out, 5% were reported against APIs for mobile apps, and 4% hit Open Financial Exchange (OFX) interfaces.3
FinTech data aggregators are part of a new and exciting frontier in financial services. They lead to better overall experiences for consumers, and even strengthen value propositions through synergies for legacy organizations and FinTechs alike.
But they also introduce security vulnerabilities as API use rises in FinServ, which can negatively impact application performance.
Providing third parties with credentials for screen scraping exposes those credentials to the security posture of that third party. These mechanisms do not provide the consumer with fine-grained consent and control over what information the third party has access to, leaving billions of transactions at risk and the increased potential to lead to extremely costly security breaches
Secure the FDX API to Defend Data in Open Banking
Top Ways FinTech Data Aggregators are Impacting Financial Services in 2022
This eBook explores the increasing value FinTech data aggregators offer financial services—and how to mitigate the associated challenges they bring.
Open APIs enable banks to partner with fintechs to build new and better digital experiences.
This practice also generates security issues. In this lightboard lesson, you’ll learn how the right solutions can provide security and efficiency for open banking initiatives.
Watch the video
Explaining Open Banking and API Security
Best-of-breed open banking security solutions you can count on
API gateway security alone is largely inadequate for exposed APIs. F5’s holistic API-centric security solutions, which includes a high-performance API gateway, offer API security efficacy that API gateways simply can’t deliver alone. Like our WAF solution supporting ingestion of OpenAPI/Swagger files to enable the most precise API security controls. Moreover, F5 security solutions authenticate third-party provider traffic, a compliance requirement under EU's PSD2, and is mitigating API fraud and abuse and other illegitimate bot traffic often associated with OFX and screen scraping.
What makes F5 open banking security unique?
Be at ease with the complete open banking security solutions you need to stay protected.
Putting open banking security first regardless of infrastructure
F5’s open banking security solutions can effectively secure APIs and the infrastructure used to host them, regardless of architecture preferences. You’re never locked into the constraints of any single environment, whether it’s cloud-hosted or on-premises infrastructure. Our open banking solutions scale into the future and support secure and scalable API service for all your financial requirements.
Open Banking Approach Adds Customer Value in a Secure Environment
When looking for ways to create new opportunities for their account holders, African Bank looked to open banking but faced challenges around security and allowing for always-available interfaces. With a focus on building out microservices type architectures, it allowed them to best deliver on what their customers wanted. Their API-driven open banking approach led to additional revenue and added value for their customers.
Learn more about the
African Bank Customer story
Organization addresses open banking regulatory challenges with F5
Like many in Europe, an organization in Greece faced new PSD2 requirements that would cost them heavy fines if found out of compliance. They turned to F5 for a solution. With F5 BIG-IP APM (Access Policy Manager), your organization can authenticate TPP (Third Party Provider) before accessing your OpenBank API and can forward the QWAC (Qualified website authentication certificate) to your app for further processing, with no changes on your app.
Pylones Hellas, utilizing F5’s APM solution, responds to the new PSD2 directive
Want to see how it works?
Discover how NGINX App Protect is used for securing Open Banking APIs and prevents L7DoS attacks.
[1] Allied Market Research, “Global Open Banking Market Expected to Reach $43,152 Million by 2026"
[2] Postman, “2020 State of the API Report"
[3] F5 Labs, “2021 Application Protection Report: Of Ransom and Redemption"
Try It Out For Free
Protect your applications and APIs wherever they run with market-leading security that spans data centers, clouds, and architectures. Contact us to learn more about starting your free trial.
THANK YOU
We received your request. We'll be reaching out shortly.
Financial Services Security
Robust security for financial services is essential. That’s why 15 of the 15 top U.S. banks use F5 solutions.
Open Banking
Open banking is revolutionizing the way people across the globe interact with their bank. But it’s also opening up financial services to new security threats and performance issues.
Digital Transformation
Digital transformation is the key to getting past legacy scalability and performance constraints and giving customers the exceptional digital experiences they expect.
GRC and Fraud Management
Protecting your applications and staying compliant are essential to being a trusted online presence. One challenge is that financial institutions are one of the most lucrative targets for sophisticated, organized crime rings.