From Open APIs to Open Banking, Part 2
Open API Threats
Security Measures and User Protection
From a systems perspective, open APIs establish a new communications path linking the information systems of financial institutions with the outside world. This brings new risks, including data leaks, data fraud, and illicit transactions. Data relating to user account information and settlement instructions may also be exposed to leaks, tampering, and fraud while it is handled by TPPs.
First and foremost, when financial institutions open up their APIs to TPPs, the fundamental system risk concerns the reliability of information about user (bank customer) identity verification, the account, and account-related instructions. Today, financial institutions face an intractable problem in their information systems: how to determine correctly that authentication and account instructions are genuine.
Fundamentally, the security risk is that a TPP makes an error, and the bank is held responsible, either by regulators or customers.
In the case of Japan, the Japanese Bankers Association’s Review Committee Report on APIs details the fundamental principles of user protection and security measures. Regarding security measures, the report calls for continuous improvement, review, and advancements in the following areas:
- API connection suitability and eligibility of third parties.
- Measures to prevent unauthorized external access.
- Measures to prevent unauthorized internal access.
- Measures to handle incidents of unauthorized access.