Getty Images
What developers need to know about open banking
Open banking has made financial transactions easier and more secure for those with multiple banking accounts; however, vulnerabilities within open APIs raise security concerns.
It's easy to talk in the abstract about open banking, an idea that encourages the use of open APIs to share data between financial services apps. In practice, things are more difficult. To deliver fully on open banking's promise, developers must overcome a variety of challenges related to security, API management and data synchronization.
In this article, we'll explore some of the basics of open banking, including its major benefits, the major challenges it presents and some resources to help developers embark on open banking initiatives.
What is open banking, and what are its benefits?
Historically, financial services companies haven't been keen to share much information with each other and, even if they wanted to, lacked a way to do so securely. Therefore, if a customer had accounts with four or five separate banks, each account would live within its own silo of stored data.
Now, imagine this customer wants to find some way to attain a single view of all their account balances without having to navigate between each bank's application. Without a way for banks to share that data openly, this is a dubious prospect. However, this is the kind of issue open banking is meant to resolve.
Open banking is the practice of allowing financial service applications to share and exchange account data through open APIs. For instance, a bank that adopts open banking might expose a certain customer's account data via open APIs (if the customer allows it) so that other banking applications can have upfront access to it.
Proponents of open banking see several key benefits to both financial services companies and their customers. Here are a few specific examples of the benefits those in the finance industry hope to realize through open banking:
- Allow customers to track financial information from multiple accounts in a single, centralized application.
- Eliminate the need for customers to import financial data manually to spreadsheets or other finance tracking tools.
- Speed up loan approval processes by allowing lenders to pull the totality of a customer's financial information without the need to manually collect data from each bank individually.
- Help banks detect and prevent fraud by increasing visibility into each customer's financial activity and using open banking APIs to monitor for suspicious activity.>
Technical challenges in open banking
There are more than a few big challenges when it comes to open banking, many of which revolve around the need to share account information in a secure and reliable manner. Specifically, there are four major hurdles software teams will need to tackle -- data security, access control, user identity management and data synchronization -- which we'll review in this section.
Data security
Data security is likely the most obvious technical challenge of open banking, as software teams must ensure that data is secure as it moves between the various financial applications that both are and aren't under their control. Vulnerabilities within the APIs that enable data sharing -- or the apps that consume them -- could allow sensitive financial information to fall into the wrong hands. On top of infuriating customers, a breach could potentially trigger heavy regulatory fines.
There's no simple way to guarantee secure open banking, but secure API design is a good first step. The ability to monitor API requests to detect malicious activity provides another important layer of protection against the abuse of open banking services. Scanning and testing banking applications at all stages of the delivery lifecycle can detect vulnerabilities and risks that could create security problems.
Access control
Open banking requires particularly rigid and granular access controls that can prevent unauthorized use of customer data. Developers need to ensure that any application that requests access to a customer's financial data is authorized to do so by either the customer or the bank that manages their account.
This kind of access control requires highly granular management of the actions that open banking users or APIs can perform or the data they can request. For example, there may be one application that grants users permission to move funds within an account, while another app only makes data available on a read-only basis.
User identity management
In many cases, user identities are not consistent across banking apps. Usernames and birth names are likely to vary for each individual, so they are not a particularly reliable method of keeping track of who is who. For instance, a user might register for one app using their maiden name, and later sign up for a different app using their married name.
As such, developers must implement ways of identifying users reliably and consistently across applications. Establishing standards about user identification or building directory services that can be shared by apps is one way to do this, though these approaches will require extensive cooperation between banks.
An alternative method is to require customers to generate unique digital identities that are not specifically linked to any individual bank or account but are used by banks solely for the point of interacting with that user through unified applications. This approach requires more upfront effort on the part of customers, but a unique user identity means banks would not need to manage identities or establish shared user directories.
Data synchronization
Because part of the value of open banking is the ability to share financial data instantly and seamlessly, it's critical for open banking APIs and apps to ensure that data is up to date. This means that caching data or periodically pulling data from different sources is not an ideal approach to open banking. Those practices could mean that different applications return a different status for the same account, leading to inconsistencies and inaccuracies.
For this reason, developers must find a way to keep data in sync across all applications, in real time, while also ensuring that data synchronization and lookup processes don't interfere with open banking application performance.
Development resources for open banking
There is no set way or singular tool to address the open banking technical challenges described above. However, it may help for developers to try the following resources:
- API standards. OpenAPI and AsyncAPI specifications can be useful for the design of secure APIs that can be shared between businesses and development teams.
- API gateways. Useful to manage API requests and enforce governance rules, gateways provide an added layer of security for open banking APIs.
- API monitoring tools. These detect suspicious activity within API requests and can help push alerts to users when needed.
- Open authorization protocols. OAuth can be useful for the purposes of sharing access credentials between open banking applications.
