
Banking & Payments DECODED


Will open banking transform the future of finance?

Open banking has emerged as a focal point for policymakers aiming to foster competition and innovation in the financial services and fintech sector by enhancing the availability of financial data.

The Labour party, in its recent Financial Growth Review, underscored the significance of open banking, designating it as one of its six principal policy priorities. This acknowledgment stems from the realisation of its transformative potential within the financial services industry. The substantial increase in open banking transactions, reaching 11.4 million payments in July 2023 with an impressive year-over-year growth of 102%, serves as a testament to its swift adoption.

However, amidst this rapid growth lies a pressing concern. For the UK to maintain its leading position in open banking, financial institutions must address a glaring vulnerability - their exposed APIs.

The future of open banking is likely to see a significant boom in the coming years. But if the UK is to maintain its leading position, financial institutions should develop an API security strategy before they begin to scale.

Scaling open banking

Financial institutions are racing to implement open banking APIs to meet emerging regulations and customer demand. However, scaling without a clear security strategy can harm the whole UK financial sector’s progress towards API growth.

Many organisations lack full visibility into their existing APIs. Open banking APIs are proliferating faster than DevOps teams can release patches or keep their API inventory current. As the sector shifts to an API-first approach, trying to gain visibility into APIs at a later stage of development will be a significant challenge.

As the number of APIs in open banking grows so does the complexity of the relationship between all APIs in a network. Most APIs are interdependent and call on each other to perform functions. Finding a vulnerable API will be like looking for a needle in a haystack.

Take for example the Optus attack where one exposed API endpoint resulted in the personal details of 10 million customers being exposed. By addressing these visibility gaps now, financial institutions can get ahead of the problem before it escalates out of control.

The stakes are high, as one successful attack on an open banking API could ripple through the entire financial sector. Customer trust is crucial in banking, and a high-profile breach could sow doubts about open banking as a whole, which could set back adoption and innovation in the space.

Proactive API security and governance will be crucial to open banking's success. Institutions must inventory existing APIs and implement robust controls around new ones. Monitoring, access management, and testing methodologies tailored for APIs are required. Failing to address API vulnerabilities early on could jeopardise sensitive customer data and the future of open banking. By taking steps today to gain visibility and control of their API landscapes, financial institutions can inspire customer confidence and deliver innovative services safely and securely.

A good API security strategy is centred around three fundamental building blocks that enable a threat detection and incident response (TDIR) approach to eliminating cyber threats.

API governance for visibility

Effective API TDIR cannot be implemented without API governance. Good governance means giving DevOps teams ways to discover existing APIs, and setting policies and standards for how APIs should behave as more of them are developed.

Once policies that address API design standards, security measures, documentation requirements and usage guidelines are set, processes must be put into place around API lifecycle management. These will ensure APIs are continuously updated, the right users have access to them, and APIs adhere to various regulatory frameworks and data protection standards.

Mature API governance transforms discovery into actionable KPIs and metrics to gauge security posture. From there, companies can leverage findings to continuously improve API security through measurable progress tracking.

Improving cross-team collaboration

API security requires close collaboration between development and security teams, yet many organisations struggle with siloed teams and ambiguous responsibilities. DevOps teams focus on rapid innovation and rely on security teams to identify vulnerabilities, while security teams expect developers to implement remediations. This lack of clarity results in API security falling through the cracks.

With APIs forming the connective tissue between applications, systems, and users, a lack of cross-team alignment on API security poses significant risk. It slows detection and remediation of vulnerabilities that attackers can exploit to breach valuable data and disrupt services.

To remedy this, organisations must foster a shared sense of ownership over API security between development and security teams. Processes like regular joint reviews of APIs and threat models, integrated tooling, and shared metrics and incentives will help bring teams together around a common goal.

Security should provide developer-friendly guidance to design secure APIs, while developers implement recommended controls and practices. By improving collaboration, banking firms can close operational gaps that allow API vulnerabilities to compromise the integrity of their service. Shared responsibility across the software lifecycle is imperative for robust API protections.

Taking a multi-layered approach

As APIs become ubiquitous, a perimeter-only approach is insufficient. Attackers are adept at gaining authenticated access through social engineering and by purchasing access. Insider threats also pose a major risk, with authorised users deliberately abusing privileges. Traditional web application firewalls (WAFs) cannot detect malicious actions from such authenticated users, because each of their requests appears valid.

Securing APIs requires a multi-layered strategy that identifies threats beyond the perimeter. For example, multi-factor authentication, enhanced monitoring, and privilege management help restrict insider access, while application-level controls provide visibility into full request-response payloads so that anomalies can be identified. This supports the detection of unknown threats that bypass perimeter defences by operating within expected parameters.

Essentially, banks must implement layered API protections that span the perimeter, network, application, and data layers, as relying solely on network controls provides a false sense of security. A holistic API security approach will defend against both external and internal threats.
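As an added illustration of the application-layer detection described above (this is example code written for this page, not Graylog's product or any bank's implementation), the script below runs a behavioural check over constructed gateway access logs: every request carries a valid token and would pass a WAF, but one authenticated subject touches far more distinct account IDs in a short window than a legitimate customer would. The log format, field names and thresholds are assumptions.

```python
import json
import re
from collections import defaultdict

# Account ID is assumed to be the first path segment after /accounts/.
ACCOUNT_RE = re.compile(r"^/accounts/(\d+)/")

# Constructed sample of JSON-lines access records from a hypothetical
# open banking API gateway. Each request is individually valid: the
# token is real and the status codes are normal, so a perimeter WAF
# has nothing to block. user-b, however, sweeps through many accounts.
SAMPLE_LOGS = """
{"ts": 1712200000, "sub": "user-a", "method": "GET", "path": "/accounts/1001/transactions", "status": 200}
{"ts": 1712200005, "sub": "user-a", "method": "GET", "path": "/accounts/1001/balances", "status": 200}
{"ts": 1712200010, "sub": "user-b", "method": "GET", "path": "/accounts/2001/transactions", "status": 200}
{"ts": 1712200011, "sub": "user-b", "method": "GET", "path": "/accounts/2002/transactions", "status": 403}
{"ts": 1712200012, "sub": "user-b", "method": "GET", "path": "/accounts/2003/transactions", "status": 403}
{"ts": 1712200013, "sub": "user-b", "method": "GET", "path": "/accounts/2004/transactions", "status": 200}
{"ts": 1712200014, "sub": "user-b", "method": "GET", "path": "/accounts/2005/transactions", "status": 403}
{"ts": 1712200015, "sub": "user-b", "method": "GET", "path": "/accounts/2006/transactions", "status": 200}
"""


def parse_records(text):
    """Parse JSON lines and extract the account ID from the request path."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        match = ACCOUNT_RE.search(rec["path"])
        rec["account_id"] = match.group(1) if match else None
        records.append(rec)
    return records


def detect_enumeration(records, window=60, max_distinct=3):
    """Map each subject that touches more than max_distinct distinct
    account IDs within any window-second span to the peak count seen.
    Status codes are ignored on purpose: a 200 is as suspicious as a
    403 once the access pattern itself is abnormal."""
    by_sub = defaultdict(list)
    for rec in records:
        if rec["account_id"]:
            by_sub[rec["sub"]].append((rec["ts"], rec["account_id"]))
    alerts = {}
    for sub, events in by_sub.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) > max_distinct:
                alerts[sub] = max(alerts.get(sub, 0), len(distinct))
    return alerts
```

In a real deployment the subject would be the token's claim or the PSU identifier, and the thresholds would be tuned per endpoint against observed customer behaviour.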

The future of open banking is very promising as adoption accelerates and authorities are backing growth initiatives. Customers could benefit from greater transparency, control, and innovative services. However, progress depends on overcoming a number of challenges and security is at the top of the list. If the financial services sector can address API security end-to-end, open banking stands to enable a more open, collaborative, and customer-centric financial ecosystem.

Andy Grolnick is CEO, Graylog
