Paul Dignan, Systems Engineering Manager at F5 Networks and former ‘ethical hacker’, tells Open Banking Expo Magazine why holistic API management is key to unlocking open banking’s vast potential.
Despite the ongoing Covid-19 challenges, there remains plenty of optimism about Open Banking’s disruptive credentials. It is easy to see why.
Despite the current market challenges, chatter about the potential of Open Finance persists because it has already been an innovation catalyst, enabling better user experiences, streamlining lending, automating accounting, and pioneering new payment options.
With this in mind, OBE Magazine asked Paul Dignan what he believes the future holds and how we can resolve some of the challenges that remain on the horizon.
How would you describe the Open Banking experience in different regions around the world?
Asia is already enthusiastically embracing the concept, buoyed by a slew of countries digitalising in real-time, a large base of tech-savvy consumers and digital payment platform ubiquity. Europeans are slightly more circumspect, though. The biggest hurdle to date is consumer sentiment. There is still a reluctance to share personal information, which is partly a cultural mindset, but this is also a reaction to the prevalence of data breaches.
Can you touch on some of the concerns or reasons behind this slow uptake?
Awareness is a pressing concern. According to a Splendid Unlimited study on the state of Open Banking, a mere 22 per cent know what it is. Open Banking services were used by just 9 per cent of survey participants. EY’s Open Banking Opportunity Index predicts it will take around three to five years to really get going. That said, the Open Banking Implementation Entity (OBIE) said the number of users has doubled in the past six months. More than one million customers have made use of Open Banking technology in the past two years.
Is regulation hindering progress and development as businesses find it difficult to break through red tape?
Actually, regulations continue to drive the pace of the Open Banking rollout. In Europe, the European Union’s Second Payment Services Directive (PSD2) will continue to resonate. In effect since 14 September 2019, the directive aims to promote innovation, help banking services integrate new technologies, and ensure payments are secure. The UK’s Open Banking Directive is effectively the country’s implementation of PSD2, though timeframes for full implementation have recently been extended.
Importantly, PSD2 includes new requirements for multi-factor authentication when executing bank operations. The value of EU consumers’ data is further elevated by the EU General Data Protection Regulations (GDPR). Markets such as Australia, Canada, New Zealand, Mexico, Argentina, Nigeria, Hong Kong, Japan and Taiwan are all monitoring the situation closely and poised for regulatory shifts.
Tell us more about holistic API management and why this is important?
In simple terms, an API is a set of routines, protocols, and tools for building software applications. An API basically specifies how software components should interact. In the banking realm, the use of open APIs enables third-party developers to build foundational technologies for applications and websites that provide greater financial transparency options, ranging from open data to private data, for the financial institution’s account holders.
PRETA has launched an initiative called Open Banking Europe that made public a directory listing all publicly available open APIs in the EU.
The Transparency Directory, as it is called, now contains over 1,500 banking-related developer portals and many more are expected to be added as other banks and financial institutions contribute to the list over the coming months.
Where does the responsibility for these developments lie, and can you give some examples?
The onus is now well and truly on infrastructure, operations, and DevOps teams to define, publish, secure, monitor, and analyse APIs.
API management solutions enable authors to publish APIs to various environments such as production, test, or staging. This ensures consistency for each environment and prevents misconfigurations. Key examples include:
- API gateways. API gateways secure and mediate traffic between backend API consumers. API gateway functionality includes authenticating API calls, routing requests to appropriate backends, and applying rate limits to prevent system overloads. It can also mitigate DDoS attacks, handle errors and exceptions, and offload SSL/TLS traffic to improve performance.
- Microgateways. Traditional API gateways may be inefficient when handling traffic in distributed environments (for example, microservices or handling IoT traffic to support real-time analysis). An additional software component – a microgateway – is required to process API calls in these types of scenarios. Microgateways are still API gateways but are more lightweight and suited to microservice architectures.
- Analytics. Today’s solutions can provide deep visibility into operational metrics on a per API basis, enabling new levels of troubleshooting and performance optimisation.
- Security. There are no shortcuts here. API infrastructure security should encompass authentication, authorisation, role-based access control (RBAC), and rate limiting (imposing a limit on the number of requests a caller can make during a defined period).
- Developer portals. A well-designed developer portal is pivotal to the success of any API program. It should facilitate the rapid onboarding of consumers and include a catalogue of external APIs, comprehensive documentation, and sample code. Some solutions also provide a mechanism for developer interaction.
Development and deployment demands are more pressurised than ever, especially as DevOps methodologies start to permeate mainstream operational processes.
Over and above some relative regional sluggishness, open APIs are definitively the future. They are now virtually impossible for anyone with open banking aspirations to ignore. In order to harness their true power, DevOps operatives need to make use of API gateways, analyse their APIs’ traffic, and secure them using up-to-date cybersecurity methodologies. Watch this space.
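The gateway functions listed in the interview (authenticating API calls, role-based access control, per-caller rate limiting and routing to a backend) combined in one request path, as an added Python example that is not part of the interview or of any vendor's product. The API keys, role names, routes and backend names are constructed for illustration, and the limiter is a fixed-window counter, one of several possible designs.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data: keys, callers, roles and backends are hypothetical.
API_KEYS = {"key-tpp-1": ("tpp-1", "account-reader"),
            "key-tpp-2": ("tpp-2", "payment-initiator")}
ROUTES = {  # path prefix -> (backend name, roles allowed to call it)
    "/accounts": ("accounts-svc", {"account-reader"}),
    "/payments": ("payments-svc", {"payment-initiator"}),
}

@dataclass
class Gateway:
    limit: int = 3                      # max requests per caller ...
    window: float = 60.0                # ... per window, in seconds
    clock: Callable[[], float] = time.monotonic
    _hits: dict = field(default_factory=dict)  # caller -> (window start, count)

    def _within_limit(self, caller: str) -> bool:
        now = self.clock()
        start, count = self._hits.get(caller, (now, 0))
        if now - start >= self.window:  # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            return False
        self._hits[caller] = (start, count + 1)
        return True

    def handle(self, api_key: str, path: str):
        """Return (HTTP status, backend name or None) for one request."""
        identity = API_KEYS.get(api_key)
        if identity is None:            # authentication
            return 401, None
        caller, role = identity
        route = next((r for prefix, r in ROUTES.items()
                      if path == prefix or path.startswith(prefix + "/")), None)
        if route is None:               # routing: no backend for this path
            return 404, None
        backend, allowed_roles = route
        if role not in allowed_roles:   # authorisation (RBAC)
            return 403, None
        if not self._within_limit(caller):  # rate limit, keyed on the caller
            return 429, None
        return 200, backend
```

The limiter is keyed on the authenticated caller rather than the source address, so one third party exhausting its quota does not affect another.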