Open Finance has redefined how financial institutions, fintech, and consumers interact with financial data. Regulatory mandates like PSD2 in Europe and the U.S. Consumer Financial Protection Bureau’s (CFPB’s) new Section 1033 rule are accelerating the shift toward API-driven ecosystems, unlocking innovation, transparency, and consumer empowerment.
But, as the Open Finance model scales, so does the complexity of the security landscape.
At the center of this evolution is trust; trust that the data consumers share with banks, aggregators, and third parties remains secure. APIs are the connective tissue of Open Finance. But increasingly, they are also its greatest vulnerability.
According to Akamai’s 2025 API Security Report, a staggering 88.7% of financial services firms experienced an API-related security incident in the past year, the highest of any sector. In the U.S., the average cost per incident exceeded $830,000, factoring in downtime, legal costs, regulatory penalties, and remediation. These numbers are not just metrics; they are a wake-up call for the financial services industry.
So, what’s driving these attacks? In short: visibility gaps, architectural sprawl, and legacy defenses that were never designed for today’s API-first financial ecosystem.
Only 28.5% of financial institutions report having a full inventory of APIs and knowing which return sensitive data. That leaves massive blind spots, particularly with shadow APIs, aggregator abuse, and bot-based automation increasing in sophistication.
Over a quarter of firms said their network firewall failed to catch the last attack. Another 22.5% said their API gateway didn’t stop it either. Even well-known security layers like WAFs and mid-tier solutions are proving ineffective against the evolving techniques threat actors use today, unless they’re built to adapt to complex architectures with real-time threat detection across hybrid cloud, multi-CDN, and edge environments.
This breakdown in traditional controls isn’t just a security problem; it’s a business one. Nearly one in three organizations reported increased scrutiny from internal leadership following an API incident, with loss of trust and reputational damage topping the list of long-term impacts. More than a quarter cited fines, productivity loss, and customer churn, highlighting that API incidents erode business value far beyond the IT perimeter.
Part of the problem lies in how API security is still often treated as a bolt-on solution rather than an embedded discipline. While 73.5% of financial services firms claim to have some inventory of APIs, only a fraction monitor and test them in real time. Weekly and monthly testing remains the norm, and that cadence simply isn’t fast enough to match the speed of modern threats.
The gaps don’t stop at detection. Many organizations also struggle to define normal API behavior, making it difficult to spot anomalies that may indicate an attack in progress. The growing use of AI and automation only compounds the problem, enabling adversaries to launch high-frequency, low-and-slow attacks that bypass static defenses. Combine that with the increased reliance on aggregators and third-party APIs, and financial institutions are managing a sprawling, interconnected digital footprint that few fully understand.
As Open Finance reshapes the financial ecosystem, security architecture must evolve. The foundational challenge is no longer just keeping attackers out; it’s understanding how data flows, who interacts with it, and where trust boundaries exist in a dynamic, API-driven environment.
Leading financial institutions are rethinking their approach, investing in real-time API discovery to surface undocumented or forgotten interfaces, often referred to as shadow APIs, that can expose sensitive data or become soft entry points for abuse. Visibility is step one, but visibility without action is not enough.
Strong identity and access controls, including mutual TLS (mTLS) and programmable authorization rules, are increasingly being adopted to ensure that even trusted third-party connections are governed by least-privilege principles. The complexity of financial data-sharing demands controls that can scale, not just across applications, but across partners, geographies, and compliance mandates.
At the same time, machine learning and behavioral analysis are being used to monitor for deviations in API behavior, such as unexpected traffic spikes, credential stuffing attempts, or anomalous data access patterns. These techniques help institutions detect emerging threats, not just known ones, and enable faster containment before incidents become breaches.
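As an added illustration of the two points above, shadow-API discovery and behavioral deviation detection, here is a small example written for this post (not Akamai code or any product’s logic). It runs over constructed gateway log records; the documented inventory, the log tuple layout, the `/oauth/token` path and the thresholds are all assumptions.

```python
"""Added example (not from the original post): baseline checks over
constructed API gateway records. Surfaces paths missing from the documented
inventory (shadow endpoints) and flags the 'many subjects, one origin,
many failures' pattern typical of credential stuffing against a token endpoint.
The inventory, log layout and thresholds are assumptions for illustration."""
from collections import defaultdict

# Documented API inventory (assumed); anything else seen in traffic is "shadow".
INVENTORY = {"/v1/accounts", "/v1/transactions", "/v1/consents", "/oauth/token"}

# Constructed gateway records: (timestamp_s, client_ip, path, status, subject)
LOG = [
    (0, "10.0.0.5", "/v1/accounts", 200, "user-a"),
    (1, "10.0.0.5", "/v1/transactions", 200, "user-a"),
    (2, "10.0.0.9", "/internal/export", 200, "svc-batch"),   # not in inventory
] + [(3 + i, "203.0.113.7", "/oauth/token", 401, f"user-{i}") for i in range(40)]

def shadow_endpoints(log, inventory=INVENTORY):
    """Paths observed in traffic but absent from the documented inventory."""
    return sorted({path for _, _, path, _, _ in log if path not in inventory})

def credential_stuffing_sources(log, window_s=60, min_failures=20, min_subjects=10):
    """Source IPs whose failed token requests in one sliding window span many
    distinct subjects. Returns ip -> stats for the densest qualifying window."""
    fails = defaultdict(list)  # ip -> [(ts, subject)]
    for ts, ip, path, status, subj in log:
        if path == "/oauth/token" and status == 401:
            fails[ip].append((ts, subj))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1           # slide the window forward
            span = events[start:end + 1]
            subjects = {s for _, s in span}
            if len(span) >= min_failures and len(subjects) >= min_subjects:
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "subjects": len(subjects)}
        if best:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print("shadow endpoints:", shadow_endpoints(LOG))
    print("stuffing sources:", credential_stuffing_sources(LOG))
```

A single legitimate user retrying a bad password stays below the subject-count threshold, which is why the check keys on distinct subjects rather than on failures alone.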
Finally, secure integration with cloud platforms and infrastructure partners is critical. As financial institutions build and scale Open Banking services in hybrid and multi-cloud environments, security must travel with the workload. That means ensuring consistent controls, from pre-production testing to live API traffic, and aligning with regulatory frameworks like PSD2, DORA, and Section 1033 from the start.
This is a new model for financial data security: proactive, embedded, and adaptive, designed to support innovation without sacrificing trust.
Regulatory alignment is another major benefit. As frameworks like PSD2, DORA, and the CFPB’s Section 1033 rule continue to evolve, institutions need controls that can demonstrate compliance without slowing innovation. By reducing the scope of audits and automating policy enforcement, teams can prepare for scrutiny, from internal stakeholders to regulators, with clear data and actionable insights.
The broader implications are hard to ignore. Open Finance is reshaping how consumers access, manage, and control their financial lives. But its success depends on whether institutions can keep that experience secure at every point of contact. As the 2025 data shows, nearly nine in 10 financial organizations have already experienced the downside of insufficient API protection. Those numbers are only expected to climb as the ecosystem grows.
The time for half-measures has passed. Financial institutions must treat API security not as an IT concern, but as a strategic imperative. This means moving beyond periodic scans and reactive policies toward continuous, adaptive protection that evolves alongside the digital services it supports.
The World Economic Forum (WEF) emphasizes this shift as part of its broader call for systemic cybersecurity reform. It encourages global collaboration between industry, regulators, and security providers to address the risks of API exposure in an increasingly automated world. That call includes greater investment in shared threat intelligence, standards development, and integrated risk management, all areas where Akamai is actively partnering with leading organizations worldwide.
Ultimately, compliance is no longer a checkbox. It’s a capability, and a competitive one. Institutions that can demonstrate proactive API governance, strong consumer protections, and rapid incident response will not only reduce risk, but they will also differentiate themselves in an industry where trust is currency.
Open Finance is here to stay. Let’s build it on a foundation of trust.
Akamai is an Event Partner of Open Banking Expo USA, which takes place on June 26, at the Hilton Midtown in New York. Find Akamai at Stand 2 in the Expo Hall.