PSD2, the Future of Open Banking, and API Security

Open Banking Has Accelerated the Use of APIs – and the Need for API Security

The landscape of open banking is rapidly evolving, fueled in no small part by the EU’s Revised Payment Services Directive (PSD2) aimed at enhancing authentication and regulating third-party access to financial data. Yet, despite its noble intentions, the journey towards widespread adoption has been fraught with challenges, notably the proliferation of APIs and the resulting fragmentation in the market. As APIs have surged to the forefront, API security remains a top concern for financial organizations.

Recent statistics from the Open Banking Impact Report reveal a surge in open banking usage, with one in nine U.K. citizens now embracing the concept. However, while payment volumes have doubled, provider adoption hasn’t matched the pace anticipated. The European Commission’s report on the application and impact of PSD2 sheds light on this disparity, highlighting concerns over API variability and functionality.

APIs form the backbone of open banking, enabling secure access to backend data required by financial services. However, the report’s findings paint a disconcerting picture, citing significant discrepancies in API standards across banks. These inconsistencies hinder interoperability, forcing third-party providers to navigate a complex web of connections, thus impeding innovation and efficiency.

Moreover, the emergence of so-called “premium APIs” further complicates matters. Premium APIs are private APIs that banks can sell to their corporate customers and provide additional access to data beyond standard APIs. However, this threatens to create a two-tier system that undermines the standardization envisaged by PSD2, since premium APIs may not be regulated by PSD2. The absence of a unified API standard has led to concerns about unfair competition and data security.

While the concept of a global API standard garners support from a majority, qualitative interviews suggest apprehension among stakeholders. Some fear stifled innovation and commercial constraints, advocating instead for a more market-driven approach.

Nevertheless, the prevailing sentiment underscores the urgent need for regulatory intervention to address API sprawl and API security in order to restore confidence in the open banking ecosystem.

Incentivizing banks to invest in robust API infrastructure is paramount to fostering security and innovation. Current regulations lack sufficient incentives for banks, leading to suboptimal implementations and access restrictions. The imbalance in investment and access privileges underscores the necessity for regulatory reform and enforcement.

As European regulators contemplate the future of PSD2, stakeholders must brace for stricter regulations and heightened scrutiny. Addressing API sprawl and promoting standardized practices will be pivotal in realizing the full potential of open banking while safeguarding consumer interests.

While the journey towards open banking holds immense promise, it is imperative to address the challenges of API sprawl to ensure a secure, efficient, and inclusive financial ecosystem.

We’ve previously written about open banking and associated challenges with API security in the U.S. here. Regardless of what the future holds with open banking, it’s clear that a focus on API security is needed. Financial services organizations will need to know what APIs they have in use, ensure that those APIs are compliant with API specs and are clear of known vulnerabilities, and that they’re protected from attacks. The Cequence Unified API Protection platform is the only solution that unites discovery, compliance, and protection across all internal and external APIs to defend against attacks, targeted abuse, and fraud. Learn more and get started for free with an API security assessment.