Why open banking regulations and security matter to credit unions

Account holder digital expectations are often being driven by innovative fintechs and credit unions have turned to open banking as an effective way to meet this demand through partnerships with third-party providers (TPPs). Open banking relies on the use of application programming interfaces (APIs) to boost performance and reduce latency, and as with any digital data-sharing process, security and consumer privacy are of top concern.

The most recent F5 Labs research shows that the number of API security incidents is growing every year, and most API incidents during the last two years were related to a low level of security maturity, which is often caused by tool sprawl.

Why APIs Matter in Open Banking

APIs offer many benefits. They give account holders more choice, control, and convenience when sharing their data with TPPs. Credit unions also reap benefits—not only by achieving data-sharing efficiency but also by getting a more comprehensive view of their members’ financial lives.

Without API-centric security, the benefits of open banking will never excel over other data-sharing technologies. Earlier this year, the Office of the Comptroller of the Currency (OCC) issued a supplement to OCC Bulletin 2013-29: Third-Party Relationships, in which it cites APIs as an efficient and secure portal through which banks can share sensitive consumer data with data aggregators. According to the OCC, financial institutions that establish bilateral agreements with data aggregators can use APIs to reduce the use of less effective methods like screen scraping while also allowing their account holders to better define and manage the data they wish to share.

APIs don’t require members to provide their account login credentials to third-party entities. The ability to safeguard their personal information provides an added comfort level for consumers who enjoy the convenience of using popular financial apps like Venmo, Mint, and others, but because of privacy concerns would prefer not to share usernames and passwords beyond their core banking usage.

The Open Banking Regulatory Outlook

The USA has yet to implement any regulations governing the use of open banking standards, although the OCC has sent out an Advanced Notice of Proposed Rulemaking (ANPR), which would indicate that regulations are on the horizon. The Consumer Financial Protection Bureau is also preparing an ANPR in the area of consumer-authorized access to financial records, though the Bureau’s approach to date has been to allow the industry to develop standards in this area without direct regulatory intervention.

With North America yet to experience regulatory intervention in the open banking arena, globally it is a different story. In Europe, the EU has enacted the Second Payment Services Directive (PSD2), which requires banks to create mechanisms—most commonly APIs—to provide data quickly, securely, and reliably to TPPs with the consent of their customers. Other countries, such as the U.K., Canada, Hong Kong, Japan, Mexico, and Australia likewise are progressing with open banking standards.

Without official regulations in the U.S., the banking industry is moving forward to advance the use of API protocols. Competitive forces are compelling many of the larger banks, such as Wells Fargo and Bank of America, to prioritize implementation of their own API solutions. Joint industry efforts also are underway and may serve as a template for the eventual regulatory standards that dictate the use of APIs.

Achieving Open Banking Standardization

There are signs that federal financial regulators and other government agencies are encouraging industry-driven efforts as a means of enhancing security, privacy, and innovation. The most notable industry effort has come from the Financial Services Information Sharing and Analysis Center (FS-ISAC), which in 2018 launched the Financial Data Exchange (FDX) as a consortium of financial services institutions working together to define, standardize, and secure data transfers.

The mission at FDX is to define an API framework that will put the consumer “in the driver’s seat” regarding how they control and share their financial data. A big step toward that goal occurred earlier this year, when the consortium introduced FDX API 4.0, an updated API standard designed to enhance interoperability and performance for a full range of supported use cases that will enable consumers to have greater control over their savings, investments, digital payments, and tax history.

A Sense of Urgency Around Open Banking

Competitive forces, as well as the potential for imminent regulatory action, provide a sense of urgency around credit unions exploring refined approaches around their APIs. One way to proceed efficiently with the development of an evolved API strategy is to call on an outside expert and deploy the right solutions.

Look for a high-performance, low-latency API management solution and a secure API gateway solution, which permits credit unions to leverage modern security protocols to support microservices-based apps.

Open banking is the way forward in this era of fintech. By being proactive about advancing their open banking initiatives, credit unions will have a leg up on the competition.

F5 has been working closely with our financial services customers worldwide on their Open Banking initiatives. F5 and the analyst firm Twimbit recently collaborated to publish research on the worldwide trends in Open Banking.