Meeting the expectations of today’s consumers is more challenging than ever before, especially in the financial services industry. Although your customers use multiple institutions for various banking products like mortgages, business banking, credit cards, insurance, etc., they expect everything to work together, smoothly and in real time. Fail to deliver on those expectations, and it’s relatively easy for consumers to move from your offerings to those of your competitors.
The key to delivering what your customers want lies in integrating your financial products and accounts into the consumer lifestyle. By enabling your end users to seamlessly interact with many different service providers, you empower them to manage their accounts in ways tailored to their individual situations, thus taking control of their financial lives.
The higher the level of personalization you're offering, however, the greater the amount of sensitive data you're potentially serving up, and the higher the security risks. Financial institutions are notoriously attractive targets for bad actors, as bank robber Willie Sutton apocryphally explained, "because that's where the money is." In today's digital age, "the money" translates to a wealth of personally identifiable information (PII) and other sensitive data that attackers would love to exploit.
To protect against breaches while meeting consumer expectations of ease and flexibility, finserv companies are increasingly turning to secure APIs that are focused on improving the end user experience. Customer financial APIs create the pathways that allow you to provide customers with what they want, and when they are properly secured against the attack surface they add, your institution reaps the benefits of deeper customer engagement.
Customer Financial APIs
APIs are nothing new to banks, insurance companies and other financial institutions. We’re in the midst of a virtual explosion of APIs, with roughly 75% of organizations developing both internal and public-facing APIs, according to a recent SmartBear report. Your enterprise likely has operations APIs for efficiency in areas like customer support and HR, product APIs for financial products and apps that talk directly to another system in real time through an API integration, and partner APIs for limited use cases where you might, say, require a VPN connection to access.
This article focuses on a specific type of API: customer financial APIs. This set of APIs gives you a way to serve your customers what they want with regard to their own accounts and financial needs. For example, when a user initiates a payment with a merchant, the merchant can use a bank API to execute the transaction, and your enterprise can add an additional authentication factor to the workflow before allowing the payment to go through. The higher level of authentication assurance not only reduces fraud, but also results in customer benefits like detailed authorization requests, so the customer knows exactly what they're approving. Customer financial APIs help you deliver:
- Freedom. Today’s consumers expect financial freedom and the ability to use fintech and insuretech offerings in whatever way speaks to them.
- Flexibility. Your customers want options and want to decide for themselves which financial products and services combine to provide the best value.
- Personalization. No two people are managing their money in the exact same way. They want to know you understand them and can give them different features and offers that are relevant specifically to them.
When you open up visibility across multiple institutions and providers so your customers can manage their financial lives, they respond with loyalty and trust. Therefore, it's up to you to meet your customers where they are and wherever they go. You'll find them in places like the personal budgeting software application You Need A Budget, online finance management app Mint, and the payments platform Stripe for your corporate customers. These apps exist whether your financial institution is involved or not, but you can become integrated and embedded in the financial app ecosystem when you offer open APIs: web APIs that any third-party developer can call once they have registered for access credentials.
By doing so, you help your customers with real-time, seamless experiences, reducing the brittle nature of integrations across financial institutions. Customers also gain the ability to manage and revoke consent to share their data and direct payments with third parties directly from the online banking portals you give them, empowering them through transparency and control of their account and data privacy.
APIs Can Help Stop Screen Scraping
Consider a current use case that could be greatly improved with customer data APIs: account aggregation & dashboards. Aggregation services, which compile information from different financial accounts into a single place, have been around for more than a decade, and it’s fair to say that every bank wishes they were the aggregators themselves. But in the absence of customer account data APIs, these aggregators use the risky practice of screen scraping. It works like this:
1. Your customers hand over their credentials for all their financial institutions, the keys to their entire financial life.
2. The aggregator stores your customers' account credentials in its own database, a single point of failure whose compromise exposes every account a customer has linked.
3. When customers refresh their dashboard view, the financial data aggregator replays those logins against your web application, appearing to you as the customer, and scrapes transaction data out of the rendered pages.
Screen scraping is, simply put, scary. While it’s likely that the aggregators are encrypting the data they scrape, those security policies are out of your control, and it only takes one vulnerability to cause an overwhelming amount of damage. But if you try to block screen scraping and don’t offer an alternative for getting customer data out, your customers will go elsewhere. They likely aren’t aware of the overall security risks, and if they’ve been with your financial institution for a while, they’ve probably built up trust that you’re securing their money for them.
You can continue to earn that trust through APIs. By giving data aggregators a more secure channel to get that data instead of asking for your customers' banking credentials, your customers never have to hand the keys to their accounts to a third party. At the same time, you can scope the access to exactly the data being shared (read-only access to balances and transactions, for example, rather than the full power of a logged-in session), capture customer consent, and require step-up authentication during setup if you wish.
API Security through Identity
Financial APIs are among the most popular API categories, which isn’t surprising when you consider that nearly all commercial enterprises need to be able to initiate payments—and the financial industry holds the most data of use to these organizations. Some financial enterprises are even “productizing” APIs, treating them as new sources of revenue and charging third parties for valuable direct integration.
But as the volume of financial APIs continues to grow, so do the security risks. Because APIs provide direct access to sensitive and critical business logic, applications and data within your financial systems, they are attractive targets for attackers. And because some APIs are external facing and the developers calling them aren't bound by your security policies, these APIs are highly exposed, which introduces complexity in management and security beyond what an API gateway alone can handle.
Identity and access management (IAM) plays a critical role in the emerging financial API economy by enabling security, openness and innovation for your financial enterprise. IAM means the right people access the right applications, services and APIs seamlessly and securely, with the right balance of strong user experience and optimal security.
The Ping Intelligent Identity Platform delivers six key IAM capabilities that are essential for ensuring API security:
- Authorization server. Ping Identity provides the leading authentication authority, PingFederate, which can act as the authorization server in an open financial API access workflow. As a modern federation hub with many use cases, it has broad support for the relevant federation protocols, including OAuth 2.0 and OpenID Connect, making it a solid foundation for authenticating financial customers who are seeking access to their data through third-party applications and services.
- Resource server. PingAccess can act as the resource server in an OAuth model that receives all API calls, validates the tokens and evaluates access control policies before allowing third-party client access. A centralized policy engine for controlling access to APIs and applications, PingAccess provides a single set of policies that support access security for both applications and APIs, and is built on modern standards such as OAuth 2.0.
- Multi-factor authentication. PingID is an adaptive, contextual multi-factor authentication (MFA) solution that gives organizations a strong way to prevent fraud, authenticate users and confirm their informed consent when they are delegating access to sensitive account data and functions to a fintech app or retailer through an API. It integrates with a wide spectrum of authentication methods and can be embedded directly into your mobile banking, insurance or wealth management app for user convenience, seamless brand image and biometric security features such as fingerprint-based authentication.
- Directory and data store. PingDirectory, which is more data store than pure user directory, securely stores authorization history, identity data, consent records and other user and application data, allowing the flexibility that an enterprise requires for securing open APIs. For instance, financial enterprises that offer account aggregation apps to their customers can use PingDirectory to store the access tokens and credentials that they've received from their customers' other financial institutions.
- Data governance. PingDataGovernance adds a data protection layer for data owners, security teams and business analysts to build data access policies, and helps test and enforce those policies while limiting the data returned by the API at a granular level. It also enforces the user's explicit consent to their data sharing, enables policies governing data for regulatory compliance and internal controls, and re-checks the user's authorization before allowing API data to be accessed.
- API cybersecurity. PingIntelligence for APIs protects your APIs from cyber attacks with AI-powered API security that automatically detects and blocks suspicious activity in real time. It uses artificial intelligence and machine learning that self-learns expected API behavior on a per-API basis without humans having to write all the rules, manage policies or update API attack signatures.
By using Ping's comprehensive IAM solution to enable financial-grade API security, you can take the lead in API innovation while keeping the risk of breach and fraud in check.
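The steps described above, the resource server validating a token, re-checking the customer's consent, intersecting the token's scopes with what was actually granted, and filtering the fields returned, are shown below as an added example. It is not Ping Identity code and not any product's API: it uses only the Python standard library, signs tokens with HS256 under a hypothetical shared key (a real authorization server would use an asymmetric key published via JWKS), and the issuer URL, audience, scope names, consent records and account data are all constructed for this illustration. The point it makes against screen scraping is that the third-party app ends up holding a short-lived, narrowly scoped token that the customer can revoke at the bank, never the customer's login credentials.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for this example only. A real authorization server would
# sign with an asymmetric key and publish the public half via JWKS.
SIGNING_KEY = b"example-hs256-key-not-for-production"
ISSUER = "https://as.example-bank.test"
AUDIENCE = "accounts-api"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, client_id, scopes, ttl=300, now=None):
    """Authorization-server side: the token a third-party app receives after the
    customer consents. It names the customer, the app and the granted scopes."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "client_id": client_id,
              "scope": " ".join(sorted(scopes)), "iat": int(now), "exp": int(now) + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, now=None):
    """Resource-server side: reject anything not signed by our issuer, expired,
    or intended for a different API. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose the verifier
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Constructed consent records: which scopes each customer granted to each app.
# Revoking consent here cuts the app off even while its token is still unexpired.
CONSENTS = {("cust-123", "budget-app"): {"accounts:read", "transactions:read"}}

# Constructed account data held by the bank.
ACCOUNTS = {"cust-123": [
    {"account_id": "acc-1", "number": "12345678901234", "balance": 1520.55, "currency": "USD",
     "transactions": [{"id": "t1", "amount": -42.10, "merchant": "Grocer"}]},
]}


def revoke_consent(customer, client_id):
    """What the customer clicks in the online banking portal to cut an app off."""
    CONSENTS.pop((customer, client_id), None)


def _filter_account(acct, scopes):
    """Return only what the effective scopes allow; the full account number never leaves."""
    out = {"account_id": acct["account_id"], "number_last4": acct["number"][-4:],
           "balance": acct["balance"], "currency": acct["currency"]}
    if "transactions:read" in scopes:
        out["transactions"] = acct["transactions"]
    return out


def handle_accounts_request(token, now=None):
    """GET /accounts as seen by the resource server: validate the token, re-check
    consent, intersect token scopes with the consent record, then filter fields."""
    claims = verify_token(token, now)
    granted = CONSENTS.get((claims["sub"], claims["client_id"]))
    if granted is None:
        raise PermissionError("consent_revoked")
    effective = set(claims["scope"].split()) & granted
    if "accounts:read" not in effective:
        raise PermissionError("insufficient_scope")
    return [_filter_account(a, effective) for a in ACCOUNTS.get(claims["sub"], [])]


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("cust-123", "budget-app", {"accounts:read", "transactions:read"}, now=t0)
    print(handle_accounts_request(tok, now=t0 + 60))
    revoke_consent("cust-123", "budget-app")
    try:
        handle_accounts_request(tok, now=t0 + 60)
    except PermissionError as err:
        print("after revocation:", err)
```

Two design choices matter here. Consent is checked on every call against the bank's own store rather than trusted from the token alone, so revocation in the portal takes effect immediately instead of at token expiry. And the scopes applied are the intersection of what the token carries and what the consent record still grants, so a token minted under a broader consent that the customer later narrowed cannot pull more than the customer currently allows.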
Financial APIs for Better Customer Experiences
Consumers can open new accounts from any smart device in a matter of minutes. This doesn’t mean they are going to leave your institution for greener pastures, but today’s customers are likely to have more open, less exclusive relationships with financial service companies.
So give them the seamless experiences they want through APIs, intelligently secured on the backend through reusable, modern access management services. By leveraging Ping’s API security, you can provide customers with more personalized, flexible and innovative experiences.