The Tyk team recently hosted a roundtable event entitled “Solving fintech issues one API at a time”.
The main goal of the event was to make sure that everyone attending walked away with at least one or two new ideas to apply in their API management or API development journey. But, we didn’t want to just limit those valuable insights for people who were able to attend the event.
That’s why we’ve cobbled together some of the big insights from the panel discussion and from industry experts. Read on to find out more about API Management and the role it plays in modern financial institutions.
Reality check: The fintech issues of today
We kicked off the day’s event by outlining five of the most pressing industry challenges fintechs faces. These include:
- Securing Data
- Securing Access to APIs
- Compliance and Regulatory Obstacles
- Thoughts on Scaling
- Adoption and Integration
Thoughts on securing data
Securing data is critical, meaning Tyk takes it very seriously at every stage. With all Tyk components, banks and FinTechs have full support for AES and SSL/TLS encryption, meaning that as data moves over the wire it’s doing so in a secure fashion.
When you think about the vulnerabilities within the fintech industry, and how companies might lose reputation, it’s usually after they’ve suffered from a data breach or failure to secure that data. This leads financial institution (FI) clients to look at PCI DSS (Payment Card Industry Data Security Standard) requirements for guidance.
For example, Requirement 7 on PCI DSS states: “To ensure critical data can only be accessed by authorised personnel, systems and processes must be in place to limit access based on the need to know and according to job responsibilities.”
API Management, (which is essentially the plumbing that sits within a financial organisation), requires an understanding of where the responsibility lies and making sure that the FI is appropriately and efficiently using data security tools like cypher suites.
From our panel discussion, it was pretty much unanimously agreed that API security is top of mind for FIs as they run financial services alongside regulatory environments, requirements, and even other financial organisations. With an API Management mindset, FIs can gain oversight about how certain tools can allow specific functionalities more quickly than necessarily implementing changes directly into the code itself.
Thoughts on securing access to APIs
The discussion transitioned from considering the importance of securing data to chatting about why securing access to APIs is equally as important. A handful of participants explained they primarily use OAuth (the industry-standard protocol for authorisation) in their organisation.
That said, in regards to superior access API security, there was also discussion among the attendees who support bearer tokens, HMAC signatures, and other support jobs, (for example, JSON Web tokens being used to secure and govern access). The key point here though was that methods to secure access to APIs don’t have to be used in isolation.
In fact, the discussion highlighted that there are two different models: the Perimeter APIs and External APIs. As we increasingly move towards a world of open banking that’s very heavily regulated, access models require a very explicit user consent model that goes beyond anything previously encountered.
Banks and their development teams can now kind of cherry-pick how they want to secure access. While there are huge amounts more than work and a structure needed to control access the ability to weigh all the different authentication models is exactly the kind of thing FIs need to find the best fit for them.
Thoughts on fintech compliance issues and regulations
An API Management tool or a powerful API gateway can really help to facilitate compliance and the ability to proactively follow financial regulation.
Keeping up with government regulations and compliance standards is crucial for creating a sustainable and profitable business. For people who have worked in the finance world, you’ll know that failing to do so is where the big fines and trouble can appear.
In the banking industry, it’s critical that FIs are able to choose tools that give flexibility over where data is stored because data sovereignty is a huge deal when it comes to the best practice in the industry.
When it comes to choosing an API gateway that preserves data sovereignty, it’s important to know:
- By fronting an API with a proxy layer, where can edges be deployed?
- Does the cloud provider have a Point of Presence?
- Is there linear scalability and fault-tolerance within the API?
- Will a shared state-run efficiently without compromising performance?
Most interestingly of all, when talking about accountability regarding compliance issues, FIs cannot simply outsource responsibility in the instance a data breach happens in an external part of their service. As an integral part of their solution, the FI is on the hook to resolve the issue.
Thoughts on scaling
Customer experience and business growth are aided by properly planned scaling. Even if you’re in the early stages of growing your organisation’s API portfolio, it’s very important to seriously consider your growth trajectory when creating an API Management programme.
Commonly, API Management programmes start very localised to a single team and grow to include multi-team that adopt the product and introduce their own governance requirements. FIs anticipating internal API expansion should consider multi-team support, role-based ethics, and role-based access controls as a starting point.
The challenge for FIs is whether to combine API capabilities or keep applications separate. Choosing the right API Management tool early allows for the flexibility to scale should the need ever arise.
Thoughts on adoption
Thinking about adoption in terms of the overall product, FIs and emerging fintechs must internally socialise newly adopted APIs with the right groups in order to move away from old or out-of-date legacy technology towards new and potentially more innovative systems.
Typically FIs have two main options when it comes to integrating and adopting new tech solutions. Firstly, using their development team to build an API solution from scratch and build through communities of practice. Or secondly, combining a number of different API solutions together to create a tailored and bespoke system to suit your FI’s unique needs.
Tyk has a developer portal that enables FIs to easily onboard users. This can really assist with adoption and be set up easily. The flexibility created by Tyk creates the real potential to lead to internal developers adopting different APIs available within the API catalog. Our portal may also mean that third parties can also browse the catalog and easily adopt an available API. Win!
Discover the Tyk way today
As the leading API and service management platform that’s always evolving, we’re here to help make big things happen in your business. At Tyk we encourage a creative, open and curious mentality. We don’t just solve problems, we seek them — tinkering, tweaking and hacking are in our DNA.