Ayman Jaber is the chief internal auditor of the Halab Saudi payment company, one of the leading FinTech companies in Saudi Arabia. In this article, he discusses API governance and risk management.
Since the pandemic, a new tech company has been opening up every other day. During the lockdown, customers had limited access to banking services and started demanding more digital channels. This is where the change in customer behavior began. Demand for a more personalized experience, compared to traditional financial services, also increased. This is where open banking and open APIs came into the picture. These changes bring their own challenges and risks.
Open banking enables third parties to access customer information and data that, in traditional banking, used to be kept in a strong vault. Customer consent is required before this information is shared with a third party or FinTech. Open access is not something standard banks are used to. Banks have their core systems, data, and applications with internal or closed APIs, but they started engaging with third parties to keep up with the changes. To enable third-party partners to access their data, banks had to build open APIs that allow different systems to talk to each other. This is where the Open Banking initiative started kicking off. Security and regulatory frameworks are required for Open Banking.
Open Banking Challenges and Risks
- Data Security – People are concerned about where the data is stored, how it is transferred, and who it is accessible to and shared with.
- Financial Fraud – Identity theft is a form of financial fraud and a huge risk to open banking.
- Regulatory non-compliance
- Operational Disruptions
- API Misuse
Mitigating Risks of Open APIs in Open Banking
- Establish a clear and consistent API governance framework to counter these challenges and risks.
  - Develop a governance charter that outlines the objectives, policies, and procedures for API governance.
  - Assign roles and responsibilities for API governance to the different stakeholders, including financial institutions, third-party providers, and regulatory bodies.
  - Establish a governance committee responsible for the ongoing review, management, and enforcement of the API governance framework.
- Implement robust and effective security and risk management processes.
  - Implement multi-factor authentication for API access and usage.
  - Implement encryption for sensitive data in transit and at rest.
  - Develop a security incident response plan that outlines how to handle security breaches and unauthorized access.
  - Regularly monitor API access and usage for suspicious activity and conduct security audits.
- Implement effective testing and validation processes.
  - Develop test cases and test scripts for functional and non-functional testing.
  - Conduct user acceptance testing with representative customers to ensure the APIs meet their needs.
  - Develop clear and consistent documentation for the APIs, including user guides and reference materials.
  - Regularly update test cases and documentation as the APIs change.
- Implement a consistent and clear API management process.
  - Develop a process for managing and updating APIs, including a change management process.
  - Regularly review and update the APIs to ensure they continue to meet the needs of the customers and the financial institution.
  - Monitor API usage and performance to identify any issues and make changes as necessary.
- Implement effective Business Continuity Management (BCM) and Disaster Recovery (DR).
  - Implement a BCM plan to ensure the continuity of critical business processes in case of an API outage or other disruption.
  - Implement a DR plan that outlines the steps to recover from a disaster that causes an outage.
  - Conduct regular resilience testing of the APIs to ensure they can handle the expected volume of transactions and to identify potential issues before they cause disruptions.
  - Ensure that any third-party vendors involved in providing APIs have their own BCM and DR plans, and that these are regularly tested and reviewed to ensure they meet the necessary standards.
Service Level Agreements and Contract Terms
Before engaging with third-party providers, establish SLAs and contract terms. The things to look for are:
- Service availability
- Response time
- Data privacy and security
- Service level credits
- Compliance and regulatory requirements
- Scalability and performance
- Customer support and incident management
- Governance and risk management
- Intellectual property
- BCM and DR
- Termination and Renewal
Board and Top Management Involvement
The board and top management need to be stakeholders in this process. They must:
- Set strategy and direction
- Establish an API governance framework
- Ensure proper resources and controls
- Monitor performance, risks, and the effectiveness of the controls
Also, the control and assurance functions must look after risk management, cyber-security, compliance, and internal audit.
We cannot talk about governance and risk management without mentioning the regulators. Regulators are key players in open banking and its ecosystems. Their role is to establish regulations and guidelines; supervision and enforcement are also important.
Last, but not least, we must adopt artificial intelligence and machine learning to enhance API analytics and security.