API Security & Identity

API Governance and Risk Management

Image by Mohamed Hassan from Pixabay

Ayman Jaber is the chief internal auditor of the Halab Saudi payment company, one of the leading FinTech companies in Saudi Arabia. In this article, he discusses API governance and risk management.

Since the pandemic, a new tech company has been opening up every other day. During the lockdown, customers had limited access to banking services and started demanding more digital channels; this is where the change in customer behavior began. Compared with traditional financial services, the demand for a more personalized experience also increased. This is where open banking and open APIs came into the picture. These changes bring their own challenges and risks.

Open banking enables third parties to access customer information and data that, in traditional banking, used to sit in a strong vault. Customer consent is required before this information is shared with a third party or FinTech. Open access is not something standard banks are used to: banks have their core systems, data, and applications behind internal or closed APIs. To keep up with the changes, banks started engaging with third parties, and to let those partners access their data they had to build open APIs that allow different systems to talk to each other. This is where the Open Banking initiative took off. Security and regulatory frameworks are required for Open Banking.

Open Banking Challenges and Risks

  • Data Security – People are concerned about where the data is stored, how it is transferred, and who it is accessible to and shared with.
  • Financial Fraud – Identity theft is a form of financial fraud and a huge risk to open banking.
  • Regulatory non-compliance
  • Operational Disruptions
  • API Misuse

Mitigating Risks of Open APIs in Open Banking

  • Establish a clear and consistent API governance framework to counter these challenges and risks.
      ◦ Develop a governance charter that outlines the objectives, policies, and procedures for API governance.
      ◦ Assign roles and responsibilities for API governance to the different stakeholders, including financial institutions, third-party providers, and regulatory bodies.
      ◦ Establish a governance committee responsible for the ongoing review, management, and enforcement of the API governance framework.
  • Implement robust and effective security and risk management processes.
      ◦ Implement multi-factor authentication for API access and usage.
      ◦ Implement encryption for sensitive data in transit and at rest.
      ◦ Develop a security incident response plan that outlines how to handle security breaches and unauthorized access.
      ◦ Regularly monitor API access and usage for suspicious activity, and conduct security audits.
  • Implement effective testing and validation processes.
      ◦ Develop test cases and test scripts for functional and non-functional testing.
      ◦ Conduct user acceptance testing with representative customers to ensure the APIs meet their needs.
      ◦ Develop clear and consistent documentation for the APIs, including user guides and reference materials.
      ◦ Regularly update test cases and documentation as the APIs change.
  • Implement a consistent and clear API management process.
      ◦ Develop a process for managing and updating APIs, including a change management process.
      ◦ Regularly review and update the APIs to ensure they continue to meet the needs of customers and the financial institution.
      ◦ Monitor API usage and performance to identify issues and make changes as necessary.
  • Implement effective BCM and DR.
      ◦ Implement a Business Continuity Management (BCM) plan to ensure the continuity of critical business processes in case of an API outage or other disruption.
      ◦ Implement a Disaster Recovery (DR) plan that outlines the steps to recover from a disaster that causes an outage.
      ◦ Conduct regular resilience testing of the APIs to ensure they can handle the expected volume of transactions and to identify potential issues before they cause disruptions.
      ◦ Ensure that any third-party vendors involved in providing APIs have their own BCM and DR plans, and that these are regularly tested and reviewed to ensure they meet the necessary standards.
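To make the "monitor API access and usage for suspicious activity" control concrete, here is an added example that is not part of the original article. It runs a few open-banking-specific checks over constructed API gateway access logs: each request is matched against a constructed consent register (which client the consent belongs to, which scopes were granted, when it expires) and against a simple per-client rate window. The log format, field names, consent records and thresholds are all assumptions for illustration; a real deployment would read these from the gateway and the consent management system.

```python
"""Illustrative open-banking API access monitoring (added example, not the
article's own code). Log format, consent register and thresholds are assumed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed consent register (hypothetical shape): which third-party provider
# (client_id) holds the consent, which scopes the customer granted, and when it expires.
CONSENTS = {
    "c-1001": {"client_id": "tpp-alpha",
               "scopes": {"accounts:read", "balances:read"},
               "expires": "2024-03-01T00:00:00Z"},
    "c-1002": {"client_id": "tpp-beta",
               "scopes": {"accounts:read"},
               "expires": "2024-06-01T00:00:00Z"},
}

# Constructed gateway access log, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-02-10T09:00:00Z", "client_id": "tpp-alpha", "consent_id": "c-1001", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-10T09:00:01Z", "client_id": "tpp-alpha", "consent_id": "c-1001", "scope": "payments:write", "status": 403}
{"ts": "2024-03-02T10:00:00Z", "client_id": "tpp-alpha", "consent_id": "c-1001", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-10T09:05:00Z", "client_id": "tpp-gamma", "consent_id": "c-1001", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-10T09:06:00Z", "client_id": "tpp-delta", "consent_id": "c-9999", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-11T12:00:00Z", "client_id": "tpp-beta", "consent_id": "c-1002", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-11T12:00:01Z", "client_id": "tpp-beta", "consent_id": "c-1002", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-11T12:00:02Z", "client_id": "tpp-beta", "consent_id": "c-1002", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-11T12:00:03Z", "client_id": "tpp-beta", "consent_id": "c-1002", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-11T12:00:04Z", "client_id": "tpp-beta", "consent_id": "c-1002", "scope": "accounts:read", "status": 200}
{"ts": "2024-02-11T12:00:05Z", "client_id": "tpp-beta", "consent_id": "c-1002", "scope": "accounts:read", "status": 200}
"""

RATE_LIMIT = 5      # assumed: more than 5 requests per client ...
RATE_WINDOW_S = 10  # ... within 10 seconds is treated as a burst


def parse_ts(value):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyse(log_text, consents, rate_limit=RATE_LIMIT, window_s=RATE_WINDOW_S):
    """Return a list of findings, each {"line", "kind", "client_id"}.

    Checks per request:
      unknown_consent          - consent_id not in the register
      consent_client_mismatch  - a different TPP is using someone else's consent
      scope_violation          - scope requested was never granted (flagged even
                                 if the gateway returned 403: it may be probing)
      expired_consent_served   - request after expiry that the gateway still
                                 answered successfully (an enforcement gap)
      rate_burst               - per-client request rate crossed the window limit
    """
    findings = []
    windows = defaultdict(deque)  # client_id -> timestamps inside the sliding window

    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        rec = json.loads(raw)
        ts = parse_ts(rec["ts"])
        client, consent_id, scope = rec["client_id"], rec["consent_id"], rec["scope"]

        def flag(kind):
            findings.append({"line": lineno, "kind": kind, "client_id": client})

        consent = consents.get(consent_id)
        if consent is None:
            flag("unknown_consent")
        else:
            if consent["client_id"] != client:
                flag("consent_client_mismatch")
            if scope not in consent["scopes"]:
                flag("scope_violation")
            if ts > parse_ts(consent["expires"]) and rec["status"] < 400:
                flag("expired_consent_served")

        # Sliding-window rate check; assumes the log is in per-client time order.
        window = windows[client]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) == rate_limit + 1:  # fire once, when the limit is first crossed
            flag("rate_burst")

    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, CONSENTS):
        print(f"line {f['line']:>2}: {f['kind']:<24} {f['client_id']}")
```

Two of the findings deserve different handling. The `scope_violation` on line 2 was refused by the gateway (status 403), so it is an alert about a provider asking for more than it was granted, not a breach. The `expired_consent_served` finding on line 3 returned 200, which means the gateway did not enforce consent expiry; that is a control failure to fix at the gateway, with the monitoring rule kept as the safety net that catches the gap. The `consent_client_mismatch` case (line 4) is the one most directly tied to the identity-theft risk above: a token or consent identifier being used by a party it was never issued to.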

Service Level Agreements and Contract Terms

Before engaging with third-party providers, establish SLAs and Contract Terms. The things that you need to look for are –

  • Service availability
  • Response time
  • Data privacy and security
  • Service level credits
  • Compliance and regulatory requirements
  • Scalability and performance
  • Customer support and incident management
  • Governance and risk management
  • Intellectual property
  • BCM and DR
  • Termination and Renewal

Board and Top Management Involvement

The board and top management need to be stakeholders in this process. They must

  • Set strategy and direction
  • Establish an API governance framework
  • Ensure proper resources and controls
  • Monitor performances, risks, and effectiveness of the controls

The control and assurance functions must also be involved: risk management, cyber-security, compliance, and internal audit.

We cannot talk about governance and risk management without mentioning the regulators. Regulators are key players in open banking ecosystems. Their role is to establish regulations and guidelines; supervision and enforcement are just as important.

Last, but not least, we must adopt artificial intelligence and machine learning to enhance API analytics and strengthen security.

Ayman Jaber

Chief Internal Auditor & Audit & Compliance Committee Secretary at HALA
Astute, experienced and certified audit leader with almost 14 years of sustained success in roles such as Chief Internal Auditor, Director of Internal Audit and Senior Audit Manager across real estate, government, financial services, telecom, and oil & gas sectors. Proven ability in shaping internal audit strategy and methodology, and providing strong leadership to achieve operational, financial, and compliance objectives. My experience also includes serving as the Secretary of Audit & Compliance Committees and leading successful Audit Quality Assurance and Accrual Accounting Transformation Programs. Skilled in managing the end-to-end audit process and in developing assurance controls that minimize risk and drive value, I am able to guarantee efficient operations and accurate programmatic and financial reporting. My systematic approach to risk management and problem solving, coupled with my ability to strike a balance between fast development and compliance requirements, enables me to regularly meet and exceed targets, while fostering a performance-driven culture. I always seek to build a strong team environment and strategic client partnerships focused on trust and business ethics, to achieve organizational growth.
