How Sensedia supports banks to modernise their legacy architecture

Updated at Wed Apr 13 2022

Who should read this:

Banks, fintech, API consultants and tooling providers, financial inclusion advocates, regulators, anyone with an interest in how open banking and open finance ecosystems can grow to benefit everyone.

What it’s about:

Key take-away points from the discussion we recently had with the Brazil-based global connectivity and integration solution expert Sensedia on how they support banks to modernise their legacy architecture.

Why it’s important:

Open banking and open finance ecosystems are becoming the world’s digital financial infrastructure. Discussions such as the one we had with Sensedia illustrate the challenges facing stakeholders in this transformation, identify tested solutions and tools available, and explain best practices to overcome these challenges.

 

How do API management providers support open banking implementations?

There are three main ways: 

  • Regulatory compliance
  • Embracing new partnerships and competition 
  • Data protection and security

We can see how this plays out in practice by looking at Sensedia. The Brazil-based (but now globally-focused) API connectivity and integration solution provider offers a variety of products to help businesses modernise their integrations. Their Open Banking Platform aims to support the four pillars of open banking – API design & building, new partnerships, governance & compliance, and security & consent – and covers all aspects of open banking and open finance.

Source: Sensedia website (https://www.sensedia.com/sensedia-clients-stories) and other public sources

API management for regulatory compliance 

Open banking regulations such as Europe’s PSD2, Australia’s Consumer Data Right, and Brazil’s Open Banking framework require that banks share their customer data (with their consent) with accredited third-party providers. These frameworks force banks to create an effective mechanism to modernise their legacy infrastructures. In some jurisdictions, regulators have also encouraged a unified approach to open banking implementation by setting their own country-level standards (as seen in the UK, Australia, and Brazil). 

In countries where open banking regulation is still in a nascent stage, industry standards bodies like the Berlin Group, Financial Data Exchange, and Open Banking Nigeria are helping guide API design best practices. As open banking regulations continue to evolve towards open finance and beyond (not to mention other legislation specifically governing the financial sector), effective API management will help banks to stay compliant.

Sensedia also prefers a regulation-first approach. With every new client, regulations are considered during the initial data-gathering phase. It’s important to Sensedia that RegOps is given as much consideration as Tech or SecOps, since regulatory adherence is a proactive process that requires both Sensedia and their clients to be on the same page. This is especially important since different regulatory environments call for different approaches. In Brazil, open banking and open finance regulations are still maturing, so additional attention must be given to application compliance amidst this changing landscape. This is less of a concern in the European market, where PSD2 is likely to remain constant for a while.

API management to stay competitive with new partners

One of the main objectives (and benefits) of open banking and open finance is to bring the focus back to the end consumers. The open banking ecosystem provides the opportunity for banks to partner with third-party providers (fintechs, other banks and non-financial institutions) to develop API-enabled innovative products and services that are personalised to consumer needs and enhance the customer experience. In this context, API management providers can help bridge the gap between technical and business requirements during planning/designing and implementation, as well as make sure the new API-enabled architecture is developer-friendly and meets the intended strategic goals.

From Sensedia’s experience, open banking is indeed more than just compliance. Beyond adherence to regulations, many of Sensedia’s clients are looking to leverage open banking to stay competitive in the market. Updating their legacy architecture allows them to offer customers previously unavailable products and services.

According to Sensedia, in-house implementation is unsustainable. In a rush to comply with regulations, many European banks have chosen to update their legacy architecture on site. However, the requirements of this implementation soon became unsustainable due to the necessity of ongoing updates – such as managing certificate validation – that are needed to keep the system running. Sensedia helps these clients integrate their applications into Sensedia’s existing open banking software, so banks can remain compliant while lessening the strain on their internal resources.

API management for data protection and security

APIs help to address cybersecurity by making security design the first order of concern when designing digital systems. Security and privacy can be built in as part of the design of APIs rather than ‘tacked on’ at the end of the process. 

Data exchange systems can be secured and data privacy upheld by using API and digital government security best practices. APIs can embed dynamic identity management controls to provide identity authentication, determine access privileges in real-time and enable identities to be tracked throughout digital environments. API service management platforms make it easier to monitor large data flows and scan continuously for any anomalies that may represent security or fraudulent threats.

As discussed above, DevRegSecOps is taken into consideration during requirement analysis early on in Sensedia’s planning stage – when building business requisites. Regulation by design is the same as security by design – regulations are built into the requirements. As-is architecture is also mapped out so improvements can be made.

Source: Sensedia website (https://www.sensedia.com/open-banking-and-finance)

Key takeaways from Sensedia’s process and experience

How to map necessary changes to make banks API-ready

According to Gibson Pasquini Nascimento, Sensedia’s Head of Solutions for EMEA, “[Open banking implementation] is not a checklist, it’s more of an understanding.”

For every client, Sensedia starts by understanding their existing architecture. Banco Topazio and Banco Originale, for instance, were more advanced in their digitalisation journey and already had a strong developer team ready to talk through APIs. Both are adopting the BaaS model.

Banks that align architecture with business strategy go deep into tech requirements during the initial meeting. Then an additional hands-on meeting occurs between Sensedia and the bank’s tech team to understand how the bank is organised in terms of tech, software, dev and evolution. During this meeting, a Sensedia consultant will typically ask specific integration questions to combine the tech and business requirements. They’ll discuss how the tech requirements can meet the business requirements and will explain to the bank what they need to do next. That meeting drives the rest of the process and helps plan the next steps. 

Typical stages in an API-tech modernisation process 

Phase One: Initiation (approx. 2 to 4 weeks)

Sensedia starts by sitting down with a new client to gather data on their bank’s tech stack. They discuss the bank’s current architecture, how the bank is organised (technology, software, development and evolution), and their regulation needs. They also help the client determine if complete application modernisation or a microservice layer is the best route for open banking readiness. During information gathering and proposal creation, Sensedia involves their relevant teams – such as security and development – so they can ensure their solution covers all of the client’s requirements. For instance, if the client has a modular structure, Sensedia has a channel for them to communicate with, a ledger that keeps track of accounts, card management systems, SWIFT, and clearing and settlement networks.

Phase Two: Creation and implementation (approx. 6 to 8 months)

After the client has approved Sensedia’s proposal and the specifics are agreed upon, all teams involved in the process get started. The complexity of applications and microservices can vary widely depending on each bank’s needs, but every solution is built and tested with development, regulation, security operations and business requisites in mind. After the application has been created and implemented, tests are conducted for performance, validation and regulation adherence. Depending on a bank’s willingness to modernise their applications or just enable them for APIs, the timeline of this phase can vary greatly.

Phase Three: Follow-up (timeline ongoing)

Sensedia provides ongoing client support after their new applications or microservices are in place. Regulations are monitored to ensure the bank remains compliant with any regulatory changes and all newly created APIs are monitored to ensure they’re being properly exposed to open banking.

Source: Sensedia website (https://www.sensedia.com/open-banking-and-finance)

Which metrics to use to monitor the new API-enabled architecture

Sensedia measures the success of enablement by latency testing the bank’s existing legacy processes to confirm they’re working as well as they did before the modernisation.

A regulatory dashboard also helps Sensedia’s clients keep track of the changing regulatory landscape. The dashboard compiles data metrics like API calls, errors and the number of APIs available per product.