This overview provides key data points that measure the enabling environment for open banking APIs. In particular, we look at:

• Regulations that create the framework to encourage open banking adoption
• Standards that enable stakeholders to scale faster
• Security technologies and impacts that can protect stakeholders and build trust and confidence in open banking
• Developer experience strategies that enable fintech and businesses to build fast enough to bring new financial services and products to market.

Methodology: Platformable reviews progress and activities of all open banking regulations around the globe and assesses whether current actions are being implemented, under review or in consultation made, or are stalled.

By the end of Q4 2020, open banking regulations were driving the economic context in Australia, New Zealand, UK, Europe, India, Israel, Egypt, Japan, South Korea and Hong Kong. Some countries have introduced consultations to help drive industries towards open banking APIs, notably Colombia, China and Indonesia. In Mexico, U.S., Nigeria, Kenya and Rwanda, initial efforts to introduce open banking APIs have stalled. For the U.S., we plan to update the tracking from "stalled" in Q4 to "planned/consultation phase" for Q1 in 2021. In late October 2020, the U.S. Consumer  Financial Protection Bureau announced a review of consumer access to financial records, which would cover API access to financial services, such as account information.

Open Banking Platforms: Use of API Standards (N=563)

METHODOLOGY: Platformable tracks all banks globally and tallies those that have established an open API platform. We then review how many API products are made available by each bank and tally them according to category, and measure other API characteristics such as standards and specifications used, developer experience strategies employed, and business model/monetisation approaches. We review each bank at least once every three months.

Globally, while there is no clear API standard that is used to build all bank APIs, the majority of banks (especially in Europe) are moving towards referencing The Berlin Group API template as a standard.

Some countries have their own national standards. The UK, for example, has embedded use of the UK Open Banking Implementation standard into their regulatory framework. Australia has taken a similar approach with the Australian Consumer Rights Standard.

Industry segments with security incidents in Q4 2020 (N=34)

METHODOLOGY: Platformable reviews data from the apisecurity.io industry newsletter, tech media, and other sources to tally major API-related security incidents occurring each quarter.

Drawing on a range of datasets, but in particular the exemplary work of apisecurity.io, we found that 9% of security incidents (that is, 3 cases) occurring in Q4 2020 involved the fintech, insurance and banking sector. The three cases included an insurance breach in the United States; a cryptocurrency exchange (Liquid) in Japan; and a crypto-based digital wallet service (Ledger) that is not accredited to use open banking APIs, that operates in Europe. While these three cases did not nesssarily involve open banking APIs, they can impact on consumer trust in the open banking sector.  For example, an API key was hard-coded into the Ledger source code for a client application, which allowed a hacker to access the fintech's user database and post email and account information publicly. This could reflect on the open banking ecosystem, as it could be used as evidence that "APIs aren't secure" rather than focusing on the poor security hygiene and lack of industry best practices that created this particular problem.

Authentication Protocols and Security Technologies Used in Open Banking (N=563)

METHODOLOGY: Platformable tracks all banks globally and tallies those that have established an open API platform. We then review how many API products are made available by each bank and tally them according to category, and measure other API characteristics such as standards and specifications used, developer experience strategies employed, and business model/monetisation approaches. We review each bank at least once every three months.

Overall, while the majority of open banking platforms are moving towards OAuth 2.0 as an authentication protocol standard, there are no current common approaches to other security technologies being adopted by banking platforms. Several banks do offer multiple security technologies, while it was unclear if others had any specific security controls in place.

Open Banking Use of OpenAPI Specification format (N=563)

METHODOLOGY: Platformable tracks all banks globally and tallies those that have established an open API platform. We then review how many API products are made available by each bank and tally them according to category, and measure other API characteristics such as standards and specifications used, developer experience strategies employed, and business model/monetisation approaches. We review each bank at least once every three months.

As discussed in our API industry trends summary, using the OpenAPI Specification can be an enabler that supports developers to build products and services more quickly. This can help fintech and other businesses that are building with open banking APIs to become commercially viable faster.

In Europe, there is strong support for using an OpenAPI Specification file to describe what an API does, in a machine-readable form. Other regions are seeing some uptake, but it is far from being an accepted industry norm at present. This is particularly concerning in regions such as Latin America, where countries like Brazil are working to introduce open banking regulations quickly this year. It would be ideal if banks were able to make use of an API specification standard like OpenAPI Spec to help fintech consumers build new solutions faster as open banking APIs become available.

Keep up to date with our open banking quarterly trends reports. Subscribe now for access to a downloadable data deck and for early adopter access to our interactive dashboard and API.