PSD2 & Open Banking: The Role of API Management
PSD2 is upon us! From a technical point of view, now is the time to ensure the implementation of a dedicated PSD2 interface. In the previous articles in this series, we had a look at PSD2, some of its main technical challenges and implications, and how emerging standards can help with the implementation of a dedicated PSD2 interface.
In this last article, we will see what vital role API management solutions play when it comes to creating a compliant, secure, and resilient API interface – and how they effectively manage that interface.
With the regulatory standards having been adopted by the European Commission, banks within the EU now have until March 2019 to provide a version of their PSD2 interface that will allow Third Party Providers (TPP) to analyze its documentation and execute connection and functional tests.
Exactly what interface a bank will offer is determined by many factors, an important one being their strategic decision regarding PSD2 and open banking in general: What role does the bank envision for itself? While we know of some banks that have taken a firm decision to embrace regulation and seek out new business opportunities, the vast majority seems hesitant, which may have them end up playing a role that is a far removed from their envisaged one.
In addition, and probably influenced by these strategic considerations, the banks have to decide about the actual technical implementation of the PSD2 interface. As was outlined in earlier articles in this series, this interface is widely expected to be API-based, as APIs offer an effective way to quickly and securely expose business capabilities to whichever consumer audience they are intended to be shared with. Moreover, the use of APIs allows for delegation of a significant part of the technical implementation to specialized API management solutions.
What value will an implementing party derive from the use of an API management solution? This obviously depends on the selected solution; not all vendors offer the same depth and breadth in terms of API management capabilities. In the following paragraphs, you’ll find an overview of what you may expect from an enterprise-grade solution – for example, the Akana API Management Platform.
Considerations for API Management in Open Banking
First, whether approaching open banking from a perspective of mere compliance or whether expecting substantial business value from it, an API management solution may be expected to provide great help in terms of ease-of-implementation and interface flexibility. For example, it will allow APIs to be published in a simple and consistent manner, where the solution may even allow for alternative versions based on different OB/PSD2 standards (simultaneously or over time).
Considering the mandatory security requirements that come with OB/PSD2, such as the use of PKI and OAuth 2.0, these are notoriously hard to properly implement. An enterprise-grade API management solution that provides strong security capabilities should support these out-of-the-box.
Next to security, the Regulatory Technical Standards (RTS) place strong emphasis on a bank’s PSD2 interface in terms of its availability and stability – in other words, banks are required to adhere to strict service level agreements (SLA) with their interface consumers. This in turn requires the bank to be able to carefully monitor the performance of its APIs and ensure scalability of its interface while carefully auditing the request messages being processed – the latter also of indispensable value when it comes to fraud monitoring and prevention. Again, these are capabilities that an API management solution (such as the Akana API Gateway, in particular) should offer.
Furthermore, an API management solution may be expected to address security-related and operational aspects that are not explicitly addressed by the RTS or the PSD2 API specifications, but that should be taken into account nevertheless, for example:
- Additional security threats like distributed denial of service (DDoS), compromised message integrity, etc.
- Monitoring and management of consumer ‘behavior’, as a means to protect downstream systems (think of mitigating actions like traffic rate limiting or throttling)
Obviously, implementers should also expect their API management solution to offer a number of additional benefits; in particular, capabilities that will help them to effectively manage the APIs themselves, for example:
- API Lifecycle Management – API development lifecycle, API consumption lifecycle, API versioning
- API Analytics – API intelligence, consumption trends, etc.
From a wider, strategic perspective, an API management solution will also provide indispensable support for non-mandatory APIs - in particular relevant for those banks that approach PSD2 as a business opportunity rather than a regulatory obligation, or more generally as part of an enterprise’s digital transformation process.
As a final thought, delegation of the PSD2 interface implementation to an API management solution can be taken even further, literally delegating this to a distinct interface implementation partner. Where this partner would host and manage the interface for the bank, it would allow the bank itself to concentrate on the underlying business services. We have already seen some promising initiatives by organizations to create a centralized PSD2 interface or hub, for example in Poland.
PSD2 and open banking bring opportunities as well as challenges. In this series of articles, we have looked at the technical challenges in particular, and how these challenges may best be approached. Creating a OB/PSD2 compliant interface is far from trivial, but fortunately quite a number of essential implementation aspects can be delegated to specialized API management tools like the Akana API Management Platform. Having such an architectural component in place provides the required robustness and reliability in terms of security and availability, at the same time offering the required implementation flexibility. With PSD2 standards still being in flux, this flexibility may well prove to be among the principal benefits.