
The Fed says banks need to know where their APIs are. An API marketplace can help reduce risks.


Do you know where all your APIs are – or how many you have? If someone visited your bank’s headquarters today and asked to see them, would you be able to produce a list on the spot?

It’s not such a far-fetched scenario. In my discussions with financial institutions, a common concern is how to get a single source of truth for their digital assets.

As banks integrate newer technologies and innovate with fintechs, unmanaged APIs can become a serious security concern: a 2022 analysis of more than 16.7 billion API transactions found that 31% of the malicious requests targeted unknown, unmanaged, or unprotected APIs.

Beyond the security risk, not knowing where your APIs are is now a regulatory concern too: the U.S. Federal Reserve system laid out SR 21-14 two years ago, issuing guidance on authentication and access to financial institution services and systems. A key provision of this guidance is a need to know what you have.

What you need to know about SR 21-14

SR 21-14 offers guidelines for risk reduction in banking and applies to financial institutions supervised by the Federal Reserve, including those with $10 billion or less in total consolidated assets.

Per the Federal Reserve Board:

“This guidance acknowledges significant risks associated with the cybersecurity threat landscape that reinforce the need for financial institutions to effectively authenticate users and customers to protect information systems, accounts, and data.”

The letter details the importance of risk management practices that can support oversight of user and customer identification, authentication, and access solutions. It points to how input from various business functions and units can help build a more integrated, enterprise-wide approach to risk reduction.

It also highlights the need for periodic risk assessments and explicitly calls out the importance of inventorying every part of your information systems.

“Inventory all information systems and their components, such as the hardware, operating systems, applications, infrastructure devices, APIs, data, and other assets, that require authentication and access controls.”

Notably, the Fed makes it clear that the responsibility for risk management falls to the bank, whether the bank itself provides the data and authentication controls or outsources them to a third party.

What does this mean for me?

If you are a bank that’s using APIs – whether large or small – SR 21-14 means you can’t afford to have an unclear picture of your API landscape.

When banks are audited for compliance purposes, Federal Reserve examiners will typically ask to see your IT assets and how they are governed. If there isn’t a clear view and you cannot succinctly show the auditor what you have and how you’re managing risk, that will reflect negatively in your organization’s audit report.

As mentioned previously, lacking clarity on where your assets are and how they’re being accessed is a major security concern – you cannot manage what you don’t know exists. And federal oversight now makes that clarity a compliance issue, too.
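The practical check behind that sentence is a reconciliation: compare the API inventory the bank believes it has against what the gateway actually serves, and split the results into the three categories the statistic above uses (unknown, unmanaged, unprotected). The following is an added illustration, not code from the original post or from any vendor product; the inventory, the log lines and the `{id}` path normalization are constructed assumptions, and a real deployment would read the inventory from its own catalogue and the traffic from its gateway's access logs.

```python
import re
from collections import Counter

# Constructed sample inventory: the routes the bank *thinks* it exposes.
# "auth" is None when no authentication control is recorded for the route.
KNOWN_APIS = {
    ("GET", "/v1/accounts/{id}"): {"owner": "retail-core", "auth": "oauth2"},
    ("POST", "/v1/payments"): {"owner": "payments", "auth": "oauth2"},
    ("GET", "/v1/fx/rates"): {"owner": "treasury", "auth": None},
}

# Constructed gateway access log lines (combined-log style), including two
# requests to routes that appear nowhere in the inventory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2023:10:00:01 +0000] "GET /v1/accounts/1234 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jun/2023:10:00:02 +0000] "POST /v1/payments HTTP/1.1" 201 64
10.0.0.9 - - [01/Jun/2023:10:00:03 +0000] "GET /internal/debug/users HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jun/2023:10:00:04 +0000] "GET /v2/accounts/1234/statements?page=1 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jun/2023:10:00:05 +0000] "GET /v1/fx/rates HTTP/1.1" 200 128
"""

# Extracts the method and request path from the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def normalize(path):
    """Map a concrete request path onto an inventory template.

    Assumption: numeric path segments are resource identifiers, so
    /v1/accounts/1234 becomes /v1/accounts/{id}. Query strings are dropped.
    """
    bare = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", bare)


def parse_log(text):
    """Yield (method, path) for every parseable request line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("method"), m.group("path")


def find_unknown(log_text, inventory):
    """Routes observed in traffic but absent from the inventory, with hit counts."""
    counts = Counter()
    for method, path in parse_log(log_text):
        key = (method, normalize(path))
        if key not in inventory:
            counts[key] += 1
    return counts


def find_unprotected(inventory):
    """Inventoried routes that record no authentication control."""
    return sorted(key for key, meta in inventory.items() if not meta.get("auth"))


def reconciliation_report(log_text, inventory):
    """Summary an examiner could be shown: what is known, what is not, and
    which known routes still lack an access control."""
    unknown = find_unknown(log_text, inventory)
    observed = {(m, normalize(p)) for m, p in parse_log(log_text)}
    return {
        "inventoried": len(inventory),
        "observed_routes": len(observed),
        "unknown_routes": dict(unknown),
        "unprotected_routes": find_unprotected(inventory),
    }


if __name__ == "__main__":
    for k, v in reconciliation_report(SAMPLE_LOG, KNOWN_APIS).items():
        print(f"{k}: {v}")
```

On the constructed data the report flags `/internal/debug/users` and `/v2/accounts/{id}/statements` as routes with live traffic but no inventory entry, and `/v1/fx/rates` as an inventoried route with no authentication control. The first two are what the post calls unknown or unmanaged APIs; the third is the "unprotected" case. The same reconciliation, run on a schedule against the real catalogue and gateway logs, is the evidence of an asset inventory that SR 21-14 asks for.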

Visibility into your APIs isn’t just a “nice to have” anymore. In order to enhance trust in the financial data ecosystem you’re building, you need to be able to demonstrate strong business control.

Trust is everything

I recently had the pleasure of participating at the FDX Global Summit on a panel with other industry experts including our partner, Anil Mahalaha, Open Finance – Chief Evangelist at Akoya. One highlight of the conference for me was a speech by Michael J. Hsu, Acting Comptroller of the Currency.

While he discussed open banking specifically, his point – that a loss of confidence is a bank’s greatest vulnerability – applies to the entire financial services industry.

“In banking, trust is everything. It cannot be engineered or manufactured or bought,” Hsu concluded. “It must be earned, carefully maintained, and vigorously protected. An open banking culture that recognizes that and puts trust above other objectives, including growth and profit, will succeed and thrive over time.”

In our day and age, banks are transitioning from custodians of money to true custodians of data and trust. And if customers – and regulators – are going to trust banks with data, it’s essential that banks keep track of the data and how it’s being accessed.

The value of an API marketplace for banks

Banks today use APIs for anything from payment processing to fraud detection or loan origination. The possibilities are extraordinary, but as organizations develop and expose more APIs, they can run into complexity and governance problems.

For example, larger organizations typically start by leveraging an API developer portal – or several – to manage their APIs. But as the number of APIs grows, different teams and regions can end up siloed, and enterprise architects may struggle to have a clear view of the organization’s API portfolio.

This is an issue even if a bank is only using internal or private APIs for the moment. And if it’s a concern at this stage, the problem will be compounded when banks look to open up to the larger financial ecosystem, connecting with partners, aggregators, fintechs, and more.

It’s essential to be able to keep a handle on where your assets lie. That’s why Amplify Enterprise Marketplace gives banks full visibility into all API adoption, usage, and performance, as well as other metrics for both API consumers and providers.

Build your own API marketplace with Amplify Enterprise Marketplace

With a universal API management platform as its foundation, Marketplace can give enterprise architects a clear picture of all APIs – no matter where they are deployed or which vendor gateway houses them.

With Marketplace, organizations benefit from discovery of unmanaged APIs, automated identification of non-compliant services, clear access controls, and prebuilt security policies to protect their customers' data and hard-earned trust.

And when you’re ready to open up your APIs to leverage a richer ecosystem and discover new business models, Amplify Enterprise Marketplace makes it possible to centrally group and package APIs, laying the groundwork to treat APIs as products and even monetize them.

Round up all your APIs for better visibility to strengthen your bank’s security posture, make smarter API decisions, and pass compliance audits with flying colors.

Discover why business leaders, IT leaders, app developers, enterprise architects, and others stand to gain tangible benefits by building their own API marketplace.

Key Takeaways

  • Unmanaged APIs pose a significant security risk, with one study revealing that 31% of malicious requests targeted unknown, unmanaged, or unprotected APIs.
  • SR 21-14, a guidance issued by the U.S. Federal Reserve, emphasizes the importance of knowing and managing all APIs, making it a regulatory concern for financial institutions.
  • Maintaining trust in the financial data ecosystem requires banks to track their data and how it's being accessed, transitioning them into custodians of data and trust.
  • Amplify Enterprise Marketplace provides visibility into API adoption, usage, and performance, helping banks manage their API portfolio, ensure compliance, and strengthen their security posture.