API Security Takes Center Stage as EU Financial Services Regulations Heat Up

Earlier this year, the European Commission published its proposal for revising the EU’s payments legislation, PSD2. The new PSD3 proposal outlines several significant changes and developments that will affect third-party providers, such as banks and PSPs.

Financial services firms employ an intricate blend of technologies, applications and processes to cater to customers and address deep structural challenges within organizations. As a result, the banking landscape heavily depends on APIs to the extent that they have become business-critical. APIs enable financial institutions to engage with their ecosystem, inspiring developers to build new products, enhance existing services and operate with greater efficiency.

Legislation to Safeguard the Sector

This is perhaps why regulators are stepping up with an array of cyber-related legislation to safeguard the sector’s integrity, since the rise in API use has brought a corresponding rise in exposed cybersecurity vulnerabilities.

However, there is a lack of API standards in the market today. The European Commission’s PSD3 proposal, along with the Payment Services Regulation, seeks to foster continued growth in open banking while tackling concerns related to API quality, and gives authorities the tools they need to assess the dedicated API interfaces offered by banks and other financial institutions more effectively.

This marks the first time APIs have been explicitly targeted this way in the legislation, underscoring their significance. The new standard ensures that regulators consistently address the security requirements of the payments industry, advocate for security as an ongoing process, and improve validation processes.

The financial industry will need to prepare for these regulatory changes to remain compliant and competitive. There are some important recommendations for financial organizations to consider in 2024 to secure their APIs, protect their cloud-based applications and improve overall API security.

Authentication

API authentication and authorization are critical components of API security in financial services. Authentication ensures that only authorized users can access your APIs, while authorization controls what actions authorized users can perform. Implementing strong authentication and authorization mechanisms can help prevent unauthorized access to your APIs and protect your cloud-based applications.

Encryption

Leveraging best encryption practices is an essential component of API security. It ensures that data transmitted between financial systems is secure and cannot be read by hackers if intercepted. The right encryption for your APIs can help protect against data breaches and ensure that sensitive data is transmitted securely.

Inventory

IT security’s major mistake is underestimating how difficult it is to build an accurate system of record of all their APIs, given the dynamic nature of cloud services. API discovery, monitoring and logging, particularly with always-on runtime capabilities, can help detect and prevent attacks on your APIs. By monitoring dynamic API usage and traffic and logging events, you can detect suspicious activity and take action before an attack succeeds.

Vendor Risk Management

Financial organizations must assess the security posture and reliability of third-party API providers before integrating them into their systems. Evaluating factors such as the provider’s track record, security certifications, data protection practices and disaster recovery capabilities is critical for minimizing software supply chain risk. Reviewing software bills of materials (SBOMs), together with continuous security testing, vulnerability scanning and code review, is good hygiene for firms’ third-party APIs.

Protection

Finally, API runtime protection can help prevent attacks such as DDoS and brute-force attacks. Adding customized checks and policies that block API requests attempting to break business logic can help prevent exploitation. Rate limiting restricts the number of API calls that can be made within a specific time frame, while throttling limits the rate at which requests can be made; together, both help mitigate brute-force and denial-of-service attacks.
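The rate limiting and throttling distinction above, as an added example that is not code from the original article: a per-client sliding-window rate limiter (calls per time frame) beside a token-bucket throttle (sustained rate with a burst allowance), with an injected clock so the behaviour can be checked offline. All class, method and parameter names are assumptions.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Rate limiting: at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # client key -> timestamps of recent requests

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over quota for this time frame: reject (e.g. HTTP 429)
        q.append(now)
        return True


class TokenBucketThrottle:
    """Throttling: sustained `rate` requests/second, bursts up to `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.state = {}  # client key -> (tokens available, last refill time)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False  # request arrived faster than the permitted rate
        self.state[key] = (tokens - 1, now)
        return True


class FakeClock:
    """Constructed clock so the example runs deterministically without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```

In production the per-client state would live in a shared store (and the client key would be derived from the authenticated identity, not just the source IP) so that every gateway node enforces the same quota.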

APIs have emerged as the standard means of connectivity and data exchange in contemporary financial services environments, and this trend is expected to persist. Bearing this in mind, ensuring the security of APIs, both before production and after, is crucial for securely navigating our digitally-oriented banking realm.

Consequently, financial services entities should collaborate with an API security platform provider capable of providing robust API security and assisting in meeting compliance and governance standards. In this changing regulatory landscape, such collaboration will empower organizations to implement a resilient API strategy encompassing discovery, posture management, runtime protection and API security testing.

Andy Grolnick

Andy Grolnick has over 35 years of experience building, growing and leading security technology businesses. Prior to his CEO role at Graylog, Andy was CEO and Chairman of LogRhythm for 14 years.