Is There a Risky Downside to APIs?

I recently wrote a blog on a Financial Brand article promoting Open Banking. In that article, I highlighted the value of APIs while making the point that you don’t need an Open Banking solution to gain value from what APIs offer. Subsequent to writing that article, I read another Financial Brand article that offered some additional information regarding elements of APIs of which financial institutions should be aware. These can best be described as “unintended consequences” of APIs, which by definition allow access to banking data by 3rd party applications. But what if bad actors can redirect an API’s access to achieve a result to their benefit?

A recent Financial Brand article highlighted this issue by using the example of the claw hammer. Invented over 250 years ago, the claw hammer was designed both to drive nails and to pull them. The same swing that drives a nail can also crush a human skull, yet there was never any intent for the claw hammer to be used as a murder weapon. The point is that while something can be created for a specific, positive purpose, there is always the possibility for that same thing to be misused with criminal intent.

Recent examples suggest that APIs can in fact be the target of criminal activity, and the attacker does not necessarily need to defeat the interface itself; the API can simply be used exactly as designed, for an end nobody intended. Take for example an API that was created to encourage customer referrals by paying a cash bonus. Hackers instead used the API to create fraudulent accounts, then used those fake accounts to refer other fake accounts. This went on for months before the hack was discovered, because there was nothing abnormal about the velocity of traffic occurring over the API; a rate limit or volume alert would never have fired. To avoid situations like this, additional monitoring of the data flowing through the API must be deployed (who is referring whom, and whether the referred accounts ever do anything other than refer the next one), and new tools such as AI can be used to provide earlier identification of suspect fraudulent activity.

Given that many APIs must handle non-public information (NPI) as a part of their intended function, a breach of the API would reveal customer data. Data breaches are often cited as a reason for customers to close accounts. Yet many financial institutions, and the vendors from which they procure APIs, are not providing detailed tracing of the activity occurring through the APIs. Perhaps APIs should be treated as systems subject to risk management no different from the software systems to which they connect. There is no question that each API has a specific purpose, and FIs would be wise to catalog which systems each API is connected to and what data is produced or harvested as a result of its purpose. Given that large banks can have in excess of 2,500 active APIs across all systems, this can be a monumental task. But at a minimum, community banks need to be aware of the risks associated with APIs and ensure that the appropriate controls over each API are written into 3rd party vendor contracts.

Some say that the security issue of data flowing across APIs is overblown because the data is encrypted in transit. Yet transit encryption only protects the data on its way between the caller and the bank; it does nothing about an authorized caller who misuses the API, as in the referral example above. Richard Bird of Traceable AI goes further: “We have a 40-year body of history that shows that encryption really stinks. It hasn’t saved us from anything.” He sees the heavy reliance on the internet and APIs as “putting the fox in the henhouse.” His advice is to ensure that high level technology management and compliance professionals are aware of the security issues that APIs represent and to enact the appropriate monitoring and oversight of the APIs and the data they access.

My take is that APIs are an important tool for community banks that can level the playing field against their larger competitors. While the risks associated with use of APIs must be understood and controlled, in no way should these manageable risks cause a financial institution not to deploy APIs in applications that are strategic for the institution’s future success.


Resources

https://thefinancialbrand.com/news/banking-innovation/banks-apis-bring-innovation-but-also-risk-179019/


The views expressed in this blog are for informational purposes. All information shared should be independently evaluated as to its applicability or efficacy.  FNBB does not endorse, recommend or promote any specific service or company that may be named or implied in any blog post.