Your bank needs to use external fintech products and services that require externally facing APIs. You must ensure it is done securely, but the breadth and complexity of external APIs are overwhelming.
You’re struggling with fintech integration security because:
- You have realized that your bank doesn’t even know about all the APIs that may be in use.
- API-based security threats have become dramatically more sophisticated with the increased use of AI- and ML-based threats.
- There are so many elements to API security that you are unsure where to start and which security investments will deliver the greatest improvement to your fintech API security.
Our Advice
Critical Insight
Your bank is fearful of enabling external APIs because of the potential security risks, and the process of securing them seems filled with complexity.
Banks are struggling with API security because:
- It is difficult to understand the entire API landscape. You don’t have a way to survey your APIs in production.
- Your bank is unsure what an API gateway is and what benefits it can bring to your fintech security.
- Banks that have an API gateway don’t have a tool to evaluate its current state of maturity.
- It is difficult to understand how to reconfigure and improve your API gateway without understanding your gateway’s current state.
Impact and Result
- Once you have completed your API security improvements, your bank will dramatically improve its API security by identifying all APIs in production and creating a catalog with complete documentation.
- You will understand the role and importance of an API gateway to your bank as well as the impact of other various deployment models that are available.
- Finally, you will compare your API transaction details to a best practices-based example. By understanding and adopting best practices, your bank’s API transaction-level security will be elevated.
Improve Your API Processes to Secure Your Fintech Integrations
Implementing and configuring your API gateway is critical to securing your fintech integrations.
Analyst perspective
API gateways configured to maximize their advanced capabilities are critical.

Modern banks are moving away from internal systems that provide many of their product and service capabilities. In their place, they are rapidly shifting toward a composable infrastructure approach that increasingly utilizes external fintech service providers. This approach enables banks of all sizes to choose the fintech partner that offers the best solution.
As products and services shift toward fintech-based providers, external API integration is becoming an increasingly critical capability. In banking, the most crucial element of external API integration is security. As banks open their traditionally closed environment to partners, the potential for dangerous security breaches increases exponentially.
API security must be a top priority for a bank’s security investments. API security is a broad and technical topic where the devil is in the details. One of the cornerstones of external API integration is API gateways. Some banks choose direct point-to-point integrations to enable their fintech ecosystems and forego the use of an API gateway. This approach is problematic for many reasons.
Choosing the right API gateway and deployment model is only the beginning of your API gateway journey. Your bank must also ensure that you are enabling and configuring your API gateway to maximize its benefits. Properly configuring the advanced security capabilities of your API gateway will dramatically enhance your external fintech security.
David Tomljenovic, MBA, LL.M, CIM
Principal Research Director
Financial Service Industry Lead
Info-Tech Research Group
Executive summary
Your Challenge
Your bank needs to use external fintech products and services that require externally facing APIs. You must ensure it is done securely, but the breadth and complexity of external APIs are overwhelming.
You’re struggling with fintech integration security because:
- You’ve realized that your bank doesn’t know about all the APIs that may be in use.
- API-based security threats have become dramatically more sophisticated with the use of AI- and machine learning (ML)-based threats.
- There are so many elements to API security that you’re unsure where to start and which security investments will deliver the greatest improvement to your fintech API security.
Common Obstacles
Your bank is fearful of enabling external APIs because of the potential security risks and the process of securing the APIs seems complex.
Banks are struggling with API security because:
- It’s difficult to understand the entire API landscape. You don’t have a way to survey your APIs in production.
- Your bank is unsure what an API gateway is and what benefits it can bring to your fintech security.
- Banks that have an API gateway don’t have a tool to evaluate its current state of maturity.
- It’s difficult to understand how to reconfigure and improve your API gateway without understanding your gateway’s current state.
Info-Tech’s Approach
Your bank can’t secure what it doesn’t know exists. Your API security journey begins by finding all APIs in production. Then catalog, manage, and operate them using best practices.
To securely enable external APIs, your bank needs to:
- Discover, catalog, and document all APIs in production with a special focus on capturing previously unknown or undocumented APIs.
- Adopt an API gateway that has advanced security capabilities.
- Review your current API process using the Info-Tech model API transaction example.
- Establish the baseline of your current API gateway using Info-Tech’s API Gateway Maturity Assessment Tool and create a gap improvement plan.
Info-Tech Insight
Enabling external APIs is essential for your bank’s future success. You can ensure your external APIs are secure by discovering all the APIs that are in use, as well as through the adoption and use of an advanced API gateway that is configured to use the latest API security best practices.
Your challenge
You’re exposing more APIs to fintechs, and you’re concerned about your security.
- Greater external API exposure increases the potential for security challenges. As banks expand their product and service offerings, they are increasingly using external partners. Many of these services are delivered through API channels. As the number of external products/services increases, so does the number of externally exposed APIs, leading to growing security risks.
- Most organizations are unaware of all their APIs. It is estimated that 68% of organizations have shadow APIs that are not cataloged/documented (ERP Today, 2023). It is impossible to secure APIs that you don’t know about.
- Your bank may not be using an API gateway. Some banks have chosen direct integrations with partners, rather than a gateway that manages and secures their external APIs, and rely on application-level security, which can be ineffective and lack timeliness.
- Your API processes may have become outdated. Whether your bank uses an API gateway or not, many banks have not updated their API transaction processes. This leaves your bank at risk as the threat environment continues to evolve.
Common obstacles
API processes are complex and have many components that you need to address.
- A lack of understanding of best practices. The technologies and methods used to secure external APIs are constantly evolving, becoming more complex, and increasingly rely on externally provided capabilities. These changes make it difficult to understand what the best practices are for securing externally facing APIs.
- Not having access to tools to evaluate your current state impartially. The growing complexity of external API security and the continuous level of change make it difficult for organizations to evaluate their current security capability impartially. Having access to a tool that aligns with best practices across the API lifecycle is important to understand your current state and what needs to be done to improve.
- API transactions have many elements that need to be secured. As threats evolve, the detailed steps of your API transactions need special attention. Having a guide to current best practices can make securing your API transactions easier.
Leading-edge API security is critical
Fintech integrations are essential for modern banking but increase security threats.
- Fintech APIs present different security challenges. The threats are mostly invisible because the APIs connect two businesses. Fintech APIs are different from business-to-customer APIs, where security issues can be more visible.
- API security is not just one thing. There are many technical aspects to API security, but unlike other security topics, there isn’t a definitive list of items to address.
- Bad actors are increasingly looking to APIs. The growing use of fintech capabilities in banks has created a new opportunity for criminals to attack banks.
- AI and ML are escalating API threats. Bad actors are using advanced tools such as AI/ML to adapt traditional techniques to circumvent existing security. AI and ML also deliver new levels of intelligence and bots to find new areas of APIs to exploit.
- Current API security can overlook existing APIs. Most modern API security approaches focus on modernizing current infrastructure and processes. Limited attention is given to APIs that are already in use.
API security is a top priority (45%)
A 2022 security survey identifies APIs as a top priority (“The State of API Security,” Black Duck).
APIs represent 57% of dynamic internet traffic
A 2024 API security report demonstrates how much data APIs move (“2024 API Security and Management Report,” Cloudflare).
Info-Tech’s approach
Securing external fintech integrations should begin with an API gateway.
- You need to identify all your APIs before you begin the process of securing them. Most organizations have APIs in production that they are not aware of. The security risks associated with this are obvious. Bad actors are using AI/ML tools to scour your API endpoints and may understand them better than you do.
- Your bank’s API gateway is a critical capability. You don’t know what you don’t know! By doing a maturity assessment of your API gateway, you can understand your current state.
- Use your current state analysis as the basis for your future improvements. Having reviewed your API gateway maturity and the details of your API transactions, you now have a clear understanding of what needs to be improved. This gap analysis will become the basis for the work you will undertake to improve your API gateway and API process capabilities.
Secure your fintech APIs
Externally facing API use is growing. So are the security risks.

Info-Tech’s Approach
Your bank must identify all its APIs and then evaluate them to determine suitability for migration to your API gateway. The risk department must approve nonconforming APIs, and alternate security measures must be put in place. The remaining APIs need to be migrated to your API gateway and upgraded to conform to current standards.
Focus on:
- Maintaining a complete inventory of APIs, so you are aware of all potential threats and can ensure ongoing updates.
- Migrating conforming APIs to your API gateway, where they gain the gateway’s security protections.
- Adopting the latest security approaches to meet the continually evolving and escalating threats confronting your APIs.
Your Challenge
Your bank is experiencing:
- A lack of awareness of all its APIs. There are APIs in production that you’re not aware of (shadow APIs).
- Not all APIs are using the API gateway. APIs that are missing from your inventory cannot have been routed through your API gateway.
- API-based security threats are increasing. New AI/ML threats are challenging traditional API security techniques. You need to enhance your API process security, but you’re unsure of the best approach.
Action Steps
Create an inventory of all your bank’s APIs.
Most banks are not fully aware of all the APIs operating in their environments. Without an inventory of all APIs, you can’t protect them. This inventory can be used to migrate APIs to your API gateway. Some APIs may not be suitable for use through an API gateway, and you need to determine which are not and why. APIs not using the API gateway must be approved by your risk department.
Evaluate your API gateway and its configuration.
While building your API inventory, evaluate your API gateway to ensure that it is capable of supporting the security needs of your bank’s APIs. You can use the API Gateway Maturity Assessment Tool to determine your API gateway’s state of maturity based on specific criteria.
Analyze API transactions for best practices to guide gateway configuration.
To deliver deep API security, your bank should evaluate its API process against a model consisting of best practices. You may need to update your API processes to elevate your security.
Before you proceed
Ensure that you have engaged everyone involved in your API-related activities.
- You will require a broad constituency. API security involves many areas and groups within your bank. To effectively evaluate your API security, you will need to assemble individuals from the business, external partners, infrastructure, enterprise architecture, IT, and, most importantly, your bank’s risk department. Solicit a broad range of input to ensure that your fintech security is comprehensive and effective, meets risk compliance, and doesn’t impede the business functions that it is meant to protect.
- Prepare for cross-functional teams. Work as a group to transform and improve your fintech API security. The groups involved may be siloed. Your fintech API security program must ensure that information and changes are broadly disseminated so that everyone is informed about the changes across all areas of API capabilities.
- Prepare to train your employees. Depending on the current state of your APIs and API security, the magnitude of the changes required will vary. If your organization requires deeper API transformation, you will likely need to invest in upskilling and training your employees to acquire the current knowledge and skills necessary to elevate your API security and remain compliant with risk requirements.
No API gateway, no problem
Our approach and tools will help you assess your needs and requirements.
- Learn about critical API gateway capabilities. If you don’t currently have an API gateway, our tools and methodologies will help you rapidly learn about the ten essential security capabilities to consider when selecting an API gateway to improve your fintech integrations.
- Choose the correct deployment method. How you choose to deploy your API gateway (on-premises, SaaS, cloud) is a critical decision. You can learn the pros and cons of each API gateway deployment to help you choose the one best suited for your bank.
- Understand and improve your API transactions. We will help you understand the detailed steps required to enable secure fintech API transactions. As threats from AI and ML continue to escalate, these steps grow in importance. We’ll walk you through a best-practices-based secure API transaction.
Securing fintech APIs has many facets
You must identify, catalog, document, and test your APIs – then secure their execution.
- Securing your fintech APIs is part of a broader and continuous security journey that your bank must take. The dynamic nature of the API threat environment, driven by AI/ML, means that banks must continually evaluate their current security state and take appropriate steps to modernize.
- The following resources can help you mature related areas:
  - If you need to begin your bank’s data journey, see Create a Data Management Roadmap.
  - API security relies on effective data management: Discover and Classify Your Data, Secure Your High-Risk Data.
  - If you need to elevate your overall security, see:
  - API security works hand in hand with identity management:
Info-Tech’s methodology to mature your bank’s fintech API security
| Phase | 1. Discover and document your APIs | 2. Evaluate your current API gateway capabilities | 3. Compare your APIs to best practices | 4. Generate a gap analysis to improve |
| --- | --- | --- | --- | --- |
| Phase Steps | 1.1 Assemble key individuals; 1.2 Brainstorm API inventory; 1.3 Consider third-party tools to identify all APIs in production in your bank; 1.4 Create a definitive library/catalog of APIs; 1.5 Ensure APIs are properly documented | 2.1 Determine if your bank currently uses an API gateway; 2.2 Determine which type of API gateway your bank uses (on-prem, SaaS, cloud, etc.); 2.3 Document the capabilities of your API gateway; 2.4 Assess the maturity of your API gateway | 3.1 Select representative APIs to analyze; 3.2 Review the API process example to better understand current best practices; 3.3 Create an API process gap analysis based on your current API process review | 4.1 Evaluate the pros/cons of your API gateway deployment; 4.2 Use your gap analysis to build an improvement plan |
| Phase Outcomes | | | | |
Insight summary
You must identify all your APIs and move them to an API gateway
No fintech API security program can exist without a complete inventory of all external APIs in production. Few banks are aware of all their APIs. AI/ML-based tools can help with the discovery of all APIs in production. Moving as many as possible to your API gateway is critical.
Data moved by APIs has become the second largest source of internet traffic
The amount of data moving through the internet by APIs is growing exponentially. If current trends continue, API-based data will become the largest source of data on the internet. This highlights the need for APIs and their related processes to be secured.
API-based security threats have become a focus for bad actors
The growing use of APIs has made them a primary target for bad actors. APIs hold the potential for bad actors to access massive amounts of data. In many cases, API-based data breaches go undetected for extended periods due to process weaknesses in API security.
API security techniques have rapidly evolved in the last few years
Techniques used to authenticate and transmit data, as well as monitor APIs, have significantly improved over the past few years. Software development and testing techniques (that include API development) have also experienced an increased level of focus on security (DevSecOps and shift-left approach).
Mastering APIs and fintech integrations are essential functions
Beyond the immediate need for API security, the mastery of API-based security (especially for externally facing APIs) is an essential capability for all banks. Banks are increasingly moving toward composable infrastructure, which is heavily reliant on external providers that deliver services using APIs. APIs (and consequently API security) are essential enablers of digital maturity and digital transformation.
Report and deliverable
This report is accompanied by the API Gateway Maturity Assessment Tool and the API Process Maturity Example to help you accomplish your goals.
Key deliverable
The report and deliverables will accelerate your success
API Gateway Maturity Assessment Tool
Assess the security-related capabilities of your API gateway against the most current requirements.
API Process Maturity Example
Compare your existing API process steps to current best practices.
Case Study
A large international bank is actively engaged in API gateway and process security improvements.
Industry: Financial Service
Source: Info-Tech Interview
Challenge
A large national bank recognized an increase in more complex API-based security threats. It is implementing a robust API gateway solution accompanied by API process improvements to enhance its API security.
Before this current activity, much of the bank’s API security relied on application-level security, which is becoming inadequate and offers protection only after an API breach has occurred.
The bank was unaware of all APIs in production, so while implementing the API gateway, it also discovered and documented its APIs.
Solution
The bank initiated an API security improvement program that involved business partners, risk management, infrastructure, enterprise architecture, and the API security team.
They performed API discovery and believed they were aware of 70% of the APIs in production.
They implemented a cloud-based API gateway that manages both their on-premises and cloud-based API endpoints.
They are evaluating API suitability for migration to the API gateway, as well as improving transaction-level API elements during the migration.
Results
The implementation of the API gateway had an immediate positive impact on the bank’s API security.
The most immediate benefit is the ability to monitor API traffic for each API. These statistics were not previously available.
As more APIs are migrated to the gateway, security is vastly improved as it now begins at the API level rather than the application level.
The bank is also evaluating additional advanced API management tools that will coexist and interact with the API gateway.
Measure the benefits of securing fintech APIs
Trust in banking is invaluable – securing fintech APIs is key.
- Enhanced security capabilities reduce overall security risk. Securing your external-facing APIs is critical. The highly sensitive nature of banking data makes API security even more essential. As well, the rapidly growing amount of data exchanged via API elevates the need for the strongest API security possible.
- Improved security infrastructure. The addition of an API gateway improves your bank’s overall security level. In the absence of an API gateway, much of the security burden resides at the application level. As threats continue to evolve, application-level security may be too little, too late. An API gateway moves security to the API level.
- Deeper API control and intelligence. By migrating as many of your external-facing APIs as possible, your bank will gain a much deeper level of control over your API processes. Your bank will also have much deeper, clearer, and more timely insight into external API use. In many cases, monitoring your API gateway’s activity levels will be one of the first indications that something unusual and potentially inappropriate is occurring.
Measure the value of this report
How can you measure the value of following Info-Tech’s approach?
Fintech integrations present a significant risk to most banks. The presence of shadow APIs, poor processes, lack of governance, and outdated technologies exposes banks to elevated levels of risk. The absence of a broad-based approach can lead to potential reputational risk and fines from regulators.
This report and assessment tools will help your bank secure its fintech integration.
Reach out to Info-Tech’s industry advisory services for assistance as you work through the report and assessment tool, or request a workshop engagement and let us do the heavy lifting.
Securing your fintech APIs has many benefits
| Focus Area | Potential Impact |
| --- | --- |
| More APIs using your API gateway | Completing an inventory and migrating suitable APIs to your API gateway is the first step in increasing your API security, and it immediately reduces your risk. |
| Greater insight into API usage | Having all suitable APIs run through your API gateway offers you increased visibility into API usage levels and the detection of unusual activity. |
| Enhanced control over your API transactions | Your API gateway enables you to enforce a higher level of standardized control over your APIs and their specific elements, increasing your security level. |
| Improved defenses against AI/ML threats | As AI/ML threats continue to grow, your API gateway will provide you with the ability to combat them. |
| Opportunity for further security improvements | Once you have implemented your API gateway and migrated all suitable APIs to it, you can consider the next step in securing your APIs. API management tools that connect to and utilize your API gateway will future-proof your API security. |
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Executive & Technical Counseling
"Our team and processes are maturing; however, to expedite the journey we'll need a seasoned practitioner to coach and validate approaches, deliverables, and opportunities."
Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all five options.
Guided Implementation
Put your lifecycle-based API security modernization plan into action.
Phase 1 | Phase 2 | Phase 3 | Phase 4
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 4 to 8 calls over the course of 4 to 6 months.
Leverage skilled facilitation
Info-Tech Research Group provides tabletop facilitation through its workshop product.
To enhance the effectiveness of the external API gateway and API process maturity implementation, consider involving a skilled facilitator with training and experience in conducting tabletop exercises.
Their expertise can help:
- Guide participants through the scenarios.
- Create dynamic discussions that respond to participant feedback.
- Ensure appropriate participants stay active.
- Provide insights on leading industry practices and potential improvements to your external API gateway and API process maturity implementation during and after the exercises.