Senior Fintech Analyst in the South African Reserve Bank's Fintech Unit focused on open finance and financial inclusion, and co-leading the IFWG's Innovation Accelerator
Application programming interfaces, or APIs, are a technological solution that supports open finance by enabling different computer applications to talk to each other over a network using a common language that they both understand. David Berlind, Editor-in-Chief of ProgrammableWeb.com, provides a useful description of APIs as "electrical sockets that have predictable patterns of openings" into which other applications that match those patterns can "plug in" and consume them, in the same way that electrical devices consume electricity.
Figure 1: Example of basic functioning of APIs
While the benefits of integration among different technical systems using APIs can be obvious, there is still the question of how open such systems should be. A meaningful way to explore this is to consider private versus public or open APIs. Private APIs can either be internal APIs, offered to facilitate within-firm integration and operational efficiency across an organisation, or external APIs that are highly customised and designed specifically for partners who want to interface directly with their suppliers or customers. These private APIs are already commonly used by financial institutions, including banks, and provide immense value to an organisation and its affiliated network of partners.
On the other hand, public or open APIs are accessible by almost anyone and available to use with "little or no contractual arrangement" beyond agreeing to the terms and conditions put forward by the API provider. This allows organisations that provide open APIs to create digital economies or business platforms through which communities of innovators can develop API-consuming applications.
In payments, for example, such 'open' or 'external' APIs have been used by card networks to integrate their infrastructure with selected e-commerce partners, providing a better online customer experience, or to offer more functionality in mobile applications, such as in-app purchasing.
Banking institutions globally have also utilised external APIs to extend their reach to other platforms and increase their sales by enabling authorised third-party access to some of their services (e.g., money transfers, credit granting functionality, etc.). South African banks are no exception to these developments, with many using APIs to improve internal operations and some using open APIs and even launching API marketplaces to connect with third-party organisations in the last decade.
With great opportunity comes great risk
APIs can help accelerate innovation, improve business efficiency, and forge new lines of revenue by offering a standardised way of integrating disparate systems, without the need to change them. For consumers, API integrations improve customer experiences by enabling consumers to access a range of financial services in a more seamless, convenient, and more tailored manner.
With these benefits and opportunities, however, APIs do come with a number of risks that need to be minimised and mitigated. With every small feature getting linked with other software or products for a seamless user experience, APIs are increasingly becoming a target for security breaches and hacks.
According to research by Human Security[1], on many websites and applications, more than 75% of login requests from API endpoints are malicious. On some applications, as much as 20% of all product page API requests are malicious. Overall, 10-15% or more of all API requests come from malicious sources. This represents a significant shift in how attacks are happening. According to Human Security, these API attacks are growing quickly in volume and intensity across a wide range of applications in different sectors of e-commerce and media.
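The Human Security figures above are ratios of malicious to total requests per endpoint, which is exactly what an API owner can measure from its own access logs. The following is an added example, not code from the article or from Human Security: it parses a few constructed log lines (the log format, the login path and the "five failed logins from one source within 60 seconds" threshold are all assumptions made for this demonstration), flags login traffic from sources that exceed the threshold, and reports the flagged share per endpoint so that a login endpoint's abuse ratio can be tracked over time.

```python
"""Per-endpoint abuse ratio over API access logs (added example).

Assumptions: space-separated log lines of
  <ISO-8601 timestamp> <source IP> <method> <path> <HTTP status> <user agent>
and a simple rule that treats a source with MAX_LOGIN_FAILURES failed
logins (HTTP 401) inside WINDOW as abusive from the start of that window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/api/v1/login"
WINDOW = timedelta(seconds=60)
MAX_LOGIN_FAILURES = 5  # assumed threshold for this demo

# Constructed sample log: one automated source hammering the login endpoint,
# one human user who mistypes a password once, and two product lookups.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:00:02Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:00:03Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:00:04Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:00:05Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:00:06Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:00:07Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:00:08Z 203.0.113.7 POST /api/v1/login 401 python-requests/2.31
2024-03-01T10:01:00Z 198.51.100.4 POST /api/v1/login 401 Mozilla/5.0
2024-03-01T10:01:05Z 198.51.100.4 POST /api/v1/login 200 Mozilla/5.0
2024-03-01T10:02:00Z 198.51.100.4 GET /api/v1/products/42 200 Mozilla/5.0
2024-03-01T10:02:30Z 198.51.100.9 GET /api/v1/products/42 200 Mozilla/5.0
"""


def parse_line(line):
    ts, ip, method, path, status, ua = line.split(" ", 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status), "ua": ua}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def normalise_path(path):
    """Collapse numeric path segments so /products/42 and /products/7 share one bucket."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def abusive_sources(records):
    """Map source IP -> timestamp from which its login traffic is treated as abusive."""
    failures = defaultdict(list)
    for r in records:
        if r["path"] == LOGIN_PATH and r["status"] == 401:
            failures[r["ip"]].append(r["ts"])
    start = {}
    for ip, times in failures.items():
        window = deque()  # sliding window of recent failure timestamps
        for t in sorted(times):
            window.append(t)
            while t - window[0] > WINDOW:
                window.popleft()
            if len(window) >= MAX_LOGIN_FAILURES:
                start[ip] = window[0]
                break
    return start


def flag_requests(records):
    """One boolean per record: True if it is login traffic from an abusive source."""
    start = abusive_sources(records)
    return [r["path"] == LOGIN_PATH and r["ip"] in start and r["ts"] >= start[r["ip"]]
            for r in records]


def endpoint_summary(text):
    """Per normalised endpoint: total requests, flagged requests and the flagged ratio."""
    records = parse_log(text)
    summary = defaultdict(lambda: {"total": 0, "flagged": 0})
    for r, flagged in zip(records, flag_requests(records)):
        bucket = summary[normalise_path(r["path"])]
        bucket["total"] += 1
        bucket["flagged"] += int(flagged)
    for bucket in summary.values():
        bucket["ratio"] = bucket["flagged"] / bucket["total"]
    return dict(summary)


if __name__ == "__main__":
    for endpoint, s in endpoint_summary(SAMPLE_LOG).items():
        print(f"{endpoint:30} {s['flagged']:3}/{s['total']:<3} flagged ({s['ratio']:.0%})")
```

On the constructed sample the login endpoint shows 8 of 10 requests flagged, while the product endpoint shows none; in production the same ratio, computed per endpoint over a rolling window, is the metric to alert on when it drifts away from its baseline.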
In a 2022 study by EMA Research titled "State of API Security", which polled 203 individuals in Europe, Asia, and North America, the threats depicted below were the most common threats to APIs reported by respondents in their organisations:
Figure 2: What are the most common threats you've seen on your APIs?
The increasing reliance on APIs by businesses, coupled with the increasing difficulty current systems have in protecting them against new attack trends, means organisations need to shift from traditional security practices and last-generation tools to a modern security strategy that addresses security at every stage of the API lifecycle and provides a broad range of protections that foster collaboration across teams.[2]
API standardisation as an enabler for accelerated ecosystem development
API standards are configurations of technical specifications related to an API's rules (protocols), languages (formats), data dictionaries, and security features that find a degree of common adoption in the industry. These standards help streamline the exchange of information internally and externally by setting the benchmark for best practices and the conventions that developers should follow when building and consuming APIs. Having API standards in place is beneficial as a guide for all users and enables partners to consume APIs quickly and easily, thus supporting accelerated ecosystem development.
Technical API standards may be industry driven, with market actors converging on a particular configuration of technical specifications over time on their own accord, or through a facilitative process convened by authorities or technical standard-setting bodies.
Despite the longstanding use of APIs in a variety of contexts, fragmentation is prevalent, and standardisation of APIs is relatively nascent. Fragmentation of API specifications may create friction for the party using multiple services, as they will need to invest in translating between the different formats used by different APIs (e.g., possibly developing separate APIs for each third-party interface). This increases costs as a result of longer processing and development times and introduces additional risks.
Multiple jurisdictions across the globe have introduced public and private sector led initiatives to establish API standards. While there are specific nuances that need to be acknowledged, the different API standardisation approaches taken globally can be summarised as:
Table 1: Summary of approaches to developing API standards
Furthermore, in reviewing the approaches and high level characteristics of the API standards in the different markets, there are some commonalities which can serve as lessons for API standardisation:
- Collaboration with industry and experts is key: Collaboration between regulators, financial institutions, fintechs, thought leaders, etc., is exceptionally important for ensuring that the API standards are developed in an inclusive, effective, tailored, and collaborative manner. As shown, although different approaches can be taken, ranging from strongly regulator-led to strongly industry-led models, the consistent thread across these models is that industry played an integral role in designing the specifications.
- API standards are designed using common protocols: There is a plethora of protocols used in the APIs adopted in the different jurisdictions. However, the literature as well as available information from the existing API standards point to some common protocols which have been adopted, such as REST APIs, OpenID and FAPI, OAuth 2, JSON and XML, ISO 20022, etc. These common protocols are important to consider in ensuring that any standards developed are in line with international best practice and broadly aligned with other jurisdictions.
- API standards are designed based on common principles: API standards are developed and published using different methods; however, there are some common principles which underpin many of the API standards adopted globally. These include:
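The list of common protocols (REST, OpenID and FAPI, OAuth 2, JSON) describes how a standardised open finance API typically admits a third party: the third party presents an OAuth 2 access token on each REST call and the API checks it before returning JSON. The block below is an added example, not code from the article or from any of the named standards bodies. It implements the resource-server side of that check with the standard library only: the issuer, audience, scope and shared secret are constructed values, and the token is an HS256-signed JWT solely so the example runs without dependencies (FAPI profiles require asymmetric signatures such as PS256 or ES256, and a production API would verify against the authorisation server's published keys instead). The checks it shows, exact algorithm match, constant-time signature comparison, issuer, audience, expiry and scope, are the ones a reviewer looks for in any token-validating endpoint.

```python
"""OAuth 2 bearer-token validation for a REST/JSON API (added example).

Assumptions: HS256 JWTs with a shared secret (demo only; FAPI mandates
asymmetric signing), and constructed issuer/audience/scope values.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"         # constructed; never hard-code in real code
ISSUER = "https://auth.example.test"   # assumed authorisation server
AUDIENCE = "accounts-api"              # assumed identifier of this API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims, secret=SECRET, alg="HS256"):
    """Issue a JWT; stands in for the authorisation server in this demo."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now=None, secret=SECRET):
    """Return the claims if the token is acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers binascii.Error, JSONDecodeError, unpack errors
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: never trust the header to choose it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def handle_request(headers, required_scope="accounts:read", now=None):
    """Resource-server handler: (HTTP status, JSON body) for an Authorization header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, {"error": "invalid_token", "detail": str(exc)}
    if required_scope not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"sub": claims.get("sub"), "balance": "demo-value"}


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1",
                        "scope": "accounts:read", "exp": now + 300})
    print(handle_request({"Authorization": "Bearer " + token}))
```

The distinction between 401 (the token is unusable) and 403 (the token is valid but lacks the scope) matters for standards alignment: clients and monitoring tooling built against OAuth 2 expect exactly that split.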
To conclude, open APIs provide several opportunities for South Africa by promoting greater ecosystem integration, improving efficiency, and enabling competition through open finance. These opportunities have to be balanced with the risks associated with APIs, as more and more sensitive data will be exchanged between holders of the data and third-party providers. It is therefore important to ensure that the approach taken in South Africa embraces the potential benefits of APIs as highways towards innovation, but also builds an appropriate regulatory framework to mitigate risks, including through further consideration of APIs and API standardisation. Under the IFWG, the Open Finance Integration Working Group continues to support the ongoing open finance regulatory journey in South Africa by conducting research on open finance aspects, including the approach to APIs, and providing recommendations for further consideration by relevant members of the IFWG in developing a coherent response to open finance in South Africa.
[1] Human Security, API bot attacks: the hidden threat to application security, https://www.humansecurity.com/learn/blog/api-bot-attacks-the-hidden-threat-to-application-security
[2] Salt Labs, 2023, State of API Security Q1 2023