Financial institutions are increasingly vigilant about perceived external security risks, yet they frequently disregard how their own APIs are designed for security. With regulation changing constantly and heavy fines attached to non-compliance, organizations need to ensure not only that they hold the appropriate licences but that their APIs at least meet secure programming criteria in line with international cybersecurity standards such as those published by ISO.
Globally, regulatory compliance spending is estimated to exceed $80 billion per year and to surge to $120 billion within the next five years. This is driven by the increasing demand to secure customer information, data, and the flow of money across international borders, which in turn necessitates enhanced and ongoing cybersecurity protection. Regulatory bodies in Europe recognized this need, along with the growing ability of bad actors to penetrate systems and manipulate data using simple measures that entice employees to make mistakes or circumvent company policies, resulting in data breaches, not to mention the constant cyber attacks on financial organizations and on the bank accounts of everyday people.
The European Union, with the European Banking Authority developing the accompanying technical standards, found it necessary to implement regulation that would identify and track the flow of money within Europe while enabling new forms of payment services to be offered. The result was the Payment Services Directive 2 (PSD2), adopted in 2015. The directive not only monitors and secures the flow of payments through Europe but also requires banks to open up their data to fintechs, which provide innovative solutions using this data in collaboration with banks. In this article we explore the evolution of Regulation-as-a-Service, using PSD2 as an example that can be applied to any financial regulatory directive requiring specialized licensing and/or oversight handed down by the region's financial regulatory body, including international regulations on privacy such as GDPR, on investment banking such as MiFID, and on anti-money laundering.
Organizations in the business of payments or remittances face consequences for failing to meet financial regulatory requirements. In Germany, BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht), the country's federal financial supervisory authority, regulates banks, financial institutions and fintechs. It works in alignment with the European Banking Authority, selected financial services working groups and lobbyists to create regulations, provide standards and enforce compliance. This brings a wide set of problems and ambiguities. The primary example is the PSD2 implementation deadline, initially set to take effect on September 14, 2019 within the EU. Because there was no universal set of standards for PSD2-compliant APIs, most banks were unable to meet the looming deadline and its requirements, and in turn blocked fintechs from accessing the data they needed to sell their products to bank customers. To ensure that regulatory bodies like BaFin were aware of the conflict between the big banks and fintechs, lobbyists across the EU advocated for an extension of the implementation deadline and for clarity on the requirements that payment APIs must meet to adhere to PSD2's Strong Customer Authentication criteria.
In Germany, some financial institutions are also third-party providers (fintechs) holding special licences issued by BaFin to offer payment initiation services and account information services. This licensure can be passported to other companies, allowing them to meet the regulatory requirements for providing payment services and handling customer account information. That coverage is extended to companies under the banner of Regulation-as-a-Service, enabling them to remain innovative and agile and to offer new products and services to customers while renting the licence required to meet compliance standards, saving the organization time and money while the fintech scales.
To combat cyber attacks, regulators have worked to ensure that security measures are woven into financial regulatory components that adhere to international cybersecurity standards: for example, requiring strong customer authentication, the use of tokens, and the use of electronic certificates that verify domains and identities, among other requirements set forth in the PSD2 directive. Having understood the value of data privacy, many organizations are starting to realize that the APIs they create must be built with a secure-API mindset, ensuring that the technologies used for Open Banking and PSD2 are compliant and thus safeguarding the services offered to EU citizens, delivering not only product innovation but secure APIs.
As mentioned earlier, BaFin, in partnership with the European Banking Authority, extended the PSD2 deadline in Germany, allowing fintechs to continue operating as normal while remaining compliant. Unfortunately, some banks across the EU have found ways to circumvent PSD2's primary objective of sharing data with fintechs and have blocked fintechs from using bank data. This is an ongoing fight that the European Banking Authority and national regulatory bodies are working to resolve within the EU.
The evolution of fintechs, rapid technical advancement and the constant flow of money across borders have made it essential for organizations to provide their products and services internationally while adhering to the strict privacy and data protection laws set forth by the EU. Yet many fintechs have neither the money nor the time to apply for specialized licensure from regulators, so these organizations are seeking alternative means of operating while remaining compliant. Regulation-as-a-Service gives fintechs the ability to innovate rapidly and to partner with banks to bring new products to market. I predict that over the next three years Regulation-as-a-Service will become commonplace within the industry, allowing companies to rapidly enter new markets, thanks to Regulation-as-a-Service providers who incorporate risk analysis, AI-based compliance training, and API standardization and testing, facilitating the expansion of services and offerings in the financial sector. In turn, organizations will become diligent in securing APIs to safeguard customer data and privacy, culminating in a rethinking of APIs.
Originally posted on December 3, 2019 for API Conference Berlin Blog https://apiconference.net/blog/artikel/regulation-as-a-service-rethinking-apis/