By Samah Chowdhury
Application program interfaces are in high demand in the banking sector because they enable smooth data exchange and offer customized services to consumers. But without clear API practices and processes, banks risk security breaches, non-compliance penalties, and operational inefficiencies as they scale. Many banks adopted APIs without establishing parameters to effectively manage them. Now, more aware of the risks, banks are pursuing remediation efforts.
This article is part of ABA Banking Journal’s bank tech trends for 2025 special report.
- Since 2020, nearly 72 percent of banks have reported an increase in the integration of corporate banking APIs.
- One of the largest core banking providers, Fiserv, offers a staggering 900 unique APIs. Jack Henry and FIS also have an expansive list.
- Nearly 90 percent of developers use APIs, of which 69 percent use third-party APIs and 20 percent use internal or private APIs, suggesting a wide variety of APIs being used, each potentially with different rules and guidelines.
APIs have become the backbone of modern banking infrastructure. They enhance system interoperability by enabling banks and third-party services to interact for expanded capabilities. This is true for internal APIs, which are private interfaces that facilitate communication and data exchange between different software components, and external APIs, which allow third-party applications to interact with and access a bank’s services. Both internal and external practices need effective governance to help banks navigate the complexities of evolving technological and regulatory circumstances.
Why API governance matters
API governance controls the technology, the process, and the people involved. It places guardrails for the API’s design (the technology), the business around the API (the process), and the users of the API (the people). What happens if one of your vendors changes their API practices? How do you evaluate the feasibility of emerging trends and technologies across your operations? API governance offers controls that help your IT teams standardize API usage, ensure compliance, and support your broader banking strategy. Part of that strategy should boost the landscape value of your APIs, which is the sum of the value of all versions of a single API. Measuring and managing this well means your developers can update APIs without breaking older versions for users.
While placing governance around your APIs is a necessary strategic goal, this will take on added importance with an anticipated increase in consumer-permissioned data sharing brought about with the CFPB’s forthcoming finalization of its regulation implementing Section 1033 of the Dodd-Frank Act, sometimes dubbed “personal financial data rights” or the “open banking” rule. In open banking, banks and fintech firms provide access to their APIs to exchange financial data with their customers’ consent. This collaboration enables the development of new applications and services; however, given the sheer volume of data expected to be exchanged under the rule, complex security challenges remain a concern. “We should be mindful that the 1033 proposed rule technically uses the term ‘developer interface,’” writes ABA VP Ryan Miller. “While APIs are currently the best means of compliance, this could change if another technology proves more effective.”
Today, open banking’s API reliance makes APIs prime targets for cyberattacks. API governance can help manage API proliferation by preventing redundancies, maintenance issues, and security vulnerabilities which ultimately could result in reduced data breaches. Your bank’s infosec team will thank you.
Getting started
To prepare for the opportunities and challenges presented by technology-driven models, banks must start with key API governance workflows. First, a set of architectural standards can serve as the foundation for consistent and interoperable APIs, enhancing user experience and operational efficiency across platforms. Second, centralized policies, managed by a dedicated team, can safeguard sensitive data and enforce access policies. Third, the lifecycle management process can ensure quality assurance from an API’s creation to its retirement. Lastly, monitoring and analytics can offer valuable insights into API performance and self-service usage for informed decision-making and proactive issue identification. By focusing on these four key areas, your bank can enhance operational efficiency while paving the way for incremental innovative changes.
Click to enlarge.
A simple exercise to help your bank assess its API quality and governance is to ask if the current APIs are useful, findable, usable and predictable. In general, APIs have their own design principles and standards. Organizations like Financial Data Exchange can help with API specs for the data sharing required under Section 1033. (The CFPB will be taking steps to recognize a standard-setting organization, such as FDX, that will be responsible for data formats under the forthcoming Section 1033 regulation. In the meantime, building consistent API designs can enable easier application at scale, autonomy and efficient coordination.
The bottom line
Effective API governance will ensure your bank’s responsiveness and resilience — it’s your ticket to smoother tech advancements and a grip on the tech-business-people triad. Clear standards can fast-track your market entry with new APIs, be it for structural changes, regulatory needs, API monetization, or open banking readiness. Most notably, API governance practice will up-level your API quality, consistency, security, and compliance, which will ensure every API in your bank’s portfolio delivers its maximum value.
Samah Chowdhury is senior director of innovation strategy in ABA’s Office of Innovation.
