Open Banking and API Security: An evolution to modern business relationships

By Leonardo Santos, March 18, 2020

What is Open Banking?

Against the backdrop of digital transformation and mobile development, Open Banking promises to transform the financial landscape, affecting banks, fintechs and service-oriented companies while at the same time creating endless opportunities for them.

The concept of Open Banking allows other companies, such as e-commerce portals, to access customers' banking data with the customer's explicit authorization and through a secure information exchange channel (the well-known APIs). In other words, banking data belongs to the customer, who can choose which companies to share it with in order to bring more convenience to their daily lives.

In Portugal, a good example of this new context is the Conta Azul platform, which, through a partnership with Banco do Brasil, integrates with the bank accounts of small and medium-sized companies to help them manage their finances, saving up to 85% of the accounting work.

Open Banking has already been regulated in Europe through PSD2 (the Revised Payment Services Directive), which determined that banks must open their platforms and allow third parties to access them via APIs, provided the customer has explicitly authorized it.

On the national scene, the Central Bank of Brazil launched a public consultation (CP 73/2019) to gather opinions on the topic. Many agree with the initiative and believe the model will bring benefits and convenience to the entire chain, and especially to the end customer.



From the information security point of view, there are two major challenges to overcome: the security of the APIs that allow data to be exchanged between systems, which is not something specific to the financial market or to Open Banking, and the protection of customers' personal data in compliance with current privacy regulations.


API Security

The major problem with APIs stems from poor design and/or, as a consequence, the failure to apply security controls, which is what makes them responsible for data privacy breaches.

The vast majority of modern APIs are REST APIs or SOAP APIs. REST APIs are those that use the representational state transfer architecture. With this architecture, the HTTP protocol is used for web communication, which makes it compatible with the TLS protocol; TLS keeps connections private by default and ensures that the data transferred between systems is encrypted and unaltered. Another advantage of REST APIs is the use of JSON, which optimizes data transfer with browsers. Through this set of utilities and protocols, REST APIs are much faster than SOAP APIs.

SOAP APIs use the WS-Security (Web Services Security) protocols. These protocols establish rules oriented toward confidentiality and authentication. They use a combination of XML encryption, XML signatures and SAML tokens to verify user authentication and authorization, in addition to being compatible with OASIS and W3C standards.

Because they are more comprehensive in their security measures, SOAP APIs are the most recommended for companies and businesses that deal with confidential data.


Best practices for API security

APIs, like any application, need measures that protect the security of the information they handle. Together with personal data protection laws, data security will be a critical point for developers. Some of the recommended measures are:

  • Use of tokens: control access to services and resources with tokens that are issued once the user's credentials have been validated.
  • Encryption and digital certificates: use encrypted connections and ensure that the user holds the certificate needed to authenticate and to transact with their information.
  • Identification of vulnerabilities: the best way to anticipate incidents and information leaks is to know and monitor your environment. The use of sniffers is also welcome in this scenario.
  • Establish a request limit: a large number of requests to an API may come from an attacker. Setting limits on these processes can prevent successive attacks that could interrupt the continuity of operations.
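As an added illustration of the first and last measures above (not code from the original post or from Safeway), the following Python sketch issues HMAC-signed bearer tokens with an expiry, verifies them before serving a request, and applies a per-client token-bucket request limit; the client name, signing key and limits are constructed for the example.

```python
import base64, binascii, hashlib, hmac, json

# Constructed demo key; a real deployment loads it from a secret store.
SECRET = b"demo-signing-key-not-for-production"

def issue_token(client_id, ttl_seconds, now):
    """Mint a signed bearer token: base64(payload).base64(HMAC-SHA256)."""
    payload = json.dumps({"sub": client_id, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b".".join(base64.urlsafe_b64encode(p) for p in (payload, sig)).decode()

def verify_token(token, now):
    """Return the client id if signature and expiry check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            return None
        claims = json.loads(payload)
    except (ValueError, binascii.Error):            # malformed token
        return None
    return claims["sub"] if claims.get("exp", 0) > now else None

class RateLimiter:
    """Token bucket per client: `capacity` burst, `refill` requests/second."""
    def __init__(self, capacity, refill):
        self.capacity, self.refill, self.buckets = capacity, refill, {}

    def allow(self, client_id, now):
        tokens, last = self.buckets.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        allowed = tokens >= 1
        self.buckets[client_id] = (tokens - 1 if allowed else tokens, now)
        return allowed

def handle_request(headers, limiter, now):
    """Gate an API call: 401 without a valid token, 429 over the limit, else 200."""
    auth = headers.get("Authorization", "")
    client_id = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if client_id is None:
        return 401
    if not limiter.allow(client_id, now):
        return 429
    return 200
```

Calling `handle_request` four times in the same second with `RateLimiter(3, 1.0)` yields three 200s and then a 429; a token with a swapped signature or a past `exp` is refused with 401 before the limiter is consulted.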

For more information, we recommend using the OWASP API Security Top 10 2019 as a reference in your API security program.



Following the development of modern commercial relationships, Open Banking will give customers the convenience and the freedom to choose how, when and where to use their financial data and to consume the services that best suit their needs.

It literally makes customers the sole owners of their data. However, integration with third parties raises major concerns about the security of transactions. API security is undoubtedly one of the key points for the concept to be implemented and fully adopted by customers.

In a scenario of great competition, security will be a determining factor in establishing trust and will increasingly be a competitive advantage for companies.

* Leonardo Santos - GRC and Information Security consultant at [Safeway]


About [SAFEWAY]

SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. Over these years of experience we have accumulated, with great pride, several successful projects that have earned us credibility and prominence among our clients, most of which are among the 100 largest companies in Brazil.

Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!