Today there is no authorised way for third parties to access data through APIs. Banks use private APIs to feed their own mobile applications, but third parties can still call those APIs by presenting valid customer credentials, so the bank sees a customer and not the third party behind the request. This is a Wild West scenario without clear rules or security standards, and it makes it hard for FIs to recognise the accessing party and to prevent fraud.
Goals and Objectives
- Improve security in the ecosystem by ensuring that only authorised/certified parties can access data.
- Define clear rules and agreements on data access, data storage, and certificates to increase clarity and accountability in the ecosystem.
- Increase transaction security and reduce fraud through tokenization.
- Ensure that customer consent is valid at the time of each access and has not been withdrawn.
- Optimise billing and tracking of third-party access for API monetization.
- API Gateway, XS2A Platform
- Identity management platform
Use Case Summary
Third parties accessing the bank's internal infrastructure via APIs are identified by a certificate issued by a qualified certification authority (the eIDAS qualified certificates that PSD2 XS2A access relies on) or by a certificate that complies with the bank's own rules. This includes defining, monitoring and managing access for unlicensed third parties. With API monetization, the same identification also becomes essential for billing and tracking of traffic.
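The following Go program is an added example (not code from this page or from any bank's XS2A platform) of the gateway decision the summary above describes, and of the consent check listed under the goals: validate the caller's client certificate against the trusted CAs, read the organisation identifier from its subject, look it up in the register of licensed TPPs, confirm the customer's consent is still valid and not withdrawn, and only then write an accounting record for billing. It assumes a constructed CA standing in for a qualified certification authority, constructed authorisation numbers (`PSDXX-NCA-000123`, `PSDXX-NCA-999999`), register entries and consent records, and relies on the fact that eIDAS qualified certificates carry the PSD2 authorisation number in the `organizationIdentifier` subject attribute (OID 2.5.4.97). It does not parse the PSD2 role QcStatement or check revocation, both of which a production gateway must do, and it refuses any caller missing from the register; a bank whose own rules admit further parties would add them to that register.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-at-organizationIdentifier (OID 2.5.4.97): the subject attribute in which
// eIDAS qualified certificates carry a TPP's PSD2 authorisation number.
var oidOrgID = asn1.ObjectIdentifier{2, 5, 4, 97}

// Gateway is the policy layer behind the mTLS listener of an XS2A API gateway.
type Gateway struct {
	Roots    *x509.CertPool       // trusted issuing CAs (a constructed CA here)
	Licensed map[string]string    // authorisation number -> TPP name (constructed register)
	Consents map[string]time.Time // "<authorisation number>|<customer>" -> expiry
	Billing  []string             // one accounting record per authorised call
}

// Authorize decides one API call: chain validation against the trusted CAs,
// register lookup, consent check, then an accounting record for billing.
func (g *Gateway) Authorize(cert *x509.Certificate, customer string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: g.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	id := "" // the subject's organisation identifier; stays "" if the certificate has none
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidOrgID) {
			id = s
		}
	}
	name, ok := g.Licensed[id]
	if !ok {
		return "", fmt.Errorf("unlicensed third party %q", id)
	}
	if exp, ok := g.Consents[id+"|"+customer]; !ok || !now.Before(exp) {
		return "", fmt.Errorf("no valid consent from %s for %s", customer, id)
	}
	g.Billing = append(g.Billing, fmt.Sprintf("%s tpp=%s customer=%s", now.UTC().Format(time.RFC3339), id, customer))
	return name, nil
}

// Withdraw removes a customer's consent, so later calls by that TPP for that customer fail.
func (g *Gateway) Withdraw(tpp, customer string) { delete(g.Consents, tpp+"|"+customer) }

// issue creates a CA (isCA) or a client certificate carrying id as its organisation
// identifier; with ca == nil it is self-signed. Constructed test fixture, not real PKI.
func issue(id string, serial int64, now time.Time, isCA bool, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: id},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // leaf: organisation identifier in the subject, client-auth usage only
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidOrgID, Value: id}}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent, signer := ca, caKey
	if ca == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// BuildScenario wires a constructed CA, three TPP certificates, a constructed
// register and consent store; nothing in it is real PKI or register data.
func BuildScenario(now time.Time) (gw *Gateway, licensed, unlicensed, selfSigned *x509.Certificate) {
	ca, caKey := issue("Constructed Qualified CA", 1, now, true, nil, nil)
	licensed, _ = issue("PSDXX-NCA-000123", 2, now, false, ca, caKey)
	unlicensed, _ = issue("PSDXX-NCA-999999", 3, now, false, ca, caKey)
	selfSigned, _ = issue("PSDXX-NCA-000123", 4, now, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	gw = &Gateway{Roots: roots, Licensed: map[string]string{"PSDXX-NCA-000123": "Example Fintech Ltd"},
		Consents: map[string]time.Time{"PSDXX-NCA-000123|cust-42": now.Add(90 * 24 * time.Hour),
			"PSDXX-NCA-000123|cust-77": now.Add(90 * 24 * time.Hour)}}
	gw.Withdraw("PSDXX-NCA-000123", "cust-77") // cust-77 consented, then changed their mind
	return
}

func main() {
	now := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	gw, lic, _, _ := BuildScenario(now)
	name, err := gw.Authorize(lic, "cust-42", now)
	fmt.Println(name, err, gw.Billing)
}
```

The self-signed certificate carries the same authorisation number as the licensed one, which is the point: identity comes from the chain to a trusted CA, not from the string in the subject. The billing slice only grows on an authorised call, so tracking and monetization see exactly the traffic that was actually served.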