How to Reduce Operational Risk in Banking with API Governance and Lifecycle Management
This post looks at how to reduce operational risk in banking with proper and automated API governance and lifecycle management. Done right, it can also provide a competitive advantage and accelerate digital initiatives in your bank.
Banks are using APIs (plus Events and Services) to unlock value from data, launch innovative products, enter new digital ecosystems, comply with regulations, and build successful partnerships. With thousands of APIs built, reused, and managed to represent business and IT functions, the API-First transformation:
- bridges the gap between legacy applications and new cloud based apps
- rapidly adapts applications to support new digital business processes
- reaches economies of scale that seamlessly and economically support additional users, data flows, and transactions.
But without proper API governance and lifecycle management, and visibility into both, banks face operational risk and increased regulatory pressure. Here's how to ensure that risk is reduced.
Banks face operational risk from improper API governance and lifecycle management
The Office of the Comptroller of the Currency (OCC) issued the new Model Risk Management booklet of the Comptroller’s Handbook for banks in summer 2021.
In the booklet, the OCC cites increased operational risk from poorly constructed APIs and from weak controls over how sensitive customer data is accessed, transmitted, and stored throughout the API lifecycle:
“Operational risk can increase when the information technology (IT) environment supporting the bank’s models does not have appropriate internal controls. Security weaknesses, including poorly constructed application program interfaces (API) and weaknesses in the controls for the access, transmission, and storage of sensitive customer information, could expose a bank to increased operational risk. Weak or lax controls can compromise the confidentiality or integrity of sensitive customer data.
Third-party risk management weaknesses related to a bank’s use of third parties providing models or related products and services could increase operational risk, particularly when management does not fully understand a third-party model’s capabilities, applicability, and limitations. New technologies, products, and services, such as AI and data aggregation, can increase third-party access to banks’ IT systems. When a bank allows third parties to connect to the bank’s models and systems and to access customer information, there can be substantial operational risk. Poorly drafted contracts could increase operational risk. Important considerations include the ability of the third party to resell, assign, or permit access to the bank’s data and IT systems to other entities and how the data will be transmitted, accessed, and used.”
This guidance has immediate and growing impacts for banks. The OCC is of course focused on US banks, but impacts will be global.
Banks have already transitioned to APIs…
Banks have already transitioned to APIs. Activities such as data sharing with fintech apps now use APIs instead of screen-scraping techniques. For banks that have taken these steps, the recent OCC requirements to report third-party traffic from companies that scrape data will be significantly easier to meet:
“Agreements for sharing customer-permissioned data: Many banks are establishing bilateral agreements with data aggregators for sharing customer-permissioned data, typically through an application programming interface (API). Banks typically establish these agreements to share sensitive customer data through an efficient and secure portal. These business arrangements, using APIs, may reduce the use of less effective methods, such as screen scraping, and can allow bank customers to better define and manage the data they want to share with a data aggregator and limit access to unnecessary sensitive customer data.”
…and as APIs are scaled within banks, the governance load grows too
The number and variety of APIs in your bank are growing, into the thousands. The governance load that comes with that scale will be significantly more expensive if it is not handled correctly.
APIs are cheaper and more controllable than screen scraping, but on their own they don't move the needle for a bank with digital aspirations. Banks that are building open banking platforms and embedding functionality like payments into their ecosystem are assigning expensive resources to building APIs. Without proper, automated governance, they risk being unable to respond to the increasing regulatory compliance demands, such as those detailed in the Model Risk Management booklet.
And it's not just regulatory compliance demands: see our previous post, where we looked at examples of potential breaches caused by improperly secured APIs, including reading financial records, deleting customer accounts, and taking over any account.
But some Banks are getting ahead using effective API lifecycle management with automated governance
Banks that get ahead of the OCC's growing attention to API risk management face fewer ad hoc risk assessments and gain faster digital responsiveness. To do this, they are using best-of-breed extended API lifecycle management tooling with automated governance.
Enterprise API Lifecycle management architecture targets reuse and efficiency across the application ecosystem. Extended lifecycle tooling (such as the ignite platform) that’s integrated with your CI/CD pipelines, runtimes and API marketplaces, can provide end-to-end lifecycle management that enables scale and a governed way of developing these critical assets that meet two core criteria:
- APIs are aligned to business needs, compliant, and well-governed across all stages of the API lifecycle and the five areas of the risk management framework, with visibility over all API types.
- APIs are organized (and tracked through their evolution) in a catalog where they are discoverable to the entire organization for reuse, investment decisions to deliver new capabilities and accelerate consumption, and recombination supporting new digital offerings.
As discussed in a previous blog, API Lifecycle Management “is the process of managing your organization’s APIs across their entire lifecycle, from planning and creation, through to retirement. An effective API lifecycle emphasizes the plan, design, and build stages of APIs with active data integration through the entire lifecycle. Governance, standards, and frameworks should be automatic and baked-in to the process, to deliver consistent, reusable, and compliant APIs that meet business requirements.”
Effectively managing the lifecycle means ensuring APIs comply with governance models at each stage of the lifecycle, while remaining visible to stakeholders and in sync across changes in lifecycle state, environments, and deployments. Full lifecycle management also ensures APIs are business-led and can be reliably made available for consumption by other users to power products, applications, and services that support your customers' needs (often they need to be consumable by partners and other players in your digital ecosystem too).
A fully integrated lifecycle also connects to upstream and downstream platforms to automate more of the process for faster time to market, reducing developer friction during API development, and building an abstracted catalog and bridge between legacy applications and new cloud-based apps. This means developers can focus on business and application logic rather than hand-crafting APIs and hoping they align to business standards. And, this means the audience of the API portfolio expands to the business and IT, with product owners and lines of business owners having more collaboration with developers and API providers.
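To make "governance baked into the process" concrete, here is an added example (written for this post; it is not ignite's code and not from any vendor) of the kind of policy gate a CI/CD pipeline can run over an OpenAPI 3 document before the API is published to a catalog or gateway. It checks the controls the OCC text singles out, transport and access to sensitive data, plus two lifecycle rules (deprecated operations must carry a sunset date, every API must declare an owner and lifecycle state). The rule names, the `x-owner`, `x-lifecycle-state` and `x-sunset` extension fields, and the sample spec are all assumptions constructed for illustration.

```python
"""Added example: a policy gate that lints an OpenAPI 3 document before it can be
published to the API catalog/gateway. Rule names, the x-* extension fields and the
sample spec are assumptions for illustration, not any vendor's schema."""
from dataclasses import dataclass
from typing import List

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


@dataclass(frozen=True)
class Finding:
    rule: str       # policy rule that failed
    location: str   # where in the spec it failed
    message: str


def _effective_security(spec: dict, op: dict) -> list:
    """Operation-level `security` overrides the document-level list; an explicit
    empty list ([]) means 'no auth', which is exactly what the gate must catch."""
    return op["security"] if "security" in op else spec.get("security", [])


def lint_openapi(spec: dict) -> List[Finding]:
    findings: List[Finding] = []
    schemes = spec.get("components", {}).get("securitySchemes", {})

    # Transmission control: every advertised server must be TLS.
    for i, srv in enumerate(spec.get("servers", [])):
        url = str(srv.get("url", ""))
        if not url.lower().startswith("https://"):
            findings.append(Finding("transport-https", f"servers[{i}]", f"non-TLS server URL {url!r}"))

    # Catalog metadata: an owner and a lifecycle state are required for every API.
    info = spec.get("info", {})
    for field in ("x-owner", "x-lifecycle-state"):
        if field not in info:
            findings.append(Finding("catalog-metadata", "info", f"missing {field}"))

    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:   # skip 'parameters', 'summary', etc.
                continue
            loc = f"{method.upper()} {path}"

            # Access control: no operation may be reachable without a security requirement.
            sec = _effective_security(spec, op)
            if not sec or any(len(req) == 0 for req in sec):
                findings.append(Finding("auth-required", loc, "operation allows unauthenticated access"))
            for req in sec:
                for name in req:
                    if name not in schemes:
                        findings.append(Finding("undefined-scheme", loc, f"security scheme {name!r} is not defined"))

            # Lifecycle: deprecated operations need a published sunset date.
            if op.get("deprecated") and "x-sunset" not in op:
                findings.append(Finding("lifecycle-sunset", loc, "deprecated operation has no x-sunset date"))

            # Ownership: every operation must carry a tag that maps it to a business domain.
            if not op.get("tags"):
                findings.append(Finding("owner-tag", loc, "operation has no tag / owning domain"))
    return findings


def gate_passes(spec: dict) -> bool:
    """CI gate: publish only when the spec has no findings."""
    return not lint_openapi(spec)


# Constructed sample spec with deliberate policy violations (assumed, not a real API).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Accounts API", "version": "2.1.0", "x-owner": "retail-payments"},
    "servers": [
        {"url": "https://api.example.bank/v2"},
        {"url": "http://staging.example.bank/v2"},          # violates transport-https
    ],
    "components": {"securitySchemes": {"oauth": {"type": "oauth2", "flows": {}}}},
    "security": [{"oauth": ["accounts:read"]}],
    "paths": {
        "/accounts/{id}": {
            "get": {"tags": ["accounts"], "summary": "Read account"},
            "delete": {"tags": ["accounts"], "security": [], "summary": "Close account"},  # auth disabled
        },
        "/legacy/balances": {
            "get": {"deprecated": True, "summary": "Old balance feed"},  # no x-sunset, no tag
        },
    },
}

if __name__ == "__main__":
    for f in lint_openapi(SAMPLE_SPEC):
        print(f"{f.rule:18} {f.location:28} {f.message}")
    print("PUBLISH" if gate_passes(SAMPLE_SPEC) else "BLOCKED")
```

Run against the sample, the gate blocks publication with five findings (a plaintext staging server, a `DELETE` that disables authentication, a deprecated feed with no sunset date or owning tag, and a missing lifecycle state). The point of wiring this into the pipeline rather than a periodic review is that the same control runs identically on every one of the thousands of APIs, and the findings are the audit evidence.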
Learn how ignite can help with proper API governance and lifecycle management
The ignite platform is being leveraged by large banks to drastically reduce time and cost of regulatory requirements surrounding APIs, as well as accelerating their digital initiatives. Book a demo here to see how your bank can reduce operational risk and gain:
- a single source of truth
- extended lifecycle management
- consistent and compliant APIs