Home / Digital Bank / If you’re API and you know it, block aggregators

If you’re API and you know it, block aggregators

I bumped into a real API marketplace the other day.

It gained a few nice comments like:

“So people could stock up on spaghetti code and sandbox toys” from Alex Kuznetsov; and

“It doesn’t actually stock anything. Just lets you connect to other stores more easily to get what you need” from Ron Miller

Regardless of the humour, APIs are in vogue and in controversy after JPMorgan Chase made a decision that third parties can now only access customer data via APIs.

The decision is an interesting one, as it’s in keeping with the idea of Open Banking as per the UK and EU approach. In particular, Europe resisted the idea of the Yodlee aggregator view of the world, where customers give their passwords to third parties. America allowed this, and screen scraping cut and paste, but the security of such access has always been questionable for many.

Therefore, it does not surprise me that a major bank like JPMC is setting a deadline for moving away from screen scraping to APIs. According to Reuters, third party payments providers (TPPs) must sign a deal with the bank by July 30 committing to API access, and dropping password access, if they want to continue providing services to JPMC’s clients.

It does not mean the customer has to drop aggregators who use password access by July 30. Just that their providers must commit to transition across by that date.

“We’ve been working on this with aggregators and fintechs since 2016 because our secure API is the best way to help our customers make smart money decisions more easily and safely,” Paul LaRusso, managing director of digital platforms at Chase, said in a written statement to Reuters. “Customers can still use their favourite apps and websites while these companies migrate to our API.”

Interestingly, a few folks are making a big deal out of this.

FinTech Futures spoke to Canadian start-up Cinchy, which is trying to eliminate the replication of data in banks. CEO Dan DeMers says “even APIs create a spaghetti infrastructure” which is susceptible to security breaches because the technology still has to replicate data like the bank’s siloed, legacy systems.

He may have a point as, over the last two years, there has been a dramatic shift in the number of cyber-criminals targeting APIs in an effort to bypass security controls, according to the new State of the Internet report that Akamai released today. Akamai’s report observed an astonishing 85 billion credential abuse attacks in the two-year period from December 2017 to November 2019. A significant proportion of these attacks were against hostnames clearly identified as API endpoints, which totaled over 16 billion hacking attempts.

The report indicates that APIs are being used primarily as a weapon against the financial services industry, with almost 500 million attacks targeting financial organisations. In addition, the attacks against the finance sector in this two-year period were not exclusively API focused; Akamai recorded the single largest credential stuffing attack against a financial services firm in the company’s history, consisting of over 55 million malicious login attempts.

The solution?

According to Cinchy it is to use a networked approach, where all data is available to all without replication.

Interesting idea, but probably resisted by many today. A bit like the idea of using cloud a decade ago, the idea of networked data rather than replicated data is a difficult cultural barrier to overcome. Longer-term maybe Cinchy’s idea will work … but today, this is a tough sale.

About Chris M Skinner

Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News. To learn more click here...

Check Also

Forget Where’s Wally, Where’s Jack?

With Jack Ma disappeared and Alibaba and Ant Group possibly nationalised, China’s government is dictating …