Even though APIs have become a common denominator of digitization over the past few years, only 30% of the FIs were actually using APIs as of early 2021, suggests PYMNTS. So where is the challenge? To explore the growth potential, C-suite executives must also be aware of the global open banking situation. In this article of three-part series on open banking, we explain the challenges and opportunities of adopting API banking business model.

Matt Naish, head of the product strategy at FISPAN, a fintech company offering differentiated banking experience, says, “the lack of integration, generally speaking, is not a technical problem. The problem is with change management and process management.” He adds statistics to emphasize that “50% of customer relationship management (CRM) implementations fail — not because of the software but because of the inefficiencies of layering new systems over legacy infrastructure.”

Deloitte in its 2021 report, Open banking: Unleashing the power of data and seizing new opportunities underscores that data sharing is among the most critical challenges of open banking. The wariness to share data lies not just at the bank’s end, but also among the customers. The report says that cybersecurity and data protection are the top concern areas across all age groups, followed closely by wariness towards third-party access to data and transparency on data usage.

About 70 percent of survey respondents feel that greater emphasis should be made on data protection by institutions. More than 80 percent of respondents (who include multiple Financial Institutions, including banks and FinTechs, and customers) are uncomfortable with sharing the transaction history of accounts hinting toward a need for all FIs to assure customers that their data is secure.

So, we can safely say that the critical challenges of open banking are across 3 areas (Fig. 1)

• At the organizational level: Change Management & Process Management
• At the technology level: Running APIs with FI’s older tech infrastructure
• At the security level: Implementation based on regulatory favourability, industry maturity, cybersecurity, and data protection.

 

Open Banking Scenario in India: Case Study

India’s open banking or API banking scenario stands on a hybrid foundation. The retail banking industry and the government have collectively been involved to fuel financial development, and at the heart of this is an ambitious project called India Stack- an initiative that comprises several APIs and is aimed at bringing developers, businesses, fintech start-ups, and government at a unified software platform.

India Stack is a set of APIs (Aadhaar, eKYC, UPI, Digilocker, and eSign) that allows governments, businesses, startups, and developers to utilize a unique digital Infrastructure to solve India’s hard problems towards presence-less, paperless, and cashless service delivery.

“We believe Open Banking represents the next “UPI moment,” opening up new capabilities empowered by data,” TCS’ Report suggests. The strategic imperative for banks will be to figure out the implications stemming from the widespread consent-driven sharing of financial information.

From an operational perspective, banks will need to invest in technology for evaluating and acting upon large volumes of diverse data.

Despite the anticipated marketplace shifts, banks are well positioned to deliver solutions with deeper functionality, especially in areas such as corporate and SME banking, which requires deeper, contextual financial advice and expertise beyond what fintechs, telecom companies, and technology firms can typically provide. In these specialist segments, banks will likely continue to thrive.

HSBC’s Open Banking APIs and ICICI’s API banking are two successful examples of open banking. While HSBC’s open banking APIs enable third parties to begin integrating their financial services into merchant’s applications, ICICI’s payment APIs enable the complete payment lifecycle from registration to making transactions, checking status, and de-registering.

The Road Ahead

There are different ways in which financial services companies can approach the adoption of API banking or open banking. One way is to build APIs in-house, or they can also buy APIs and then bring them in-house. The second way is to integrate with platforms and partners like Valuebound.

A collaborative model can help banks future-proof their technological pursuits, given that it is still hard to say where the banking industry will go in a decade or half from here. By engaging with platforms and partners, FIs get an opportunity to position themselves for growth in real-time data exchange, embedded banking, and real-time payments.

Partnering with a product engineering company reduces a traditional organization’s time to market by adopting an agile product development and deployment. If you wish to spin off a successful, agile, cost-effective digital operation, get in touch with us to learn how we can accelerate your business model towards API banking or open banking.

In the next insight of our three-part series, we shall talk about the key tenets of open banking that form the pillars of a successful open banking ecosystem and a market-ready strategy for implementing an open banking business model by solving the challenges mentioned in this insight.

Financial data Application programming interfaces or APIs are one of the emerging innovation triggers of the banking and financial services industry as per the Gartner Hype Cycle for Digital Banking Transformation, 2022. APIs help financial institutions (FI) create products that can meet customer demand in the times of fintech penetration into the mainstream. API-based open banking is a mechanism wherein traditional retail banks open their application programming interfaces for third parties to create new apps or services.

The percentage of banks and credit unions that have invested in developing APIs has grown from 35% in 2019 to 47% in 2021, says PYMNTS data.

Open banking using APIs is a way for incumbent financial institutions and banks to partner with fintech rather than holding a competition with them. In this first part of our three-part series of API-based open banking insights, we shall holistically discuss-

• What is Open Banking or API Banking?
• How do banking APIs work
• Why incumbent financial institutions must move from the status quo?

CMOs, CIOs, and C-Suite executives of financial services companies and retail banks can gain usable insights from this series of open banking to build an API-enabled digitally advanced product or service platform.

What is Open Banking or API Banking?

Open Banking or API-based Banking is defined as APIs (XML/JSON codes) for allowing bank and client servers to communicate securely with one another. API banking makes data transfer between these entities seamless and ensures secured integration between the bank and customer’s systems. This capability of APIs enables customers to carry out their banking transactions without toggling between their Enterprise Resource Planning or ERP platform, and the bank.

How do Banking APIs Work?

Non-banking companies are developing and facilitating a range of core financial services to clients by connecting with APIs of financial services companies, FIs, and retail banks. This has led to the emergence of platforms connecting clients with bank APIs. These platforms pitch themselves as banking-as-a-service (‘BaaS’) or middleware.

At the back end, an intermediate layer connects with banks and regulated entities. On the front end, it hosts various fintech companies and non-bank entities (Fig. 1). So, the API platforms act as the infrastructure. In contrast, non-banking enterprises and fintech companies integrate financial and banking services in their non-financial offerings.

Why Move From the Status Quo?

According to Accenture, 29% of banks’ traditional retail products-based revenue streams are at risk. Most bankers expect a 10% increase in overall organic banking growth. While, in 2020 alone, there was a 55% boost to banking revenue from new opportunities created by open API-enabled services.

The adoption of open banking or API banking has gained traction over the last decade across the globe. There has been a significant difference in its interpretation, reception, and adoption from one country to another. Yet, if we mainly speak about market readiness in India, there has been a significant surge in the FinTech space.

Pertaining to the competitive landscape, financial institutions have taken active steps to educate the customer, invested in increasing distribution, and offered rewards to drive customer behavior. Account aggregation use cases are expected to scale up.

Key Takeaway

Whether the banking industry also continues to thrive in the retail financial services segment will depend entirely on how well they navigate the next few years along with open banking. The success stories will be those that can stand the ground with flexibility and imagination to create offerings by meticulous use of APIs and bringing together multiple domains, within and outside of financial services. To explore the growth potential, C-suite executives must also be aware of the global open banking situation. In the next part of this series, we explain the challenges and opportunities of adopting an open banking business model.

In the first part of this two-series insights, we looked at why retail banks must ride the Banking as a Platform or BaaP wave to create revenue streams, enhance customer satisfaction, and build partnerships with fintech companies to walk toward new-age automation in finance.

McKinsey reasonably points out that “Banks are better served to get ahead of and define the trend rather than waging a futile battle to repel it.” Given that many CMOs, CIOs, and C-Suite Executives are interested to upend the status quo and explore possibilities that move past their set patterns of vertically integrated, closed-loop offerings, this blog will offer insights into a strategic roadmap for retail banks to compete in a platform world (Fig. 1)

Adopt API-Powered Platform Strategy

After a retail bank has demonstrated its maturity at the level of emerging or the intentional emergence stage on delivering a product set that involves APIs, it can go on to a more specific level for leveraging and monetizing APIs.

In order to adopt an API-fuelled platform strategy, banks must be ready to face organizational and technical challenges. At the organizational level, banks must bring a change in functional mindset through multidisciplinary team creation, redesigning customer expectation strategies, and reshaping business architecture. At the technology level, banks must pursue process automation, experimentation with rapid prototyping, updating development approaches, and maintaining APIs at the internal level.

Generate Platform Exclusivity

More than 50% of the banking executives in the World Retail Banking Report said that the critical challenges to maintaining brand exclusivity are- the multi-home nature of platforms, and the ability of partners to participate in multiple ecosystems. The survey also suggests that nearly three-quarters of the executives are worried about brand dilution in such an ecosystem.

Therefore to understand how banks can build and maintain exclusivity, they are also looking toward those industries which are taking the platform path. For instance, Amazon boosts homing costs by charging third-party sellers higher fees for orders not placed on the retailer’s marketplace. One way in which Banking as a Platform or BAAP can gain exclusivity is if they lock Fintech company or software development company in the strategic investment ecosystem.

Confront Brand Dilution

CMOs and CIOs, they can create strategies that are separate from core bank offerings. This way, they can ensure that their exclusive offerings get top billing and that the brand does not get diluted. An example in India is the digital application platform of HDFC Bank which provides loans against securities- mutual funds. It meshes an exclusive offering of loans into its exclusive digital application platform.

Avoid Product Cannibalization

Cannibalization is a chief concern of several bank executives, the survey in the World Retail Banking Report explains. Competition with fintech companies is a direct result of the digitization of financial services. But, one strategic way to avoid cannibalization could be to ensure that the partner products do not sit in direct competition with the bank’s product offerings. This will prevent the fintech companies from eating into the bank’s core business. Another method could be to avoid cannibalization, bank CMOs must work to ensure that they don’t invite third-party vendors with direct competition into their own ecosystem.

Meet Customers’ Lifestyle Needs

When banks seek to differentiate their Banking as a Platform or BAAP and build intense customer journeys through platform banking, they can mesh traditional offerings with lifestyle products that are non-financial in nature. Targeting lifestyle solutions that can drive customer engagement without jeopardizing bank offerings to a lower position in the chain can be a way to hit equilibrium.

For example, CaixaBank, a Spanish multinational financial services company, offers non-financial services like educational content, shopping, games, music, and video through its lifestyle banking platform while complementing its core financial offerings. After one year of launching its lifestyle banking platform, the mobile-only digital bank got hold of 3.1 million customers.

In this context, Zac Maufe from Google Cloud says, “embedded finance will be critical within the futuristic banking equation, where financial institutions are available whenever customers require financial services.”

Prevent Platform Leakage

Banking platform ecosystem can increase its value for customers and partners through cobranding arrangements and preferred pricing to ensure that there is no erosion in the banking ecosystem. To avoid third-party partners circumventing their banking platform and engaging directly with the bank’s customer base, CMOs can also offer support services to third parties. So this means that what begins with the banking platform must also stay there.

One example of preventing platform leakage can come from another industry, for instance, India’s travel and accommodation agency, OYO. They prevent customer leakage from its ecosystem by supporting partner hotels with advertising, financing, and brand management.

Measuring the Success of a Banking Platform

Banking as a Platform is a wave that’s still rising, and to which incumbent banks are not yet accustomed. The platform world operates in a different mindset than what retail banks are used to. So what is the right way to measure the success of a banking platform? “The accurate measure of an ecosystem will be the net impact of a consumer on the parent and associated entities,” said Raghuram Iyengar and David Reibstein, professors of marketing at the University of Pennsylvania’s Wharton School.

Effective metrics include network effects, customer acquisition rate, the effectiveness of engagement in the market, and asking internal questions like how diverse the platform is in their offerings and partnerships.

“The ripple effect of a single customer journey will be throughout the ecosystem. It can help derive the value that a particular customer brings in and the value that the customer can get driving engagement and network effects,” add Raghuram Iyengar and David Reibstein.

Future of Banking as a Platform as We See It

The nature of Banking as a Platform or BAAP is to grow gradually through an ecosystem of complimentary offerings through services and solutions. Hence, cross-platform offerings or hybrid business models such as Amazon pay-Icici Bank partnerships make way for the business.

If you’re interested in embedded banking into the platform and are looking to partner with a digital experience company, learn how Valuebound can assist you in carving a successful BAAP journey. 

Banking as a Platform (BAAP), or platformification of banks is increasingly becoming an accepted business model for several banks to cultivate, monetize, and leverage APIs. BAAP or Platform Banking is not a new concept, a World Retail Banking Report by Capgemini explains. For example, a 2021 study by the European Banking Authority found that 97% of banks in the region used platforms to market and distribute products and services, while 83% reported exploring opportunities to use platform models to diversify and expand beyond their primary geographic markets.

India’s digital banking platform market was worth USD 776.7 million in the year 2021, according to BlueWeave Consulting Study. The study underscores that the market is estimated to grow at a CAGR of 9.8%, earning revenue of around USD 1,485.5 million by the end of 2028.

This growth of Banking as a Platform is attributed largely to faster digitization in the country. Another factor is the faster adoption of growing technologies like artificial intelligence (AI), cloud computing, the Internet of Things (IoT), and the use of APIs- all of which leads to automation in finance, higher customer satisfaction, and increased business revenue.

Bank’s CMOs, CIOs, and C-Suite executives can gain usable insights from this blog for building customer-led journeys and a data- and technology-driven product or service platform. But before we dive deeper into the subject, it is essential that we know what is Banking as a Platform or BAAP.

What is Banking as a Platform?

Banking as a Platform is defined as a business model where third-party developers build products or services for banks. These developers can be from a fintech or any other software/technology company, and they embed APIs into platform functionalities, while a banking platform can itself manage data exchanges, authentication, and compliance.

Is Banking as a Platform & Banking as a Service the same?

In layman’s terms, a fintech or any other software/technology company can develop a product or service and “rent” it to a bank. Banking as a Platform cannot be used interchangeably with Banking as a Service (BAAS) because banking institutions enable fintech and non-financial businesses to provide financial services in the latter. So these are two exact opposite terms. In fact, BAAP is a business model that fits perfectly into the modern-day financial ecosystem, where fintech companies can enable banks and work in conjunction rather than as two separate bodies, to enhance customer experience.

Banking as a Platform is hence, largely being accepted to embed banking into the broader ecosystem journeys of customers to empower inclusivity and sustainability. Banking as a Platform or BAAP is also known by other names like Platform Banking, Open Banking, and Ecosystem Banking.

Speaking specifically of India, the digital banking platform market is segregated into two types- based on their deployment. These include- on-premises and cloud segments. Cloud deployment of Banking as a Platform product has more market capture due to better traffic, faster access to data, and improved efficiency. Also, cloud deployment of BAAP offers faster rectification and tracking of issues, which in turn, reduces the risks of reputation damage.

A third of retail banking customers were interested in platform services offered by their primary lender, a Deloitte survey conducted in the United States said. 34% of customers surveyed said they were willing to use platform banking service they were willing to use platform banking services, whilst 25% said they were neutral.

Younger customers, both Gen Z and Millennials are more inclined towards financial superstore app, with an overwhelming 75% and 67% approval, respectively. 54% Gen X and 33% Boomers showed interest in a digital banking platform whilst on a cumulative level, 55% of all respondents had shown interest in India.  
While prolific growth is highlighted in this business model across all geographies, there are still some reservations due to the traditional way of working. So why should banks consider BAAP?

Moving Past the Status Quo: Why Banks Must?

“The key question incumbents must ask themselves is whether banking is a destination or an enabler? As an enabler, banks can go beyond their products/ services and embed themselves within customers’ lives, paving the way for ecosystem banking,” says Christopher Young, Director, Financial Service Strategy, Adobe.

Banks that embrace Open Banking trends could profit from a potential revenue uplift of 20 percent, whereas those failing to do so risk losing 30 percent to disruption by the end of 2020, per one study from Accenture.

All parties are in a triple win-win situation when they adopt a BAAP model.

• Customers- They are still owned by banks, and by adopting a BAAP model they win because of better, newer, and tech-advanced services from banks.
• Banking as a Frontend- Banks win in this model because they can increase customer engagement, customer satisfaction, and revenue, while also saving development and support costs.
• Fintech- Fintechs are well integrated into the banking platform with the help of APIs. So, banks are powered by fintech companies. Meanwhile, fintech companies win because they can sell their product to a reputed and established institution for a profit.

Benefits of Banking as a Platform

Apart from focusing on the core business, banks can leverage platformification with major benefits as mentioned below:

• Reduced cost and time that goes into development of a product
• Maintenance costs are being borne by the fintech company or software development company
• BAAP introduces a new way of banking for customers, where they find new services
• Platform banking strengthens a bank’s position in the market
• Open banking or BAAP increases customer engagement and satisfaction

Banks can make use of the platform in a different way according to geographies, demography and market competitiveness. For example, in a highly competitive market or region, more importance is given to differentiation. So banks can have their SWOT analysis and build a platform or ecosystem around it. In a less competitive environment, BAAP can adopt the opposite strategy. It can become a one-stop shop by offering all possible services on a single platform.

RazorpayX: A Successful Use Case of India’s Neobanking Platform

RazorpayX is the neobanking platform belonging to the unicorn Razorpay. This neobank has already served more than 10,000 businesses- helping them process payroll using Opfin, paying expenses using a Corporate Card, and paying business vendors in real-time using the underlying payouts layer.

RazorpayX allows customers to open and operate fully functional current accounts, which come with standard banking features like debit cards, account statements, and cheque book. This platform has API banking capabilities, along with insightful reports, and approval workflow. RazorpayX also helps with automation in finance by refunding Cash on Delivery orders using Payout Links.

Future of Platform Banking

Embedded analytics will become the undercurrent of platform banking, along with key differentiators of AI and ML to enhance customer experience. The DNA of Banking as a Platform (BAAP) shall be defined through API strategy and how agile a bank is to fully use APIs.

While the future of BAAP or platform banking is still in a nascent phase, strong strategic planning and a roadmap can help trail retail banks’ path to a complete platform world. Hence, it’s a ripe time for the banks to consider consolidation for newer business models which would help them compete in the present business environment.

In our next blog of this two-part series, we put the idea of BAAP to the next level, explaining strategies for retail banks to compete in a platform world.
 

Banking 4.0 can be defined as the foundation of creative destruction that came through fintech companies, transitioning innovation, and traditional retail banks reorganizing their business models on new-age digital principles of platforms, apps, data intelligence, and embedded finance. This radical reordering brings a promise of platform-based banking to deliver experience-driven customer satisfaction through the optimum channel.

CIBC, the Canadian bank, for instance, has seen customer acquisition rates in three primary lines of business increase by 65% due largely to personalization efforts, a Capgemini report suggests. In the present financial ecosystem, hyper-personalized and growth-oriented digital environment, the competition for retail banks lies in customer trust, delivery channels, and data.

“Bank 4.0 is essentially embedded, ubiquitous banking built into the world around us through technology layer,” says Brett King, a global best-selling author, and a FinTech futurist, in his statement to Economic Times. Hence, banking 4.0 is essentially about shifting the financial service orbit by demolishing long-standing practices and experimenting with that which hasn’t been done yet.

At the heart of this transformation are today’s chief marketing officers (CMOs) and chief information officers (CIOs) who are also evolving in their role as chief customer strategists. This insight is for such new-defined roles in the retail banking sector that are trying to leverage technology to orchestrate unique customer experiences by coordinating technology, compliance, and data. Leaders who’re aiming at breaking data silos and ensuring that banks of the present finance ecosystem have capabilities to deliver real-time data-driven experiences will find our insight useful as we explain how banks can deliver value now, and what they can learn from fintech companies.

Why Banks Must Move From Status Quo?

In Brett King’s book entitled Bank 4.0: Banking everywhere, never at a bank, the description says that in 30-50 years when cash is gone, cards are gone and all vestiges of the traditional banking system have been re-engineered in real-time, what exactly will a bank look like? How will we reimagine a bank account, identity, value, assets, and investments?

“Banks have historically focused on capturing value and have forgotten about customer experience. Capturing value and profit is not contradictory if a bank focuses on long-term customer relationships,” says Alexander Weber, Chief Growth Officer of a German neobank.

95% of banking executives in The World Retail Banking Report highlight that legacy systems and outdated core banking modules inhibit efforts to optimize data- and customer-centric growth strategies.

Evolving consumer tastes, a hyper-competitive landscape, and increasing regulatory scrutiny around data usage among some other factors (Fig. 1) are critical present contests that challenge banks in their abilities to digitally grow and evolve. The report also highlights structural challenges across the customer lifecycle (Fig. 2) and data challenges (Fig. 3) that incumbent banking institutions face.

It is on the lines of these pain points that incumbent banking institutions can compete in the fintech environment with a vision of futuristic banking 4.0 and move from the status quo.

Bank 4.0: A 4-Pronged Vision of Future Banking

The last two years have been quintessential in pushing the Banking, financial services, and insurance (BFSI) sector faster into the future. With the penetration of fintech companies as we move forward, financial services will be entirely driven by virtual facilities through platform-based models, cloud data storage, blockchain technology, digital channels, and other futuristic changes. Comparing the customer acquisition cost between digital and branch shows that the former has a cost of $5 per customer, while the latter has a cost of about $350 per customer. So, the digital acquisition cost of customers is another modality that’s driving the future of retail banking towards Bank 4.0.

In the section below we explain a 4-pronged vision of how Banking 4.0 will unlock hyper-personalized engagement and drive revenues for traditional working retail banks.

The banking 4.0 vision should include recasting the business model with platform-based solutions, revamping customer perception, strengthening data capabilities, and increasing impetus between fintech and traditional banking (Fig. 4)

Recast Business Model with Platform-Based Solutions

Bank executives and customers fall in a similar bracket of expectations from the distribution channel. About 80% of both groups continue to view the website as a critical point of interaction. Mobile apps were cited by 77% of consumers, compared to 91% of executives, while branches were valued more by customers (75%) than executives (58%) in the survey done for The World Retail Banking Report 2022.

Platform-based products and services are promising for filling capacity holes and expanding retail banking revenue. However, banks are still at the cusp of technological reforms, and the executives struggle with cannibalizing products through ecosystem partners, preventing brand dilution, and maintaining ecosystem exclusivity for partners.

While new fintech players can accelerate customers’ expectations around the convenience, transparency, and speed of digital products and services, banks still have a few dominant areas where they can respond to position themselves for the future.

Revamp Customer Perception

Creating a positive brand perception on the grounds of low latency, and low friction, with an element of experience design, and ZeroOps is needed to redefine and revamp customer perception. Bank 4.0 is about capturing value by introducing relevant and low-priced innovative products, enhancing API and cloud capabilities, and strengthening internal processes for frictionless omnichannel experiences.

To change customer perception, the following recommendations can work well-

• Engage customers through VR/AR immersive experience
• Reinforce the commitment of the brand towards green banking by integrating ESG parameters into banking products
• Embrace models that bundle financial service, and non-FS together
• Drive collaboration and co-innovation to expand the banking product portfolio
• Embrace cloud and APIs for a robust digital foundation to improve internal processes
• Synchronize digital and physical channels to shift from multi-channel engagement to an omnichannel experience

As an example, Canada’s CIBC embraced a third-party experience management solution that uses first-party cookies to help build a more scalable and relevant digital platform. This platform allows it to prioritize and push targeted mobile promotions to customers and synchronize data to create models that can update product pages quickly and at scale. The platform also enables the bank’s busy customers to set up direct deposit payments, request financial relief, or apply for credit card rate reductions or mortgage payment deferrals in seconds.

Result? Mobile conversion rates increased by 50% and website conversions more than doubled. Bank leaders have credited digital investments made in 2021 and a cloud-first strategy for CIBC’s adjusted year-over-year revenue growth of 7%.

Strengthen Data Capabilities

At the turf of a retail bank brand, is the data that CIOs and CMOs can defend and use to succeed in this competitive environment. Retail banks have access to huge transactional, behavioral, and financial data, which they can use to create profitable customer relationships and understand customer behavior. But the point is- are you investing in technological capabilities to harness this data for your advantage?

The enormous volume of customer data that is supplemented by information from data ecosystems and third parties can strengthen any incumbent brand to leverage this ability and drive customer engagement and revenue. Structuring and organizing data silos with a centralized repository, such as a customer data platform (CDP) can help in generating deeper customer insights. Retail banks can also leverage large volumes of internal data to gain customer insights and a competitive advantage against fintech.

Increase Impetus between Traditional Banking and Fintech

The staggered tech shift in last few years calls for an increased partnership between traditional retail banking and fintech. Technology can be a force multiplier for a traditional bank. Hitesh Sachdeva, Head of Startup Engagement, Innovation and investments at the ICICI Bank, India, emphasized, “We realize that innovation has two broad approaches. One is you keep building a lot of innovation inside the bank. But it has its own limitations. And the other way to capture the innovation is to tap into the innovation happening in the outside ecosystem, and amalgamate it inside the bank with platforms, partnerships, and collaborations with start-ups, to create innovative products, which are in alignment with our digital roadmap, for rapid prototyping experimentation and then make it the core of the bank.” So this way, fintech companies can play an influential role as the ‘enabler’ of traditional banks, rather than the ‘competitors’.

In a Nutshell

Banks can clearly deliver value by shifting from monolithic broadcasting models to engaging interactive service delivery of fluid experiences to customers. There has to be a shift from brand custodians to brand experience custodians. Bank 4.0 innovations can hence help shape a growth trajectory around four critical areas- product, customer experience, data, and technology.

The recipe for new-age digitization lies in a coherent and integrated strategy. Bank CMOs and CIOs keen on delivering personalized experiences to customers or orchestrating bank 4.0 innovation, can get in touch with the Valuebound product engineering team to learn how we can help to convert your revenues by turning customers into brand evangelists. 

75% of customers in the World Retail Banking Report 2022 opined that they are attracted to FinTechs’ cost-effective and seamless services focussed on automation in finance. This significantly raises their digital banking expectations. Oracle's study finds that nearly 81% of customers use digital channels while interacting with banks to avoid physically going to the bank. Retail customers of nearly all banks have reported Internet and Mobile banking outages. This is because all traditional banks in India are built on the foundation of security rather than scalability, and most banks are still not comfortable with cloud migration. This is where new-age, next-gen FinTech companies are overpowering traditional retail banking in India.

For starters, technology and fintech have challenged the status quo of conventional retail banking- impacting their revenue as well. With the future of fintech in India becoming more relevant, it’s about time that automation in finance becomes a central theme across all banking services in India.

In our insight, we explain the core themes that can drive new business models in the retail banking industry in India.

The Metamorphosis of Retail Banking in India

Consumers have better expectations regarding customer service, reduced app or web downtime, and core functions like investments, savings, payment facilities, and credit across segments, but topping them all with the seamless user experience across various platforms.

Financial inclusion became a keyword a few years ago, which penetrated technology and fintech into the banking services, leaving the conventional firms wondering if their time is up. In a simple definition, financial inclusion means an act where all consumers across the length and breadth of India are included in the banking services. The digital literacy divide among the Indian audience is a major pain point among IT security, regulatory uncertainty, and differences in management and culture.

Most Gen Z and Millennial Indians have started calling fintech the primary financial service provider. Hence, it doesn’t matter whether a new product or service comes to the market or not- fintech has captured the mind share and market. Regarding the impact of fintech on Indian retail banking, fintech companies have not replaced the traditional banking model- they’ve only introduced new services and products in the market. This has fundamentally metamorphosed supply and demand for financial services. So where does that leave the traditional retail banking industry in India?

Technology and Fintech: A Game-Changer for Traditional Banking Model in India

The regulatory authorities in India realized that technology could be a game changer for financial inclusion in India. Institutes like the National Payment Corporation of India (NPCI), the Institute for Development and Research in Banking Technology (IDRBT), and the India Stack became the key pillars to set the foundation of fintech in India with the intent of driving digital transformation in finance and advancing the motive of financial inclusion.

To combat the pain point of the digital divide, schemes like NFS, UPI, Aadhar, and Digital India set the foundation for financial literacy and inclusion, which led to automation in the financial landscape of the country. Against these grounds, it might become useful to comprehend the impact of fintech on retail banking in India.

There are 6 core themes that Valuebound observes regarding the impact of fintech on Indian retail banking-

Customer Experience & Customer Engagement at the Core

Channel diversification has become the key driving factor in the retail banking sector in India. Critical reasons for this include growth in the number of mobile users. As per Deloitte's analysis, the demand for smartphones in India is expected to reach about 400 million in 2026 from 300 million in 2021. Increased use of web-based platforms is another strategic reason for channel diversification to cater to a larger audience. Mobile-first approach to reaching out to the customers, and offering mobile applications to the clients for banking-at-the-doorstep is an investment that most traditional banks are now making to enhance customer experience substantially.

Integration & Collaboration

Fintech incubation programs and captive accelerator programs have increasingly become popular among traditional banks in India to foster innovation and create a safer environment for customers. One such example is the SBI Fintech Innovation Incubation Program (SBI FIIP), which runs with an overarching purpose to promote a culture of FINTECH innovation and entrepreneurship in India.

While the traditional banking models remained upended due to the fintech ecosystem 5 years ago, they’re now actively introspecting how they can be a part of disruptive innovation. Account Aggregators under open banking architecture are another notable change in India’s retail banking ecosystem.

Establishing Win-Win Partnerships

The win-win partnership between new fintech entrants and traditional banks gives a direct benefit to the country’s financial ecosystem with customers at the center. Potential opportunities could include expanding infrastructure capabilities by banks and enhancing knowledge of product design and IT development.

Access to lending is set to be democratized, the lending models will be subject to greater regulatory scrutiny. While overall credit card penetration will increase, the role of non-banks is unclear; to be shaped by regulation, which explains the need for win-win partnerships. These developments bring banks, NBFCs, and Fintechs closer, as collaborators and not as competitors.

Building Strong IT Infrastructure

In December 2020, Shaktikanta Das, the RBI Governor urged banks to invest more in IT infrastructure and technology to remain competitive with Fintech companies. The retail banking sector in India does not lack the capital to invest in technology- there’s a lack of vision and business leads that could take strong decisions. Yet, the metamorphosis of retail banking we talked about in the previous section is visible now.

In 2021, HDFC Bank created its own Digital and Enterprise Factories to enhance the digital banking experience of customers. This enterprise factory aims at upgrading legacy infrastructure, decouple existing systems, and build its own capabilities by embracing open-source to build resilience and scale.

“The Digital and Enterprise factories will help us realize the strategy of ‘running’ the bank, while ‘building’ the bank for the future,” says Parag Rao, Group Head – Payments, Consumer Finance, Digital Banking & IT, HDFC Bank. He also adds, “we have led the digital transformation of the Indian financial services sector and continue to invest in technologies.”

Mitigating Cyber Security Risks

Cyber security risks erupt when external APIs interact with banks’ IT systems, leaving the bolt open for vulnerabilities and information breaches that transverse the positives mentioned above. The banks are now partnering with IT organizations to address such challenges. However, cloud sourcing increases risks of money laundering, data security, customer privacy, and cybercrime- all of which can be addressed with strong decision-making and advanced technologies in place.

Compliance and Regulations

Reliability of APIs and the cloud has increased interconnectedness amongst banks and third-party apps, which may not be subject to equivalent regulations and compliances. Banks cannot risk non-compliance with data privacy and security. But if vetted technically and through the right channels, traditional banks can utilize this in their favor- something where fintech companies would lag behind.

Wrapping Up

These developments bring Indian banks, NBFCs, and Fintechs closer, as collaborators and not as competitors. The success of innovation and amalgamation between retail banking and fintech largely depends on regulations and compliance. In spite of the long way to go, the impact of fintech on retail banking in India shall emerge for the highest good of digital transformation of financial services and customers. 
 

In June 2021, providers of unified payments interfaces (UPI) in India recorded a total of 2.8 billion digital payment transactions worth over five trillion Indian rupees. This was an increase compared to May 2021, according to Statista research. It also underscores that in the financial year 2022, digital payments in India reached a total of over 239 billion Indian rupees. This marks a significant increase from 20.7 billion Indian rupees in the financial year 2018. The emergence of UPI or unified payments interface is an initiative by the Government of India to introduce a standardized protocol where banks, bank-like organizations, and non-bank entities could communicate with one another so as to make India’s payment system digital native.

What is UPI or Unified Payment Interface?

Launched in 2016, UPI is a National Payments Corporation of India (NPCI) payment system that allows online payment and cashless money transfer using a simple mobile system.

UPI works on the concept of virtual payment addresses, which makes it interoperable- the greatest advantage that changed the payment landscape in India. UPI leverages the present infrastructure for authentication and enables one-click payment. By eliminating the need for sharing sensitive information like bank account numbers and One-time passwords (OTP), UPI has facilitated a safe, secure, and game-changing digital transition toward India’s nearly cashless economy. Unified Payment Interface is a platform that is both backward compatible as well as futuristic. Yet, when we speak of safety, there are a few things that are at stake.

What’s at stake during UPI Transaction?

A two-way payment transaction begins with a need for the sender or an entity that needs to transfer money to the receiver or second entity. Both entities could be either individuals or merchants or even government organizations. Three core requirements to be met for completing a payment transaction using UPI include sender authentication, receiver identification, and authorization. During these steps security at the infrastructure remains a major pain point of the UPI. Banks do not have a core competency of safely transmitting information, and placing the entire burden of two-factor authentication on the banking systems leads to insecure communication channels and non-standard authentication processes among different institutions.

So even while the reason for UPI’s success is a modern unique identifier for every individual, there are certain things that remain at stake, which are-

• Virtual payment addresses & Individual’s Digital identity
• UPI ecosystem that’s built and integrated for provisioning services
• Security of the identity, transaction information, and data over the network
• Response Time since the speed of transaction is the highest

Some of the other things also include regulatory compliance, financial and reputational aspects, and confidence of customer and market trust.

Ensuring UPI Security

Cyber security of Unified Payment Interface is targeted towards four main offerings which include process controls, functional controls, technology controls, and vulnerability detection. Across these four offerings, a product owner should consider the following points for UPI security-

• Ensure that the UPI environment and interfacing systems are secure
• Security of identity on mobile devices must be ensured
• An organization must introduce new security tools in context with the changing business model
• To ensure effective monitoring and analysis of security risks, advanced and smart analytics tools must be used
• Compliance with regulations and adopting industry standards help in further strengthening the security of UPI

OWASP Mobile Top 10 2022 for UPI Security

The Open Web Application Security Project (OWASP) is a non-profit foundation which provides remediation guidance to improve software security. OWASP Mobile Top 10 provides a ranking and most critical security risks for mobile application, alongside suggestions on how to remain protected against these attack vectors. The top 10 attack vulnerabilities OWASP Mobile Top 10 in 2022 are-

• M1: Improper Platform Usage
• M2: Insecure Data Storage
• M3: Insecure Communication
• M4: Insecure Authentication
• M5: Insufficient Cryptography
• M6: Insecure Authorization
• M7: Client Code Quality
• M8: Code Tampering
• M9: Reverse Engineering
• M10: Extraneous Functionality

Security Considerations: 5-Step Roadmap to Create Secure UPI Product

The proportion of UPI transactions in the total volume of digital transactions grew from 23% in 2018-19 to 55% in 2020-21 with an average value of ₹1,849 per transaction. The volume of UPI transactions calls for security considerations in place to create a secure UPI product that ensures customer trust and retention. Valuebound recommends following UPI security considerations to ensure benefit-realization of the product (Fig. 1).

Web Protection

This includes protection from cyber fraud and safeguarding digital identity. Google Pay, for instance, suggests prerequisites for integrating it with a site. These include-

• Ensuring that business channels are verified merchants by NBFC/ banks
• Ensuring that all details needed to accept payment using UPI ID are available
• Ensuring to have required APIs from the bank to check payment status
• Ensuring that every transaction uses a unique transaction ID

Fraud Detection

Early detection tools can reduce Mean Time to Detect (MTTD) for new-age frauds like Distributed Denial of Service (DDoS), ransomware, application vulnerability exploits, merchant frauds, spam, reconnaissance attacks, software supply chain attacks, and account takeovers.

Secure Design

Embedding security needs or adopting the DevSecOps model in the development programme helps in putting cybersecurity at the central part of the production pipeline.

Technology Design Review

Encryption and authentication strategies like public key infrastructure (PKI) and hardware security modules (HSM) help secure UPI product.  Network architecture, application program interface (API) and interface security form an integral part of technology design review.

Operations Readiness

A new UPI product should have compliance with National Payments Corporation of India (NPCI), Reserve Bank of India, and IT Act guidelines to avoid compliance and regulatory hiccups. UPI security also includes log maintenance and advanced log analytics.

Conclusion

In 2021, out of the 2.8 billion transactions, PhonePe had a share of 46 percent and GooglePay a share of 35 percent. Third big player is Paytm with a share of nearly 12 percent. The volume of UPI transactions and India’s digital ecosystem is a testimony that the scaled-up mobile banking infrastructure is here to stay and transform the economy. Creating a secure UPI ecosystem becomes more important due to the exponentially growing customer base. If you wish to learn how Valuebound processes solutions to ensure a safe and secure UPI product for you, get in touch with us.

Microservices have become a key ingredient in the successful recipe of a FinTech product. Even conventional financial services have recognized the importance of microservices in their digital transformation journey because microservices can digitize legacy systems of financial service companies and banks by re-architecting apps into newer ones. The popularity of microservices can be understood by the fact that over 37% of IT respondents said they at least “partially” used microservices in 2021, while 34% fully used them. This is almost 25% higher than that in 2020, according to the 2021 Global Survey results of the GitLab DevSecOps report.

Even though microservices involve complexity, monitoring systems, and organizations, the results and benefits of microservices in the FinTech industry are worth the efforts. Microservices can increase productivity by up to 50% and decrease overhead costs by half on average. The idea behind using microservices is simple- making a product that fits the bill of scalability, agility, and a constant change of market scenario- something that’s easier said than done. Age-old monolithic systems are not only difficult to restructure but also burn the pocket.  In this insight, we compile best practices for microservices that will help you build a winning FinTech product.

What Are Microservices?

Microservices are a cluster of interconnected, and still independent frameworks, libraries, and tools which are designed to perform their tasks. They are written to support business goals by using different languages. Microservices are built within smaller, multidisciplinary teams, which makes it easier to deploy, test, and maintain.

Best Practices for Microservices in Fintech

Have Dedicated Infrastructure to Support Business Functions

Addressing vital issues like App security, load balancing, performance, caching, and monitoring is critical. To work on these issues, it is essential to ensure quality cloud computing services or hosting, which can handle traffic load and make the product work.

Go Slow While Migrating a Monolithic App

Monolithic architectures, also known as tight coupled architectures, come with their own set of baggage, such as stack dependencies that do not allow embedding of the latest technologies. Danske Bank, for instance, worked with monolithic architecture that relies mostly on resource sharing. This prevented the bank’s processes from functioning independently. Also, such an architecture may send unencrypted user data, which accounts for a major security breach. Monolithic architectures are not computable with microservices, which is why migration must go slow. The best practice for a financial service or fintech company is to recognize its pain points and know what legacy functionalities it needs for functionality on new architecture.

Automate RESTful APIs

REST APIs are flexible and portable, allowing a company to migrate from one server to another. Also, it helps perform database changes with much flexibility. Having said that, hand-coding customer RESTful APIs for individual microservice in the architecture requires tremendous time and resources. One way could therefore be to include a feature of automatic API generation which converts any database into REST API.

Prioritize Loosely Coupled Architecture

Loosely Coupled Architecture, also known as microservices, is lean, independent, and has a single responsibility principle. This means that each microservice is dedicated to performing one particular function only. Therefore, it makes maintenance, testing, and fault rescue an easier job. Microservices are popular in fintech app development because they can be deployed independently, and also have a lot of business responsiveness due to a clean interface for communication.

Adopt DevSecOps Security Model

We have already discussed fintech API security risks and challenges and a winning security strategy. Adopting the DevSecOps model at the core of the Software Development Life Cycle (SDLC) helps in creating a secure codebase. DevSecOps focuses on embedding security at the early stages of SDLC. This methodology uses cybersecurity as the central part of the production pipeline with other phases like architectural designing, coding, and testing.

Deploy Easily With Containers

Deploying microservices in containers makes migration flexible and portable, while also helping in managing services independently. Container Architecture is popular for deploying microservices for fintech. It comes with several benefits like container-centric infrastructure orchestration, container runtime, container orchestration, self-healing mechanisms, load balancing, and service delivery. Kubernetes application deployment architecture is such an open source platform that is widely used among developers for grouping microservices in the fintech platform.

Introduce Microservices Central Logging

As basic hygiene in microservices, central logging is considered the best practice. It is a must to have a centralized logging location and add sufficient context to logs to identify the difference between useful and useless log data. Microservices central logging enables visibility for debugging issues in a better manner.

Use Case of Microservices in Fintech: Monzo Bank

London-based Monzo Bank uses more than two thousand microservices in its architecture for building its mobile-first, cloud-native digital bank while also being compliant with regulations. The fintech application uses AWS hosting for core banking, leveraging cloud computing strength to derive benefits like flexibility and scalability. Cloud eliminates hiccups around provisioning management, infrastructure, and capacity limits.

The core banking system of Monzo Bank is established on the platform using microservices with virtualized servers that have container tools like Kubernetes and Docker. The architecture of the platform is composed of smaller elements that can scale as an entire entity, including APIs, and communicate synchronously or asynchronously. For easy interoperability, the banking fintech app is platform-agnostic. Monzo Bank’s greatest benefit from microservices architecture is organizational flexibility.

Suhail Patel, the backend engineer of Monzo says, “Monzo is a fully licensed and regulated bank in the UK. We have no physical branches. We've had this API ever since we began. You can manage all of your money and finances within the Monzo app, and the bank has more than 4 million customers in the UK.” He also adds, “We build services which are granular enough to be easily understood. Ownership of services is well-defined but can be fluid based on the goals of the company.”

In Conclusion

Fintech companies and legacy financial service companies must adopt best practices while using microservices to enter new markets and position themselves rightly. With platform banking and new-age banking apps, enhanced customer experience goes a long way. In the long-term, moving to sophisticated microservices architecture-based core MVP, a fintech solution must also coordinate with service mesh. The end goal of microservices architecture in fintech or banking services is to align different services and products from multiple platforms to provide a uniform customer experience.

To know more about the use of microservices in fintech and implementing best practices, let us connect. You may also write to us at hello@valuebound.com.

Google PageRank is an essential factor that Google considers while deciding whether or not your website will show on the top Search Engine Result Pages, also known as SERPs. Appearing on top of search engine listings means that your content is easily seen by the users. While there are other search engines, Google PageRank is a gold standard for your content, and other search engines also follow similar techniques for listings. It not only becomes a significant factor to the popularity of your content but also reaps direct benefit for your product or service. Hence, tracking Google PageRank for keywords is critical analysis that must be done at the organizational level.

Google PageRank

PageRank(PR) is a Google Search algorithm that ranks websites based on how important they are. It was named after the term "web page" and co-founder Larry Page.The more important a website is, the more likely it is that it will get links from other websites.

Monitoring the progress of keywords you want to rank

It becomes a tedious task to repeatedly search for the keywords you want to rank and monitor the progress. There are quite a number of expensive tools to monitor keyword rankings. This can be accomplished by using scraping libraries provided. One such tool is googlesearch, which is a Python library for searching Google, easily. googlesearch uses requests and BeautifulSoup4 to scrape Google.

In this blog, we aim to provide a tutorial on how to get Google pagerank in Google spreadsheet. The arrangement of this kind makes it easier for an organization to track and monitor the progress of their keywords. So let’s begin.

Step 1: Install googlesearch Python Library

To install googlesearch Python Library, run the following command:

python3 -m pip install googlesearch-python

Required Params of the googlesearch: Your basic requirements for googlesearch include-

• query: query string that we want to search for
• lang: Language
• TLD: TLD stands for the top-level domain which means we want to search our results on google.com or google.in or some other domain
• num: Number of result we want
• start: The first result to retrieve
• stop: The last result to retrieve. Use None to keep searching forever
• pause: Lapse to wait between HTTP requests
• Return: Generator (iterator) that yields found URLs

Python code

Follow the code below to move ahead on the process.

Step 2: Google Spreadsheet Settings

Make sure you are following along, you'll need a spreadsheet. Head over to Google Sheets and create one.

Step 3: Create a service account and OAuth2 credentials

Now, you'll need to create a service account and OAuth2 credentials from the Google API Console. Follow the simple steps below to enable the API and grab your credentials.

• Head over to the Google API Console.
• Create a new project by selecting My Project -> + button
• Search for 'Google Drive API', ‘Google Sheets API’ and enable them.
• Head over to 'Credentials' (sidebar), click 'Create Credentials' -> 'Service Account Key'
• Select Compute Engine service default, JSON, hit create.
• Save the JSON file in your system.
• Share your spreadsheet with the "XXX@XXX.gserviceaccount.com" email listed in the JSON file.

Step 4: Operations in Spreadsheet

To access spreadsheets via Google Sheets API you need to authenticate and authorize your application. Follow these steps for the same-

• oauth2client - to authorize with Google Drive API
• gspread - to interact with Google Spreadsheets

Step 5: Install Required Package

After completing the aforementioned steps, now Install required package. You will have to install gspread, oauth2client using the following code-

pip install gspread oauth2client

You can perform insert, fetch, update and delete in the spreadsheet. Let’s say you want to fetch keywords from a spreadsheet and have to update the search ranks corresponding to the keywords (Fig.1)-

 

You have every column name as a keyword in the sheet. You will fetch the keywords and update the corresponding rank to that keyword in below row.
 
Finally, import all required packages as discussed above.

 

To Conclude

Tracking Google PageRank is an essential factor in the process of search engine optimization since it measures the importance of a web page. Relevance of any web page is a critical factor that determines it’s PageRank. But tracking the progress is what matters the most to any organization's SEO efforts. Whether you’re an SEO consultant or an organization tracking the progress of your top rated keywords, a good SEO strategy with right measuring tools can go a long way.

Reach out to us if you have further questions on this tutorial on how to automate Google PageRank for your keywords in a Google spreadsheet. 
 

A resounding 94% of IT company leaders reported they have experienced API security problems in production APIs, the SALT, a leading security research firm that identifies API security vulnerabilities, report highlights. Among the critical API, security problems are vulnerability (47%), authentication (38%), data exposure (31%), and breach (19%) over a period from July 2021 to July 2022. (Fig. 1). Malicious API attack traffic surged 117% over the past year, from an average of 12.22M malicious calls per month to an average of 26.46M calls.

In a global and growing API ecosystem Postman users signed in from an impressive 234 different countries and geographies while making 855 million API requests in the year 2021 (up 56% from the prior year). Speaking specifically of India regarding the Country-by-country API growth, the country is in the third spot for the fastest growing geographies (Fig. 2).

Industry-wise, Technology (29%) represents the largest industry that makes use of APIs, followed by business/IT services (28%), banking/finance/insurance (11%), and healthcare (5%). In our previous blog, we mentioned how API attacks are causing significant security concerns among fintech companies that are heavily reliant on APIs to build applications. The result? Unfortunately, 54% of respondents indicate that they have had to slow the rollout of a new application because of an API security concern.

While the reliance on APIs is pointedly high, still unfortunately only 9% of respondents can confidently state that they have an advanced API security strategy that includes dedicated API testing and protection. Meanwhile, an alarming 61% admit that they lack any API security strategy or have only basic protections. API security is considered the most important component of web application security, but before we dig deeper into the best practices for API security posture, let us first understand what defines Application Programming Interface (API) security.

What is API Security?

Application Programming Interface or API enables software applications to communicate with each other, thus enhancing interoperability, among offering other advantages. API security, therefore, means protecting APIs from vulnerable attacks. Since Application Programming Interface, also called API, is so commonly used among industries now, they also carry sensitive software data and functions, thus becoming bait for attackers.

API security is especially critical for the fintech industry which extensively embraces the API-first philosophy. We have already written a detailed insight about Open Web Application Security Project (OWASP) top 10 challenges of API security for fintech companies. This article, therefore, extends further to present several tools, methods, and best practices for securing your APIs.

Architectural Styles Used for Modern APIs: Mitigating Security Risks

Postman’s survey underscores that as many as 94% of its respondents use REST or REpresentational State Transfer as their main architectural style. Some of the other architectural styles used for engineering APIs include webhooks, WebSockets, GraphQL, and SOAP. Among these the most commonly used is also SOAP or Simple Object Access Protocol.

Among specifications, JSON Schema (used by 47%) is the top specification in use, followed by Swagger 2.0 (54%) and OpenAPI 3.0 (40%).

While REST is considered a simpler approach (and therefore most popular) and uses HTTP/S as the transport protocol, it makes use of JSON format for transferring data. SOAP in the meanwhile is the highly structured message protocol to APIs, and supports multiple low-level protocols. Both these types of architectural styles for APIs can support HTTP requests and Secure Sockets Layer (SSL). However, the difference lies in the level of security they offer.

SOAP vs REST API: Which is more secure?

Before explaining which of the two- SOAP vs REST APIs architectural styles is more secure, let us first understand the difference through the table below.

	SOAP	REST
Organized in terms of	enveloped message structure	compliance with six architectural constraints
Format	XML only	XML, JSON, HTML, plain text
Learning curve and usage	Difficult	Easy
Preferred for Community	Small	Large
Use cases	Payment gateways, identity management CRM solution, financial and telecommunication services, legacy system support	Public APIs simple resource-driven apps

API security would remain a priority regardless of the architectural approach you choose. While REST is faster and has a simpler learning curve and ease of use than SOAP, the latter is more secure, and here’s why-

Both REST and SOAP use Secured Socket Layer or SSL for data protection during API call requests, but SOAP also supports Web Services Security. This ensures adding a double layer of protection for the API security. In the case of REST, the security must be built-in for deployment, transmission, and interaction with clients.

SOAP is based upon OASIS and W3C recommendations, and includes XML encryption and signatures, and SAML tokens. Meanwhile, REST does not have its own built-in security capabilities, and the security is based on the API itself.

SOAP supports WS-ReliableMessaging that enables built-in error handling, while REST APIs have no in-built error handling and need to resend the data in case of error.

SOAP can support Web Services (WS) specifications, which enables you to use WS-Security kind of extensions. This provides enterprise-grade security for web services. On the other hand, developers’ architectural choice is deploying REST APIs behind API gateway. So, when the clients send requests for gateway connection, it acts as a proxy and does not directly go to the REST API. This poses security concerns that must be addressed by the API gateway.

The technologies associated with APIs that are most commonly preferred now include Microservices (58%) and Kubernetes (50%), followed by containers (46%), serverless architecture (44%), and GraphQL (35%). This brings us to the segment of GraphQL, the query language that describes how clients request information through APIs.

Mitigating GraphQL Security Risks

Some of the strategies that can help pacify the API security risks arising from GraphQL include-

• Timeout: It can help you secure against large query requests. Among the simplest of all strategies, in this case, the server only needs to understand the maximum time set for a query and not the details about incoming queries.
• Maximum Query Depth: Analysis of abstract syntax tree (AST of query document to understand what is acceptable is called the maximum query depth, and it can help in preventing clients from abusing a query depth. GraphQL server can make use of Maximum Query Depth to function requests by either accepting or rejecting them.  
• Query Complexity- It can be used as a strategy to define the complexity level of certain schema fields which may be more complex to compute. By defining query complexity, you can also restrict those queries which do not fit into the complexity threshold bill.
• Throttling- It can be an ideal strategy for stopping clients requesting medium-sized queries. By estimating the required server time for completing each query type, throttling can be done.

API Security Best Practices

For improving the overall API security the following best practices can be implemented-

• Understand and Identify Vulnerabilities- Even while this could be a complex process, the only way one can effectively secure APIs is by understanding the risks at the API lifecycle steps. Organizations, especially fintech companies, must treat APIs as software artifacts that must also pass through the security stage during their own SDLC.
• Access Control- Non-public REST services must perform access control at each API endpoint. Web services in monolithic applications implement this by means of user authentication, authorization logic, and session management. OAuth, the token-based authentication framework, could be a powerful tool for controlling API access. OAuth does not expose user credentials and also completes third-party service requests for information.
• Encrypt Data for Database Security- Sensitive data, especially personally identifiable information or PII- all of which is managed by APIs- must be protected by way of encryption, by also considering regulations and compliance. Data encryption during rest, and also in transit, with the help of Transport Layer Security (TLS) can ensure that attackers do not compromise with API servers.
• Consider Anti-DoS Approach- With denial of service (DoS) attacks becoming primary in API security leak, it's necessary to involve different profiles within your organization to assess the actual situation and to apply countermeasures accordingly. The core essence of a DoS is to affect the availability of instances or objects and eventually render them inaccessible. Thus, for any information system to serve its purpose, it must be available at any time. Hence why every computing system within the interoperability flow must function correctly to achieve that.
• Use Service Mesh- With the increase in the use of microservices, the importance of using a service mesh has increased too. Similar to the API gateways, service mesh uses different layers of control and management while routing requests. It is an ideal way for the service communication layer. In API security, service meshes can be used for automation and providing security for larger projects that require deploying multiple APIs.

Test Your API Security

It is suggested to adopt a DevSecOps approach to test web applications, with a critical focus on testing API security. With a range of API architectures, you should test your legacy or contemporary applications including REST API, GraphQL, and SOAP.

Leveraging various discovery mechanisms and tools to ensure dynamic API security, Valuebound has helped multiple fintech clients in deploying secure apps.

If you need to discuss API security with us, drop us a hello and let us wrap our head around your query to develop a feasible solution.