The ABCs of APIs

This special code has made possible everything from mobile payments to open banking. Now, get ready for the next stage in the evolution of this remarkable technology.

It seems like it was just yesterday that a group of technology experts from the major California banks were sitting around a table discussing ways to share ATMs. A process-flow diagram of a payment gateway emerged. The description in the box labeled debit gateway read “Magic Happens Here.”

Fast forward almost four decades. Application processing interfaces (APIs) have those same mystical powers.

Simply put, APIs are a set of protocols and codes that determine how different software components can communicate. The original source code for these communication protocols was written years ago by programmers who have long since retired. To facilitate new communication among disparate databases of information, this old Cobol language needs to be wrapped into a newer language (C, C+, or C Sharp) so that the data can be converted to an application.

These applications have been the heartbeat for product innovation and new business solutions in the financial services industry.

For example, open banking has ushered in a new era of cooperation and data sharing among banks and third parties. API integration facilitates an open banking strategy, which uses open APIs to access information from financial institutions for financial data exchange.

Open banking uses “translators” to address the multiplicity of communication protocols. These translators are needed to normalize transactions for processing purposes and to enable access to data from multiple sources. API translation protocols are built into the application to make this work.

Think of APIs as an integration tool that describes how to communicate with a program to access information from it. In this way, APIs enable two applications to exchange data (push or pull) among themselves and allow the capabilities of one computer program to be used by another.

APIs facilitate integration to banking platforms and/or applications and can also build features and functions into proprietary applications. APIs make the integration process easier, and in this way foster a better user experience.

From a payments perspective, open banking enables consumers to pay for goods and services. It makes it easier for them to access information about new products and services and perform routine customer service functions like viewing recent purchases. APIs support the development of these new applications and services.

Payment APIs have made a monumental impact on the e-commerce business, enabling online payment platforms to process card transactions, accept payments from digital wallets, track orders, and maintain user accounts. Operational functions enabled by payment APIs include:

– Transmitting and receiving payloads

– Processing transactions

– Requesting and sending money

– Retrieving account information and balances

– Managing customer / account information

– Sending invoices / accepting payments

– Sending receipt data

– Managing subscriptions

Following are some of the latest developments for APIs in the payment industry.

Core Banking

The introduction of fintech solutions has transformed the banking ecosystem, and APIs are at the epicenter of this transformation. The customer’s account of record resides in the core banking platform. APIs provide that platform with access to disparate systems, applications, and libraries.

The next generation of core systems will be designed to separate channels and customer data management from the transaction, settlement, and accounting functions. These modifications will be facilitated using APIs and incorporating a middle layer for control, management and security.

APIs provide access to payment data, thereby supporting a new level of research and data analytics. Financial institutions can now take user data and use business artificial intelligence to examine patterns and spending classifications, thereby creating more innovative and targeted products and services for their customers.

Merchant Mobile Apps

In the mobile channel, APIs have profoundly changed the functionality and speed by which users can get access to data and make purchases. Merchants are actively promoting merchant-specific mobile wallets, enticing customers with rewards, discounts, and promotions.

APIs allow merchants to build capabilities right into the wallet so that they can track when, where, and what customers are buying and support a myriad of payment options. Browser-based APIs access device components, such as storage, audio, and camera, used in performing those transactions.

Location services can be facilitated right on the device by calling the API on the phone’s GPS receiver. Mapping functions can be built right into the merchant’s proprietary maps using Google’s API for Google Maps.

Social Media

All of us have been on Web sites where you are asked if you want to log in with your Facebook or Google credentials. This is a perfect example of the use of APIs in social media.

OAUTHv2.0 is an open standard authorization protocol that provides customers with access to their data on Web sites and in social media applications without having to use their login credentials. It is the standard for secure access to APIs.

OAUthv2.0 manages shared content in social media and financial interactions; it works in concert with OpenID Connect, an authentication protocol that enables apps to verify the user’s identity and generate information about them. In this case, APIs foster enhanced security and ease of access for the end user.

The Next Evolution

The major trends for APIs center on cloud-based services, security enhancements, business processes, and increased standardization.

Availability of APIs-as-a-Service

APIs-as-a-Service provides users with access to third-party applications and the ability to develop, test, and manage custom applications. API services support interfaces that provide a set of rules to access or interact with functions stored in a system or database.

These API services enable data retrieval from those sources or the ability to alter the data therein without knowing the database system or its rules of interaction.

Users have access to API documents that help them to generate APIs with a level of consistency and standardization. APIs-as-a-Service makes all of these services available to smaller companies at an affordable price.

Building More Security into APIs

One of the biggest industry challenges is that open APIs are relying on the security of APIs as provided by the third parties that built them. The industry is doing more to support best practices security measures for APIs, employing the latest encryption, SSL, key management, DLP, tokenization, and schema validation.

APIs support user authentication for both identity and access management in the customer onboarding process. APIs can help secure all of these layers.

The use of APIs should be policy-based, with guidelines specifying which users can get access to information and what can they do with the information. Establishing rules about the transactions performed (e.g., country of origin, transaction amount limits, etc.) can also help to mitigate risk.

Tight integration of cloud and on-premises applications will enable APIs to be shared safely. The application layer must deal with a wide range of protocols used in application requests. Parameters need to be built around these protocols to ensure security between and among the third parties.

Build Business Processes into APIs

Perhaps the biggest anticipated change is the movement to build business processes into APIs. Say, for example, your bank wanted to support a device registration process as part of the mobile app onboarding. APIs could be used to validate username and password or to send a text-based notification to the customer if the device needed to be registered. These same APIs can be used by the bank to create an enterprise service that can be used and reused across multiple channels, for example, ATMs, point-of-purchase, web, etc.

To make this work, banks will need to build rules and policies based on their lines of business and channel access requirements. The business rules need to specify the functions supported (get a balance, move funds, and so on) for each unique business line.

There may also be channel distinctions for these functions. For example, banks may want to provide lower dollar limits on money movement from mobile phones compared to that available from a customer service agent.

Efforts to Develop a Common Standard

A common language for APIs is needed so that individual applications can interact with multiple systems without having to change API usage language for every different source of data and application. Every system uses the same operations. Differences among services are the types of operations performed and the data sent and received. A single API language is necessary so that, if an application decides to employ a different service, changes to the application code are minimal.

The development of a common language for APIs presents a different challenge in the United States because there is no government mandate for standardization. Organizations are moving to create a common standard for APIs in four major areas: core banking, web, consumer, and back-end.

Good headway has been made in building business processes in these areas, but there are no common standards for some basic banking functions, like getting a balance. Moreover, there is no superset or industry standards group that is overseeing standardization of APIs. Perhaps over time, APIs will follow ISO guidelines.

Some companies will be building common standard APIs for sharing on their own. A case in point: The Clearing House released a template called the Model Data Access Agreement, designed to help banks connect to fintechs via the financial-data exchange (FDX) API, thereby establishing a common, secure protocol between the parties.

The agreement focuses on data security and control through standardized contractual agreements between parties sharing data. That’s a start. In the meantime, there are tremendous opportunities for commercial entities to build out these standards. Let’s see if they rise to the occasion.

Opportunities Abound

APIs sit at the forefront of digital transformation. There is a huge appetite for the API business as companies move to take advantage of rapid product time-to-market and revenue growth opportunities.

We expect that companies will begin to build separate business units or even consortiums around API development of proprietary apps and apps that interface to third parties. Lots of new applications will emerge.

There will be a heavy emphasis on operational components, like onboarding for card customers and OFAC checks for wire services that will enable banks and other stakeholders to expand their footprint and connect in the cloud.

—Maria Arminio is president and chief executive at Avenue B Consulting, Redondo Beach, Calif. Reach her at maria.arminio@avenuebconsulting.com. Bo Berg is the founder of Hygge Consulting Corp., a technology strategist and innovation specialist. Reach him at bo@edweb.com.