APIs and Points of Vulnerability Spotlight BaaS Risks as Platforms Evolve 

If there’s a surety in financial services, it’s that hackers and bad actors probe ecosystems and platforms for points of vulnerability, looking for weak links to yield access to data or ways to infiltrate the organizations themselves.

Banking as a Service (BaaS) enables nonbanking entities to provide financial services. BaaS also cements new revenue opportunities for traditional banks that need new technological capabilities, and the risks grow as more third parties enter the mix.

Application programming interfaces (APIs) are the gateways, so to speak, of the data-sharing efforts between banks and digital upstarts. And APIs are key to the rise of open banking, where consumer-permissioned data sharing can give rise to new use cases within financial services. But as PYMNTS Intelligence noted recently, nearly half of financial institutions (FIs) have said that the risks of open banking outweigh the benefits. BaaS is part of open banking, as banks open up their APIs and connect to third parties as the latter seek to innovate. PYMNTS data found that a quarter of banks surveyed said that BaaS could add some top-line momentum. Less than 10% of FIs, as recently as last year, said they were in the process of developing such services.

APIs in Hackers’ Sights

There are some headwinds in place. In recent months, and as documented by several sites and companies, the rise of attacks on APIs has been notable. In one example, Check Point has estimated that in the first month of this year alone, attacks on APIs were up 20% year on year. Back in 2021, joint findings from PYMNTS Intelligence and Fastly found that protecting APIs demands a proactive approach, from the initial stages of product development to testing and rollout.

And as we noted last week, at least some providers are pivoting to refine their service and software strategies. Treasury Prime, in moving to a bank-direct model, has moved away from a scenario where intermediaries help manage the FinTech customer relationship.

Late last year, the Office of the Comptroller of the Currency stated in its semiannual “Risk Perspective” report that banks will need to more firmly monitor the risks tied to third-party relationships. The report observed that “there has been an observed increase in distributed denial of service (DDoS) attacks against the financial sector. Some of the increase may be attributed to politically motivated attacks while others are financially driven, coupled with extortion demands. Ransomware actors continue to affect the sector by targeting banks and their third parties.” The OCC continued that “these attacks have the potential to affect banks and market operations by rendering critical data inaccessible as well as by threatening the confidentiality of customer data through data leaks.”