How financial services cyber regulations are hotting up for API security
Financial services firms deploy an increasingly complicated mix of technologies, systems, applications, and processes to serve customers and partners and to solve organizational challenges. Focused heavily on consumer hyper-personalization, banks are evolving more and more digital assets and services to meet and exceed growing customer experience expectations.
As a result, the modern banking environment is so heavily reliant on APIs that they are now indispensable. APIs allow banks to connect with their ecosystem, while enabling developers to create new products, improve existing services, and work more efficiently.
A sector disproportionately targeted
However, this reliance on APIs presents challenges. Every exposed API widens the attack surface, and APIs are often the entry point for cybercriminals. The financial services industry is disproportionately targeted by threat actors who know that it has what they want: data and money.
This has brought an ever-increasing set of cyber regulations into sharp focus, intended to ensure that banks are protected and compliant. However, it has also led to fragmentation, as regulators try to strike a balance between robust governance and not stifling innovation or driving businesses abroad.
This fragmentation arises because banks must comply with a cocktail of regulations, in the same or different jurisdictions, that are well-intentioned but sometimes conflicting, and that do not always enhance cyber-resilience in practice.
Therefore, what are these different types of cyber regulations and what should banks be thinking about when it comes to API security?
Stress testing banks
Earlier this year, the European Central Bank (ECB) announced plans to stress test the cyber resilience of the Eurozone's top banks in 2024 in response to the proliferation of sophisticated cyberattacks. EU law mandates that the ECB undertake stress tests on supervised banks at least once per year. Results from these tests help supervisors identify vulnerabilities and address them early in their interaction with banks. Likewise, the results of annual stress tests provide important input for the Supervisory Review and Evaluation Process (SREP) in the test year.
In years when there are no EU-wide tests, the ECB tests significant institutions under its direct supervision against specific kinds of incidents. These tests run in cooperation with national supervisory authorities, and the ECB publishes the results on an aggregate basis.
A lack of API standards
The European Commission has just published its proposal for the third Payment Services Directive (PSD3), intended to advance open banking and strengthen consumer protection. PSD3 and the accompanying Payment Services Regulation aim to drive further development in open banking, first introduced with PSD2, while addressing issues around API quality and giving authorities the tools they need to better evaluate the dedicated API interfaces provided by banks and other financial institutions.
According to the European Banking Authority (EBA), “The experience acquired in the implementation of the PSD2 has shown that the absence of a single API standard has led to the emergence of different API solutions across the EU. This creates significant challenges for third-party service providers as they must invest significant efforts into connecting to different Account Servicing Payment Service Providers’ APIs and adapt their connections to changes in APIs over time.” Whilst PSD3 will absorb the lessons learned from PSD2, it’s no secret that PSD2 is seen as complex and difficult to define. In fact, between 2016 and 2022, the EBA released six technical standards, eight sets of guidelines, eight opinions, and more than 200 Q&As in relation to PSD2.
PCI DSS v4.0 is the next evolution of the PCI DSS standard. The goal of this new version is to continue to meet the security needs of the payments industry, promote security as a continuous process, add flexibility for different methodologies, and enhance the validation methods. This is the first time APIs have been explicitly called out in the standard, underlining their importance. Separately, the EBA argues that API standardization is needed to reduce the barriers to entry for FinTechs wanting to access financial account data held by banks and similar institutions.
Adhering to DORA
Additionally, by January 2025, EU financial entities and their critical ICT providers must be ready to comply with the Digital Operational Resilience Act (DORA). DORA standardizes how financial entities report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the sector.
For certain financial entities this includes undertaking advanced threat-led penetration testing every three years. By clarifying testing methodology and introducing mutual recognition of testing results, DORA will help financial entities continue to build and scale their testing capabilities in a way that works throughout the EU.
The NIS2 Directive, which came into force in January 2023, aims to strengthen cybersecurity risk management requirements and to ensure that companies take appropriate and proportionate technical, operational, and organizational measures to manage their cybersecurity risks and to prevent and minimize the impact of potential incidents. The Directive aims to ensure a safer and stronger Europe by significantly expanding the sectors and types of entities falling under its scope.
It replaces the current Directive on Security of Network and Information Systems and focuses on measures including incident response and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, and cybersecurity hygiene and training.
Furthermore, it features more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, along with a list of administrative sanctions, including fines for breaches of the cybersecurity risk management and reporting obligations.
Compliance across all financial Directives
The DORA Amending Directive will amend other Directives to align them with DORA, including CRD IV, Solvency II, MiFID II, PSD2, UCITS and AIFMD. In-scope entities include credit institutions, payment institutions, electronic money institutions, investment firms, and crypto-asset service providers, whilst Regulation (EU) 2022/2554 outlines the requirements concerning the security of network and information systems supporting the business processes of financial entities.
Clearly, APIs have become the default connectivity and data exchange method within modern financial services environments and will continue to be so in the future. With this in mind, securing APIs from both a pre-production and post-production perspective is paramount to securely operating in our digital-first banking world.
Therefore, financial services entities should work with an API security platform provider that can deliver strong API security and help with compliance and governance requirements. In this evolving regulatory landscape, this will enable organizations to implement a robust API strategy across discovery, posture management, runtime protection, and API security testing.
Filip Verloy is Field CTO, Noname Security.