Stability and security

Why is stability and security important in open banking payments?

Open banking in Europe came into force in 2018, and while the technology powering open banking payments has advanced significantly in that time, it is constantly being iterated upon and improved.

And if you want to offer open banking payments to your customers, it’s vital to find a provider with stable APIs (ie APIs that virtually always work) and good security, so neither you nor your customers are at risk from cyber criminals. They should be continually testing, debugging and maintaining both their own products and the bank APIs they connect to so you know your new payment method will continue to offer a good payer experience over time.

When assessing stability, look out for the following:

A detailed API status page

Your potential payment provider should have a publicly available status page, which will detail the uptime of each API. Some providers will show uptime in hourly increments, while others will show daily increments. You should also be able to look at historic status updates to get a sense of how consistent the provider’s APIs are, as well as how long any downtime typically lasts.

Ask your provider

Do you have a public status page that is regularly updated?

9.0 An example of a detailed open banking API status page

Minimal downtime

With even the most stable of APIs, downtime can and does happen. But your provider should be able to clearly communicate to you what caused a particular period of downtime. For example:

  • Was it scheduled maintenance or an unexpected problem?

  • How long did it take to discover?

  • How long did it take to fix?

  • How many end customers were affected?

  • How were end customers notified of any problem?

  • What work has happened to prevent this type of problem in the future?

Ask your provider

What was your uptime in the previous [time period]?

A clear methodology for testing and monitoring bank APIs

While your provider can control the reliability of their own service, bank APIs are outside of their direct control. And as discussed in Coverage, they have different levels of reliability.

With that said, your provider should have a clear process for testing the different bank APIs it connects to. If a particular set of banks — banks in a specific country, for example — are critical for the success of your payment experience, then make sure your provider regularly pushes large volumes of requests through those APIs and has a clear process for delivering feedback to the banks on how they can improve.

Ask your provider

How do you test the quality of bank APIs, and how do you feed back the results of these tests to the banks?

A rigorous information security programme

To keep your and your customers’ financial data safe and secure, your open banking payment provider should have:

  • A consistent threat modelling programme, mitigating any potential vulnerabilities

  • A dedicated security team

  • A security programme based on a recognised standard (eg ISO27001)

  • Independent third-party auditing of its security programme

  • A clear protocol for release management

  • Oversight of any third-party development, with the same level of testing as internal teams

  • An independent third-party penetration testing programme of its infrastructure

While it’s difficult to pinpoint one single area of information security that’s most important, the consistency of the answers from your intended provider will give you a sense of how strong their security approach is.

Ask your provider

What is your approach to information security? Talk me through your information security programme.

How does TrueLayer compare?

TrueLayer systems operate with over 99.9% uptime, and you can see live status updates for all APIs on our status page. Our connections to bank APIs across Europe are constantly being tested with high volumes of requests to spot errors and feed back those issues to the banks.

We carry out all our development work in house, and we have a dedicated Information Security team. We are also fully ISO27001 certified.

We operate a 24/7 technical on-call rota composed of engineers involved in the development of our systems and the availability of our service.

In the event that our monitoring detects a potential issue with one or more of our systems, our on-call engineer will be automatically paged to triage and resolve any potential issue. Having this 24/7 coverage ensures the impact of a loss of service is minimal and resolved quickly.