Stability and security

Why is stability and security important in open banking payments?

Open banking in Europe came into force in 2018, and while the technology powering open banking payments has advanced significantly in that time, it is constantly being iterated upon and improved.

And if you want to offer open banking payments to your customers, it’s vital to find a provider with stable APIs (ie APIs that virtually always work) and good security, so neither you nor your customers are at risk from cyber criminals. They should be continually testing, debugging and maintaining both their own products and the bank APIs they connect to so you know your new payment method will continue to offer a good payer experience over time.

When assessing stability, look out for the following:

A detailed API status page

Your potential payment provider should have a publicly available status page, which will detail the uptime of each API. Some providers will show uptime in hourly increments, while others will show daily increments. You should also be able to look at historic status updates to get a sense of how consistent the provider’s APIs are, as well as how long any downtime typically lasts.

Minimal downtime

With even the most stable of APIs, downtime can and does happen. But your provider should be able to clearly communicate to you what caused a particular period of downtime. For example:

• Was it scheduled maintenance or an unexpected problem?

• How long did it take to discover

• How long did it take to fix?

• How many end customers were affected?

• How were end customers notified of any problem?

• What work has happened to prevent this type of problem in the future?

A clear methodology for testing and monitoring bank APIs

While your provider can control the reliability of their own service, bank APIs are outside of their direct control. And as discussed in Coverage, they have different levels of reliability.

With that said, your provider should have a clear process for testing the different bank APIs it connects to. If a particular set of banks — banks in a specific country, for example — are critical for the success of your payment experience, then make sure your provider regularly pushes large volumes of requests through those APIs and has a clear process for delivering feedback to the banks on how they can improve.

A rigorous information security programme

To keep you and your customers’ financial data safe and secure, your open banking payment provider should have:

• A consistent threat modelling programme, mitigating any potential vulnerabilities

• A dedicated security team

• A security programme based on a recognised standard (eg ISO27001)

• Independent third-party auditing of its security programme

• A clear protocol for release management

• Oversight of any third-party development, with the same level of testing as internal teams

• An independent third-party penetration testing programme of its infrastructure

While it’s difficult to pinpoint one single area of information security that’s most important, the consistency of the answers from your intended provider will give you a sense of how strong their security approach is.