These days, if you’re immersed in the worlds of fintech and payments, you can’t open a newspaper or magazine or listen to a podcast without hearing the term APIs.
A lot of the rhetoric in recent months around APIs, or Application Programming Interfaces, has centred on the implementation of the European Union’s 2nd Payment Services Directive (PSD2), which came into law in the UK and some EU member states on 13 January 2018.
Under PSD2, providers of online payment accounts must allow regulated payment information and account information service providers (PISPs and AISPs) access to these accounts. PISPs and AISPs are two new classes of payment service providers under PSD2. PISPs initiate payments on behalf of a customer from their account, and AISPs aggregate information across one or more payment accounts.
Some fintechs use screen scraping, essentially impersonating a human user and ‘reading’ data from a regular user interface, to capture customer account information. Every time the data is scraped, the customer must provide their full log-in details.
PSD2 does not mandate the use of APIs. However, the European Banking Authority, which sets the Regulatory Technical Standards for PSD2, and other regulatory bodies such as the Financial Conduct Authority in the UK, favour the use of APIs over screen scraping. “APIs are a more reliable, structured and secure way of extracting information,” says Ritesh Tendulkar, chief software architect at Modulr.
Although most of us probably know what API stands for, that is where our knowledge ends. Software developers may bat the term back and forth amongst themselves over the water cooler, but do us non-techie folk really understand what APIs are? For example, are all APIs the same? How secure are they? Quite frankly, what is all the fuss about APIs? And just because you have an API, does that mean you’re easier to work with?
So, what is an API?
The term ‘user interface’ describes how a human accesses a software platform; an API is simply how a system or software platform talks to another system. “It’s a way of exposing functionality and data within a system,” says Gareth Faull, a product manager at Modulr.
APIs are typically provided by companies that have built a service they want others to easily access and use through another system, often removing an unnecessary layer of slow and costly human interaction. Modulr, for example, provides an API for its customers to connect to its payment functionality. Via the API, customers can automate payments, create discrete accounts to streamline incoming payments, receive notifications of incoming funds or manage funds on behalf of third parties — all initiated directly through another application such as a booking system or payroll application.
Previously, companies exchanged data or information with one another via printouts or emailing files, which required teams of people to extract data from one system, reformat it and feed it into another system. An API simply automates the exchange of data between two systems, which can talk directly to one another.
A well-designed API should reduce software development time frames and speed up implementation, which is important in an environment where every company is a software company looking to bring new and innovative applications to market quickly and enable customers to easily integrate and connect with them.
Not All APIs Are Made Equal
These days, when most people talk about APIs, they are referring to web-based APIs. Web-based applications like Twitter, Amazon, Google, Facebook and Salesforce all publish APIs.
But not all web-based APIs are the same. They use different protocols to exchange data. “Ten years ago, most web-based APIs would have used SOAP (Simple Object Access Protocol), an XML-based protocol for data exchange,” explains Tendulkar. Today, however, REST (REpresentational State Transfer) is the preferred protocol. “The amount of data exchanged is smaller in REST using JSON (JavaScript Object Notation) (a type of data format),” says Tendulkar, “which makes it easier for developers to use.”
Under PSD2, the APIs that banks are likely to create are those for AISPs, so customers can grant non-bank third parties access to their bank account details, and those that help PISPs make payments and perform transactions on behalf of a customer.
Are APIs Secure?
One question that crops up a lot with APIs is how secure they are. Tendulkar says there are various aspects to API security. “Firstly, when two systems are connected with each other,” he explains, “you don’t want a third system to be able to see or alter that information exchange — a man-in-the-middle attack. These sorts of things have to be handled in an API at different levels.”
Most APIs nowadays use transport layer security (TLS) to keep communication secure between sender and receiver. In addition, API designers may employ additional forms of security, which could include a hash-based message signature (similar to a username and password), which is implemented at the API, not the transport-layer level.
APIs are more secure than manual data exchange or screen scraping because access can be restricted to specific areas: for example, viewing account information may be allowed while making payments is restricted.
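The two API-level controls described above, a hash-based message signature on top of TLS and access restricted to specific areas, can be shown together in a small request-signing scheme. This is an added illustration, not Modulr's API or any real provider's scheme: the key ids, secrets, header names, endpoints and scope names are all constructed for the example.

```python
import hmac
import hashlib
import time

# Constructed demo credential store; a real API would issue one secret per customer
# and grant only the scopes that customer has been approved for.
API_KEYS = {"key_demo": {"secret": b"s3cret-demo", "scopes": {"accounts:read"}}}

# Which scope each endpoint requires: viewing accounts is separate from making payments.
REQUIRED_SCOPE = {("GET", "/accounts"): "accounts:read",
                  ("POST", "/payments"): "payments:write"}

def canonical_string(method, path, body, timestamp):
    # The signature covers method, path, a hash of the body and the timestamp,
    # so none of them can be changed in transit without invalidating it.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{body_hash}\n{timestamp}".encode()

def sign_request(key_id, method, path, body, timestamp=None):
    """Client side: build headers carrying an HMAC-SHA256 signature over the request."""
    timestamp = timestamp or str(int(time.time()))
    secret = API_KEYS[key_id]["secret"]
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": timestamp, "X-Signature": mac.hexdigest()}

def verify_request(method, path, body, headers, now=None, max_skew=300):
    """Server side: return (ok, reason) after checking signature, freshness and scope."""
    now = now if now is not None else int(time.time())
    key = API_KEYS.get(headers.get("X-Key-Id"))
    if key is None:
        return False, "unknown key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > max_skew:
        return False, "stale request"  # limits replay of a captured request
    expected = hmac.new(key["secret"], canonical_string(method, path, body, str(ts)),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak the expected signature.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    # Scope check: the same key may read accounts but not initiate payments.
    if REQUIRED_SCOPE.get((method, path)) not in key["scopes"]:
        return False, "scope not granted"
    return True, "ok"
```

TLS still protects the bytes on the wire; the signature is what lets the API tell which customer sent the request and that the request was not altered, and the scope table is what confines that customer to the areas they were granted.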
Once a company publishes an API, that is not the end of it. The API continues to evolve as new functionality is added. “Every time we create a new feature we must consider how to expose this out as an API,” says Tendulkar. “How should we structure the API to make it user friendly? What information should be exposed?”
How do you make a payment using Modulr's API calls? Watch this demo: