[This post has been authored by Vaibhav Parikh, Legal Counsel at ICICI Bank. Views are personal]
The value of online/mobile banking rose from INR 69.47 billion in 2016-17 to INR 21,317 billion in 2019-20. Banks and other financial institutions providing data access to third-party firms has been one of the important drivers of this rapid growth, since it has allowed innovative financial services and products to be introduced to customers (Basel Committee Report on Open Banking, page 8), such as seamless transmission of payments between accounts at different banks, instant payments using the Unified Payments Interface ("UPI") and aggregation of all of a customer's financial accounts onto one dashboard. Gradually, financial services and products are also being delivered by non-banking third parties, such as fintech firms. These developments are aspects of open banking and are continuously evolving in nature.
Given this nexus between data sharing and the growth of online/mobile banking, banks and other financial institutions traditionally relied on techniques such as screen scraping or reverse engineering to share data with third-party firms. Neither technique is secure for the customer, since the third-party firm holds the customer's credentials and thereby has unfettered access to the account. The Reserve Bank of India ("RBI") did not take cognizance of, or react to, these security and consumer protection risks; instead, banks and other financial institutions adapted by developing new techniques. They began relying on Application Programming Interfaces ("APIs") for data sharing with third parties, as this was a more secure approach. Such APIs are program code that allows multiple software programs to communicate and share information with each other seamlessly and in real time. APIs may be open in nature, where the token keys for authentication are publicly available and mandated by the government (for example, IndiaStack lists APIs for sharing data of all UPI users with third-party firms) ("Public API"), or restricted in nature, where the token keys for authentication are made available by banks and other financial institutions to third-party firms only under contractually agreed terms ("Partner API").
There is an inherent data security and breach risk associated with such sharing of data by banks and other financial institutions with third-party firms through APIs. In the case of Partner APIs in particular, if the third-party firm breaches its contract with the bank and/or financial institution by sharing the token keys for authentication with other non-banking third parties, that particular set of banking and/or financial institution data becomes accessible to various third parties. In jurisdictions including India, there have been a number of instances where the use of APIs was found to be vulnerable and susceptible to cyber hacks. In India, the API breach incidents at Airtel, Indane, Ola, JustDial and McDonald's (the "Incidents") indicate the vulnerability in the usage of APIs. The Incidents resulted in leaks of names, mobile numbers, addresses, social networking credentials and credit/debit card credentials, and also in money laundering. In its whitepaper, the RBI-backed Reserve Bank Information Technology Private Limited ("ReBIT") has also acknowledged that APIs which facilitate seamless data hops across multiple applications may be the most vulnerable and create prospects for malware propagation in case of cyber-attacks.
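As an added illustration (example code, not from the original post or any bank's implementation) of how the token-key risk described above is contained in practice: rather than a long-lived shared credential that gives unfettered access, a bank can issue each partner short-lived tokens limited to one scope and the consented accounts, signed with a per-partner key (HMAC-SHA256 here) so a leaked token cannot be widened or used after expiry, while a key shared beyond the contract can be revoked by its key id. Partner names, key ids, account numbers and secrets below are constructed.

```python
import base64, hashlib, hmac, json

# Constructed example data: one signing key per partner, indexed by a key id so that a
# key shared beyond the contract can be revoked or rotated without affecting other partners.
PARTNER_KEYS = {
    "fintech-a/k1": b"constructed-secret-for-fintech-a",
    "fintech-b/k1": b"constructed-secret-for-fintech-b",
}
REVOKED_KEY_IDS = set()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key_id: str, scope: str, accounts: list, ttl_s: int, now: int) -> str:
    """Issue a short-lived token limited to one scope and the consented accounts,
    signed with the partner's key (HMAC-SHA256) so its claims cannot be altered."""
    claims = {"kid": key_id, "scope": scope, "accounts": sorted(accounts),
              "iat": now, "exp": now + ttl_s}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(PARTNER_KEYS[key_id], body, hashlib.sha256).digest()
    return b64url(body) + "." + b64url(sig)

def verify_request(token: str, required_scope: str, account: str, now: int) -> tuple:
    """Bank-side check for one API call. Returns (ok, reason) and rejects malformed or
    tampered tokens, revoked keys, expired tokens and any out-of-scope use."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = unb64url(body_b64)
        claims = json.loads(body)
        kid = claims["kid"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if kid not in PARTNER_KEYS or kid in REVOKED_KEY_IDS:
        return False, "unknown or revoked key"
    expected = hmac.new(PARTNER_KEYS[kid], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        return False, "bad signature"  # claims altered, or signed with a different key
    if now >= claims["exp"]:
        return False, "expired"
    if claims["scope"] != required_scope:
        return False, "scope mismatch"
    if account not in claims["accounts"]:
        return False, "account not consented"
    return True, "ok"
```

Every rejection reason is returned rather than logged silently so that repeated "bad signature" or "unknown or revoked key" results for one partner can feed detection and contract-enforcement processes.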
ReBIT cited a lack of understanding of how to establish security infrastructure, and of the privacy implications, as one of the main reasons APIs are vulnerable. In the whitepaper, ReBIT also stressed the importance of banks and financial institutions developing strong defence mechanisms and procedures to address these concerns. The RBI too has recommended that provision be made for developing fintech innovations and for testing APIs developed by banks (Para 6.1.16). To ensure standardization and security of data, uniform design specifications for open banking APIs need to be prescribed for banks and financial institutions. Standards for the process of deciding those specifications can also be prescribed, in order to overcome such security and consumer protection risks. Setting uniform standards and design specifications for API-based banking will help India develop a deeper understanding of various fintech products and their interaction with the financial sector. Such uniform standards will also bring the RBI's approach more closely in line with a financial sector in which API-based banking is becoming mainstream. Finally, from an economic and innovation viewpoint, uniform standard setting might help the RBI examine the extent to which barriers to innovation are being imposed and to what extent they can be removed.