Tech Law Forum @ NALSAR

A student-run group at NALSAR University of Law

Menu
  • Home
  • Newsletter Archives
  • Blog Series
  • Editors’ Picks
  • Write for us!
  • About Us
Menu

Open Banking in India & the Need for Setting Uniform Standards in Usage of APIs

Posted on November 20, 2020 by Tech Law Forum NALSAR

[This post has been authored by Vaibhav Parikh, Legal Counsel at ICICI Bank. Views are personal]

The value of online/mobile banking rose from INR 69.47 billion in 2016-17 to INR 21,317 billion in 2019-20. Banks and other financial institutions giving third-party firms access to data has been one of the main drivers of this rapid growth, since it has allowed innovative financial services and products to be introduced to customers (Basel Committee Report on Open Banking, page 8), such as seamless transfer of payments between accounts at different banks, instant payments using the Unified Payments Interface (“UPI”), and aggregation of all of a customer's financial accounts onto one dashboard. Gradually, financial services and products are also being delivered by non-banking third parties, such as fintech firms. These developments are aspects of open banking and are continuously evolving.

Given this nexus between data sharing and the growth of online/mobile banking, banks and other financial institutions traditionally used techniques such as screen scraping or reverse engineering to share data with third-party firms. Neither technique is secure for the customer, because the third-party firm holds the customer's credentials and therefore has unfettered access to the account. The Reserve Bank of India (“RBI”) did not take cognizance of, or reactive steps against, these security and consumer protection risks; instead, banks and other financial institutions adapted by developing new techniques. They started relying on Application Programming Interfaces (“API”) for data sharing with third parties, as this is a more secure method. Such APIs are program code that allows multiple software programs to communicate and share information with each other seamlessly and in real time. APIs can be open in nature, where the token keys for authentication are publicly available and mandated by the government (for example, IndiaStack lists APIs through which third-party firms can access data of all UPI users) (“Public API”), as opposed to restricted in nature, where the token keys for authentication are made available by banks and other financial institutions to third-party firms only under contractually agreed terms (“Partner API”).

There is an inherent risk of data breach associated with such sharing of data by banks and other financial institutions with third-party firms through APIs. Especially in the case of Partner APIs, if the third-party firm breaches its contract with the bank and/or financial institution by sharing the token keys for authentication with other non-banking third parties, that particular set of banking and/or financial institution data can become accessible to many third parties. In jurisdictions including India, there have been a number of instances in which the use of APIs was found to be vulnerable and susceptible to cyber attacks. In India, the API breach incidents at Airtel, Indane, Ola, JustDial and McDonalds (the “Incidents”) indicate the vulnerability in the usage of APIs. The Incidents resulted in leaks of names, mobile numbers, addresses, social networking credentials and credit/debit card credentials, and also in money laundering. In its whitepaper, the RBI-backed Reserve Bank Information Technology Private Limited (“ReBIT”) has also acknowledged that APIs which facilitate seamless data hops across multiple applications may be the most vulnerable and create prospects for malware propagation in the event of a cyber attack.

ReBIT cited a lack of understanding in establishing security infrastructure and of privacy implications as one of the main reasons APIs are vulnerable. In the whitepaper, ReBIT also stressed the importance of banks and financial institutions developing strong defence mechanisms and procedures to address these concerns. The RBI too has recommended that provision be made for developing fintech innovations and for testing APIs developed by banks (para 6.1.16). For banks and financial institutions to ensure standardisation and security of data, uniform design specifications for open banking APIs need to be prescribed. Accordingly, standards for the process by which those specifications are decided can also be prescribed, in order to overcome the security and consumer protection risks described above. Setting uniform standards and design specifications for API-based banking will help India develop a deeper understanding of various fintech products and their interaction with the financial sector. Such uniform standards will also help bring the RBI's approach more closely in line with a financial sector in which API-based banking is becoming mainstream. Finally, from an economic and innovation viewpoint, such uniform standard setting might help the RBI examine the extent to which it imposes barriers to innovation and the extent to which these can be removed.
