In the rapidly expanding fields of Open Banking, where there are regulations driven by systems like the European Payment Services Directive, you have to prove your IT systems work as the regulations require – AND, just to add a little extra complexity, some of the dependencies might be entirely outside your control! But when it comes to API Compliance Monitoring, the dirty secret of most testing and DevOps strategies is that they’re more interested in being able to prove the IT systems are working at all than working the way they’re meant to be.
Compliance – Can You Prove It?
If an external regulator says you have to return, via API, all the records pertaining to a particular item or event, how do you prove that you’ve done it?
If asked tomorrow to resolve a dispute raised by a regional ICO in Europe over failure to provide records on a particular event, could you do it easily? Without wasting hours, possibly days trying to pull specific records out of logs?
Many of our clients, even large banks, have limits on what they store in systems like Splunk. What if the non-compliance was months ago, and only now has been flagged?
MONITOR what the standards say
PROVE non-compliance
The APIs Work – But Not How You Expect
Essentially, the team behind an API only knows it works because it works for them in the development and test environments. That says little about how it works in the field or for live users. We strongly recommend a documentation and test system like Postman for your collections, but even those products can lead to some unexpected results, especially when it comes to implementing the security associated with the API. Fir example, forgetting to tick the right options can leave gaps in the documentation that will block users and developers.
VERIFY that what you document is what you deliver
Do you perform where your customers are?
The very nature of API security, especially in fields like banking and fintech, makes it hard to measure live performance of the actual services. The requirements are strict – Mutual TLS, OAuth with two-factor authentication. and so on.
Customers and partners alike will be on different infrastructures and cloud hosts. It doesn’t help if all your external testing is on AWS when your partners are building their apps and solutions on IBM or Azure, and there’s a fundamental problem in how a cloud service handles communication with your stack.
TEST from where your users and partners are, on the platforms they’re on – not what is convenient to your DevOps groups
The Implications
API compliance is a new problem, but with CMA9 PSD2, GDPR, HIPAA and more standards coming – especially in the fintech, medical and governmental sectors – and the regional regulators like the ICO in the UK and the European Commission are talking fines based on a percentage of your GLOBAL revenue, can you afford not to take this seriously?
