The state of the API economy
It may seem like we have been talking about the API economy for a long time, but it is only now maturing towards the original expectation: a mission-critical, integral part of how financial companies do business.
Arguably, APIs are a gateway to rapidly introducing innovative services and products or exploring new market directions.
The most significant shift has been from viewing APIs merely as developer-led internal bits of technology that connected all kinds of systems and processes. Of course, APIs in that context have an immense benefit (without them, many applications could not work or interoperate with others). However, where the API economy is booming right now is viewing APIs as products with a tangible business value.
Banks and other financial service providers can either take advantage of existing APIs to build products, or conversely, offer their own to other organisations. In this way, everyone can evolve and roll out new services faster and with less ground-up development. Think of APIs as the software equivalent of Lego bricks.
This is why, these days, it is not just developers who have an interest in APIs. Product managers and new business development executives increasingly realise that APIs are another route to market, a source of brand awareness, an improvement to customer service, even potentially revenue generation. Plus, creating APIs has never been easier, meaning that just about anyone can build an API.
The advance of the API economy also arguably democratises the development of new software-based finance products because the entry level is reduced, enabling more innovative start-ups to enter the market. Furthermore, founders do not have to be software engineers: they just need to have a great idea and find suitable APIs.
Use cases
Potential use cases are vast. A bank could use APIs to enhance its existing services, such as automatically checking the availability of funds before making a purchase, providing an instant up-to-date summary of a loan’s current repayment status, locating the nearest ATM or branch, or creating a digital wallet. It could also employ APIs to help customers have better visibility of their expenditure and where to put their money to get a better interest rate.
Other relevant API examples include connecting to payment systems, stock market services, and voice activation and chatbot tools to carry out simple tasks. For instance, a retailer could offer a payment API from a bank, so that the customer never needs to leave the merchant’s environment.
Similar examples could include a travel app, providing a seamless experience across flight purchase, hotel bookings, and car hire. A bank could even use APIs to evolve into other aspects of its customers’ lives, such as integration with healthcare apps and wearable devices.
Best practices
Of course, theory is one thing. Successful execution is another. And there are some important issues to consider. One of the original concerns about the API economy was the risk that by handing over a part of the customer relationship to a third party, some of the visibility over customer activity is lost.
The solution to that risk is analytics, which provide not only operational metrics around the functionality of an API but also insight into how it is being consumed. For example, what are the percentages of web versus mobile access? What kind of transactions are most popular on the app? In which geographic area is there the most growth?
A solid API strategy must focus on very clear business outcomes and the target audiences. Various tools in the market can help estimate potential API revenue based on the anticipated adoption rate (for instance, 5% or 25%). The next step is to consider which monetisation model to use. The revenue opportunity may be direct or indirect (the latter accounts for most API sales and includes income created through advertising-based models).
Making sure that an API is easily discoverable and accessible is a vital part of its monetisation, and this is where API marketplaces become essential. These are public hubs where API providers publish their ‘productised’ APIs. It is vital to find an API marketplace that is the best fit for the target market, and APIs need to be attractively packaged. Take the time to write compelling and clear introductions about what the API does and the advantages it offers and describe use cases.
A glance at APIs on marketplaces right now shows that this is by no means universal. Similarly, accompanying technical documentation needs to be easily accessible and understandable so that consumers can adapt and work with an API efficiently.
Security first
Another priority has to be security, because APIs are increasingly the target of cybercriminals and, in common with other types of software, the development stage is often the stage at which vulnerabilities appear that allow hacking to occur. Unfortunately, once an API is released containing vulnerabilities ready for exploitation, there is little time for remedial action.
This is why a security-first approach to API management has become so important across the lifecycle of an API, as has recognising that exposure to external API usage requires different security measures compared to internal usage.
While a ‘raw’ API might be created by a developer, creation of API products — again, going back to the Lego analogy — may be the responsibility of a different team. Developers will have their own security measures, such as mutual TLS in combination with a basic authentication approach, whereas the API product team will need to focus on security from an external consumer perspective.
Typically, a combination of OAuth 2.0 and OpenID Connect is used for managing access control by external consumers, with token validation usually delegated to an API gateway. Furthermore, there is an increasing awareness that other security tasks can be delegated to the API gateway, so that it becomes the first line of defence. So, beyond access control, an API gateway can validate an API request: does it conform to the underlying JSON schema? Can its integrity be assured? Does the request contain any malicious content?
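The gateway checks described above, sketched as an added example (not code from the article or from any gateway product): the access token is validated first, then the request body is checked strictly against a schema. The shared HS256 key, the `payments-api` audience, the `payments:write` scope and the payment fields are constructed assumptions; production gateways normally verify asymmetric signatures against the identity provider's published keys and use a full JSON Schema validator.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example (assumptions, not from the article).
KEY = b"demo-shared-secret"   # real gateways usually verify asymmetric signatures instead
AUDIENCE = "payments-api"
SCHEMA = {"amount": int, "currency": str, "creditor_iban": str}  # stand-in for a JSON schema

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key=KEY):
    """Build a constructed HS256 token so the example runs offline."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def check_token(token, scope, now=None):
    """Return the claims if alg, signature, exp, aud and scope all pass, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        alg_ok = json.loads(b64d(head)).get("alg") == "HS256"  # refuse "none" and other algs
        good = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not (alg_ok and hmac.compare_digest(good, b64d(sig))):
            return None
        claims = json.loads(b64d(body))
        if claims["exp"] <= now or claims["aud"] != AUDIENCE:
            return None
        return claims if scope in claims["scope"].split() else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token: fail closed

def check_body(raw):
    """Strict check: exact key set, exact types (bool is not int), positive amount."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(doc, dict) or set(doc) != set(SCHEMA):
        return False
    # amount is an integer in minor units (an assumption of this example)
    return all(type(doc[k]) is t for k, t in SCHEMA.items()) and doc["amount"] > 0

def gateway_decision(token, raw_body):
    """Status the gateway returns before the request ever reaches the API."""
    if check_token(token, "payments:write") is None:
        return 401
    return 202 if check_body(raw_body) else 400
```

Rejecting unknown keys and exact-type mismatches at the gateway means the backend API only ever sees requests in the shape it was designed for.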
Also, with banks having potentially hundreds of APIs and many people involved (often not technically trained), look for API management tools that automate as much as possible to reduce the risk of manual error by applying consistent metadata-based rules. This ensures that the required levels of quality and compliance are consistently achieved, whether creating or updating an API product.
Also, when changes are implemented, the elements within the API product that remain the same are not touched. Finally, make sure that the API management tool is designed to accommodate external API consumption, not just an internal focus.
A look to the future
Given that the API economy is only now catching up to where many predicted it would be, it is hard to put precise stakes in the ground for its future. However, APIs will likely continue to contribute towards the blurring boundaries between types of organisations involved in financial services, with multiple services accessible from a single, aggregated source for users.
Another thing is for sure: while the API economy may have taken its time to get off the ground, it is now accelerating. So, it is time to lay the foundations for a strong API strategy that can support change and innovation now and in the future.