Finance
How Financial Services Cyber Regulations are Hotting Up For API Security
Published 2 months ago by admin
Filip Verloy, Field CTO, Noname Security
Financial services firms deploy an increasingly complicated mix of technologies, systems, applications, and processes to serve customers and partners and to solve organisational challenges. Focused heavily on consumer hyper-personalisation, banks are evolving more and more digital assets and services to meet and exceed growing customer experience expectations.
As a result, the modern banking environment is so heavily reliant on APIs that they are now indispensable. APIs allow banks to connect with their ecosystem, while enabling developers to create new products, improve existing services, and work more efficiently.
A sector disproportionately targeted
However, this reliance on APIs presents challenges. They create vulnerabilities and are often the gateway for cybercriminals. The financial services industry is disproportionately targeted by threat actors who know that it has what they want – data and money.
This has brought an ever-increasing set of cyber regulations into sharp focus to help to ensure that banks are protected and compliant. However, this has led to fragmentation, as regulators try to achieve a balance between robust governance and not stifling innovation or driving businesses abroad.
This fragmentation has occurred because banks must comply with a cocktail of regulations in the same or different jurisdictions that are well-intentioned, but sometimes conflicting, and that do not actually enhance cyber-resilience.
Therefore, what are these different types of cyber regulations and what should banks be thinking about when it comes to API security?
Stress testing banks
Earlier this year, the European Central Bank (ECB) announced plans to stress test the cyber resilience of the Eurozone’s top banks in 2024 because of the proliferation of sophisticated cyberattacks, with EU law mandating that the ECB undertakes stress tests on supervised banks at least once per year. Results from these tests help supervisors identify vulnerabilities and address them early on in their interaction with banks. Likewise, the results of annual stress tests provide important input for the Supervisory Review and Evaluation Process (SREP) in the test year.
In years when there are no EU-wide tests, the ECB tests significant institutions under its direct supervision against specific kinds of incidents. These tests run in cooperation with national supervisory authorities, and the ECB publishes the results on an aggregate basis.
A lack of API standards
The European Commission has just published its proposal for the third Payment Services Directive (PSD3), to help advance open banking and strengthen consumer protection. PSD3 and the accompanying Payment Services Regulation aim to drive further development in open banking, first introduced with PSD2, as well as addressing issues around API quality and giving authorities the tools they need to better evaluate the dedicated API interfaces provided by banks and other financial institutions.
According to the European Banking Authority (EBA), “The experience acquired in the implementation of the PSD2 has shown that the absence of a single API standard has led to the emergence of different API solutions across the EU. This creates significant challenges for third-party service providers as they must invest significant efforts into connecting to different Account Servicing Payment Service Providers’ APIs and adapt their connections to changes in APIs over time.” Whilst PSD3 will absorb the lessons learned from PSD2, it’s no secret that PSD2 is seen as complex and difficult to define. In fact, between 2016 and 2022, the EBA released six technical standards, eight sets of guidelines, eight opinions, and more than 200 Q&As in relation to PSD2.
PCI DSS v4.0 is the next evolution of the PCI DSS standard. The goal of this new version is to continue to meet the security needs of the payments industry, promote security as a continuous process, add flexibility for different methodologies, and enhance the validation methods. This is the first time APIs have been explicitly called out in the standard, underscoring their importance. In the same vein, the EBA argues that API standardisation is needed to reduce the barriers to entry for FinTechs wanting to access financial account data held by banks and similar institutions.
Adhering to DORA
Additionally, by January 2025, EU financial entities and their critical ICT providers must be ready to comply with the Digital Operational Resilience Act (DORA). DORA standardises how financial entities report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the sector.
For certain financial entities this includes undertaking advanced threat-led penetration testing every three years. By clarifying testing methodology and introducing mutual recognition of testing results, DORA will help financial entities continue to build and scale their testing capabilities in a way that works throughout the EU.
The NIS2 Directive – which came into force in January 2023 – aims to strengthen cybersecurity risk management requirements and to ensure that companies take appropriate and proportionate technical, operational, and organisational measures to manage their cybersecurity risks and to prevent and minimise the impact of potential incidents. The Directive aims to ensure a safer and stronger Europe by significantly expanding the sectors and types of entities falling under its scope.
It replaces the current Directive on Security of Network and Information Systems and focuses on measures including incident response and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, and cybersecurity hygiene and training.
Furthermore, it features more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, along with a list of administrative sanctions, including fines for breaches of the cybersecurity risk management and reporting obligations.
Compliance across all financial Directives
The DORA Amending Directive will amend other Directives to align with DORA, including CRD IV, Solvency II, MiFID II, PSD2, UCITS and AIFMD. In-scope entities include credit institutions, payment institutions, electronic money institutions, investment firms, and crypto-asset service providers, whilst Regulation (EU) 2022/2554 outlines the requirements concerning the security of the network and information systems supporting the business processes of financial entities.
Clearly, APIs have become the default connectivity and data exchange method within modern financial services environments and will continue to be so in the future. With this in mind, securing APIs from both a pre-production and post-production perspective is paramount to securely operating in our digital-first banking world.
Therefore, financial services entities should work with an API security platform provider that can deliver strong API security and help with compliance and governance requirements. In this evolving regulatory landscape this will enable organisations to implement a robust API strategy across discovery, posture management, runtime protection and API security testing.
Finance
Why businesses must get ready for mandatory e-invoicing
Published October 2, 2023 by admin
Ken Clark, Director, Product Marketing, Business Network Cloud at OpenText
Invoicing is one of those business processes that has proved oddly resistant to the march of digitisation. Or, at least, partly. While many businesses have been moving towards some form of electronic invoicing for a while, studies have found that 80% of finance and IT leaders at medium and large-size enterprises are still frustrated by the need to manage paper records. [1]
Perhaps part of the reason for the slow transition lies in e-invoicing being seen as a ‘nice to have’, as opposed to an essential process.
This is not helped by the fact that many countries, the UK included, have no overarching e-invoice mandate. At this time, it is only mandatory for UK companies to use e-Invoicing with the NHS. All other public sector bodies introduced what’s effectively a “soft mandate” where the government agency is obliged to accept e-Invoices if they meet the published specification but suppliers are not mandated to issue e-Invoices.
This has seen the slow creep of a patchwork quilt of invoice processes and approaches. But more and more mandates are being introduced. In a December 2022 publication, the European Commission proposed to make e-invoicing mandatory for intra-Community flows as early as 2028, and more than 80 countries worldwide already have some form of e-invoice mandate in place. Around 50 have announced their intentions to do so.
So, organisations must get ready for mandatory e-invoicing or face being on the back foot when those mandates come in. But this should be viewed as an opportunity rather than a burdensome obligation.
3 reasons to convert to e-invoicing by default
Simplicity
As tax authorities seek to focus more on VAT/GST compliance and tax reporting, they are harnessing advances in digital technologies to improve visibility and control. One of the key methods is mandating real-time or near real-time e-Invoicing.
Unfortunately, there has been very little standardisation of models, platforms or technologies used in national governments’ e-Invoicing compliance regimes. This has led to huge complexity for businesses to manage when it comes to e-invoicing. But a robust, global electronic invoicing solution can offer greater traceability than paper invoicing and can be secured to guarantee the integrity and authenticity of invoices. These usually include a secure electronic backup, accessible online to the tax auditor from an intuitive web interface. This makes the process of recording, tracing, verifying and submitting accounts much simpler and more reliable.
Cost
Return on investment for any new tech solution is top of mind for CFOs right now. Luckily, e-invoicing has a proven, significant impact in reducing costs through automation, improving human resource productivity, and reducing commercial and administrative costs [2].
The cost savings offered by e-invoicing can only be achieved with a fully automated invoicing approach. Invoicing by PDF eliminates very few costs on the supplier side; and while this format is accepted for tax purposes, it offers few advantages to companies compared to adopting e-invoicing via end-to-end processing automation.
Speed
The automation inherent within modern e-invoicing solutions enables companies to process much larger volumes of invoices, with little need for error-prone human intervention. Some studies out there show that the average error rate for manual data entry is about 2%. That might seem small, but it compounds over time, with the potential to lead to significant financial losses. When it comes to regulatory obligations as well, total accuracy is vital.
Companies with fully automated electronic invoicing processes are able to get paid sooner and pay their suppliers more quickly. These indirect benefits can be crucial, sometimes outweighing direct savings on operational costs.
Overcoming the technical obstacles to e-invoicing
According to the IDG survey cited above, the main obstacles to adopting full automation of billing processes are data security (54%), integration with internal systems, e-procurement (45%), perceived complexity of the technology (36%), lack of expertise (32%) and integration with customers and suppliers (30%). In addition, 42% of professionals have billing processes that are compartmentalised by geographical area, department or information system. So, the main obstacle for companies is the integration of electronic invoicing into existing IT infrastructures.
In light of this, perhaps the best approach for companies looking to get ahead of the game on e-invoicing is to find a robust solution provided by a vendor offering greater technical support and expertise, in order to speed up and streamline that integration.
Get ready for global mandates
The regulatory landscape around e-invoicing may be patchwork at the moment, but all signs point to more global mandates ahead. Regardless, the direct and indirect benefits of e-invoicing mean that companies shouldn’t wait until they’re made to adopt it – indeed, there’s a real opportunity to grasp by making the move now.
Companies lagging behind in adopting e-invoicing will miss out on the opportunities offered by streamlining and eliminating operational costs, as well as improving cash flow. The risk is that they will lose their competitive edge to companies that are already benefiting.
[1] IDG MarketPulse, E-Invoicing’s Time Has Come, 2022
[2] 2022 Gartner report
Finance
The hidden value of business architecture In Financial Services
Published October 2, 2023 by admin
By Graham Self, business architect at Axiologik
As a business architect at digital delivery firm Axiologik with 21 years of experience in the Financial Services industry, Graham Self is often asked, “What is the true value of business architecture?” In today’s climate of providing hyper-personalised financial services in a heavily regulated environment, business architecture is a role that has never been more vital to the industry. Here, Graham explores why that is.
In the UK, many financial organisations are currently operating under the Operational Resilience regulations, with a deadline of March 2025 for complete compliance for important business services. And Europe is following fast with the Digital Operational Resilience Act (DORA) regulations, as are many other markets with their own set of legislation.
The intention of these regulations is not simply to ensure that financial institutions perform the minimum criteria for regulatory deadlines, but to make sure that an operational resilience practice and mindset is embedded within organisations for the future. This requires full transparency across the business, from processes and people to technology and data. But who in the organisation has this level and breadth of knowledge?
Change in a traditional industry
Adding to these challenges with compliance, the financial services (FS) industry is also going through a time of significant change, with continued investment in digital transformation. Decisions about technology are being made against a strategy to reach more customers digitally, more personally, and through “banking as a service” partnerships.
But all of this change is happening within a hugely regulated environment that, in many markets, sensibly mandates operational resilience for the most important business services provided to customers. All changes must, therefore, be relevant and validated against robust business continuity controls.
Those who operate in the industry have an obligation to customers – and the market – to provide a trusted, resilient and reliable service at all times. Delivering on that commitment requires financial organisations to know not only what services to deliver to their customers but how to provide them, and to provide them well, on an ongoing basis, and in all circumstances.
Managing the strong – potentially competing – forces that exist between strategy, technology investment, customer experience, operational efficiency and resiliency requires a discipline that has never before been so important: business architecture.
Connecting the ‘what’ and ‘how’
Business Architects have the unique advantage of collaborating between business units, technology and operations teams. These groups of stakeholders historically have their own visions and perspectives of what needs to change within an organisation. They often have their own language or taxonomy and don’t always see each other’s perspective; a world of service vs. capability.
But business architecture provides the tools, techniques, accountability and ways of working to facilitate the efficient, fast-flowing and compliant change sought by financial institutions. It ensures that in an environment of ongoing transformation, operational resilience is maintained, by ensuring financial institutions have a complete understanding of their processes, their associated risks and controls, and how they are fulfilled through technology and people.
Customer outcome mentality
The business architect is the person in an organisation who can directly correlate customers’ needs and the service outcomes they require, aligned to strategy, with technical and operational solutions, validated through value streams. They put the customer at the heart of every part of the business, and this is a unique and much-needed aspect of today’s change programmes.
I like to think of a “shop window” when describing the relationship between any financial organisation and its customers. The shop window conveys a business’s brand, identity and purpose. It enables the customer to peer inside the organisation, and see the services on offer and products provided. From this, customers make instant decisions on whether it meets their needs.
Just like a traditional shop window, financial organisations are also able to see out. By doing so they can validate everything they do operationally and technically through the lens of the services provided to customers.
The window sheds a critical light onto operational and technical solutions, helping evaluate these by the value they provide to customers. If FS organisations don’t pay attention to that window, they will find themselves in the dark making assumptions about where to invest. This is dangerous territory when budgets and timelines are tight.
Therefore, business architecture helps financial organisations look through the shop window – both ways – empowering organisations on their digital transformation journey.
Business architecture helps put FS companies in the shoes of their customers, and understand what their needs are, what services should be offered and where they should be accessed. Business architects inform and interpret strategies to ensure these needs, and the services provided to address them, are clearly and consistently articulated. It enables the early identification of capability gaps that would fail to meet the business strategy, before problems arise.
Customer-centred design
During this shift towards a more customer-centric future, my advice to any financial organisation – big or small – is to ensure there is complete transparency through their own shop window. Without it, they run the risk of making strategic decisions in the dark about new products and services powered by technology.
In a highly regulated and incumbent sector, the only way to successfully address customers’ needs is to actively engage business architecture from the outset.