<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=575722&amp;fmt=gif">

How Bud and our partners are setting the standard for API security

Bud-team-shot-Merlin

At Bud, our use of APIs mean that we can match people with relevant products from our partners at the right time. This network of fintech companies and financial service providers use Bud as a point of access for their products and services, available to millions of customers through our integration with banks.
But how does it all work — and how can we guarantee that user data remains secure? Here are a few key points about why, what and where next.

Why do we use APIs?

The best place to start is the world prior to APIs. Scrapers, systems that would log into your online banking account on your behalf to access the necessary data, occasionally do not meet contemporary security requirements. Banks had little control over which third parties were granted access, and customers had no standardised way of revoking it, either.


As a user, this presented problems when using personal finance management (PFM) tools. Once you have provided a tool outside of your bank with your credentials, they are no longer secure. These credentials are now saved somewhere other than your bank, and your transactional data can be accessed by the PFM tool whenever it wants. Like your bank, you have no control over this at all.


When open banking was introduced, there was concern that it would ‘open the floodgates’ to people’s personal data; in reality, it’s the opposite. APIs remove the lack of control posed by scrapers, reinstating the bank as the gatekeeper of your data. They allow you in and out of your account to various regulated providers and know exactly when you’re doing it — and, crucially, whether the request you’re making is secure.


This also means that users, using a token provided the third party on their behalf, can be logged in by their bank. This token can be invalidated at any point if there is a security issue, and we — Bud — don’t have to save any sensitive information, such as usernames or passwords.


Bud’s criteria for working with APIs


Rest APIs haven’t changed much since Bud started working with them. What has changed, however, is the standard of security that is now required from both ourselves and our partners when doing so.
As part of our process, we delve into the security practices of all our partners, asking everything from what their current systems are and how they store their data to their protocol if their site goes down. Everything we have to think about ourselves, we require our partners to think about too. That way, it’s safer for all involved.


Now, we see a lot of partners asking us for advice around security and tech standards — and that’s one huge benefit of working with a network like ours. It means together, we can establish a cross-industry API standard that works for everyone.

What next for the API Economy?


Open banking was initially mandated for the CMA9 — the nine largest banks and building societies in Great Britain and Northern Ireland, based on the volume of personal and business current accounts — but this is just the start.


With the expansion set to cover joint accounts, credit cards, and beyond, this means more data — and, in turn, more value for the users as regulated platforms such as Bud become more intelligent. Look at Amazon: you can look at a list of recent purchases, but there is little benefit in that. It’s when it starts to recommend products based on these purchases that the real value begins to emerge, and we envisage the same thing for open banking.


The next step is being able to do this with our API-integrated partners. Users will be introduced to products and services relevant to their individual circumstances, such as their credit scores. Rental Recognition is a prime example of the tangible benefits real people will be able to experience as a result of this.
It’s developments like this that will continue to evolve the industry at such a rapid rate, and ensure it’s at the forefront of data privacy and security. For those that don’t develop APIs, there is a real risk of being left behind.


If your API is ready to use, get in touch with our partnerships team. We’d love to work with you!