Re-thinking credit union API infrastructure: the case for an abstraction layer
David Hooper
Banking and Payments Executive - innovating and transforming for a real-time world and open finance / open data.
An API and data transformation abstraction layer is an integral part of your data security ecosystem.
Introduction
The financial services industry is undergoing a significant transformation with increasing collaboration with third-party providers and the spectre of open banking on the horizon. While sharing data through APIs has become the norm, it is essential for banks and credit unions to re-evaluate their approach to API integration. This article explores the benefits of implementing an abstraction layer between core banking systems and third-party interfaces. As more and more credit unions open their systems and data to external parties (be it partners, vendors or approved open banking participants), a well-designed abstraction layer can offer enhanced security, operational efficiency, and flexibility in managing the data being shared via APIs.
The current landscape
Credit unions have been creating APIs to share information within their ecosystems for years. The types of APIs being written are dependent upon the nature of those systems. Some are true APIs in the modern sense while others are web service calls or proprietary messages between specific systems and applications.
We have been seeing a trend whereby credit unions have been exposing their native APIs (whatever format that may be) directly to third parties to facilitate data sharing. In many cases the CU has asked the third party for a specification and written APIs on their core systems to support those third-party specifications. These point-to-point APIs had an important role in connecting disparate applications. They had the benefit of being quick to create and relatively easy to implement. However, they add technical debt in that they are not reusable or scalable, which means ongoing duplication of effort to achieve the same outcome over and over again because the third parties are often requesting the same data (example: four different partners requesting data from a chequing account = four different APIs delivering data in four different formats!).
This reality makes them a challenge to maintain, and because these point-to-point APIs have been tailored to specific use cases, there is a lack of standardization and increased complexity in managing multiple interfaces. They also present a possible security risk because they effectively allow third parties to come into your systems to retrieve data.
Challenges in direct API integration:
Directly exposing native APIs can present unexpected challenges for a credit union. The lack of standardization can make it difficult for third-party developers to work seamlessly with various banking systems, hindering innovation and collaboration. Direct integration may expose the core banking system to vulnerabilities, necessitating additional security measures. And finally, maintaining and updating native APIs for multiple third-party providers can be resource-intensive and inefficient, which simply results in unnecessarily increased costs. The implementation of an abstraction layer can address these challenges.
The role of an abstraction layer:
By introducing an abstraction layer, credit unions can implement robust security measures, such as access controls, encryption, authentication and transaction throttling to protect the core banking system from potential threats.
The abstraction layer serves as a standardized gateway, allowing third parties to interact with the core system using a unified and standardized set of APIs. This promotes interoperability, enabling external developers to create applications that work seamlessly across different credit unions.
With an abstraction layer in place, credit unions can easily adapt to evolving industry standards and regulatory requirements, promoting flexibility and scalability. This flexibility ensures that the APIs remain relevant and compliant with changing market conditions.
An abstraction layer streamlines the process by providing a standardized interface, reducing the operational overhead associated with managing multiple APIs. Developers can focus on building and maintaining the abstraction layer, reducing the complexity of managing native APIs for each third-party integration. This results in cost savings and improved efficiency.
And finally, the abstraction layer acts as a protective shield around the core banking system. By encapsulating third-party message specifications and business rules, it ensures that external interactions adhere to security protocols.
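A minimal sketch of such a layer, added here as an illustration and not taken from the article or from any vendor's platform: one read against the core serves two partners, each receiving only its allow-listed fields in its own format, with access control and throttling applied before the core is touched. The account record, partner names, field mappings and limits are all constructed for the example.

```python
import time

# Constructed sample: one canonical chequing record as the core returns it.
CORE_ACCOUNTS = {
    "CHQ-001": {"member_id": "M-42", "type": "chequing", "balance_cents": 125034,
                "currency": "CAD", "national_id": "CONSTRUCTED-000",
                "opened": "2019-03-01"},
}

# Hypothetical per-partner policy: core field -> partner's field name, plus a
# per-minute call limit. Fields not listed never leave the layer.
PARTNERS = {
    "budget-app": {"fields": {"balance_cents": "balance", "currency": "ccy"},
                   "per_minute": 2},
    "lender": {"fields": {"balance_cents": "availableBalance", "type": "productType",
                          "opened": "accountOpenDate"},
               "per_minute": 5},
}

class Denied(Exception):
    """Request refused by the abstraction layer."""

class AbstractionLayer:
    def __init__(self, core, partners, clock=time.monotonic):
        self._core, self._partners, self._clock = core, partners, clock
        self._calls = {}  # partner id -> timestamps of calls in the last minute

    def _throttle(self, partner_id, limit):
        now = self._clock()
        recent = [t for t in self._calls.get(partner_id, []) if now - t < 60]
        self._calls[partner_id] = recent
        if len(recent) >= limit:
            raise Denied("rate limit exceeded")
        recent.append(now)

    def get_account(self, partner_id, account_id):
        # partner_id is assumed to be authenticated upstream (e.g. mTLS or OAuth).
        policy = self._partners.get(partner_id)
        if policy is None:
            raise Denied("unknown partner")            # access control
        self._throttle(partner_id, policy["per_minute"])
        record = self._core.get(account_id)            # the one core-facing read
        if record is None:
            raise Denied("account not available")
        # Allow-list projection and rename into the partner's own format.
        return {out: record[src] for src, out in policy["fields"].items()}
```

Adding a third partner is a new entry in `PARTNERS`; nothing on the core changes, and a field such as `national_id` stays inside the layer unless a policy explicitly maps it.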
Orchestration:
Orchestration plays a crucial role within the context of an abstraction layer, especially in managing complex interactions and workflows between the core banking systems and third-party interfaces.
Let's explore how orchestration fits into the abstraction layer framework:
Definition of Orchestration: Orchestration, in the context of API integration, refers to the coordination and management of multiple APIs and services to accomplish a specific business process or workflow. It involves controlling the sequence of operations, handling errors, and ensuring that data flows smoothly between different components.
Integration of orchestration within the abstraction layer:
Workflow Management: The abstraction layer can act as an orchestrator, defining and managing end-to-end workflows that involve interactions with the core banking system and various third-party APIs. This includes scenarios like user authentication, transaction processing, and data synchronization.
Normalization of Data: Orchestration can be used to normalize data formats and structures between the diverse APIs connected through the abstraction layer. This ensures consistency and coherence in data representation, making it easier for third-party developers to work with the integrated system.
Key functions of orchestration in the abstraction layer:
API Choreography: Orchestration can choreograph the sequence of API calls, orchestrating the flow of data and actions between different APIs. This helps in optimizing the performance and ensuring that the APIs work together seamlessly.
Error Handling: The abstraction layer, with orchestration capabilities, can efficiently handle errors and exceptions that may occur during API interactions. This involves implementing retry mechanisms, logging errors, and providing appropriate responses to ensure robustness.
Security Orchestration: Orchestration can play a vital role in managing security-related tasks, such as authentication, authorization, and encryption, ensuring that sensitive data remains protected throughout the transaction lifecycle.
Benefits of orchestration in the abstraction layer:
Enhanced Flexibility: Orchestration adds a layer of flexibility by allowing credit unions to adapt and modify workflows without making significant changes to the core systems or individual APIs.
Improved Scalability: As the number of APIs and third-party interactions grows, orchestration helps in managing the increased complexity by providing a scalable and efficient way to coordinate activities.
Consistent User Experience: Orchestration ensures a consistent and seamless user experience by coordinating interactions across various services and APIs. This is particularly important for maintaining a unified front-end for customers and third-party users.
Considerations for implementing orchestration in the abstraction layer:
Scalable Architecture: Ensure that the architecture of the abstraction layer supports scalable orchestration to handle increasing volumes of API interactions without compromising performance.
Monitoring and Analytics: Implement robust monitoring and analytics capabilities within the orchestration layer to track the performance of workflows, identify bottlenecks, and optimize processes over time.
Security Measures: Integrate security measures into the orchestration layer to protect against potential threats and vulnerabilities. This includes secure communication channels, access controls, and data encryption.
Guidelines for implementing an abstraction layer:
The following represent the basic approach to implementing an Abstraction Layer:
Design Principles: Establishing design principles for the abstraction layer, such as RESTful architecture, can ensure simplicity, flexibility, and ease of integration for third-party developers.
API Documentation: Clear and comprehensive documentation for the abstraction layer APIs is crucial for third-party developers to understand how to interact with the banking system effectively.
Continuous Monitoring and Updates: Regular monitoring and updates to the abstraction layer are essential to address emerging security threats, industry changes, and evolving business requirements.
Conclusion
The adoption of an abstraction layer between core banking systems and third-party interfaces is a strategic move for credit unions looking to enhance security, improve operational efficiency, and foster innovation. The synergy between abstraction and orchestration is pivotal for credit unions seeking to elevate their API integration strategies.
The abstraction layer provides the foundation for standardization and security, while orchestration adds the necessary coordination and flexibility to navigate the complexities of modern API integration. Together, they pave the way for a more secure, scalable, and user-friendly financial ecosystem.
Think of it this way: a fast food restaurant lets you use a mobile app to order a burger and fries, but you have to go to the counter to pick it up. They don’t let you walk into the kitchen to take it off the grill and scoop the fries out of the deep fryer. Point-to-point APIs let the data requestor walk in and get it directly from your crown jewel systems… protect your data better by making the data requestor come to the counter for you to deliver the data to them! And, if you have to provide the data in a specific format for them, then you control it and transform it within this layer rather than having duplicate functions built on your core.
How Can CGI Help?
CGI introduced its first open banking / API management solutions in 2016 to support digital bank clients in Europe. Since that time, we have taken the fundamental concepts and built the next generation – a cloud-native Open Finance / API Management Platform that can help credit unions and banks to reposition themselves and expand their presence, replace proprietary API gateways, participate in marketplaces, grow an ecosystem of vendors and be prepared for an open banking / open finance / open data future.
Diagram: CGI API Management Platform
Built on a cloud-native architecture but designed to be cloud agnostic, the CGI API Management Platform is a robust, full-function abstraction layer - essentially what we have been describing in this paper.
The platform, currently live in MS Azure, contains the following components:
More importantly, we have already done an MVP integration into RFS360, as well as the Ovation and Wealthview Banking systems. This means that there should be very few surprises when integrating to your core banking instance... and that means we can get you prepared for open banking quicker!
As the financial services industry moves towards open banking, credit unions must adopt advanced solutions to remain competitive and meet member demands for better, more personalized services. CGI's Open Finance / API Management Platform offers a comprehensive, secure, and scalable framework to facilitate this transition. By leveraging the platform's abstraction and orchestration capabilities, credit unions can enhance their operational efficiency, foster innovation, and be well-prepared for a future that promises a wealth of consumer-driven banking services requiring the exchange of member data.
If you are interested in a demonstration and further discussions, please reach out to David Hooper, VP, Payments and Open Banking Consulting.
Vice President Consulting Services - CGI
8 months ago
David Hooper and Team... thank you for putting this point of view together. Very helpful
Sales Leader & Advisor
8 months ago
Really great article and read David Hooper!