NAB has now built up a portfolio of 1200 APIs for both internal and external use, with reinforced monitoring wrapped around the latter in particular in a bid to avoid potential abuse.
Executive for enterprise technology Steve Day told FST Media’s Future of Financial Services summit that APIs are increasingly powering “a whole ecosystem of partners around the banks that can provide value-added services on top of the basic banking services.”
Many external-facing APIs pertain to NAB’s implementation of open banking, and are published via a developer portal.
Day noted that bank customers could authorise third-party websites to access their data and analyse it in order to better understand their finances and spending habits.
“If you’re willing, through all of the checks, to provide your details on what you have in your banking environment and your personal information, you can make that available for a range of services either to yourself or for third-parties that you entrust to handle your finances on your behalf,” he said.
Increasingly though, NAB also built APIs to allow its customers (or other third parties) to integrate their environments directly with NAB.
“Many of [our 1200] APIs link to our customers to enable great integrations into their environments and really help then digitise their environments in a way that integrates with their banking services,” Day said.
Other APIs enabled third-party app and site developers to link into NAB services.
“We’ve built interfaces to things like Xero, so Xero can now interface to us directly. We built interfaces to realestate.com.au so that people, as they buy houses, can actually get real time information back out on our products and services through these APIs and what they’d be able to loan, etc,” Day said.
“We’re creating a lot more of these interfaces so not only can we provide digital windows into our business but also we can open it up to allow other third parties to provide services.”
Day said that prospective API users were able to test NAB’s APIs in sandbox environments.
He also said that the bank had paid particularly close attention to security and monitoring the use of its APIs, particularly following the PayID look-up abuse incident that hit rival Westpac last year.
Fraudsters ran thousands of automated PayID look-ups a day for six weeks before the incident was detected and shut down.
Day said NAB was already focused on security and governance as a result of its long-running and wide-ranging move into the cloud.
But he suggested the PayID incident had reinforced the need for NAB to keep tabs on the use of its own APIs.
“Obviously, putting APIs out there without monitoring would be extremely dangerous,” Day said.
“Early in the piece we learned from the PayID incident where APIs were put out to the market for PayID and before you knew it, you had people trying to exploit those and gather personal information on people by just guessing mobile numbers, for instance.
“We put a lot of blocks in place to prevent that sort of thing, [and] a lot of monitoring to make sure we don’t have scanning of our APIs for the wrong reasons.
“We’re looking at transaction levels, looking at suspicious activities – all of that has been built in as part of the monitoring.”