„Open Banking in a Box” and why it does not exist, Krzysztof Trojan​, IT architect and Senior Manager at Consult Trojan Ltd

1. „Open Banking in a Box”
and why it does not exist
The (perceived) broken promise
of API Management in Open Banking
&
other API program related misconceptions at banks

2. • Lead architect in Open Banking
implementation program
• Author of an early Open Banking
accelleration framework
• Several projects of creating a bank from
scratch
• Active Open Banking movement
participant, standard reviewer
(currently the only independent person
in the PolishAPI working group of
Polish Banking Association)
• Banks large & small
• Before banking – Electronic Warfare
Krzysztof Trojan
IT Architect & Executive Consultant

3. Percentage of EU banks
who met the regulatory deadline for PSD2 Sandbox
as surveyed by

4. reg
CMA9 API performance
metrics over time reports:

5. Core systemsMiddlewareChannels
Process engine
ESB
Batch execution
CIF
CA DEP LN
Ledger, DWH, …
Internet Banking
Mobile banking
IVR
Branch
ATM
CSR

6. Core systemsMiddlewareChannels
Process engine
ESB
Batch execution
CIF
CA DEP LN
Ledger, DWH, …
Internet Banking
Mobile banking
IVR
Branch
ATM
CSR
Open
Banking
API

7. Furthermore, an API management solution may be expected to address security-related
and operational aspects that are not explicitly addressed by the RTS or the PSD2 API
specifications, but that should be taken into account nevertheless, for example:
Additional security threats like distributed denial of service (DDoS), compromised
message integrity, etc.
Monitoring and management of consumer ‘behavior’, as a means to protect downstream
systems (think of mitigating actions like traffic rate limiting or throttling)
• Banks are notiorious in under-estimating the complexity of
implementing open APIs
• Most of the banks (until well in the program) consider it an
implementation of a localized „interface” or system, not a
transformational program
• Banks’ delivery pipelines are for large monoliths. There are
banks whose delivery to production is designed with
multi-month, fixed lenght cycle (like twice a year)
• When it comes to microservices, it is now (and not 2 years
ago when it needed to) that the banks run what the industry
considers platform pre-requisites: containers, service
discovery, DevOps pipelines

8. Furthermore, an API management solution may be expected to address security-related
and operational aspects that are not explicitly addressed by the RTS or the PSD2 API
specifications, but that should be taken into account nevertheless, for example:
Additional security threats like distributed denial of service (DDoS), compromised
message integrity, etc.
Monitoring and management of consumer ‘behavior’, as a means to protect downstream
systems (think of mitigating actions like traffic rate limiting or throttling)
„First, whether approaching open banking from a
perspective of mere compliancy or whether expecting
substantial business value from it, an API management
solution may be expected to provide great help in terms of
ease-of-implementation and interface flexibility. For
example, it will allow APIs to be published in a simple and
consistent manner, where the solution may even allow for
alternative versions based on different OB/PSD2 standards
(simultaneously or over time).”
„WSO2 Open Banking leverages WSO2’s API
management, security and integration
capabilities to create a pre-configured solution
specially designed for PSD2 compliance. It is
built on architecture that can scale to deliver
compliance for differing deployment sizes.”
The API management suites, especially Open Banking
targeted flavours, enforce confirmation bias

10. Furthermore, an API management solution may be expected to address security-related
and operational aspects that are not explicitly addressed by the RTS or the PSD2 API
specifications, but that should be taken into account nevertheless, for example:
Additional security threats like distributed denial of service (DDoS), compromised
message integrity, etc.
Monitoring and management of consumer ‘behavior’, as a means to protect downstream
systems (think of mitigating actions like traffic rate limiting or throttling)
Have you maybe heard it before?
„The enterprise service bus (ESB) is a silent partner in the SOA logical architecture. Its
presence in the architecture is transparent to the services of your SOA application.
However, the presence of an ESB is fundamental to simplifying the task of invoking
services – making the use of services wherever they are needed, independent of the
details of locating those services and transporting service requests across the network to
invoke those services wherever they reside within your enterprise.”
IBM’s SOA Foundation An Architectural Introduction and Overview
IBM 2005

11. Furthermore, an API management solution may be expected to address security-related
and operational aspects that are not explicitly addressed by the RTS or the PSD2 API
specifications, but that should be taken into account nevertheless, for example:
Additional security threats like distributed denial of service (DDoS), compromised
message integrity, etc.
Monitoring and management of consumer ‘behavior’, as a means to protect downstream
systems (think of mitigating actions like traffic rate limiting or throttling)
Request routing (external endpoint, versioning)
API Gateway Traffic shaping (throtting, caching, quota)
Policy enforcement (see security)
API definition & docs publication
Developer and client application enrolment
Development
portal

12. Furthermore, an API management solution may be expected to address security-related
and operational aspects that are not explicitly addressed by the RTS or the PSD2 API
specifications, but that should be taken into account nevertheless, for example:
Additional security threats like distributed denial of service (DDoS), compromised
message integrity, etc.
Monitoring and management of consumer ‘behavior’, as a means to protect downstream
systems (think of mitigating actions like traffic rate limiting or throttling)
Editor
API Design
Registry
Dashboard
Mock runtime
Mock editor
API Virtualisation
& Mocking
API Traffic Metrics

13. Furthermore, an API management solution may be expected to address security-related
and operational aspects that are not explicitly addressed by the RTS or the PSD2 API
specifications, but that should be taken into account nevertheless, for example:
Additional security threats like distributed denial of service (DDoS), compromised
message integrity, etc.
Monitoring and management of consumer ‘behavior’, as a means to protect downstream
systems (think of mitigating actions like traffic rate limiting or throttling)
Policy editor
API Security OAuth2, OIDC, FAPI
Web Application Firewall
Quota
Billing
API Monetisation

14. Core systemsMiddleware
Channels
Process engine
ESB
Batch execution
CIF
CA DEP LN
Ledger, DWH, …
Internet Banking
Mobile banking
IVR
Branch
ATM
CSR
API
Gateway

15. Client

16. Client
API Gateway

17. Client
API Gateway

18. Client
API Gateway

19. Client
API Gateway

20. Client
API Gateway
ESB

21. Client
API Gateway
ESB

22. Coherency-limited scalability
Contention-limited scalability
Concurrency-limited scalability
Amdahl’s Law, Brewer’s Theorem (CAP), PACELC, …
Universal Scalability Law

23. Core systems
MiddlewareChannels
Process engine
ESB
CIF
CA DEP LN
Internet Banking
Mobile banking
API Operational data stores
API GW
…
API
API
API
APIAPI
APIAPI
API

24. API Gateway
API Gateway
API Gateway
API Gateway
API Resources
API
API
API
APIAPI
API
Replicated,
queryable call log
replication
Example
The throttler capping the throughput, with no throttling enabled
… because of DB throughput limits

25. East-West Traffic
API
Artifacts
Registry
Service runtime
Eg. K8s
Service
instance
registry
API
Templates
Policy
fragments
Gateway
Deployment
pipeline
API contract
designer
Policy
designer
North-South
Traffic
API
Contract
Registry
Policies
Low-code /
No-code API
builder
Metrics
Dashboard
API IDE
Alarms &
monitors
Message-exchange patterns?
Affinity?
Resiliency patterns?
Queueing?

27. • what a reverse proxy could do
(with a better management UI)
• throttling, caching, audit logging,
request based routing
• monitoring the traffic
• rudimentary communication to
developers (dev portal) – getting
it fast
• a place to run a policy
enforcement point
• running trivial transformations,
like signing and encryption
• formal schema validation
• the catalogue of your APIs
• scale up, what is itself not scalable
• help you with implementing resiliency
patterns
• code API logic, beyond trivialities
• integrate to your backend, unless you
already have an API
• solve your CI/CD proces deficiencies
• provide you with pluggable
authorization logic
• provide you with visibility of the
internal metrics of the things exposed
• protect you from DDoS to a reasonable
extent
• magically link to your SIEM, integrate to
your authorization UI (unless you code
it all)
API Management can help with: API Management will not :

28. Furthermore, an API management solution may be expected to address security-related
and operational aspects that are not explicitly addressed by the RTS or the PSD2 API
specifications, but that should be taken into account nevertheless, for example:
Additional security threats like distributed denial of service (DDoS), compromised
message integrity, etc.
Monitoring and management of consumer ‘behavior’, as a means to protect downstream
systems (think of mitigating actions like traffic rate limiting or throttling)
scale well, and at reasonable price …
Check, if your
chosen
API Management:
write metrics where all your other systems do …
can be automated with the toolchain you use …
formats logs as you (or your SIEM package) expect
can be painted so it looks like the rest of your bank
Check first if you are going to implement a layered API architecture at all …
does talk to your HSM …
… and so on, so on

29. Thank You!