Jordanian Journal of Informatics and Computing

ISSN: 3080-6828 (Online)

Securing API Ecosystems in Banking: A Critical Review of Cyber Risks, Control Frameworks, and Future Trends

by Sopheaktra Huy; Sokroeurn Ang; Mony Ho; Vivekanandam Balasubramaniam


Published: 2026/01/15

Abstract

The rapid evolution of open banking and digital financial services has fueled the widespread adoption of Application Programming Interfaces (APIs) across the banking sector. While APIs enable real-time payments, embedded finance, and seamless integration with third-party platforms, they simultaneously introduce critical cybersecurity risks, including misconfigurations, excessive data exposure, broken authentication, and weak access controls. This review critically investigates the cyber threat landscape of financial APIs by synthesizing academic literature, industry frameworks, and real-world breach reports. It evaluates the practical effectiveness of controls such as the OWASP API Security Top 10, Financial-grade API (FAPI) standards, and Zero Trust Architecture, and explores the emerging role of AI-driven security models, including machine learning, deep learning, and Bayesian attack graph modeling. The key findings reveal persistent implementation gaps despite available standards, with real-world breaches such as those at Twilio and Dell highlighting the high-risk exposure of unsecured APIs. The review also uncovers fragmented regulatory maturity across jurisdictions: while the EU leads with structured mandates such as PSD2, the US and UK adopt more market-driven, inconsistent approaches that pose challenges for global financial compliance. Furthermore, the study identifies underexplored threat vectors such as insider misuse, unmanaged shadow APIs, and third-party abuse, areas rarely addressed in existing frameworks. Most importantly, it emphasizes a critical lack of integration between technical controls, regulatory policies, and lifecycle security implementation in real-world banking environments. This paper concludes with forward-looking recommendations to enhance API resilience through layered defenses, global regulatory alignment, AI-enhanced threat detection, and embedding security within software development pipelines.

Keywords

API Security; Open Banking; Cyber Risk Management; Zero Trust Architecture; Financial-Grade API; Artificial Intelligence (AI); Machine Learning (ML)
