Best Practices for FinTech APIs
How many third-party APIs is your application consuming? All modern FinTech companies rely on external APIs to run their business. Take Robinhood for instance: the famous investment application uses the Plaid API to connect to its users’ bank accounts, the Xignite API to get financial data, and the Galileo API to process payments. That is only the beginning. The essential parts of their service could not run without consuming third-party APIs.
The API wave has overwhelmed the FinTech industry over the past years: payments, peer-to-peer transfers, lending, investing, accounting, and know-your-customer (KYC) checks. No service is immune. If you’re starting a company in FinTech, you should definitely learn about the API ecosystem to understand how you could benefit from it. Not because APIs are trendy, but because they allow you to build software better, faster, and cheaper.
One question remains: how risky is it? Let’s remember that external APIs are dependencies you don’t have control over. If your services are heavily reliant on third-party APIs, any downtime those APIs experience can be devastating for your business. I bet you think that such issues are rare and insignificant. We’ll see that they aren’t and that you might want to be prepared.
Table of contents:
- Why are APIs fueling the FinTech industry?
- As a FinTech company, which APIs are available?
- APIs are a critical component of the FinTech stack
- The most common issues you will have with FinTech APIs
- How you should monitor FinTech APIs
Why are APIs fueling the FinTech industry?
More than in any other industry, APIs are flourishing in the finance space. Have a look at the 2020 API Landscape and you will see an abundance of financial services such as payment, KYC, accounting, Open Banking, and financial data in the Business Processes category.
Lower development costs and time-to-market
Financial products are very complex and costly to develop on your own. If you want to connect to your users’ bank accounts, you’d have to build an integration for each financial institution. You probably have limited resources: you already write complex code, handle infrastructure challenges, and manage a team.
That’s how demand for account aggregation APIs rose. Building financial products proved to be very costly if you wanted to do everything in-house. Third-party APIs and services offer simple, fast, and cost-efficient ways to do this.
More income for traditional players
Providers realized they could generate significant revenue if they could provide their services through APIs. If you think about the big players, most expose an API: Paypal for payments, Intuit for accounting, and Xignite for financial data.
Even the more traditional companies are getting into it: 72% of the world's top 50 largest banks had an API platform by Q1 2020 (Citi, Barclays, BBVA, etc.).
New business for innovators
Some companies even made an entire business of selling an API to developers. Stripe, for example, powers numerous payment systems and is targeted at developers and startups. Pure Banking-as-a-Service providers like Plaid offer the ability to connect to multiple financial institutions with ease, and allow users to authorize themselves without the need for your application to store sensitive authorization data.
Favorable political agenda
Regulation, more so than economic factors, has also driven API development. Open Banking initiatives have been thriving all around the world over recent years, forcing these institutions to release APIs that expose their data to third-parties. The Second Payment Services Initiative (PSD2) compels European banks to do so from September 2019. It aims at expanding the financial services ecosystem. As a result, all the surrounding ecosystems—insurance, real estate, retail—are now going along.
As a FinTech company, which APIs are available?
This non-exhaustive list aims at giving an overview of the most used APIs in the FinTech space.
Traditional Banking APIs
Most FinTech companies use APIs to build banking capabilities such as opening a new bank account, issuing IBANs and debit cards, transferring money, or pulling financial data from their users’ bank account.
Several banks provide their core banking capabilities through APIs. For example, Bankrate integrated with the Credit Offers API from Capital One to add its credit card offerings to their comparison engine. Other banks offering similar APIs include BBVA, BNP Paribas, Citi, Deutsche Bank, HSBC, ING, and Santander.
Keep in mind that these traditional bank APIs are still experiencing significant downtime compared to the rest of the API economy. For instance, in May 2020, the average time large UK bank APIs were unavailable was just over 8 hours (compared to 2 hours for the Stripe API).
Pure Banking-as-a-Service APIs
You can also use pure Banking-as-a-Service APIs (aka Open Banking solutions) that are already connected to many banks and offer a developer-friendlier experience: SaltEdge, Token.io, Plaid, Finastra, Deposit Solutions, Tink, SynapseFI, 10x banking, Finicity, Galileo, Marqeta, and Quovo are just a few providers in this space.
For instance, Venmo relies on the Plaid API to provide its peer-to-peer payment solution.
Whatever products or services you are selling, collecting money from customers will always be key. Sending and tracking invoices, accepting online or in-person payment, managing subscription plans, and financial reporting can quickly turn into a nightmare.
That’s where payments APIs come in and help you build a scalable and cost-efficient payment stack: Stripe, Square, Paypal, Venmo, LINE Pay, Alipay, Braintree, Adyen, Wepay and many others can integrate directly into your application. For instance, Xero partnered with Stripe to help them facilitate payment for their customers.
Peer-to-peer payment is another type of payment for which APIs are widely used. They help developers building a P2P application connect to their users’ bank accounts. Recognized providers are TransferWise, Dwolla, and PopMoney.
Most B2B Fintech services integrate with accounting APIs to automate manual, repetitive, and tedious tasks such as data entry. The most-used APIs include: Wave, Xero, Quickbooks, FreeAgent, Concur, Sage, TrueLayer, Expensify, and Zoho Books.
For instance, more than 650 business applications integrate with the Quickbooks API. If you are building a B2B FinTech service, it might be interesting to assess how much a native integration with an accounting software would be valuable to your users.
Financial Data APIs
If you are working with stock markets, data is king. For instance, investment applications like Robinhood or Wealthfront need real-time data to give their users the ability to quickly make good decisions about buying and selling securities. That’s precisely what they use Xignite API for.
Other well-known financial data providers include: Yahoo Finance, Alpha Vantage, Schwab, Bloomberg Market & Financial News, IEX, EOD Historical Data, Morningstar, Quandl and Refinitiv.
Algorithmic trading has attracted interest for many years because of the huge amounts of money involved. While it was very costly to build the underlying infrastructure, APIs have recently made it accessible to developers that do not necessarily belong to deep-pocketed hedge funds.
For example, Alpaca provides an API to developers and traders willing to build stock trading applications. If you’re among them, you can also check Tradier and TD Ameritrade. Most cryptocurrency exchanges also expose a trading API to their customers like Kraken, Coinbase, Binance, and Bitfinex.
If you are launching a FinTech company, don’t underestimate regulatory and legal duties. Know Your Customer (KYC) and Anti-Money Laundering (AML) checks are mandatory and compel you to verify the identity of your customers. For instance, Marqeta, a card issuing and payment solution, uses the Alloy API to run its KYC and AML processes.
As a result, an entire ecosystem of Regulation and Compliance Tech companies, or RegTech, has sprung up to make this process easier. You should also have a look at the following providers: Trulioo, Onfido, Configo, Hummingbird, Chainalysis, ComplyAdvantage, NetGuardians, SwiftDil, Facephi, Mitek, Veratad, and Passbase.
Many APIs consumed by FinTech applications are not specifically related to the FinTech industry. Yet they are worth mentioning as they contribute to a critical part of the user experience.
Here are the most common ones:
- Emailing APIs to send transactional emails to users: Sendgrid, Postmark, Mailgun, Sendinblue, Nylas and Mailjet.
- SMS APIs to send SMS to users: Twilio, Nexmo, MessageBird and Clicksend.
- CRM APIs to gather and consolidate user data and interactions: Salesforce, Hubspot, Zoho, Pipedrive, and Microsoft Dynamics.
APIs are a critical component of the FinTech stack
We’ve established that APIs are everywhere in the FinTech industry. Their existence allows engineers to build better financial products faster and cheaper. However, it comes with a major risk: the core business of FinTech companies relies on external, uncontrolled technologies. Why is it important? Because APIs can experience outages or perform poorly at any moment.
Regarding Robinhood, what if the Plaid, Galileo, or Xignite APIs suffer a temporary outage? Their product would simply collapse (and they really don’t need that). As a result, they would lose customers and revenue, and strongly damage their brand reputation. It was Warren Buffett who said “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
But you are probably thinking: “API outages never happen, I shouldn’t worry about them”.
Well, they do:
The most common issues you will have with FinTech APIs
API is down
This is the worst-case scenario as the API is completely unavailable. This is a server-side problem and API requests will time out or return an HTTP response with a 5xx error code, like Service Unavailable (503).
Client errors are the result of the content of an API request being invalid. The API will return an HTTP response with a 4xx error code. It could be because:
- Invalid parameters are sent - Bad Request (400)
- The application access token has expired or was revoked - Unauthorized (401)
- You do not have the appropriate user rights to access the resource - Forbidden (403)
- The resource specified in the request was not found - Not Found (404)
- Your application has been rate limited - Too many requests (429)
This is not an exhaustive list, and you should definitely read the Handling Errors page of your API provider to learn about common issues and how to deal with them. Also, have a look at the most common HTTP Status codes that you should know.
Network errors come from connectivity issues between client and server. They often show as low-level errors without a status code, like a timeout exception.
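The three failure classes described above (the API is down, the request is invalid, the network fails) call for different reactions in the consuming application, so it pays to classify each outcome at one place in the HTTP layer. The following is an added example, not code from the article or from any provider's SDK: `classify` maps a status code or a transport exception to a category with a retry hint, and `fake_transport` is a constructed stand-in for a real HTTP client so the code runs offline.

```python
"""Classify the outcome of a third-party API call: success, server error (API down),
client error (4xx, by code), or network error (no status code at all).

Added example, not from the article. `call_api` wraps any callable that returns
(status, body) or raises; `fake_transport` below is a constructed stand-in for a
real HTTP client so the code runs offline.
"""
import socket
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class Failure(Enum):
    NONE = "success"
    API_DOWN = "server error (5xx): provider side, retry with backoff"
    BAD_REQUEST = "client error 400: fix the request, do not retry"
    AUTH = "client error 401: refresh or rotate the access token, then retry"
    FORBIDDEN = "client error 403: missing permission or scope, do not retry"
    NOT_FOUND = "client error 404: check the resource identifier"
    RATE_LIMITED = "client error 429: back off, honour Retry-After, then retry"
    OTHER_CLIENT = "other 4xx: inspect the provider's error body"
    NETWORK = "network error: no status code, retry with backoff"


@dataclass
class Outcome:
    failure: Failure
    status: Optional[int]
    retryable: bool          # True if retrying (after any remediation) can succeed
    detail: str = ""


# The codes listed in the article, mapped to their category.
CLIENT_ERRORS = {
    400: Failure.BAD_REQUEST,
    401: Failure.AUTH,
    403: Failure.FORBIDDEN,
    404: Failure.NOT_FOUND,
    429: Failure.RATE_LIMITED,
}


def classify(status: Optional[int], exc: Optional[BaseException] = None) -> Outcome:
    """Map an HTTP status (or a transport exception) to a failure class."""
    if exc is not None:
        # No HTTP response at all: timeout, connection refused, DNS failure...
        return Outcome(Failure.NETWORK, None, retryable=True, detail=type(exc).__name__)
    if 200 <= status < 300:
        return Outcome(Failure.NONE, status, retryable=False)
    if status >= 500:
        return Outcome(Failure.API_DOWN, status, retryable=True)
    if 400 <= status < 500:
        kind = CLIENT_ERRORS.get(status, Failure.OTHER_CLIENT)
        # Only expired tokens and rate limits are worth retrying once remediated.
        return Outcome(kind, status, retryable=kind in (Failure.AUTH, Failure.RATE_LIMITED))
    return Outcome(Failure.OTHER_CLIENT, status, retryable=False)


Transport = Callable[[str], Tuple[int, bytes]]


def call_api(transport: Transport, url: str) -> Outcome:
    """Perform one call through `transport` and classify what came back."""
    try:
        status, _body = transport(url)
    except (socket.timeout, ConnectionError, OSError) as exc:
        return classify(None, exc)
    return classify(status)


def fake_transport(url: str) -> Tuple[int, bytes]:
    """Constructed stand-in for an HTTP client; each path mimics one scenario."""
    scenarios = {
        "/accounts": (200, b"{}"),   # healthy call
        "/down": (503, b""),         # API is down
        "/expired": (401, b""),      # access token expired or revoked
        "/burst": (429, b""),        # rate limited
    }
    if url == "/slow":
        raise socket.timeout("read timed out")  # network error, no status code
    return scenarios.get(url, (404, b""))


if __name__ == "__main__":
    for path in ("/accounts", "/down", "/expired", "/burst", "/missing", "/slow"):
        outcome = call_api(fake_transport, path)
        print(f"{path:10} -> {outcome.failure.name:12} retryable={outcome.retryable}")
```

The `retryable` flag is the piece a caller actually uses: a 5xx or a timeout goes into a backoff loop, a 401 triggers a token refresh before one more attempt, and a 400, 403 or 404 is logged and surfaced as a bug or a permission gap rather than retried.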
Error rate is elevated
Whether it comes from you or your API provider, you may experience intermittent issues. The API isn’t completely down but the number of errors increased and it is affecting your services badly as a significant part of the performed requests are not successful.
API is slow
You are experiencing increased latency, maybe even timeouts, for the requests you perform. This often comes from a surge of incoming requests or increasing queues on the provider side.
API consumption spiked
You are performing an unexpectedly high number of requests to an API. Whatever the reason, it may be the symptom of an issue in your code. It may also cost you a lot of money if you pay your API provider on a per-usage basis.
It’s an issue we experienced with Sendgrid API during a major release in June 2020.
Rate-limiting is a classic API issue. To protect themselves, most providers will block your requests if you perform too many in a narrow time window. They will return an HTTP response with a 429 error code.
For instance, you can make up to 500 requests per minute on Quickbooks Online API endpoints. This means any additional requests after the 500 threshold will fail until the timer resets. More on the matter can be found in a dedicated article about rate limiting and how to deal with it.
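A consuming application can avoid most 429 responses by enforcing the provider's quota on its own side, and should honour `Retry-After` when it does get one. The block below is an added example, not from the article or from any provider's SDK: a sliding-window limiter sized to the 500-requests-per-minute figure quoted above, plus a send loop that backs off on 429. The `clock`, `sleep` and `transport` arguments are injected, and `FakeClock` is a constructed helper, so the code runs offline and deterministically.

```python
"""Client-side rate limiting and 429 handling for a per-minute quota.

Added example, not from the article or any provider's SDK. The limiter keeps
the application under `limit` calls in any `window` seconds; the send loop
honours Retry-After (in seconds) on 429 and otherwise uses exponential backoff.
"""
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` calls in any `window` seconds (sliding window)."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._sent: Deque[float] = deque()   # timestamps of calls still in the window

    def _prune(self, now: float) -> None:
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()

    def wait_time(self) -> float:
        """Seconds to wait before the next call is allowed (0.0 if allowed now)."""
        now = self.clock()
        self._prune(now)
        if len(self._sent) < self.limit:
            return 0.0
        return self.window - (now - self._sent[0])

    def record(self) -> None:
        self._sent.append(self.clock())


def parse_retry_after(headers: Dict[str, str], default: float) -> float:
    """Honour a Retry-After given in seconds; fall back to `default` otherwise."""
    value = headers.get("Retry-After")
    if value is None:
        return default
    try:
        return max(0.0, float(value))
    except ValueError:      # HTTP-date form of Retry-After is not handled here
        return default


Response = Tuple[int, Dict[str, str]]


def send_with_limit(transport: Callable[[], Response], limiter: SlidingWindowLimiter,
                    sleep: Callable[[float], None], max_attempts: int = 3
                    ) -> Tuple[int, int, float]:
    """Send one request under the local quota; on 429 back off, then retry.

    Returns (final_status, attempts_made, total_seconds_slept).
    """
    slept = 0.0
    for attempt in range(1, max_attempts + 1):
        delay = limiter.wait_time()          # stay under the local quota first
        if delay > 0:
            sleep(delay)
            slept += delay
        limiter.record()
        status, headers = transport()
        if status != 429:
            return status, attempt, slept
        backoff = parse_retry_after(headers, default=2.0 ** attempt)
        sleep(backoff)
        slept += backoff
    return 429, max_attempts, slept


class FakeClock:
    """Constructed clock for offline runs: sleeping advances time instantly."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Tuple[float, Tuple[int, int, float]]:
    """Fill the quota, measure the forced wait, then survive one 429."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=500, window=60.0, clock=clock.now)
    for _ in range(500):                      # burst: 500 calls at t=0
        limiter.record()
    forced_wait = limiter.wait_time()         # 60.0: the window must roll over
    clock.sleep(forced_wait)
    responses = iter([(429, {"Retry-After": "5"}), (200, {})])   # constructed
    result = send_with_limit(lambda: next(responses), limiter, clock.sleep)
    return forced_wait, result


if __name__ == "__main__":
    print(demo())
```

Keeping the limiter in front of every call, rather than only reacting to 429s, matters for two reasons: the provider counts every request including the rejected ones, and a burst that trips the limit on one worker can starve the other workers sharing the same API key.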
API has been deprecated
API providers are constantly improving and changing their APIs. As a result, you may find yourself using a deprecated API or endpoint. The deprecation warnings in the response headers should help you spot and prevent the use of expiring and expired APIs. Many providers will send out notices to customers in advance as well, but sometimes these can slip by your team.
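Those response headers are easy to check programmatically on every call, which is more reliable than hoping an e-mail notice reaches the right engineer. The block below is an added example, not from the article: it reads the `Sunset` header (RFC 8594, an HTTP-date after which the endpoint is gone) and the `Deprecation` header (an IETF draft; this example assumes it carries either `true` or an HTTP-date), plus any `Link` pointer with `rel="deprecation"` or `rel="sunset"`. The header values and dates in the example are constructed.

```python
"""Spot deprecated or expiring endpoints from response headers.

Added example, not from the article. Assumes the Sunset header (RFC 8594) is an
HTTP-date and that the Deprecation header (IETF draft) is either "true" or an
HTTP-date. Sample header values are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

SUNSET_WARNING_DAYS = 30    # assumed alert horizon, not from any provider


def _http_date(value: Optional[str]) -> Optional[datetime]:
    """Parse an HTTP-date; return None for missing or non-date values such as 'true'."""
    if not value:
        return None
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def deprecation_status(headers: Dict[str, str], now: datetime
                       ) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (state, days_until_sunset, info_link) for one response.

    state is one of "ok", "deprecated", "sunset-soon", "sunset-passed".
    `now` must be timezone-aware so it compares with the parsed GMT dates.
    """
    h = {k.lower(): v for k, v in headers.items()}      # header names are case-insensitive
    sunset = _http_date(h.get("sunset"))
    deprecated = "deprecation" in h
    dep_date = _http_date(h.get("deprecation"))
    if dep_date is not None and dep_date > now:
        deprecated = False          # announced for the future, not yet in effect
    link = None
    for part in h.get("link", "").split(","):
        if 'rel="deprecation"' in part or 'rel="sunset"' in part:
            link = part.strip().split(";")[0].strip(" <>")
            break
    if sunset is not None:
        days = (sunset - now).days
        if sunset <= now:
            return "sunset-passed", days, link
        if days <= SUNSET_WARNING_DAYS:
            return "sunset-soon", days, link
        return "deprecated", days, link
    if deprecated:
        return "deprecated", None, link
    return "ok", None, link


if __name__ == "__main__":
    now = datetime(2020, 9, 1, tzinfo=timezone.utc)      # constructed reference time
    sample = {                                           # constructed response headers
        "Sunset": "Sun, 20 Sep 2020 00:00:00 GMT",
        "Link": '<https://example.test/api/changelog>; rel="sunset"',
    }
    print(deprecation_status(sample, now))
```

Wire `deprecation_status` into the same HTTP wrapper that classifies errors and emit a metric per endpoint; a dashboard that shows "sunset in 19 days" next to a production call path is what turns a missed e-mail into a ticket.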
Financial data is sensitive, and thus coveted by hackers. Venmo, which is owned by PayPal, was hacked by an engineering student in June 2019. Despite substantial resources and a public bounty program, Venmo’s public API was still susceptible to attacks. Scary, right?
How you should monitor FinTech APIs
Make no mistake: the examples we have cited are just the tip of the iceberg. Most status pages—when they exist—are inaccurate and won’t help you protect yourself properly against the above-mentioned issues. Meaning most incidents will not be reported but will impact your application somehow. When APIs are critical to your business, you should definitely have a close look at them and set up a proper monitoring system. You can start instrumenting your HTTP code (here is an article about it if you are curious), collecting logs, sending them to your monitoring solution, aggregating metrics, building dashboards and setting up alerts. You could also try a solution that does all of this for you, like Bearer.
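Once outbound calls are instrumented, the issues listed earlier (API down, elevated error rate, slowness, consumption spike, rate limiting) each reduce to a metric and a threshold per provider. The block below is an added example, not from the article and not Bearer's product: it aggregates a constructed log of call records into availability, error rate, p95 latency and request volume, and fires the corresponding alerts. The thresholds and baseline volumes are assumed values.

```python
"""Turn instrumented API-call records into per-provider metrics and alerts.

Added example, not from the article or any monitoring product. Each record is
one outbound call the application logged: provider name, HTTP status (None for
a network error with no response) and latency. Sample records, thresholds and
baselines are constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CallRecord:
    provider: str
    status: Optional[int]      # None = network error (no HTTP response at all)
    latency_ms: float


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile; alert on p95 latency, not on the mean."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(records: List[CallRecord]) -> Dict[str, Dict[str, float]]:
    """Aggregate raw call records into the metrics worth dashboarding per provider."""
    by_provider: Dict[str, List[CallRecord]] = defaultdict(list)
    for rec in records:
        by_provider[rec.provider].append(rec)
    summary: Dict[str, Dict[str, float]] = {}
    for name, calls in by_provider.items():
        n = len(calls)
        # "API is down" signal: 5xx responses and calls that never got a response.
        unavailable = sum(1 for c in calls if c.status is None or c.status >= 500)
        client_err = sum(1 for c in calls if c.status is not None and 400 <= c.status < 500)
        summary[name] = {
            "requests": n,
            "error_rate": (unavailable + client_err) / n,
            "availability": 1.0 - unavailable / n,
            "p95_latency_ms": percentile([c.latency_ms for c in calls], 95),
            "rate_limited": sum(1 for c in calls if c.status == 429),
        }
    return summary


# Assumed alert thresholds; tune per provider from its observed baseline.
THRESHOLDS = {
    "error_rate": 0.05,
    "availability": 0.99,
    "p95_latency_ms": 1500.0,
    "volume_spike_factor": 2.0,
}


def alerts(summary: Dict[str, Dict[str, float]], baseline_requests: Dict[str, int],
           thresholds: Dict[str, float] = THRESHOLDS) -> List[str]:
    """Compare each provider's metrics with the thresholds and return alert lines."""
    fired: List[str] = []
    for name, m in summary.items():
        if m["error_rate"] > thresholds["error_rate"]:
            fired.append(f"{name}: error rate {m['error_rate']:.1%} above {thresholds['error_rate']:.0%}")
        if m["availability"] < thresholds["availability"]:
            fired.append(f"{name}: availability {m['availability']:.1%} (API down?)")
        if m["p95_latency_ms"] > thresholds["p95_latency_ms"]:
            fired.append(f"{name}: p95 latency {m['p95_latency_ms']:.0f} ms (API slow)")
        base = baseline_requests.get(name)
        if base and m["requests"] > thresholds["volume_spike_factor"] * base:
            fired.append(f"{name}: {m['requests']} requests vs baseline {base} (consumption spike)")
        if m["rate_limited"]:
            fired.append(f"{name}: {int(m['rate_limited'])} requests rate limited (429)")
    return fired


# Constructed sample: one flaky bank API and one healthy-but-overused payments API.
SAMPLE_RECORDS: List[CallRecord] = (
    [CallRecord("bank-api", 200, 300.0)] * 16
    + [CallRecord("bank-api", 503, 2000.0)] * 3
    + [CallRecord("bank-api", None, 5000.0)]          # timed out, no status code
    + [CallRecord("payments", 200, 120.0)] * 50
    + [CallRecord("payments", 429, 50.0)] * 2
)
BASELINE_REQUESTS = {"bank-api": 20, "payments": 20}   # assumed normal volume per window


if __name__ == "__main__":
    for line in alerts(summarize(SAMPLE_RECORDS), BASELINE_REQUESTS):
        print(line)
```

Counting a timed-out call as unavailable (rather than dropping it because it has no status code) is deliberate: an API that never answers looks identical to a healthy one if you only aggregate status codes, which is exactly how "most incidents will not be reported" on a status page yet still hit your application.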