The importance of API Testing in Open Banking

Listen on the go!

UK’s Competition and Markets Authority (CMA), after a market study, stated that the nine biggest banks (CMA9) allow authorized startups and third-party providers (TPPs) access to their data.

The Open Banking Implementation Entity (OBIE) was created to help with this. OBIE’s mission is to collaborate with the UK’s top banks and building societies to promote competition, open up personal data, and provide an individual with a vendor option.

Why and what is Open Banking?

Open Banking means the bank can share financial data with third parties with the customer’s permission. Third parties will access the customer’s financial information, including transaction history, banking interactions, businesses used, and spending habits.

Thanks to Open Banking, FinTechs can use APIs to connect their services to financial data. With the consumers’ cooperation, open banking moved from a closed data model to an open one, where data can be shared across different stakeholders in the banking ecosystem.

Banks can provide clients more control over their financial data by allowing them to connect to other regulated providers. Third-party money management software, such as Intuit, can display all transaction details and balances in one place. It will also pave the way for a plethora of fintech innovations.

It is thus essential to understand the business drivers behind the advent of Open Banking.

Business drivers behind the advent of Open Banking

The critical business drivers behind the advent of Open Banking are:

  • Co-innovation with third parties to expand their service offerings
  • Creation of intuitive and frictionless customer journeys
  • Pursuing new business models and revenue streams
  • Accelerated growth and expansion into new markets
  • Increase market speed without introducing additional risk
  • Competing with Fintech challengers and the big banks

While we’ve seen the business drivers behind the advent of Open Banking, it is imperative to understand the essential requirements and implementation of Open Banking.

Open Banking Key Requirements and Implementation:

An API is an application programming interface connecting an application to the web and other APIs. It is the brain of the connected world and is a set of tools/protocols/standards and code.

The use of APIs is fundamental to the Open Banking and Payment Services Directive (PSD2) concept. The requests for services and products that can deliver multichannel customers and provide relationships to these customers need significant development in the Open API sector.

The API Platform’s primary function is to publish and secure APIs. The Platform is described as a layer that communicates with bank middleware.

blog1

Challenges of API-based infrastructure

Communication between the various components of Open Banking will be accomplished through an ‘API-based infrastructure that includes numerous hardware and software components.

End-to-end testing of these complex infrastructures will be difficult, time-consuming, and error-prone, resulting in higher costs, longer onboarding times, and a danger to reputation.

blog2

Testing Considerations

Potential Areas  

blog3

Testing considerations  

  • A robust approach to validate conformance of security, digital performance, and operational OBIE (Open Banking Implementation Entity) requirements.
  • An appropriate Test Environment Strategy to enable end to end tests with TPP’s using ‘Production like’ environments.
  • Adequate test coverage of different payment types across retail and business customers.

blog4

  • Physical mobile devices to validate web to mobile/mobile to web /mobile to mobile redirection.
  • Data mapping to ensure correct data is exposed to target OB fields
  • Functional tests to validate for consent, AIS, PIS, confirmation of Funds, access dashboards API
  • End to end customer journeys tests which align with the Open banking [OB] customer experience guidelines

blog5

  • Comprehensive tests to MI and reporting solution to generate periodic reports for FCA (including PSD transaction information, fraud/operational & risk assessment, Complaints, etc.)
  • Comprehensive tests of event driven notification to FCA (AIS/PIS denial, major operation/security incidents, etc.)

blog6

Develop Tests to validate:

  • Electronic payments initiated by the payer are covered under the SCA solution and the customer experience is consistent across all journeys and channels.
  • Dynamic linking to electronic remote payment transactions
  • Fraud rules implemented consistently across channels

Open Banking Sample Scenario:

Cus1 and Cus2 are two individuals who want to register for HSBC PSD2 and avail themselves of its services. However, they have different customer statuses in HSBC’s existing e-banking system. The details of both are mentioned below:

Payment initiation service:

Cus1 is an existing customer of HSBC and is already using the current BOV e-banking channel. Cus1 has a 6-digit numeric unique user ID and a physical VASCO device. Cus1 wants to pay from PayPal (TPP) using his HSBC account.

-Sample API requests: GET-Payment ID, Payment Product, etc.

Account information service:

Cus2 is an existing HSBC customer but has not registered for current BOV e-banking channel access. Cus2 wants to inquire about his account details using Mint (TPP) for his HSBC accounts.

-Sample API requests: GET-accounts, balances etc.

Sample GET-Account API Request:

{
“id” : “80a64003-3649-44b1-8931-cf665bbf6d36”,
“name” : “v1_accounts”,
“request” : {
“url” : “/v1/accounts?withBalance=false”,
“method” : “GET”,
“headers” : {
“X-Request-ID” : {
“matches” : “.+”
},

Sample GET-Account API Response:

“response” : {“status” : 200,”body” : “{\”accounts\”:[{\”resourceId\”:\”HGlNA7CqT8sjd_1aV2v2LI\”,\”iban\”:\”DE38760700240320465700\”,\”currency\”:\”EUR\”,\”name\”:\”max.musterman\”,\”displayName\”:\”mock displayname\”,\”product\”:\”Cash24\”,\”cashAccountType\”:\”CASH\”,\”status\”:\”enabled\”,”}}}]}”, “headers” : { “vary” : [ “Origin”, “Access-Control-Request-Method”, “Access-Control-Request-Headers” ],”x-request-id” : “70a7346e-e769-4c4b-8326-ceb6b785e07c”, “content-type” : “application/json”, “date” : “Tue, 07 Jul 2020 08:08:14 GMT”,”x-robots-tag” : “none”,
“set-cookie” : “SRVNAME=17984ba812b2bfa7d54e249e16048ab4; path=/; HttpOnly; Secure”,”cache-control” : “private” }

Sample HTTP Status Codes: 

Status Code       Message  Description 
200  OK  Response to a successful REST API action. The HTTP method can be GET, POST, PUT or DELETE.  
201  Created  The request has been fulfilled, and a resource was created. A URI for the created resource is returned in the Location Header.  
202  Accepted   The request has been accepted for processing, but processing is not yet complete.  
400  Bad Request  The request is malformed, such as a message body format error.  
401  Unauthorized   Wrong or no authentication ID/password provided.  

API Testing: This test ensures an API is working as functionally designed and gracefully handles failures by responding with the desired status codes.

The APIs are tested with single requests and through collection runners via the Postman tool to validate the consent.

Integration Testing: Ensures that all the integration touchpoints are validated correctly to uncover any bottlenecks irrespective of the complexity of the application and technologies involved.

Communication/integration between different components in the system, i.e., PSU > TPP (AIS/PIS) > ASPSP touch points, are validated.

Data Validation: In a banking ecosystem, several data types can be accessed through an interface. This can include customer or account information, deposit data, loan information, transaction details, and real-time or end-of-day batch process details. Thorough validation should be performed on the input data, including:

  • Data type validation
  • Field length validation
  • Data validation in the response body.

Performance Testing:  Performance testing helps to determine a system’s and application’s limitations under expected loads. It also helps fine-tune the application to make sure it is stable, scalable, and performs consistently as expected with optimal resource utilization. PT ensures the application runs optimally by considering factors like response time, scalability, downtime, and infrastructure costs.

Outcomes of performance testing include:

  • The response time of each transaction in the application
  • Network delay between the client request and server response
  • Limitations due to hardware like CPU maximization, network bottlenecks, memory limitation, etc.

Security Testing:

Authentication and authorization are vital in banking APIs. Testers should ensure that multi-factor authentication is performed before authorizing APIs to perform desired functions.

Compliance Testing:

Testing the processes for onboarding TPPs before they are permitted to integrate with the FI’s APIs and Defining clear internal standards for creating audit trails and reporting procedures that consider the FI’s activities and that of their TPP partners.

Conclusion

Cigniti’s Testing approaches outlined above bring many benefits, as we have seen based on our own experiences, i.e., Web Services Validator utility for automated Test Data Generation for SOAP and RESTful Services.

Cigniti’s utilities and best practices help shrink the test execution cycle. Service virtualization simulates request patterns and data parsers for JSON & XML requests and Open API Accelerators with pre-written test scenarios and checklists. We possess test accelerators and other reusable test artifacts consisting of end-to-end test scenarios and checklists for major open banking API functionalities.

Cigniti’s Solution Alignment with Open Banking Ecosystem validation coverage includes Functionalities, API Security, API Performance, and API automation. Our value proportions include Omnichannel coverage cutting across all validation areas in the complex Open API ecosystem and adherence to industry standards and Open API compliance and guidelines.

Our comprehensive validation solution is based on cutting-edge technology, best practices, and accelerators that add significant value in effort, cost, user experience, increased market reach, and demographics.

Need help? Schedule a discussion with our Banking and API Testing experts to learn more about the importance of API testing in Open Banking.

Author

  • Ramji Suman Rentapalli

    Suman has 10+ years of experience in quality assurance with special focus on Digital Banking. Within Cigniti, Suman is part of BFSI CoE team that leads enhancing domain competency and solution developments.

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *