API Governance

There are many benefits to opening APIs to external stakeholders. But as with any digital strategy, there are also risks that need to be managed.

API governance is a business and technical approach to managing the risks and security threats of a digital financial services provider’s open API initiative. An API governance approach identifies risks to a provider’s reputation, brand, partnership relationships, and customer data. API governance involves establishing clear oversight of an API initiative and identifying and managing potential risks according to the level of severity that they represent. If a provider addresses governance and security when it first embarks on an open API strategy, it can build these considerations into the design of its APIs without slowing down the innovation process.

API governance processes ensure that there is a high level of security and risk management. In today’s complex enterprise software architecture, an enterprise’s perimeters have become blurred. Enterprise software is now generally made up of legacy systems, reusable API components created for internal teams that are then opened to partners, and external APIs that are consumed by the business alongside third-party software-as-a-service tools. This arrangement creates security risks. It also means that there are a variety of data assets and business capabilities that need to be restricted to ensure they can only be accessed by users with the right permissions and authorization.

Some key aspects of API governance and risk management include ensuring that only authorized, fully authenticated users can access the capabilities and data exposed by an API; that systems secure confidential consumer data; that end-customers give consent before developers connect to their accounts; and that a provider's brand reputation is maintained when third parties start building solutions for the same customer base.

CGAP’s work in API governance focuses on:

  • API governance processes
  • Managing risks posed by an open API strategy
  • Managing security in an open API platform

18 April 2017
By opening up their payments platforms to third parties—such as financial technology companies, software developers, startups, and digital banks—providers can open the door to the development of innovative products that can be brought to market quickly.
Download PDF: English (36 pages)

From Our Blog

24 October 2017
Payments providers can grow revenues by allowing third parties to create apps that leverage digital payment platforms, but the potential for reward comes with risk. Taking a "maturity model" approach can help providers avoid common pitfalls.
04 May 2017
Is “going open” worth the risk for payment providers? A money transfer business in India shares how allowing other companies to deliver financial services based on its systems has fueled its recent growth.