API Talk Ritesh Kirad Oct, 2017


Agenda
• API Overview
• APIs in Global context
• BAML API Journey
• ASIG introduction
• ASIG Update on API Standardization
• API Implementation Considerations
• Demo (time permitting)

What is an API?
• Application program interface (API) is a set of routines, protocols, and tools for building software applications. Webopedia - http://www.webopedia.com/TERM/A/API.html
• APIs (application programming interfaces) provide a way to connect computer software components. API Academy - http://www.apiacademy.co/resources/api-strategy-lesson-101-what-is-an-api/
• A RESTful API is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. Tech Target - http://searchcloudstorage.techtarget.com/definition/RESTful-API

API: Best Definition
An API describes an interface! An API is a service that allows developers to connect and communicate
• Establishes a protocol which allows for the interaction of both integrated and disparate components
• Defines an interface as a means by which two separate components or systems communicate
• Describes the data which is exchanged between the components

API Business Case
• APIs enabling new use cases e.g. real-time payments, P2P Zelle
• Deeper integration with clients
• Revenue opportunities from Innovation
• FinTech drivers
• Transaction fee revenue for API calls
• Mobile Apps leveraging APIs
• Data Analytics and APIs creating new business opportunities
• Regulatory mandates e.g. EU
• Thinking differently for the same problems
• Ease of systems integration and Cost reduction
• Simplification of middleware layers

APIs in Global Context
• PSD2 mandate
  – EU mandate for FIs to expose different APIs
  – Stet (PSD2 API Specification) https://www.stet.eu/en/news1/stet-psd2-api-is-now-available.html
• Open Banking API
  – Open Banking UK: https://www.openbanking.org.uk/
  – e.g. https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-1-0/
• Berlin Group
  – https://www.berlin-group.org/market-consultations

BAML Channel Harmonization & Modernization
Channel Payments online, mobile & H2H
• Implementation of new functionality is difficult, complex, time-consuming, and expensive.
• Functionality is fragmented, duplicated, inconsistent across channels.
• Legacy systems are on declining hardware and software
• TCOA is high due to the number of platforms
• High Vendor Dependency
• API as an approach for design
• API ask from Vendors
• Internal components leveraging API
[Diagram labels: Common Functionality; Current State – Online; Current State – Host–to-]

ASIG API Design WG Meeting October 13, 2017


API Standardization Industry Group
• Objective: Repository of standard APIs for the U.S. financial industry
• APIs are intended to be open

Foundation (Decisions)
• REST
  – Header and Payload
  – HTTP verb (get, post etc.)
  – Definition of API as Resource (URL), nouns
• JSON or XML
  – JSON (starting point) – can be structured
  – Separate Payload versus Other data exchange e.g. Docs and images
• SWAGGER (https://swagger.io/specification/)
• Business dictionary ISO 20022 (REST) – needs deeper dive
  – Repository for artifacts (need a place/doc holder)
• Coding & Testing procedures
  – Tooling, OpenApi verification, published Sandboxes

Phase I
Goal of Phase I – (use case that will be given by Business Analyst WG e.g., get bank info)
› Define
› Implement
› Test
› Gateway Developer Portal Evaluation
[Diagram text: Site Publish Swagger – UI Swagger Hub Sandbox (Test) Reference Environment Implementation (how to make call, Not doable what to expect/responses, error scenarios, etc.)]

ASIG Gateway/Repository
[Diagram labels: Cloud Developer Corp Fintech Test; Stub Data Provider; NACHA BAML Wells]

Considerations
• API Journey
  – Three phases
    • 1st defining APIs - SwaggerHub, web site targeting business users and developers
    • 2nd Documentation and Sandbox capability with simulation and Stub data
    • 3rd Registration of users (authentication and authorization) to allow developers to play with the API without Production security keys and access
    • 4th phase registering Apps (signing authority)
  – Dependency
    • Website and Portal can be 1 tool like APIGee (drupal)
    • Some build two different assets
  – Glossary and Business dictionary

Developer Portal
• API management platform contains a gateway and developer portal
• API Gateway versus Developer Portal
  – Gateway is more involved and complex due to Security & compliance
  – Portal is a developer collaboration site with Knowledgebase, Blogs, samples
• ASIG current goal is a developer portal Q1 Oct 2018
• API Platform involves content management system
• Sandbox for testing APIs without production data
• API developer portal connects to the API Gateway, manages User/developer sign up
• Building a custom portal can be “expensive”
• Consider feedback and inputs from registered developers

API Gateway
• API Gateway should implement policies similar to KYC (KYD)
• Key Store for generating non-prod and prod Keys
• Governance for who can access what – layered security
• Registration for Entities and Users to gain access
• Version control for supported and deprecated APIs
• Audit and User tracking of API usage
• Maintenance and outage without disruption – SLA for response time and down time
• Deployed using Cloud-like architecture for Scaling

Appendix


API Essentials: Basics
APIs connect anything & everything
[Diagram labels: Web Platforms; Enterprise Platforms; Mobile Platforms; Internet of Things; Large Corporates; Digital Bank]
Convergence of integration patterns
Communication
• HTTP is the backbone of the web
• REST describes resources and actions
Security
• TLS – Transport-level security (successor to SSL)
• oAuth2 – Authentication and authorization
Data
• JSON – JavaScript Object Notation for payloads
• Query Parameters – Metadata for resources
Application connectivity & communication
[Diagram labels: Web Platform; Services; Message; { api }; File; Data; Enterprise Platform]
Built on the foundation of the Internet
Resource: /payment/1234 Response Code: 200 Response Data: {…}
Resource: /payment/1234 Verb: POST Request Data: {…}

API Essentials: Architecture
The API-First Architecture
[Diagram labels: Experience APIs; Process APIs; Micro Services in an API Ecosystem; Data APIs; REST Connectivity; Payment Validation; Web Experience; Debit Authorization; Mobile Experience; Payment Initiation; Client Enrichments; Client API Connect; Execute Payment; Integration APIs]
Design Authority: Artifacts for APIs
• API Schematic – HLD+ or Lean HLD
• Swagger Model – LLD or Agile Story
  – Payments: POST /payments, GET /payments/{id}, DELETE /payments/{id}
  – Detailed API definition specification capturing: Resource, Verbs, Return Codes, Payload Structure
• Functional Component – Rules / Business Process / Data Access
• Micro Service – Collection of APIs, connectivity, and functional code that can be created within an iteration
• Micro Service Application – Composition of independently deployable and testable components as an application
Enterprise API Standards (abridged)
• All Business Capabilities must be exposed as RESTful APIs adhering to HTTP standards
• API must be Hypermedia driven, enabling self-describing and discoverability feature(s)
• API must be Stateless on the server side and transition the application state to the client
• API must be Modeled as a resource e.g. (clients, accounts, products, goaltypes etc.)
• API Naming convention should define resources as plural nouns and not as verbs
• Each resource and Resource relationship must be identified as part of the URI
• API must support Uniform interface as HTTP verbs: GET, POST, PUT, PATCH and DELETE
• API must return standard HTTP Response codes
• Filtering, Sorting, and Pagination functionality should be implemented via query string
• API Versioning must be supported through API headers and must not be within the URI
• API must leverage standard Security construct for Authentication and Authorization
• API deployed must support Version Classification of up to two active versions
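
An added example, not part of the original slides: a small route linter that checks a gateway route table against four of the Enterprise API Standards listed above (allowed HTTP verbs, plural-noun resources, no version in the URI, at most two active versions). The verb-prefix list, the trailing-"s" plural test, the version-segment pattern and every sample route other than /payments and /payment/1234 are assumptions made for illustration.

```python
import re

ALLOWED_VERBS = {"GET", "POST", "PUT", "PATCH", "DELETE"}  # uniform interface
VERSION_SEGMENT = re.compile(r"^v\d+([.-]\d+)*$", re.IGNORECASE)
# Assumption: a short prefix list approximates "resources are nouns, not verbs".
ACTION_PREFIXES = ("get", "create", "update", "delete", "execute", "initiate")
MAX_ACTIVE_VERSIONS = 2


def lint_route(method, path):
    """Return the standards violated by one (method, path) pair."""
    findings = []
    if method.upper() not in ALLOWED_VERBS:
        findings.append("non-standard-verb")
    for segment in filter(None, path.split("?", 1)[0].split("/")):
        name = segment.lower()
        if name.isdigit() or (name.startswith("{") and name.endswith("}")):
            continue  # identifier or path parameter, not a resource name
        if VERSION_SEGMENT.match(name):
            findings.append("version-in-uri")
        elif name.startswith(ACTION_PREFIXES):
            findings.append("verb-in-resource-name")
        elif not name.endswith("s"):  # assumption: crude plural test
            findings.append("singular-resource")
    return findings


def lint_api(routes, active_versions):
    """Map each offending route or API name to its findings."""
    report = {}
    for method, path in routes:
        findings = lint_route(method, path)
        if findings:
            report[f"{method} {path}"] = findings
    for api, versions in active_versions.items():
        if len(set(versions)) > MAX_ACTIVE_VERSIONS:
            report[api] = ["too-many-active-versions"]
    return report


# /payments routes and /payment/1234 appear on the slides; the rest is constructed.
ROUTES = [
    ("POST", "/payments"), ("GET", "/payments/{id}"), ("DELETE", "/payments/{id}"),
    ("POST", "/payment/1234"), ("GET", "/v1/getBankInfo"), ("TRACE", "/accounts"),
]
ACTIVE_VERSIONS = {"payments": ["1.0", "1.1"], "accounts": ["1.0", "1.1", "2.0"]}

if __name__ == "__main__":
    for target, findings in lint_api(ROUTES, ACTIVE_VERSIONS).items():
        print(f"{target}: {', '.join(findings)}")
```

Run against an exported route list as a pre-publication check; the header-based versioning rule still needs a separate check on the request headers each route accepts.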