In February 2020, DTCC launched its Application Programming Interface (API) Marketplace to provide its clients, partners and internal developers with a single, central location for APIs developed by DTCC, streamlining access to services and improving the user experience.
DTCC Connection spoke with Sandeep Singh, DTCC Managing Director, who oversees DTCC’s API ecosystem and client interfaces, to get an update on the Marketplace and APIs under development.
DC: We hear the term “API ecosystem” thrown around a lot. What is it and is DTCC a part of it?
SS: The term “API ecosystem” refers to the business models and practices designed around the use of APIs in today's digital economy. It involves the exposure of an organization's digital services and assets through APIs in a managed way. The ultimate goal of the API economy is to facilitate the rapid creation of client-focused applications that support business goals and improve workforce throughput.
Consider Uber, for example. The Uber mobile application provides functionality allowing clients to pay ahead of time, assist the driver in locating the client, and ensure that the driver knows how to get to the client’s destination. To accomplish this, the Uber application integrates with a payment API (e.g., Stripe), leverages the Google Maps API to plot the route, and then uses an alerting API (e.g., Twilio) to notify the client when the driver has arrived. Uber’s success is driven by the combination of various third-party APIs to realize a robust end-user and driver experience. The API technologies utilized by Uber coexist and support each other to form an API ecosystem.
Today's demand for data integration has encouraged businesses of all sizes to separate complex software components into smaller, containerized components called microservices. The API economy together with microservices makes data and services more accessible and flexible. By utilizing APIs, businesses can access third-party services and data to rapidly build compelling applications while significantly shortening time-to-market. Businesses can also create business models around APIs by transforming their own data and services into a platform that others build upon and use within their client applications. Experts predict that as software developers see the economic advantages of integration, many large monolithic software systems will start to separate into highly organized sets of microservices.
DC: Are APIs a secure way to use DTCC services?
SS: Yes, DTCC APIs are certainly secure. DTCC employs various industry-standard security mechanisms and best practices to provide highly secure API-based client interfaces. DTCC’s API infrastructure consists of a number of key systems providing multiple layers of defense against intrusions and invalid API usage. We use a Web Application Firewall (WAF) as an API Edge Gateway to prevent distributed denial-of-service (DDoS) attacks. We’ve partnered with Google to provide API SLA (Service Level Agreement) management services such as security, rate limiting, quotas, and usage analytics.
Client communication is encrypted to and from the API using HTTPS for network layer transport-level security. We leverage an identity management system that provides client authentication services based on multiple security credential patterns including certificate-based multi-factor authentication and OAuth2 token-based security credentials. Client passwords are rotated on a periodic basis and encrypted in-transit and at-rest. No one, neither clients nor DTCC personnel, has access to API passwords. A security access manager system provides role-based access control authorization services limiting API functionality to clients possessing the required authorization entitlements. API traffic is continuously monitored by automated systems so that alerts are generated when anomalous situations are detected. Our third-party rules-based expert system is employed to detect invalid API usage patterns.
The guiding principle of a defense in depth strategy is the idea that a single security product alone cannot fully safeguard an API from every attack it might face. Implementing multiple security products and practices helps to detect and prevent attacks as they arise, enabling DTCC to effectively mitigate a wide range of threats. By integrating these various security products, DTCC has effectively created a robust and highly secure API environment.
DC: Why did DTCC launch an API Marketplace?
SS: The financial services industry is experiencing a period of rapid innovation that has clients seeking solutions to make their businesses more efficient. The business value of building an API ecosystem at DTCC is clear. APIs enable growth and opportunities for exposing DTCC’s data and services externally to clients. APIs are a fundamental aspect of DTCC’s modernization strategy, providing clients with a seamless way to access DTCC services and data from which they can derive critical business insights.
DTCC has embraced the API economy by developing the API Marketplace platform providing key services and data assets as APIs to the financial industry. The API Marketplace provides clients with three key value perspectives – DTCC digital strategy branding and positioning value, client value, and operations and support value. The branding and positioning perspective provides clients with an overview and articulation of DTCC’s digital strategy and the value it offers. The client perspective provides clients with a view into the API inventory offered by DTCC so that clients can easily discover capabilities provided by DTCC APIs. The operations and support perspective provides client developers with API interface specifications containing the functional and non-functional information needed by client developers to effectively integrate DTCC APIs with the client systems.
In essence, the API Marketplace provides external clients with a user-friendly, app-store-like mechanism through which clients can discover APIs for integration with their client applications. Using the API Marketplace, clients can obtain the information needed from a usability, operationality, and supportability perspective to operationalize an efficient integration of DTCC APIs with client systems.
DC: What APIs are currently available for clients and what APIs are in the development pipeline?
SS: DTCC’s API adoption has experienced exponential growth since launch. Within the last three quarters of 2021 alone, DTCC’s API traffic has increased 3.5x over previous quarters, with multiple clients onboarded using APIs. To date, seven financial service APIs have been released. Key APIs include:
- Risk Management as a Service (RMaaS) – Provides access to financial risk data (e.g., clearing fund requirement, portfolios) and tools (e.g., VaR calculator) from within DTCC's suite of Financial Risk Management applications.
- Cash Claim Management – Provides ability to submit new cash claims and query or update existing cash claims.
- Electronic Pool Notification (EPN) – A medium by which existing MBSD clients can exchange pool information. FICC works as a centralized authority to receive, validate, acknowledge, and forward the message to the clients.
- Insurance Information Exchange – A platform providing clients with an easy, flexible, and secure data hub to support the sourcing and consumption of insurance data.
In terms of our API pipeline, there are multiple APIs currently under development including Project ION, Risk Management as a Service, Digital Securities Management (DSM), Mutual Funds Information Exchange (MFIX), Voluntary Reorg Instructions (VRI), Fundamental Review of the Trading Book (FRTB), Securities Processing Architecture (SPA), GMEI, CDS Kinetics, and ITP Data Analytics.
Client developers can peruse the ever-growing inventory of DTCC APIs by visiting DTCC’s API Marketplace at https://developer.dtcc.com.