Security

Learn more about integration methods, authorization, authentication, key management and more.

Integration Methods

Investec supports three integration methods to facilitate seamless connectivity and data exchange between systems. These integration methods cater to different scenarios and use cases, providing flexibility and convenience to clients.

Direct Integration

  • Clients, both individual and corporate, can directly connect to the Investec API to access their own data.
  • This integration method allows clients to pull data from Investec's systems, enabling them to retrieve and utilise their account information, transaction details, balances, and other relevant data.
  • Clients authenticate themselves using their credentials obtained through Investec Online, ensuring secure access to their own information.
  • Direct integration empowers clients to have real-time access to their data, enabling them to build custom applications, perform data analysis, and automate processes.

3rd Party Integration

  • Clients have the option to authorise third-party applications or services to access their data on their behalf.
  • Before any interactions can occur, the third-party application or service needs to be vetted by Investec for security and compliance purposes.
  • Once authorised, the third party can access specific data and perform actions on behalf of the client, as per the defined permissions and scopes.
  • This integration method allows clients to leverage the capabilities of trusted third-party applications or services to enhance their banking experience, manage finances, or perform specialised tasks.

System to System Integration

  • Investec provides system-to-system integration capabilities for third parties to directly connect into Investec's systems.
  • This integration method does not operate in the context of a user; it is primarily used for feature integration between systems.
  • Third-party systems can connect to Investec's systems to exchange data, trigger actions, or synchronise information seamlessly.
  • System-to-system integration enables efficient and automated data flows between different systems, facilitating streamlined processes and enhancing overall operational efficiency.

API Authentication and Authorisation

API Authentication and Authorisation are essential components of secure and controlled access to APIs. They ensure that only authorised users and applications can interact with the API and perform specific actions. In the case of Investec APIs, OAuth2 protocol is used for authentication, and API keys are used for authorisation.

API Authentication

  • OAuth2 Protocol: Investec APIs use the OAuth2 protocol for authentication. OAuth2 is an industry-standard protocol that allows users to grant limited access to their resources on one site to another site without sharing their credentials.
  • User Credentials: To access Investec APIs, users need to log in to Investec Online, where they can obtain their credentials. These credentials are used to authenticate the user and verify their identity when making API requests.

API Authorisation

  • API Keys: Once authenticated, users can create an API key. An API key is a unique identifier that grants access to specific resources and actions within the API. It acts as a secret token that needs to be included in API requests to authorise the user and determine the level of access they have.
  • Scopes and Grants: When creating an API key, users can specify the scopes and grants they require. Scopes define the specific resources or data that the API key can access, while grants determine the actions or operations that the API key can perform on those resources.

API Key Management

API Key management involves the proper handling, storage, and protection of API keys to prevent unauthorised access and misuse. Investec provides consumers with the capability to manage their API keys in Investec Online. However, it is the responsibility of the consumer to ensure the safekeeping of these keys and prevent unauthorised access.

Best Practices

  • Storing API Keys Securely: It is crucial for consumers to store their API keys in a safe and secure environment. This can be achieved by utilising secure storage mechanisms such as encrypted databases, key management systems, or secure file storage.
  • Access Control: Consumers must implement proper access control measures to ensure that only authorised individuals or applications can access the API keys. This includes setting up strong authentication methods, restricting access to key storage locations, and regularly reviewing and updating access permissions.
  • Monitoring and Logging: Consumers should implement monitoring and logging mechanisms to track API key usage and detect any suspicious or unauthorised activities. This helps in identifying potential security breaches and taking appropriate actions to mitigate risks.
  • Key Rotation: It is advisable for consumers to periodically rotate their API keys. Key rotation involves generating new keys and retiring the old ones. This practice enhances security by reducing the risk of compromised keys.
  • Revoking and Deactivating Keys: In case of a security breach or when API keys are no longer needed, consumers should have the ability to revoke or deactivate the keys. This ensures that any unauthorised access attempts using those keys are blocked.
  • Regular Security Audits: Consumers should conduct regular security audits to evaluate the effectiveness of their API key management practices. This includes reviewing access controls, monitoring logs, and ensuring compliance with security standards.
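The following Python sketch is an added example, not Investec's code, that applies several of these practices on the consumer side: keys are referred to by a SHA-256 fingerprint rather than written into records, a registry tracks creation time and revocation so keys older than an assumed 90-day rotation period can be listed, and a log audit flags use of revoked or unknown keys. The log line format, the rotation period and the sample keys are assumptions constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Assumed consumer-side policy; Investec does not mandate a specific period.
ROTATION_PERIOD = timedelta(days=90)

def fingerprint(raw_key: str) -> str:
    """Short SHA-256 digest so records and logs never hold the secret itself."""
    return hashlib.sha256(raw_key.encode()).hexdigest()[:16]

class KeyRegistry:
    """Consumer-side record of keys: fingerprint, creation time, revocation."""
    def __init__(self):
        self.keys = {}  # fingerprint -> {"created": datetime, "revoked": bool}

    def register(self, raw_key: str, created: datetime) -> str:
        fp = fingerprint(raw_key)
        self.keys[fp] = {"created": created, "revoked": False}
        return fp

    def revoke(self, fp: str) -> None:
        self.keys[fp]["revoked"] = True

    def due_for_rotation(self, now: datetime) -> list:
        """Active keys older than ROTATION_PERIOD."""
        return [fp for fp, m in self.keys.items()
                if not m["revoked"] and now - m["created"] > ROTATION_PERIOD]

def audit_usage(registry: KeyRegistry, log_lines: list) -> list:
    """Scan log lines '<timestamp> <fingerprint> <source_ip> <http_status>'
    (a constructed format) and flag unknown or revoked keys."""
    findings = []
    for line in log_lines:
        ts, fp, src, status = line.split()
        meta = registry.keys.get(fp)
        if meta is None:
            findings.append((ts, fp, f"unknown key used from {src}"))
        elif meta["revoked"]:
            findings.append((ts, fp, f"revoked key used from {src}"))
    return findings
def demo(now: datetime = datetime(2024, 9, 1)):
    """Constructed scenario: one key has aged out, a revoked key is reused."""
    reg = KeyRegistry()
    old = reg.register("constructed-key-2024-03", datetime(2024, 3, 10))
    cur = reg.register("constructed-key-2024-05", datetime(2024, 5, 20))
    reg.revoke(old)
    log = [f"2024-09-01T09:00:00Z {cur} 10.0.0.5 200",
           f"2024-09-01T09:05:00Z {old} 198.51.100.7 200",
           f"2024-09-01T09:06:00Z 0000000000000000 198.51.100.7 403"]
    return reg.due_for_rotation(now), audit_usage(reg, log)
```

Running `demo()` lists the May key as due for rotation (104 days old) and reports two findings: the revoked March key and an unknown fingerprint, both used from the same source address.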

Transport Layer Security

Transport Layer Security (TLS) is a critical encryption protocol that ensures secure communication over the internet. It plays a vital role in protecting the privacy and integrity of data while it is in transit. Investec utilises TLS to secure all messages exchanged between users and Investec's systems, ensuring the confidentiality and integrity of the data.

Message Level Encryption

Message Level Encryption (MLE) is a security mechanism that ensures the privacy and integrity of messages exchanged between systems. It employs encryption key exchange to protect the data both in transit and at rest. Investec offers Message Level Encryption as an option for its Corporate and Intermediary APIs to provide a high level of security for the data exchanged. Whether it is used is decided based on the risk of the relevant integration.

By employing Message Level Encryption, Investec ensures that the data exchanged between systems remains private and secure. The encryption and decryption process guarantees that only the intended sender and receiver can access and understand the messages. This provides assurance to both parties that the messages have not been modified during transit.

Rate Limiting

Rate Limiting is an essential mechanism used by Investec to protect both their systems and clients' applications from malicious or excessive use of the API. It ensures that the number of requests made to the API is controlled and limited based on the specific use case being implemented.

Rate limiting helps maintain the stability, performance, and security of Investec's API infrastructure. It prevents abuse, protects against denial-of-service (DoS) attacks, and ensures fair usage for all clients. By implementing rate limiting, Investec can effectively manage the API traffic and allocate resources efficiently.

The specific rate limits and time windows for rate limiting will vary based on the use case being implemented. Investec sets appropriate limits to balance the need for security and resource allocation while allowing clients to access the API effectively.
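Because the limits are specific to each use case, a consumer's client should enforce its own request budget and back off when the API rejects a request for exceeding the limit. The following Python sketch is an added example, not Investec's code; it assumes a quota of `max_requests` per `window_seconds`, that the API signals rate limiting with HTTP 429 and an optional Retry-After value, and uses a fake clock in `simulate` so the timing is deterministic.

```python
import time
from collections import deque

class ClientRateLimiter:
    """Sliding-window limiter so a consumer stays within an assumed quota of
    max_requests per window_seconds. The clock is injectable for testing."""
    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.sent = deque()  # send times still inside the current window

    def wait_time(self) -> float:
        """Seconds to wait until the next request fits the quota (0 if none)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) < self.max_requests:
            return 0.0
        return self.window - (now - self.sent[0])

    def record(self) -> None:
        self.sent.append(self.clock())

def call_with_backoff(send, limiter, max_attempts=4, base_delay=1.0, sleep=time.sleep):
    """Issue a request via send() -> (http_status, retry_after). Waits for the
    local limiter first; on 429 backs off exponentially, honouring Retry-After
    when given. Returns (final_status, total_seconds_slept)."""
    slept = 0.0
    for attempt in range(max_attempts):
        wait = limiter.wait_time()
        if wait > 0:
            sleep(wait)
            slept += wait
        limiter.record()
        status, retry_after = send()
        if status != 429:
            return status, slept
        delay = retry_after if retry_after is not None else base_delay * 2 ** attempt
        sleep(delay)
        slept += delay
    return 429, slept
def simulate(responses, limit=3, window=10.0):
    """Deterministic run against a scripted server with a fake clock.
    `responses` lists the (status, retry_after) pairs the server returns in order."""
    state = {"t": 0.0}
    replies = iter(responses)
    limiter = ClientRateLimiter(limit, window, clock=lambda: state["t"])
    def sleep(seconds):
        state["t"] += seconds
    return call_with_backoff(lambda: next(replies), limiter, sleep=sleep)
```

With the default quota of 3 requests per 10 seconds, three consecutive 429s exhaust the local budget, so the fourth attempt waits for the window to slide as well as for the backoff delay.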

Second Factor Authentication

Investec enforces second-factor authentication to access your API credentials as an additional layer of security. Second-factor authentication, also known as two-factor authentication (2FA), is a security measure that requires users to provide two pieces of evidence to verify their identity.

In the context of accessing API credentials, this means that in addition to the usual username and password combination, a second factor is required to authenticate the user. This second factor typically takes the form of an in-app notification in the Investec App or a one-time password (OTP) sent via SMS.

By implementing second-factor authentication, Investec strengthens the security of its API credentials by adding an extra layer of protection. This helps to mitigate the risk of unauthorised access to sensitive data or actions performed through the API.