OpenID Foundation Foundation Financial API (FAPI) WG
18 likes13,888 views
The document discusses the evolution of financial data access through APIs, highlighting the persistence of screen scraping since 2001 and recent regulatory pushes towards open banking solutions. It emphasizes the importance of JSON data schemas and security protocols to facilitate user control over financial data without relying on outdated methods. The document suggests that improved standards will foster innovation in fintech while addressing security concerns associated with OAuth.
OpenID Foundation Foundation Financial API (FAPI) WG
- 1. Nomura Research Institute Nat Sakimura Chairman of the Board, OpenID Foundation Senior Researcher, Nomura Research Institute #cisnola Foundation Financial API WG • OpenID® is a registered trademark of OpenID Foundation. • *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks. June 2016 Anoop Saxena FAPI WG co-chair, OpenID Foundation Architect, Intuit http://openid.net/wg/fapi/
- 2. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 2 Do you use Personal Finance Software? What are the current problems?
- 3. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 3 When NRI started screen scraping in 2001, we thought it will be a temporally solution. 3 “There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of scraping business in a few years time!”
- 4. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 4 WRONG! 4
- 5. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 5 After 15 years, we are still screen scraping. 5
- 6. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 6 The situation is changing though. 6
- 7. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 7 Fintech is gaining a lot of interest lately (SOURCE)Google Trends
- 8. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 8 API is known to be one of the three main component of FinTech 8 Use cases for Identity Federation API in Financial sector 1. Account Opening (incl. KYC) 2. Personal Asset Managment 3. Payment, Sending Money 4. Loan Application 5. AI assisted portfolio management (Source) Nikkei BP: Fintech Revolution P.4 (Source)Nikkei BP: FinTech Yearbook
- 9. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 9 I JSON , XML + OAuth 2.0 INDUSTRY PUSH > US: FS-ISAC Durable Data API 9 (Source) FS-ISAC FSDDA WG OpenID Financial API
- 10. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 10 REGULATORY PUSH> EU Payment Service Directive 2 mandates API availability by the end of 2017. 10 (SOURCE) ODI OBWG: The Open Banking Standard (2016) JSON REST OAuth OpenID Connect
- 11. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 11 Regulatory Pressures Release 1 – to be completed within 12 months ▪ the launch of a tightly scoped Open Banking API, enabling select, read-access, open data use cases. Release 2 – to be completed by end of Q1 2017 ▪ Third party read access to “midata”* personal customer data (Read Only) Release 3 – to be completed by end of Q1 2018 ▪ Similar to R2 but has “midata” business customer data sets (Read Only) Release 4 – to be completed by end of Q1 2019 ▪ Higher Risk – Full read & write access. Timelines 11 * Minimum midata is a csv file. provided in a single column (indicating whether a transaction is a debit or credit using the symbols -/+), 2.4.5. Running Balance: Provides an account balance after each transaction. 2.4.6. The columns will be titled: Date, Type, Merchant/Description Debit/Credit, Balance. 2.4.7. Arranged overdraft limit at point of download. 3. Example of midata minimum standard Draft midata minimum standard Date Type Merchant/ Description Debit/Credit Balance 04/03/2014 VIS Boots the Chemist £5.00 £260.00 04/03/2014 DD Fitness First -£50.00 £255.00 03/03/2014 ATM ATM withdrawal -£100.00 £305.00 03/03/2014 TRF etc. -£20.00 £405.00 02/03/2014 VIS etc. -£75.00 £425.00 01/03/2014 CSH etc. -£50.00 £500.00 Arranged overdraft limit 04/03/2014 £1000.00 (SOURCE) http://www.pcamidata.co.uk/445505-v2-PCA_midata_- _file_content_standard_-_March_2015-2.pdf
- 12. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 12 Open Data in Finance Conference 15 June London 12 http://www.open-data-finance.com/agenda/
- 13. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 13 Now is the time! 13
- 14. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 14 but what API protection? 14 and what API request/response?
- 15. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 15 Solution Time! 15
- 16. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 16 OpenID Foundation Financial API WG (FAPI WG) 16
- 17. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 17 Purpose The goal of FAPI is to provide JSON data schemas, REST APIs, and security & privacy recommendations and protocols to: 17 JSON REST OAuth OpenID Connect (SOURCE) ODI OBWG: The Open Banking Standard (2016)
- 18. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 18 Enable applications to utilize the data stored in the financial account, applications to interact with the financial account, and users to control the security and privacy settings. Both commercial and investment banking account as well as insurance, and credit card accounts are to be considered. (Source) OpenID Foundation Financial API WG draft charter
- 19. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 19 So that we can finally get rid of password storing and screen scraping! 19 Enhanced Authentication Profile WG http://openid.net/wg/eap/
- 20. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 20 It will also help foster the FinTech companies. 20
- 21. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 21 Possible Approaches 21 JSON REST OAuth OpenID Connect Based on FS-ISAC DDA Internationalize Convert to Swagger Based on FS-ISAC DDA Internationalize Convert to Swagger and HAL.
- 22. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 2222 JSON REST OAuth OpenID Connect Locked down profile for interoperability. Holder of Key and out- of-band authorization for higher risk scenario (write). Privacy Considerations.
- 23. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 23 Challenges of OAuth (RFC 6749) in a typical scenario OAuth’s primary security assumption is that there are only 1 Authz Server per client: In case of Personal Financial Client, it will necessarily have multiple Authz Servers. Make sure to have adequate separation, e.g., having different redirect endpoints for each server. v.s. C1 O C1R U A A1Z C2R C2 O A2Z 1 Authz Server / client Model C2R C1 O C1R U A A1Z C2 O A2Z n Authz Server / client Model
- 24. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 24 Challenges of OAuth (RFC 6749) in a typical scenario Communication through UA are not authenticated and thus can be tainted, but often used without taint check. Neither ‘code’ nor ‘state’ can be taken at its face value, but we do... C1O C1R UA A1Z TLS terminates here. Not authenticated (response_type, client_id, redirect_uri, scope, state) Not authenticated (code, state)
- 25. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 25 Should we recommend using modified hybrid flow? Include ‘s_hash’ as well? Security Level Feature Set Remarks Request Object w/Hybrid FLow Authz Request protected Hybrid Flow (confidential client) Authz Response protected Code Flow (confidential client) Client authentication Implicit Flow No client authentication Plain OAuth Anonymous
- 26. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 26 Is bearer token adequate? For “read only” access, probably yes. For “write” access, maybe not. Token Binding? Mobile Apps security? RFC7636 OAuth PKCE mandatory? MODRNA? AppAuth?
- 27. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 27 Once complete, consider submitting it to ISO/TC 68 27 ISO 20022 Financial Services - universal financial industry message scheme. Part 1: Overall Methodology and Format Specifications for Inputs and Outputs to/from the ISO 20022 Repository Part 2: Roles and responsibilities of the registration bodiesPart 3: (TS) XML design rules Part 5: (TS) Reverse engineering Part 6: Message Transport Characteristics
- 28. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 28 Join the group! https://openid.net/wg/fapi/ 28