Open Banking is globally disruptive and growing exponentially, spurring innovation in financial services. It was developed to create software standards and industry guidelines to drive competition and innovation in the financial services industry. Successful Open Banking APIs have increased by 10x over the last 18 months and continues to accelerate during the pandemic. Now, Open Banking adoption has become inevitable across the financial sector.
However, Open Banking is still in its infancy and there is still much untapped potential. Open Banking adoption has grown significantly in Asia, South America, the Middle East and in the U.S. In the U.S., Open Banking is under the guidance of the Financial Data Exchange (FDX), which is slowly creating a global marketplace with an overarching set of strict compliance and security standards.
Today, the ability to data share through Open APIs is creating opportunities for startups to create innovative technology for Open Finance, Open Energy, Open Healthcare, Open Gov and other industries. This extends technology companies’ ability to create new and innovative apps and services, redefining customer, partner and fintech interaction.
These advancements in the API economy pose this question to business leaders: how can my organization participate in the Open Banking revolution and adjust to comply with its complex standards?
To start off, it’s easiest to break adoption of Open Banking into three steps.
- Build or expose APIs to join the API economy.
- Secure those APIs with Financial Grade Security (FAPI).
- Protect customer privacy with fine-grained consent.
Step one could be the simplest or the most complex depending on where your organization is on the digital transformation spectrum. Most applications written in the last five years support APIs for communication, but often, older applications require API abstraction or a translation layer for them to be able to participate in the API economy. This is where existing API Management solutions or Cloudentity’s API Security Gateway can help customers move toward an Open Banking system more quickly.
Step two is securing your APIs with FAPI. FAPI compliance is a best practice for any service to join the Open Banking ecosystem. It’s a rapidly evolving set of standards based on OAuth 2.0 and OpenID Connect, which are two heavily used standards. Then, it’s enhanced with FAPI specifications that are separated into two parts, a Read-Only Security Profile and security controls that focus on both read and write capabilities.
The major requirements of the second part of FAPI include:
- Mutual TLS
- OAuth client authentication via a client certificate
- Certificate binding of OAuth tokens
- Proof Key for Code Exchange (PKCE)
- JWT (JSN Web Token) Authorization Response
- Security Algorithm
In addition, Open Banking and its variants like Consumer Data Rights (CDR) have added several new features to complete the baseline specifications, such as:
- Dynamic Client Registration DCR: Allows Open Banking clients to dynamically register and utilize Open Banking APIs.
- Pairwise Identifiers: Unique identifiers that protect user privacy by using opaque and random identifiers which are unique to clients to increase user privacy.
- Advanced Consent Capability: Connects Open Banking account-based consent with fine-grained OAuth consent and Kantara consent receipts to provide customers with a singular view into their consent history, patterns and usage.
- Push Authorization Requests: Improves security by allowing the client to send data requests directly to the authorization server and invoke the authorization process using the issued request Uniform Resource Identifier (URI).
The third and final major step for Open Banking adoption and compliance is protecting customer privacy with fine-grained consent. The requirements for privacy and consent began with the adoption of GDPR in 2014 and in recent years, Open Banking has added new facets for data privacy, as well as sharing and consenting to data sharing on a fine-grained basis.
In more practical terms, this means the blanket cookie consents posted on every webpage, such as the below, is not sufficient for Open Banking applications.
Open Banking and Open Data consent must go much further by creating fine-grained consent requirements for every individual piece of Personal Identifiable Information (PII). The user’s account, individual transactions, last name and even shoe size must be consented to before the information is shared with the financial entity. In addition, financial services firms must also take into account the intent of the usage, the duration of usage, who the data is being shared with and for how long. Consent management becomes a competitive differentiator for some of the Open Banking variants, such as CDR in Australia, and creates new opportunities for allowing customers to protect and share data.
At this point, you are likely wondering how adopting Open Banking could ever be considered quick and simple, but that is where technology partners like Cloudentity can help. Cloudentity offers out-of-the-box Open Banking Policy Packs that provide certified FAPI-supported SaaS solutions within minutes, instead of months.
*Please note: FAPI 2.0 is currently pending ratification and will further refine and enhance the existing security profiles, bringing more standards to features like distributed fine-grained authorization.