Authorization Basics

API Security Profile Requirements For Open Finance Initiatives

Learn about OAuth and API Security Profile related requirements financial institutions must satisfy as members of Open Finance Ecosystems.

OAuth and Information Security Overview

Information security and OAuth capabilities are essential for financial institutions looking to comply with open finance initiatives. These initiatives require financial institutions to provide secure and efficient access to customer financial data to authorized third-party providers (TPPs).

To meet these requirements, financial institutions must implement robust information security measures to protect customer data from unauthorized access, disclosure, alteration, or destruction. In addition, financial institutions must implement OAuth capabilities to enable secure, token-based authentication and authorization for TPPs. To comply with open finance initiatives, financial institutions must also ensure that their OAuth implementation supports the necessary standards and protocols, such as OAuth 2.0 and OpenID Connect, and their extensions. This allows for interoperability between different systems and ensures that TPPs can easily integrate with the financial institution’s systems.

Many Open Finance specifications utilize the Financial-grade API (FAPI). It is a highly secure OAuth profile that provides specific implementation guidelines aimed at improving the security and interoperability of your APIs. It is stricter than traditional OAuth and OIDC profiles and requires financial institutions to comply with, for example, standards like Pushed Authorization Requests (PAR), Client-Initiated Backchannel Authentication (CIBA), or Proof Key for Code Exchange (PKCE).

Instantly Meet OAuth, FAPI, and Information Security Requirements with Cloudentity

Cloudentity is a cutting-edge access management platform built to address the contemporary authorization and access control challenges that companies face. To address these challenges, Cloudentity employs open standards and comprises authorization servers, a policy engine, and API gateway authorizers. It supplements applications with authorization by leveraging existing authentication providers, API gateways, and service meshes.

Cloudentity is built with Open Finance in mind! Cloudentity complies with the requirements set by various Open Finance ecosystems and delivers authorization servers that comply with FAPI requirements. Cloudentity is certified against most of the OIDF specifications. Cloudentity provides the implementation for all the Open Banking specifications that have been finalized and is an active member of and participant in various FAPI working groups. Cloudentity also provides draft implementations of evolving specifications in this space. For a full list of supported standards and certifications, see the Open Standards and Certifications articles.

With Cloudentity as your Information Security Provider, you do not need to worry about the evolving requirements of different specifications. You can rest assured that our engineers stay on top of the changes.

Updated: Feb 3, 2023