Authorization Basics

Financial Data Exchange (FDX) Basics

Need a refresher for Financial Data Exchange (FDX)? Look no more!

Financial Data Exchange Overview

Financial Data Exchange (FDX) aims to unify the financial industry around a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data. FDX is initially focusing on the United States and Canada but the standards are being developed keeping global economy in mind and serviing upon best practices and learnings from the Open Banking initiatives across the globe. FDX exists chiefly to promote, enhance, and seek broad adoption of the FDX API technical standard and is dedicated to five core principles of user permissioned data sharing: Control, Access, Transparency, Traceability and Security.

End users use software applications (aka Data Recipients) to manage their finances or provision financial services. Data recipients may leverage Data Access Platforms or Data aggregators to connect to thousands of financial institutions (Data Providers) or can connect directly to financial institutions (Data Providers).

Data sharing in FDX ecosystem may involve at least three parties - Data Recipient, Data Access Platform and Data Provider (e.g., Financial Institutions.). There can also be more than one intermediary (one DAP leverages another DAP to gain access to financial institutions in another market for expanded coverage). As you can see in this chain, secure flow of information across these parties and how each of these parties trust and identity each other is of utmost importance.

In FDX, the term Consent represents the following to each of the involved parties:

  • Data Recipient (DR) views the Consent Grant as permission to access End User’s financial data. The Data Recipient’s use of this data is generally governed by Terms of Service with the End User.
  • Data Provider sees consent as their permission to provide access to the Data Recipient for the End User’s financial data. The Data Provider generally makes no assertions about Data Recipient’s use of the data.
  • End User (EU) sees consent as their record that they have given permission for data access. The End User is not expected to disambiguate access vs. use of their financial data.

In the FDX three party model, Data Recipient discloses the parameters of the consent request to the End User; Data Provider collects authorization from End User; Data Provider provides the record of consent to the Data Recipient.

The Cloudentity platform accelerates and enables various parties involved in FDX system to securely control access to user permissioned data. Cloudentity steps in to provide the most critical pieces for user permissioned data sharing components that includes the API Security Profile and End User Consent for these parties involved in the FDX ecosystem:

  • Data Provider (e.g., Financial Institutions)

  • Intermediaries such as data access platforms (aka aggregators)

  • Software applications (aka Data Recipients)

Cloudentity provides Consent APIs and capabilities as per FDX guidelines that allows each of the above parties to initiate consent request, capture consent grant, retrieve/query consent state, revoke consent, and more.

Follow this article to find more detailed information about FDX Consent APIs offered by Cloudentity.

FDX API security profile provides security requirements for participants in the FDX ecosystem to expose and access the APIs securely using open standards. Cloudentity automatically configures all the security profile requirements when a FDX workspace is created.

Cloudentity provides out-of-the-box integration with multiple API gateways through localized authorizers. Irrespective what product you use to expose financial data APIs, you will be able to connect to it to apply security profile to APIs. Easily integrate with any of your existing API gateways to enforce data sharing conformance checks.

Interested? Read more on how you can comply with Financial Data Exchange with Cloudentity!

Updated: Jan 20, 2023