
Financial Data Exchange - Secure Data Sharing Enabled by Cloudentity

As Financial Data Exchange (FDX) implementations gain broader adoption, consumers get more choice over products that use data from providers securely. Cloudentity provides a secure foundational platform that enables providers to be FDX compliant. The Cloudentity platform handles end-user consent and also provides a highly scalable and configurable financial-grade authorization server to ensure data is shared only with parties authorized by end-user consent. Keeping up with the API security profile requirements for data consent and authorization can be challenging, and Cloudentity is here to help with that problem in the FDX space.

Financial Data Exchange

Financial Data Exchange (FDX) aims to unify the financial industry around a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data. FDX is initially focusing on the United States and Canada, but the standards are being developed with the global economy in mind and build on best practices and learnings from Open Banking initiatives across the globe. FDX exists chiefly to promote, enhance, and seek broad adoption of the FDX API technical standard and is dedicated to five core principles of user-permissioned data sharing: Control, Access, Transparency, Traceability and Security.

Financial data exchange ecosystem overview

End users use software applications (aka Data Recipients) to manage their finances or provision financial services. Data Recipients may leverage Data Access Platforms (data aggregators) to connect to thousands of financial institutions (Data Providers), or they can connect directly to the financial institutions.

Cloudentity as FDX Enabler

The Cloudentity platform accelerates and enables the various parties involved in the FDX system to securely control access to user-permissioned data. Cloudentity provides the most critical pieces of user-permissioned data sharing, the API Security Profile and End User Consent, for these parties in the FDX ecosystem:

  • Data Provider (e.g., Financial Institutions)

  • Intermediaries such as data access platforms (aka aggregators)

  • Software applications (aka Data Recipients)

Financial data exchange API integration patterns

Data sharing in the FDX ecosystem may involve at least three parties: the Data Recipient, the Data Access Platform (DAP) and the Data Provider (e.g., a financial institution). There can also be more than one intermediary (one DAP leverages another DAP to gain access to financial institutions in another market for expanded coverage). In this chain, the secure flow of information across these parties, and how each party trusts and identifies the others, is of utmost importance. FDX has a dedicated API security model to address how these parties should interoperate, and Cloudentity provides the implementation of the FDX API security model.

With the instantly applicable FDX profile offered by Cloudentity, your organization will:

  • Make APIs over which financial data is shared aligned with the FDX API security model
  • Expose FDX compliant consent APIs provided by Cloudentity
  • Support FDX compliant end user consent flows essential for customers' data sharing
  • Support fine-grained authorization (account selection) during consent flow
  • Connect to data providers to consume data and share it further (intermediaries)
  • Enable controlled data recipient registration via registration APIs and developer portal
  • Easily integrate with existing components for authentication and consent management
  • Get a multi-tenant, advanced FAPI and FDX compliant and certified authorization server built on open standards and compatible with advanced OAuth 2.0 and OIDC specifications.

The above features in turn allow the organization to:

  • Accelerate the entire effort for achieving FDX compliance
  • Achieve faster time to market for data sharing capabilities
  • Offload the implementation and maintenance of the constantly evolving FDX API security profile to Cloudentity
  • Lower the overall FDX implementation and maintenance cost

Why Cloudentity and not any authorization server

The solution and capabilities offered by the Cloudentity platform differ substantially from other IAM platforms and authorization servers, and it is important to understand the difference in the approach we take to ensure a robust, spec-compliant solution for your consumption.

Ecosystem-specific profiles offered by Cloudentity include numerous distinct configurations of the internal OAuth authorization server and other components that assure our customers of up-to-date compliance in the areas of security and consent. IAM platforms and authorization servers in general do not come with such profiles and treat consent APIs as out of scope, which often requires extra plugins or custom code and is not treated as a mainstream feature. Cloudentity, by contrast, is tailored to each profile; we keep up with the standards and treat them as primary features.

Use of the FDX profile saves the hours of engineering work that configuration, testing, and development of consent APIs would require when building the solution on a general-purpose IAM platform or authorization server.

FDX API Security Profile

FDX API security profile conformance and Financial-grade API (FAPI) compliance can be enabled in the Cloudentity platform with a single-click security profile that meets the FDX recommended standards for user-permissioned data sharing. You get a FAPI-grade authorization server configured to meet all FDX API security model requirements. Even though it is preconfigured, you are free to relax individual requirements if needed. There may be cases when one wants to downgrade the FAPI profile level, such as lower environments or temporary testing.

Financial data exchange workspace

The FDX API security profile specifies the security requirements for participants in the FDX ecosystem to expose and access APIs securely using open standards. Cloudentity automatically configures all the security profile requirements when an FDX workspace is created.

Exposing FDX compliant APIs

Cloudentity provides out-of-the-box integration with multiple API gateways through localized authorizers. Irrespective of which product you use to expose financial data APIs, you will be able to connect to it and apply the security profile to your APIs. Easily integrate with any of your existing API gateways to enforce data sharing conformance checks.

FDX API Gateways

In FDX, the term Consent represents the following to each of the involved parties:

  • Data Recipient (DR) views the Consent Grant as permission to access End User’s financial data. The Data Recipient’s use of this data is generally governed by Terms of Service with the End User.
  • Data Provider sees consent as their permission to provide access to the Data Recipient for the End User’s financial data. The Data Provider generally makes no assertions about Data Recipient’s use of the data.
  • End User (EU) sees consent as their record that they have given permission for data access. The End User is not expected to disambiguate access vs. use of their financial data.

In the FDX three party model, Data Recipient discloses the parameters of the consent request to the End User; Data Provider collects authorization from End User; Data Provider provides the record of consent to the Data Recipient.

Cloudentity provides Consent APIs and capabilities as per FDX guidelines that allow each of the above parties to:

  • Initiate Consent Request
  • Capture Consent Grant
  • Retrieve/Query Consent state
  • Revoke Consent
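As an added example (not Cloudentity's or FDX's own code), the following Python models the three-party consent lifecycle described above: the Data Recipient initiates a request, the Data Provider captures the End User's grant (with account selection, so only a subset of the requested accounts may be granted), and the record of consent is queried, checked before data access, and revoked. All names and sample values are constructed for illustration.

```python
# Constructed model of the FDX three-party consent lifecycle (illustrative only,
# not the Cloudentity Consent API). The Data Provider holds the record of consent.
from dataclasses import dataclass
from enum import Enum


class ConsentState(Enum):
    REQUESTED = "requested"  # Data Recipient initiated; End User not yet asked
    GRANTED = "granted"      # Data Provider collected End User authorization
    REVOKED = "revoked"      # Withdrawn; no further access allowed


@dataclass
class Consent:
    consent_id: str
    data_recipient: str            # party that asked for access
    end_user: str                  # party whose data is shared
    requested_accounts: frozenset  # disclosed to the End User at request time
    state: ConsentState = ConsentState.REQUESTED
    granted_accounts: frozenset = frozenset()  # End User's account selection


class ConsentStore:
    """Data Provider-side record of consents keyed by consent id."""

    def __init__(self):
        self._consents = {}

    def initiate(self, consent_id, data_recipient, end_user, accounts):
        c = Consent(consent_id, data_recipient, end_user, frozenset(accounts))
        self._consents[consent_id] = c
        return c

    def capture_grant(self, consent_id, selected_accounts):
        c = self._consents[consent_id]
        if c.state is not ConsentState.REQUESTED:
            raise ValueError("a grant can only be captured on a pending request")
        selected = frozenset(selected_accounts)
        if not selected <= c.requested_accounts:
            raise ValueError("End User cannot grant accounts that were not requested")
        c.granted_accounts, c.state = selected, ConsentState.GRANTED
        return c

    def query(self, consent_id):
        return self._consents[consent_id].state

    def revoke(self, consent_id):
        c = self._consents[consent_id]
        c.granted_accounts, c.state = frozenset(), ConsentState.REVOKED

    def is_access_allowed(self, consent_id, data_recipient, account):
        # Access is permitted only for the granting Data Recipient, only while
        # the consent is GRANTED, and only for accounts the End User selected.
        c = self._consents.get(consent_id)
        return (c is not None and c.state is ConsentState.GRANTED
                and c.data_recipient == data_recipient
                and account in c.granted_accounts)
```

The check in `is_access_allowed` is the decision a Data Provider's API gateway authorizer has to make on every data call, which is why the consent record must be queryable and revocable independently of any token.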

Follow this article to find more detailed information about the FDX Consent APIs offered by Cloudentity.

In addition to the data recipient-facing consent management APIs specified by FDX, Cloudentity also provides a consent administration user interface and administrative APIs that are usually consumed by the existing user interfaces of data providers and data access platforms.

Bring Your Own Identity Provider

Bring Your Own Identity (BYOID) is a philosophy that Cloudentity strongly believes in. Cloudentity allows you to integrate the platform with your existing identity sources using open standards such as OpenID Connect and SAML.

To make it easier for you to integrate solutions, Cloudentity has a vast number of built-in Identity Connectors for major Identity Sources that allow you to quickly connect your Identity Source to the platform. If your Identity Source does not have a dedicated connector in Cloudentity but shares identity information using either the OIDC or the SAML standard, you can use a generic OIDC or SAML connector instead. Most of the out-of-the-box connectors comply with the OIDC standard, but you can also use the generic SAML connector to integrate your identity source in a SAML-compliant way.

FDX identity provider

FDX Quickstart

Cloudentity provides a quickstart with sample applications for developers and integrators to experience how Cloudentity accelerates and enables the FDX implementation journey. Check out the FDX quickstart article and take it for a spin!

You can, for example, check out how consent flow works and use the project as a reference to build your consent application, consents self-service portal, or consent administrator portal.

FDX Integration Guides

Feel like diving deep into all the FDX specifics and integrations? We have detailed guides to help you navigate the FDX journey with ease.

Jump Start FDX Journey

Pick Your Style - SaaS vs non SaaS

Cloudentity offers a highly available SaaS region in North America. If you want to host the solution yourself, we offer your DevOps team the same binary and tools that we use to run our SaaS infrastructure. Your team can run our high-scale solution on the infrastructure of your choice. Read about all the offered deployment models here.

Register for free to get access to a Cloudentity tenant and accelerate the FDX adoption journey with us!

Updated: Oct 14, 2022