What is open banking
The advent of digital marketplaces, eCommerce, and smartphones has paved the way for Open Banking to become ever popular. Open banking refers to when financial institutions share their customer’s data with each other via APIs to integrate their services. It grants consumers the flexibility to make transactions and invest their money on a global scale. However, it also opens a new set of challenges and risks that must be addressed.
Open Banking can also involve sharing customer data over APIs with third-party developers that build a web or mobile applications. These applications can facilitate the banking services provided by FinTech companies, bringing value to the customer experience. As such, greater financial transparency and trust in data protection become a priority for these users.
What is FAPI?
Financial-grade API or FAPI, is a set of standards and regulatory guidelines to protect sensitive customer data and prevent bad actors from manipulating it. Since financial records and personal details of users are being shared by organizations via APIs, there needs to be some form of accountability to keep them in check. FAPI is just that.
Besides this, if you’re involved in financial activities in the European Economic Area (EEA), you also need to adhere to the Payment Services Directive (PSD2). It is a regulatory requirement that further protects customers and their assets from fraud or illegal online activity.
Strong Customer Authentication (SCA) is a requirement of the Payment Services Directive. It is like the commonly known Two-Factor Authentication (2FA). It basically means that when a customer is performing a transaction online using their debit or credit card, they will be required to enter a secondary one-time password generated on their mobile banking application.
FAPI, however, isn’t just limited to the EEA. It is a protocol developed by the OpenID foundation and is built on the OAuth 2.0 and OIDC (OpenID Connect) frameworks. It aims to bring enhanced security to API standards for online transactions in various industries such as healthcare, insurance, telecommunications, etc. This is done thanks to four important factors:
- Any exchange of data between the client and server is via JSON Web Tokens (JWT).
- JWTs use asymmetrical key pairs to ensure cryptographic password exchange.
- The exchange of JWT allows a limited set of security algorithms.
- It offers conformance testing methods, which can be automated.
Benefits of FAPI
Strong level of authentication Clients can trust the authentication that includes mutual Transport Layer Security (TLS) and JSON Web Token (JWT) based mechanism that functions on the application level.
Strengthen API security and reduce risk
Open banking financial providers require a top level of security to transfer data and transactional information to Fintech providers without risking intrusion. It needs to adhere to legal and regulatory standards and prove that the customer’s privacy and sensitive information are protected.
Token-based data exchange
Enforcing the use of a signed JWT that is cryptographically encrypted increases the level of trust between the client and server. The cryptographic proofs are an optional feature in OpenID Connect.
Seamless and simple to use
Adding stringent regulations and limitations often hamper the usability and profitability of services. But, FAPI balances it out by prioritizing a simple process for users while still having a robust and secure authentication system.
Flexible to many industries
The banking-level security of FAPI using OAuth and OpenID Connect is available not just for financial providers. It can be used by just about any online service provider that deals with a sizable number of clients and customers that need their private information protected, yet easily accessible.
Scope of FAFI
As mentioned above, FAPI isn’t just limited to the banking sector. It can be used as a general standard for sharing sensitive information via APIs while guaranteeing client security. This is made possible by using one of the following four standards
Read only API security profile
Read-only access, as the name suggests, only allows viewing the contents shared by the API, but not editing it. This can come in handy when one provider wants to verify the details of a user before confirming a transaction. It has a comparatively lower risk compared to the read-and-write access profile. Thus, applying a lower protection level is satisfactory. However, it contains sensitive information and must have a higher protection level than the basic OAuth level.
Read & write API security profile
Read and write access to a bank’s API has a much higher level of risk, requiring a higher level of security as well. The OIDF Financial-grade API (FAPI) is a REST API that provides JSON data representing higher-risk information. This profile provides an ID token in response to the authorization request. However, it doesn’t always provide the identity of the resource owner. It may be used as an identifier for a time-limited subject that wishes to change user data.
JWT secured authorization response mode for OAuth 2.0 (JARM)
This profile features a JSON Web Token (JWT) that carries various data points to secure the transmission. The URL of the issuer that created the response, the client ID for whom the response is intended, and the expiration date of the JWT. Together, these parameters really amp up the security of the profile for OAuth 2.0. They are present in the token even in case of an error response. And since it has an expiration date, it cannot be misused by unauthorized users on the same system.
Client initiated back channel authentication (CIBA) profile
This profile applies to both read-only and read-and-write APIs. Client-Initiated Backchannel Authentication, or CIBA, extends OpenID Connect to a decoupled flow where authentication can be started on one device and carried out on another. It enables direct communication between the client and the authorization server. All the above essentially hardens the level of security offered by OAuth and OIDC. Additionally, CIBA offers a new method of requesting the authentication of an end user. Therefore, FAPI essentially closes out loopholes and toughens up OAuth and OIDC processes, making them fit for a practically limitless number of industries. Since OAuth and OIDC are so widely used, industries like healthcare, education, eCommerce, telecommunications, FinTech, insurance, etc. must conform to the standards of FAPI. All such industries necessarily need to adapt to growing markets, increasing competition, and an expectation of swift provision of services without compromising on security. FAPI helps you get there.