What is Open Banking
Open Banking focuses on how data can be used to help people to transact, save, borrow, lend, pay, and invest their money. It is widely recognized that people have the right to greater inclusivity in their financial decisions, greater control over their financial data, and the ability to grant third parties with access to their financial data.
For financial institutions, open banking means using open APIs to securely expose data, processes, and banking applications and systems to an ecosystem of developers, fintech vendors and partners. It is a business model which legally requires us to protect customer data privacy and to evidence customer consent.
Open Banking by Region
1. Introduction to OAuth 2.0
OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
The OAuth 2.0 specifications are designed to support the development of authentication and authorization protocols. They provide a variety of standardized message flows based on JSON and HTTP; OpenID Connect uses these to provide identity services.
2. Introduction to OpenID Connect
OpenID Connect 2.0 is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses simplified REST/JSON message flows. OpenID Connect 2.0 enables developers to authenticate users across websites and apps without having to own and manage password files.
3. Introduction to Financial Grade API (FAPI)
Financial Grade API (FAPI) is an industry-led specification of JSON data schemas, security and privacy protocols to support use cases for commercial and investment banking accounts as well as insurance and credit card accounts. FinTech developers can accelerate Secure Open Banking, for example:
➤ Applications using a standards-based secure data model (JSON) for levels of access to financial data stored in accounts.
➤ Applications using a standards-based program interface (REST) for sharing of financial data between banks, institutions, and third-parties.
➤ Application and User security controls and privacy settings to be consistently implemented with open standards (OAuth) and providers (OpenID Connect).
4. Introduction to Client Initiated Backchannel Authentication (CIBA)
Financial Grade API (FAPI) includes a Client Initiated Backchannel Authentication (CIBA) specification to support a secure method of decoupling authentication and authorization use cases to reduce the risks associated with social engineering or insider threats, for example:
➤ Leveraging a strongly authenticated session FROM a smart device to grant authorization TO another device.
➤ Pay WITH your phone, watch, or point of sale terminal/kiosk or any other type of smart device TO a third-party through PUSH notification.
➤ Granting a call center agent or financial advisor access TO an account instead of using knowledge-based questions (e.g. mother’s maiden name).
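A simulated CIBA poll-mode exchange in Python, added here as an example and not code from this page or from the OpenID Foundation: the client (for instance a point-of-sale terminal) starts authentication over the backchannel, the user approves on their own strongly authenticated device after seeing the binding message, and the client polls the token endpoint. Class and function names, the client id, the login hint and the binding message are constructed assumptions; the message fields, grant type and error codes follow the CIBA specification.

```python
import secrets

# Hypothetical in-memory stand-ins for an OpenID Provider (OP) and its CIBA endpoints.
CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant_type defined by the CIBA spec


class BackchannelOP:
    """Minimal OP: backchannel authentication endpoint plus token endpoint (poll mode)."""

    def __init__(self, interval=5, expires_in=120):
        self.interval, self.expires_in, self.requests = interval, expires_in, {}

    def bc_authorize(self, client_id, scope, login_hint, binding_message, now):
        # Step 1: the client asks the OP to authenticate the user on the user's own device.
        auth_req_id = secrets.token_urlsafe(24)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "user": login_hint,
            "binding_message": binding_message, "status": "pending",
            "expires_at": now + self.expires_in, "last_poll": None}
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in, "interval": self.interval}

    def user_decides(self, auth_req_id, approved):
        # Step 2: the user sees the binding_message on the authentication device and decides.
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id, now):
        # Step 3: the client polls the token endpoint; the request is bound to the client id.
        req = self.requests.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= req["expires_at"]:
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            req["last_poll"] = now  # polling too fast: the client must back off
            return {"error": "slow_down"}
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": req["scope"]}


def run_ciba_flow(approve=True, now=1000):
    """Drive one decoupled flow: start, poll early, user decides, poll after the interval."""
    op = BackchannelOP()
    start = op.bc_authorize("pos-terminal-1", "payments", "user@example.com",
                            "Pay 12.50 EUR at kiosk 7", now)  # constructed sample request
    rid = start["auth_req_id"]
    first = op.token("pos-terminal-1", CIBA_GRANT, rid, now)       # user has not answered yet
    hasty = op.token("pos-terminal-1", CIBA_GRANT, rid, now + 1)   # polled before the interval
    op.user_decides(rid, approve)
    final = op.token("pos-terminal-1", CIBA_GRANT, rid, now + 1 + start["interval"])
    return first, hasty, final
```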
5. Introduction to Certification
Certification drives trust. With our self-certification program, any builder or vendor of applications, products and services conducts its own conformance testing using a royalty-free, open source test suite. Developers can complete tests at their own pace and on their own schedule as they adopt the standards and specifications, and submit results for certification at a fraction of the cost and complexity of independent third-party certifiers.
➤ Enhances reputation of the organization and its implementation.
➤ Provides society with the legal assurance and certification mark of conformance.
➤ Mitigates development, deployment, and integration risks for various providers.
➤ Qualifies the expertise of the certified organizations through a public registry.
➤ Open-source testing suite for in-house quality assurance (QA).
➤ Test results describe “how things will work”, no custom scripts required.
➤ Differentiates certified implementations from others transparently.
➤ Greater comparability among the market of available products and services.
The OpenID Foundation enables deployments of Financial-grade API (FAPI) Read/Write Profile to be certified to specific conformance profiles to promote interoperability and robust implementations. The OpenID Foundation’s certification process utilizes self-certification and conformance test suites developed by the Foundation.