A summary of Open Banking status around the world, with emphasis on the digital identity security standards used and some of the issues uncovered while the author has been involved in the Australian Open Banking (CDR) process.
Open Banking Summary
• Open Standards, not Open Access. Participants are certified.
• Some jurisdictions focus on government regulation, others on industry cooperation
• Two categories of content APIs
  • Access to consumer banking transactions (used by data aggregators)
  • Payments (used by third party payment initiators)
• Three components of Open Banking standards
  • Content APIs
  • Security APIs
  • User Experience (authentication, consent, etc.)
• Based on OAuth2, some use FAPI (OpenID Connect)
• Where standards are nascent, divergence is greatest
  • e.g. end user consent
UK — Now at Version 3
• Access to transaction data (one account type initially)
• Initiate payments
• Central bank-run body (OBIE) certifies participants, runs central directory
• Based on FAPI with Consent Object
• eIDAS
• Learnings
  • User Experience is key. No standard authentication flow.
  • Banks found it difficult to be compliant on Day 1
  • Difficult for Fintechs due to bank outages, API errors, …
AU — Consumer Data Right
• Banking is the first vertical, but Energy and Telco efforts started
• Transaction Data only (wide range of account types)
• Payments in the future.
• Government-led effort, 3 government bodies
  • Department of Treasury — legislation
  • Australian Competition and Consumer Commission — Framework, rules
  • Data61 — standards
• Legislation delayed, standards incomplete, slow to begin central directory
• Production date delayed until February 2020 for Big 4 banks
NZ — Co-operation, Payments First
• Industry-led effort
• Two largest banks and two Fintechs
• Focused on payments only
• Aim to reduce credit card transaction fees to zero
• Based on OAuth2
• Now starting on transaction data
• Moving to FAPI
EU — Strong regulation, diverse outcomes
• Initial standard was not definitive enough
• Bank implementations are different and interoperability is complex
• Berlin Group was formed to define common standards
• “Flexible framework”
• Screen-scraping is not allowed, but…
  • Banks must provide access very similar to screen-scraping
  • TPPs using this interface must digitally sign the messages to identify themselves
  • TPPs must use APIs if they are available
• eIDAS is mandated
SG — Strong guidelines, voluntary adoption
• 2017 release of “API Playbook” as reference guide
• No single standard
• No mandated timelines for banks. Adoption of OB is voluntary.
• Government believes innovation will drive adoption
• So far:
  • Limited to Singapore’s established, traditional banks
  • Third parties excluded from taking part
  • No licenses issued to neo or digital-only banks
  • Banks are using OAuth2
JP — Government-led, Consensus-driven
• Regulator leads, industry follows, consensus is key.
• Currently 12 major providers of core/internet banking systems
• Everyone’s a bit different
• Each have layered on an “open banking” API of their own
• Different OAuth2 scopes
• Security is varied: API-based security, IPSec, fintechs whitelisted at banks
• Some use OAuth2, some OIDC
• Don’t need same visibility of consent on both sides
• Low number of APIs at this time, take up has been reasonable
• Banks using third party ID to correlate identities across silos
HK — High level details at this time
• Government mandated
• Starting with publicly available product data
  • Interest rates
  • Fees
  • ATM locations
• Access to transaction data and payment initiation in the future
• Based on OAuth2 — although details are very high level
• Likely to be similar outcomes to Singapore at this stage
US — Separate banks building APIs, FDX industry body created
• Intuit’s Mint uses OAuth tokens to connect to Chase and Bank of America APIs, instead of screen-scraping
• In October 2018, Financial Data Exchange (FDX) was launched
  • Non-profit organisation made up of banks and fintechs
  • Introduced the Durable Data API, now called FDX API
  • Uses OAuth 2
  • No certification program as yet
  • Working with FAPI WG
Finally… Open Banking is Here to Stay!
• Identity Security Professionals need to lead
• Get involved in your local OB standards process
• Security is key… don’t let other IT professionals discount it!
• Build on the open standards that are proven and tested
• Strong focus on UX and consent needed, otherwise end users will drop off
• There’s a lot at stake for the industry: banks, fintechs and most importantly — consumers