SlideShare a Scribd company logo

OpenID Foundation Foundation Financial API (FAPI) WG

Nat Sakimura
Nat Sakimura

This presentation explains the newly formed FAPI WG at OpenID Foundation. Date: June 7, 2016 Place: Cloud Identity Summit 2016

Technology
1 of 28
Nomura Research Institute Nat Sakimura Chairman of the Board, OpenID Foundation Senior Researcher, Nomura Research Institute #cisnola Foundation Financial API WG • OpenID® is a registered trademark of OpenID Foundation. • *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks. June 2016 Anoop Saxena FAPI WG co-chair, OpenID Foundation Architect, Intuit http://openid.net/wg/fapi/
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 2 Do you use Personal Finance Software? What are the current problems?
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 3 When NRI started screen scraping in 2001, we thought it will be a temporally solution. 3 “There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of scraping business in a few years time!”
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 4 WRONG! 4
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 5 After 15 years, we are still screen scraping. 5
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 6 The situation is changing though. 6
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 7 Fintech is gaining a lot of interest lately (SOURCE)Google Trends
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 8 API is known to be one of the three main component of FinTech 8 Use cases for Identity Federation API in Financial sector 1. Account Opening (incl. KYC) 2. Personal Asset Managment 3. Payment, Sending Money 4. Loan Application 5. AI assisted portfolio management (Source) Nikkei BP: Fintech Revolution P.4 (Source)Nikkei BP: FinTech Yearbook
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 9 I JSON , XML + OAuth 2.0 INDUSTRY PUSH > US: FS-ISAC Durable Data API 9 (Source) FS-ISAC FSDDA WG OpenID Financial API
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 10 REGULATORY PUSH> EU Payment Service Directive 2 mandates API availability by the end of 2017. 10 (SOURCE) ODI OBWG: The Open Banking Standard (2016) JSON REST OAuth OpenID Connect
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 11 Regulatory Pressures Release 1 – to be completed within 12 months ▪ the launch of a tightly scoped Open Banking API, enabling select, read-access, open data use cases. Release 2 – to be completed by end of Q1 2017 ▪ Third party read access to “midata”* personal customer data (Read Only) Release 3 – to be completed by end of Q1 2018 ▪ Similar to R2 but has “midata” business customer data sets (Read Only) Release 4 – to be completed by end of Q1 2019 ▪ Higher Risk – Full read & write access. Timelines 11 * Minimum midata is a csv file. provided in a single column (indicating whether a transaction is a debit or credit using the symbols -/+), 2.4.5. Running Balance: Provides an account balance after each transaction. 2.4.6. The columns will be titled: Date, Type, Merchant/Description Debit/Credit, Balance. 2.4.7. Arranged overdraft limit at point of download. 3. Example of midata minimum standard Draft midata minimum standard Date Type Merchant/ Description Debit/Credit Balance 04/03/2014 VIS Boots the Chemist £5.00 £260.00 04/03/2014 DD Fitness First -£50.00 £255.00 03/03/2014 ATM ATM withdrawal -£100.00 £305.00 03/03/2014 TRF etc. -£20.00 £405.00 02/03/2014 VIS etc. -£75.00 £425.00 01/03/2014 CSH etc. -£50.00 £500.00 Arranged overdraft limit 04/03/2014 £1000.00 (SOURCE) http://www.pcamidata.co.uk/445505-v2-PCA_midata_- _file_content_standard_-_March_2015-2.pdf
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 12 Open Data in Finance Conference 15 June London 12 http://www.open-data-finance.com/agenda/
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 13 Now is the time! 13
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 14 but what API protection? 14 and what API request/response?
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 15 Solution Time! 15
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 16 OpenID Foundation Financial API WG (FAPI WG) 16
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 17 Purpose The goal of FAPI is to provide JSON data schemas, REST APIs, and security & privacy recommendations and protocols to: 17 JSON REST OAuth OpenID Connect (SOURCE) ODI OBWG: The Open Banking Standard (2016)
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 18 Enable applications to utilize the data stored in the financial account, applications to interact with the financial account, and users to control the security and privacy settings. Both commercial and investment banking account as well as insurance, and credit card accounts are to be considered. (Source) OpenID Foundation Financial API WG draft charter
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 19 So that we can finally get rid of password storing and screen scraping! 19 Enhanced Authentication Profile WG http://openid.net/wg/eap/
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 20 It will also help foster the FinTech companies. 20
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 21 Possible Approaches 21 JSON REST OAuth OpenID Connect Based on FS-ISAC DDA Internationalize Convert to Swagger Based on FS-ISAC DDA Internationalize Convert to Swagger and HAL.
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 2222 JSON REST OAuth OpenID Connect Locked down profile for interoperability. Holder of Key and out- of-band authorization for higher risk scenario (write). Privacy Considerations.
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 23 Challenges of OAuth (RFC 6749) in a typical scenario  OAuth’s primary security assumption is that there are only 1 Authz Server per client: In case of Personal Financial Client, it will necessarily have multiple Authz Servers.  Make sure to have adequate separation, e.g., having different redirect endpoints for each server. v.s. C1 O C1R U A A1Z C2R C2 O A2Z 1 Authz Server / client Model C2R C1 O C1R U A A1Z C2 O A2Z n Authz Server / client Model
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 24 Challenges of OAuth (RFC 6749) in a typical scenario Communication through UA are not authenticated and thus can be tainted, but often used without taint check. Neither ‘code’ nor ‘state’ can be taken at its face value, but we do... C1O C1R UA A1Z TLS terminates here. Not authenticated (response_type, client_id, redirect_uri, scope, state) Not authenticated (code, state)
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 25 Should we recommend using modified hybrid flow? Include ‘s_hash’ as well? Security Level Feature Set Remarks Request Object w/Hybrid FLow Authz Request protected Hybrid Flow (confidential client) Authz Response protected Code Flow (confidential client) Client authentication Implicit Flow No client authentication Plain OAuth Anonymous
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 26 Is bearer token adequate?  For “read only” access, probably yes.  For “write” access, maybe not. Token Binding? Mobile Apps security? RFC7636 OAuth PKCE mandatory? MODRNA? AppAuth?
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 27 Once complete, consider submitting it to ISO/TC 68 27 ISO 20022 Financial Services - universal financial industry message scheme. Part 1: Overall Methodology and Format Specifications for Inputs and Outputs to/from the ISO 20022 Repository Part 2: Roles and responsibilities of the registration bodiesPart 3: (TS) XML design rules Part 5: (TS) Reverse engineering Part 6: Message Transport Characteristics
© 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 28 Join the group! https://openid.net/wg/fapi/ 28

Recommended

API Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WGAPI Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WGNat Sakimura
 
OpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 UpdateOpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 UpdateNat Sakimura
 
Financial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID ConnectFinancial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID ConnectNat Sakimura
 
OpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGOpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGNat Sakimura
 
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...MikeLeszcz
 
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...FinTechLabs.io
 
Introduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth ProfileIntroduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth ProfileNat Sakimura
 
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesIntroduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesNat Sakimura
 

Recommended

API Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WGAPI Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WGNat Sakimura
 
OpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 UpdateOpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 UpdateNat Sakimura
 
Financial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID ConnectFinancial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID ConnectNat Sakimura
 
OpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGOpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGNat Sakimura
 
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...MikeLeszcz
 
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...FinTechLabs.io
 
Introduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth ProfileIntroduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth ProfileNat Sakimura
 
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesIntroduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesNat Sakimura
 
Identity Management: Using OIDC to Empower the Next-Generation Apps
Identity Management: Using OIDC to Empower the Next-Generation AppsIdentity Management: Using OIDC to Empower the Next-Generation Apps
Identity Management: Using OIDC to Empower the Next-Generation AppsTom Freestone
 
Examining the emergent open source IoT ecosystem - IoT World Europe 2016
Examining the emergent open source IoT ecosystem - IoT World Europe 2016Examining the emergent open source IoT ecosystem - IoT World Europe 2016
Examining the emergent open source IoT ecosystem - IoT World Europe 2016Benjamin Cabé
 
Sitecore might be secure, but your site isn't
Sitecore might be secure, but your site isn'tSitecore might be secure, but your site isn't
Sitecore might be secure, but your site isn'tBas Lijten
 
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...FIDO Alliance
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
 
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity ForgeRock
 
P&L qualification document v1.6
P&L qualification document v1.6P&L qualification document v1.6
P&L qualification document v1.6Manish Y M
 
IOT Networks
IOT NetworksIOT Networks
IOT NetworksMarc Nader
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
Ben goodman cybersecurity in the iiot
Ben goodman cybersecurity in the iiotBen goodman cybersecurity in the iiot
Ben goodman cybersecurity in the iiotMassTLC
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demoBertrand Carlier
 
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
[CB16] Background Story of "Operation neutralizing banking malware" and highl...[CB16] Background Story of "Operation neutralizing banking malware" and highl...
[CB16] Background Story of "Operation neutralizing banking malware" and highl...CODE BLUE
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 
aplonAPI Product Presentation
aplonAPI Product PresentationaplonAPI Product Presentation
aplonAPI Product PresentationPaymentComponents
 
Autonomous webinar final deck
Autonomous webinar final deckAutonomous webinar final deck
Autonomous webinar final deckLora Cecere
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfHitachi, Ltd. OSS Solution Center.
 
Childrens Personalised Writing Paper Set Alphabet By Hone
Childrens Personalised Writing Paper Set Alphabet By HoneChildrens Personalised Writing Paper Set Alphabet By Hone
Childrens Personalised Writing Paper Set Alphabet By HoneSara Perez
 
WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview Edgar Silva
 
Blockchain Primer - Founder Collective - December 2017
Blockchain Primer - Founder Collective - December 2017Blockchain Primer - Founder Collective - December 2017
Blockchain Primer - Founder Collective - December 2017Parul Singh
 
A Backstage Tour of Identity - Paris Identity Summit 2016
A Backstage Tour of Identity - Paris Identity Summit 2016A Backstage Tour of Identity - Paris Identity Summit 2016
A Backstage Tour of Identity - Paris Identity Summit 2016ForgeRock
 
FAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにFAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにNat Sakimura
 
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureOpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureNat Sakimura
 

More Related Content

Similar to OpenID Foundation Foundation Financial API (FAPI) WG

Identity Management: Using OIDC to Empower the Next-Generation Apps
Identity Management: Using OIDC to Empower the Next-Generation AppsIdentity Management: Using OIDC to Empower the Next-Generation Apps
Identity Management: Using OIDC to Empower the Next-Generation AppsTom Freestone
 
Examining the emergent open source IoT ecosystem - IoT World Europe 2016
Examining the emergent open source IoT ecosystem - IoT World Europe 2016Examining the emergent open source IoT ecosystem - IoT World Europe 2016
Examining the emergent open source IoT ecosystem - IoT World Europe 2016Benjamin Cabé
 
Sitecore might be secure, but your site isn't
Sitecore might be secure, but your site isn'tSitecore might be secure, but your site isn't
Sitecore might be secure, but your site isn'tBas Lijten
 
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...FIDO Alliance
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
 
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity ForgeRock
 
P&L qualification document v1.6
P&L qualification document v1.6P&L qualification document v1.6
P&L qualification document v1.6Manish Y M
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
Ben goodman cybersecurity in the iiot
Ben goodman cybersecurity in the iiotBen goodman cybersecurity in the iiot
Ben goodman cybersecurity in the iiotMassTLC
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demoBertrand Carlier
 
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
[CB16] Background Story of "Operation neutralizing banking malware" and highl...[CB16] Background Story of "Operation neutralizing banking malware" and highl...
[CB16] Background Story of "Operation neutralizing banking malware" and highl...CODE BLUE
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 
aplonAPI Product Presentation
aplonAPI Product PresentationaplonAPI Product Presentation
aplonAPI Product PresentationPaymentComponents
 
Autonomous webinar final deck
Autonomous webinar final deckAutonomous webinar final deck
Autonomous webinar final deckLora Cecere
 
Childrens Personalised Writing Paper Set Alphabet By Hone
Childrens Personalised Writing Paper Set Alphabet By HoneChildrens Personalised Writing Paper Set Alphabet By Hone
Childrens Personalised Writing Paper Set Alphabet By HoneSara Perez
 
WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview Edgar Silva
 
Blockchain Primer - Founder Collective - December 2017
Blockchain Primer - Founder Collective - December 2017Blockchain Primer - Founder Collective - December 2017
Blockchain Primer - Founder Collective - December 2017Parul Singh
 
A Backstage Tour of Identity - Paris Identity Summit 2016
A Backstage Tour of Identity - Paris Identity Summit 2016A Backstage Tour of Identity - Paris Identity Summit 2016
A Backstage Tour of Identity - Paris Identity Summit 2016ForgeRock
 

Similar to OpenID Foundation Foundation Financial API (FAPI) WG (20)

Identity Management: Using OIDC to Empower the Next-Generation Apps
Identity Management: Using OIDC to Empower the Next-Generation AppsIdentity Management: Using OIDC to Empower the Next-Generation Apps
Identity Management: Using OIDC to Empower the Next-Generation Apps
 
Examining the emergent open source IoT ecosystem - IoT World Europe 2016
Examining the emergent open source IoT ecosystem - IoT World Europe 2016Examining the emergent open source IoT ecosystem - IoT World Europe 2016
Examining the emergent open source IoT ecosystem - IoT World Europe 2016
 
Sitecore might be secure, but your site isn't
Sitecore might be secure, but your site isn'tSitecore might be secure, but your site isn't
Sitecore might be secure, but your site isn't
 
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
 
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
 
P&L qualification document v1.6
P&L qualification document v1.6P&L qualification document v1.6
P&L qualification document v1.6
 
IOT Networks
IOT NetworksIOT Networks
IOT Networks
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018
 
Ben goodman cybersecurity in the iiot
Ben goodman cybersecurity in the iiotBen goodman cybersecurity in the iiot
Ben goodman cybersecurity in the iiot
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demo
 
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
[CB16] Background Story of "Operation neutralizing banking malware" and highl...[CB16] Background Story of "Operation neutralizing banking malware" and highl...
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 
aplonAPI Product Presentation
aplonAPI Product PresentationaplonAPI Product Presentation
aplonAPI Product Presentation
 
Autonomous webinar final deck
Autonomous webinar final deckAutonomous webinar final deck
Autonomous webinar final deck
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
Childrens Personalised Writing Paper Set Alphabet By Hone
Childrens Personalised Writing Paper Set Alphabet By HoneChildrens Personalised Writing Paper Set Alphabet By Hone
Childrens Personalised Writing Paper Set Alphabet By Hone
 
WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview
 
Blockchain Primer - Founder Collective - December 2017
Blockchain Primer - Founder Collective - December 2017Blockchain Primer - Founder Collective - December 2017
Blockchain Primer - Founder Collective - December 2017
 
A Backstage Tour of Identity - Paris Identity Summit 2016
A Backstage Tour of Identity - Paris Identity Summit 2016A Backstage Tour of Identity - Paris Identity Summit 2016
A Backstage Tour of Identity - Paris Identity Summit 2016
 

More from Nat Sakimura

FAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにFAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにNat Sakimura
 
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureOpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureNat Sakimura
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English TranslationNat Sakimura
 
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WGNat Sakimura
 
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革Nat Sakimura
 
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Nat Sakimura
 
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴールNat Sakimura
 
OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91Nat Sakimura
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problemsNat Sakimura
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extensionNat Sakimura
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nat Sakimura
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OPNat Sakimura
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間Nat Sakimura
 
サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済Nat Sakimura
 
20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告Nat Sakimura
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Nat Sakimura
 
国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワークNat Sakimura
 
Introduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionIntroduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionNat Sakimura
 

More from Nat Sakimura (20)

FAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにFAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのために
 
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureOpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation
 
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
 
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
 
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
 
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
 
OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problems
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OP
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間
 
サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済
 
Closing Note
Closing NoteClosing Note
Closing Note
 
20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011
 
国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク
 
Introduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionIntroduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extension
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

OpenID Foundation Foundation Financial API (FAPI) WG

  • 1. Nomura Research Institute Nat Sakimura Chairman of the Board, OpenID Foundation Senior Researcher, Nomura Research Institute #cisnola Foundation Financial API WG • OpenID® is a registered trademark of OpenID Foundation. • *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks. June 2016 Anoop Saxena FAPI WG co-chair, OpenID Foundation Architect, Intuit http://openid.net/wg/fapi/
  • 2. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 2 Do you use Personal Finance Software? What are the current problems?
  • 3. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 3 When NRI started screen scraping in 2001, we thought it will be a temporally solution. 3 “There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of scraping business in a few years time!”
  • 4. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 4 WRONG! 4
  • 5. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 5 After 15 years, we are still screen scraping. 5
  • 6. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 6 The situation is changing though. 6
  • 7. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 7 Fintech is gaining a lot of interest lately (SOURCE)Google Trends
  • 8. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 8 API is known to be one of the three main component of FinTech 8 Use cases for Identity Federation API in Financial sector 1. Account Opening (incl. KYC) 2. Personal Asset Managment 3. Payment, Sending Money 4. Loan Application 5. AI assisted portfolio management (Source) Nikkei BP: Fintech Revolution P.4 (Source)Nikkei BP: FinTech Yearbook
  • 9. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 9 I JSON , XML + OAuth 2.0 INDUSTRY PUSH > US: FS-ISAC Durable Data API 9 (Source) FS-ISAC FSDDA WG OpenID Financial API
  • 10. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 10 REGULATORY PUSH> EU Payment Service Directive 2 mandates API availability by the end of 2017. 10 (SOURCE) ODI OBWG: The Open Banking Standard (2016) JSON REST OAuth OpenID Connect
  • 11. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 11 Regulatory Pressures Release 1 – to be completed within 12 months ▪ the launch of a tightly scoped Open Banking API, enabling select, read-access, open data use cases. Release 2 – to be completed by end of Q1 2017 ▪ Third party read access to “midata”* personal customer data (Read Only) Release 3 – to be completed by end of Q1 2018 ▪ Similar to R2 but has “midata” business customer data sets (Read Only) Release 4 – to be completed by end of Q1 2019 ▪ Higher Risk – Full read & write access. Timelines 11 * Minimum midata is a csv file. provided in a single column (indicating whether a transaction is a debit or credit using the symbols -/+), 2.4.5. Running Balance: Provides an account balance after each transaction. 2.4.6. The columns will be titled: Date, Type, Merchant/Description Debit/Credit, Balance. 2.4.7. Arranged overdraft limit at point of download. 3. Example of midata minimum standard Draft midata minimum standard Date Type Merchant/ Description Debit/Credit Balance 04/03/2014 VIS Boots the Chemist £5.00 £260.00 04/03/2014 DD Fitness First -£50.00 £255.00 03/03/2014 ATM ATM withdrawal -£100.00 £305.00 03/03/2014 TRF etc. -£20.00 £405.00 02/03/2014 VIS etc. -£75.00 £425.00 01/03/2014 CSH etc. -£50.00 £500.00 Arranged overdraft limit 04/03/2014 £1000.00 (SOURCE) http://www.pcamidata.co.uk/445505-v2-PCA_midata_- _file_content_standard_-_March_2015-2.pdf
  • 12. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 12 Open Data in Finance Conference 15 June London 12 http://www.open-data-finance.com/agenda/
  • 13. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 13 Now is the time! 13
  • 14. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 14 but what API protection? 14 and what API request/response?
  • 15. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 15 Solution Time! 15
  • 16. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 16 OpenID Foundation Financial API WG (FAPI WG) 16
  • 17. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 17 Purpose The goal of FAPI is to provide JSON data schemas, REST APIs, and security & privacy recommendations and protocols to: 17 JSON REST OAuth OpenID Connect (SOURCE) ODI OBWG: The Open Banking Standard (2016)
  • 18. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 18 Enable applications to utilize the data stored in the financial account, applications to interact with the financial account, and users to control the security and privacy settings. Both commercial and investment banking account as well as insurance, and credit card accounts are to be considered. (Source) OpenID Foundation Financial API WG draft charter
  • 19. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 19 So that we can finally get rid of password storing and screen scraping! 19 Enhanced Authentication Profile WG http://openid.net/wg/eap/
  • 20. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 20 It will also help foster the FinTech companies. 20
  • 21. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 21 Possible Approaches 21 JSON REST OAuth OpenID Connect Based on FS-ISAC DDA Internationalize Convert to Swagger Based on FS-ISAC DDA Internationalize Convert to Swagger and HAL.
  • 22. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 2222 JSON REST OAuth OpenID Connect Locked down profile for interoperability. Holder of Key and out- of-band authorization for higher risk scenario (write). Privacy Considerations.
  • 23. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 23 Challenges of OAuth (RFC 6749) in a typical scenario  OAuth’s primary security assumption is that there are only 1 Authz Server per client: In case of Personal Financial Client, it will necessarily have multiple Authz Servers.  Make sure to have adequate separation, e.g., having different redirect endpoints for each server. v.s. C1 O C1R U A A1Z C2R C2 O A2Z 1 Authz Server / client Model C2R C1 O C1R U A A1Z C2 O A2Z n Authz Server / client Model
  • 24. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 24 Challenges of OAuth (RFC 6749) in a typical scenario Communication through UA are not authenticated and thus can be tainted, but often used without taint check. Neither ‘code’ nor ‘state’ can be taken at its face value, but we do... C1O C1R UA A1Z TLS terminates here. Not authenticated (response_type, client_id, redirect_uri, scope, state) Not authenticated (code, state)
  • 25. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 25 Should we recommend using modified hybrid flow? Include ‘s_hash’ as well? Security Level Feature Set Remarks Request Object w/Hybrid FLow Authz Request protected Hybrid Flow (confidential client) Authz Response protected Code Flow (confidential client) Client authentication Implicit Flow No client authentication Plain OAuth Anonymous
  • 26. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 26 Is bearer token adequate?  For “read only” access, probably yes.  For “write” access, maybe not. Token Binding? Mobile Apps security? RFC7636 OAuth PKCE mandatory? MODRNA? AppAuth?
  • 27. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 27 Once complete, consider submitting it to ISO/TC 68 27 ISO 20022 Financial Services - universal financial industry message scheme. Part 1: Overall Methodology and Format Specifications for Inputs and Outputs to/from the ISO 20022 Repository Part 2: Roles and responsibilities of the registration bodiesPart 3: (TS) XML design rules Part 5: (TS) Reverse engineering Part 6: Message Transport Characteristics
  • 28. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. 28 Join the group! https://openid.net/wg/fapi/ 28