apidays LIVE Hong Kong 2021 - Next Stage for Open API at Banking Industry by Nicky Ng, IBM
1. IBM Services / © 2021 IBM Corporation
Next Stage for Open API at Banking Industry
for apidays LIVE Hong Kong, 25, 26 August 2021
Nicky Ng, IT Architect, Global Business Services
2. Different Ways of Open API with Banks

[Diagram: three patterns of Open API calls - a bank exposing APIs to a Third-party Service Provider (TSP) (bank as API provider), a bank calling an external provider such as an insurer (bank as API consumer), and bank-to-bank transactions.]

As API Provider
• Mostly focused on as part of the Open Banking journey
• Hong Kong Monetary Authority (HKMA) Open API Framework
• Banks are traditionally more regulated and trustworthy; governing TSPs to the same standard is a challenge
• Account Aggregator use case as an example

As API Consumer
• Growth of industry/technology giants with huge customer bases will attract banks to offer more tailored joint services
• Banks may gradually build trust in consuming APIs from external providers to enrich real-time transactions
• Bancassurance can be this use case

Bank-to-Bank Transactions
• Has long relied on SWIFT as the global standard and centralized hub
3. Establish an API Ecosystem to support Business Use Cases which are beneficial to Customers

[Diagram: the bank and TSPs at the centre of an ecosystem serving customers across insurance, properties, developers, food & beverages, retail, and games & e-sports.]
4. Transaction Based Customer Consent

[Diagram: the customer requests a service or product from the TSP; (1) TSP side: REQUEST "Read Account Balance"; (2) Bank side: CONFIRM "Read Account Balance" with the customer; (3) the customer grants consent for the transaction directly to the bank, after which the consented (authorized) API transaction proceeds.]

• Involving the end-customer is different from traditional B2B system integrations
• The end-customer participates instantly through their own digital device
• Authentication is conducted on the bank side, without exposing personal credentials to the third-party service provider
• The customer grants consent for their own transaction directly to the bank side
5. Transaction Based Customer Consent

OAuth 2.0 specifies only API authorization (how a client obtains and presents an access token); it does not model the consent itself. Customer consent is a business entity which should support:
• Lifecycle - statuses include Pending, Authorized, Revoked and Rejected, which are not defined by the OAuth specification
• Auditability - track the full provenance of when and by whom the consent was manipulated
• Consistency check - validate business logic on authorized API calls to ensure the expected transaction context, or to enforce data-level access control
• Extensibility - handle different consent types for different business transactions as new use cases arise
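The three-step flow on slide 4 (TSP request, bank-side confirmation, customer grant) and the consent entity requirements above (lifecycle, auditability, consistency check, extensibility), worked through in Python as an added example. This is illustrative code written for this page; it is not IBM's accelerator code and not the HKMA specification. The status names and the consentId reference follow the slides; the field names, actor identifiers, the bank-side in-memory store and the sample data are assumptions.

```python
"""Transaction-based customer consent as a first-class entity: lifecycle with fixed
transitions, audit trail, and the consistency check run before serving a consented
API call.  Added illustrative example; not IBM's accelerator code and not the HKMA
specification.  Status names and consentId follow the slides; the rest is assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
import secrets


class ConsentStatus(str, Enum):
    PENDING = "Pending"        # created on the TSP's request, awaiting the customer
    AUTHORIZED = "Authorized"  # customer confirmed at the bank side
    REJECTED = "Rejected"      # customer declined at the bank side
    REVOKED = "Revoked"        # withdrawn after authorization


# The only legal lifecycle transitions; anything else is refused.
_TRANSITIONS = {
    ConsentStatus.PENDING: {ConsentStatus.AUTHORIZED, ConsentStatus.REJECTED},
    ConsentStatus.AUTHORIZED: {ConsentStatus.REVOKED},
    ConsentStatus.REJECTED: set(),
    ConsentStatus.REVOKED: set(),
}


def transition_allowed(current: ConsentStatus, new: ConsentStatus) -> bool:
    return new in _TRANSITIONS[current]


@dataclass
class Consent:
    consent_id: str                # the bank's unique reference (HKMA "consentId")
    consent_type: str              # e.g. "ReadAccountBalance"; add types per use case
    tsp_id: str
    customer_id: str
    permissions: frozenset         # resources covered; here, account numbers (assumed)
    status: ConsentStatus = ConsentStatus.PENDING
    audit: list = field(default_factory=list)   # (utc time, actor, from, to)

    def transition(self, actor: str, new: ConsentStatus) -> None:
        if not transition_allowed(self.status, new):
            raise ValueError(f"{self.status.value} -> {new.value} not allowed")
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor,
                           self.status.value, new.value))
        self.status = new


class ConsentService:
    """Bank-side store; the TSP only handles the consentId, never customer credentials."""

    def __init__(self) -> None:
        self._store = {}

    def request(self, tsp_id, customer_id, consent_type, permissions) -> Consent:
        """Step 1: the TSP asks for consent to one transaction."""
        c = Consent(secrets.token_urlsafe(16), consent_type, tsp_id, customer_id,
                    frozenset(permissions))
        c.audit.append((datetime.now(timezone.utc).isoformat(), tsp_id, None, c.status.value))
        self._store[c.consent_id] = c
        return c

    def decide(self, consent_id, customer_id, approve: bool) -> Consent:
        """Steps 2-3: the bank confirms with the authenticated customer, who grants or rejects."""
        c = self._store[consent_id]          # KeyError: unknown consentId
        if c.customer_id != customer_id:     # only the consent's own customer may decide it
            raise PermissionError("consent belongs to a different customer")
        c.transition(customer_id, ConsentStatus.AUTHORIZED if approve else ConsentStatus.REJECTED)
        return c

    def revoke(self, consent_id, actor) -> Consent:
        c = self._store[consent_id]
        c.transition(actor, ConsentStatus.REVOKED)
        return c

    def authorize_call(self, consent_id, tsp_id, consent_type, resource) -> bool:
        """Consistency check: consent exists, is Authorized, belongs to the calling
        TSP, matches the transaction type and covers the requested resource."""
        c = self._store.get(consent_id)
        return (c is not None and c.status is ConsentStatus.AUTHORIZED
                and c.tsp_id == tsp_id and c.consent_type == consent_type
                and resource in c.permissions)


def demo() -> dict:
    """Request, grant, use and revoke one consent on constructed sample data."""
    svc = ConsentService()
    tsp, cust, kind, acct = "tsp-aggregator", "cust-42", "ReadAccountBalance", "HK-001"
    c = svc.request(tsp, cust, kind, {acct})
    out = {"while_pending": svc.authorize_call(c.consent_id, tsp, kind, acct)}
    svc.decide(c.consent_id, cust, approve=True)
    out["authorized"] = svc.authorize_call(c.consent_id, tsp, kind, acct)
    out["other_account"] = svc.authorize_call(c.consent_id, tsp, kind, "HK-002")
    out["other_tsp"] = svc.authorize_call(c.consent_id, "tsp-other", kind, acct)
    svc.revoke(c.consent_id, cust)
    out["after_revoke"] = svc.authorize_call(c.consent_id, tsp, kind, acct)
    out["final_status"], out["audit_entries"] = c.status.value, len(c.audit)
    return out
```

The point of `authorize_call` is that possession of a valid access token is not enough: the gateway or provider service re-checks the consent record on every call, so a consent that was revoked, that belongs to another TSP, or that covers a different account is refused even though the OAuth token itself is still syntactically valid. Adding a new transaction type is a matter of a new `consent_type` and its permission set; the lifecycle and audit logic stay the same.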
6. Transaction Based Customer Consent

Aligned with HKMA Phase III
• Phase III also defines Customer Consent Management endpoints
• Specifies a "consentId" as the unique reference of the consent entity in the bank
• Lists the expected statuses of the consent entity
• Targets Account Aggregator related use cases with the business functions:
  • Account Availability
  • Account Status
  • Account Balance
  • Account Transaction

Account Aggregator example use cases
• Aggregate a personal financial profile, which may include spending, income or loans
• Feasible for implementing collective reminders or insights, e.g. for credit card repayments or total card expenses
• Refer customers to bank services, e.g. loans or time deposit offers
7. Our Solution to meet HKMA Phase III

• Pre-built accelerators for API development and a microservices framework, well adopted and proven in previous implementation projects
• Industry expertise and experience, with local references on various API-first microservices and cloud projects at local banks and large enterprises
• Market-leading API and cloud platform products to support the security and availability requirements of the solution
• Experience on HKMA Open API Phase I & II and global EU PSD2 implementations as the foundation references
8. Our Solution to meet HKMA Phase III

We have already prepared a reference architecture and pre-built modules to serve transaction-based customer consent, which work together with the bank's facilities to meet HKMA's Open API Phase III.

[Architecture diagram. The TSP side issues the REQUEST "Read Account Balance" and redirects the customer to the bank for authentication; the customer authenticates at the bank's Customer AZ/AU Web Frontend, never at the TSP. Components shown:]
• Developer Portal
• Management & Monitoring Server
• API Gateway
• OAuth Server
• Customer Authentication & Authorization (AZ/AU) Backend, with Customer AZ/AU Web Frontend
• Consent Management Service
• Open API Provider Services
• TSP Notification Events Service
• Customer Notification Service
• Enterprise Service Bus / Existing Integration Tier
• Bank's Systems of Records
• Bank's Customer Authentication Engine
• Bank's Customer Notification Facilities

IBM API Connect
• Enterprise-grade all-in-one package for API management, with Developer Portal and API Gateway
• Supports a multi-tenant design to serve various business domains
• API Gateway built on IBM DataPower technology for security, control and integration

Red Hat OpenShift Container Platform
• Supports the microservices architecture of the solution to achieve high availability
9. More Security Considerations

As we move on to more security-sensitive business use cases, additional controls should be considered to further evolve the Open API solution in the near future. For example, but not limited to:
• Data tokenization
• Transaction signing
• FAPI 1.0 Part 2: Advanced (the OpenID Foundation's Financial-grade API security profile)
• PKCE for OAuth (RFC 7636), which binds the authorization code to the client that started the flow
• Replay attack protection, e.g. single-use authorization codes and revocation of tokens issued for a reused code
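PKCE and replay protection from the list above, applied to the bank-side OAuth server of the redirect flow on slide 8, as an added example in Python. This is illustrative code written for this page, not IBM's product code and not text from RFC 7636 or the FAPI profile. The client identifier, redirect URI, the binding of the issued token to a consentId, and the in-memory stores are assumptions; the S256 transform itself is the one RFC 7636 defines.

```python
"""PKCE (RFC 7636, S256) with single-use authorization codes, as a bank's OAuth
server can enforce them on a TSP's redirect flow.  Added illustrative example;
not IBM's product code and not the FAPI text.  Client ids, redirect URIs, the
consentId binding and the in-memory stores are assumptions."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_challenge(code_verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """TSP side: 32 random bytes give a 43-char verifier; the verifier stays secret."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, compute_challenge(verifier)


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    return secrets.compare_digest(compute_challenge(code_verifier), code_challenge)


class AuthServer:
    """Bank-side authorization server: issue codes, redeem each exactly once."""

    def __init__(self) -> None:
        self._pending = {}    # code -> (client_id, redirect_uri, consent_id, challenge)
        self._redeemed = {}   # code -> access token issued for it
        self._active = set()  # live access tokens

    def authorize(self, client_id, redirect_uri, consent_id, code_challenge,
                  code_challenge_method="S256") -> str:
        """Runs after the customer authenticated and granted consent at the bank.
        Only S256 is accepted; 'plain' is refused (FAPI forbids it as well)."""
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, consent_id, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint; returns a token dict or None on any failure."""
        if code in self._redeemed:
            # Replay of a redeemed code: RFC 6749 4.1.2 says revoke what it produced.
            self._active.discard(self._redeemed.pop(code))
            return None
        record = self._pending.pop(code, None)   # one attempt per code, pass or fail
        if record is None:
            return None
        stored_client, stored_redirect, consent_id, challenge = record
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        if not verify_pkce(code_verifier, challenge):
            return None   # an intercepted code is useless without the verifier
        access_token = secrets.token_urlsafe(32)
        self._redeemed[code] = access_token
        self._active.add(access_token)
        return {"access_token": access_token, "token_type": "Bearer",
                "consent_id": consent_id}   # token bound to the consented transaction

    def introspect(self, access_token) -> bool:
        return access_token in self._active


def demo() -> dict:
    """Honest redemption, then a replay, then an intercepted code without its verifier."""
    srv = AuthServer()
    client, redirect = "tsp-aggregator", "https://tsp.example/callback"   # constructed
    verifier, challenge = make_pkce_pair()
    code = srv.authorize(client, redirect, "consent-123", challenge)
    tok = srv.token(client, redirect, code, verifier)
    out = {"issued": tok is not None, "bound_consent": tok["consent_id"]}
    out["active_before_replay"] = srv.introspect(tok["access_token"])
    out["replay_rejected"] = srv.token(client, redirect, code, verifier) is None
    out["active_after_replay"] = srv.introspect(tok["access_token"])
    verifier2, challenge2 = make_pkce_pair()
    code2 = srv.authorize(client, redirect, "consent-456", challenge2)
    out["intercepted_rejected"] = srv.token(client, redirect, code2, "guess") is None
    out["burned_after_bad_verifier"] = srv.token(client, redirect, code2, verifier2) is None
    return out
```

Two design choices are worth noting. First, a code is removed from the pending store on its first presentation whether or not the verifier matches, so a wrong verifier burns the code rather than allowing repeated guesses against the same challenge. Second, a second presentation of an already redeemed code not only fails but revokes the access token that the first redemption produced, which is the RFC 6749 recommendation and turns a replay into a detectable event rather than a silent duplicate.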