apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Security Design Patterns that Protect Sensitive Financial Data Shared via APIs
Dinesh Katyal, Product Director at Financial Data Exchange, Ray Voss, VP, Security Architect, JPMorgan Chase Bank, N.A and Co-Chair, Financial Data Exchange Security and Authentication Working, & Shawn Jobe, Director of Software Development at Factual Data
1. Security Design Patterns that Protect Sensitive Financial Data Shared via APIs
The Industry Standard for Consumer Access to Financial Records
APIdays – New York, Fall 2021
Dinesh Katyal, Ray Voss, Shawn Jobe
2. Agenda
FDX Confidential. All rights reserved.
• Introduction – 2 min
  • Financial Data Exchange
• Overview – 5 min
  • Problem Context
  • Cross Industry Effort
• Recommended Security Patterns – 10-15 min
• Future Work
• Q&A – 5 min
7. Problem Context
Sensitive Data
• Any individual or collection of data elements in transit that requires a combination of security and privacy controls
• Evaluated data: account number, account holder name and address, in the context of use for Personal Financial Management, Credit and Lending, and Money Movement
Need for Protection
• Prevent use in a fraudulent transaction
• Prevent compromise of private consumer information
• Adherence to specific laws and regulations
Protection Approach
• Layered set of security techniques across multiple parties, with controls for both access and visibility
8. Constraints
• Increased Security
  • Proposed approach should result in a meaningful increase in security and privacy
• Ease of Adoption
  • Solution should be implementable with reasonable resources and with a high degree of consistency and predictability
• Pro-competitive
  • No business use cases or ecosystem participants should be negatively impacted
9. Detailed Benefits
• Improved sensitive data protections throughout the ecosystem
• Targeted protections (e.g., field-level encryption) focus on the relevant data
• Complements existing data security models by layering techniques
• End-user transparency into data usage
• Reduced need for sensitive data sharing via alternate means of satisfying use cases
• Reduces potential for first-party fraud
• Improves data integrity
11. Recommendation Overview
• Categories
  • General Purpose
  • Use Case Specific
  • Emerging
• Primary Assumptions
  • Patterns are recommended in the context of App2App integrations. Data at rest is not addressed.
  • All patterns are to be considered additive to existing patterns in place (e.g., message encryption).
13. Data Encryption and Consent
• Asymmetric Encryption
  • Sharing of keys between a data provider and data recipient, used for the encryption and decryption of sensitive data.
• Granular Consent
  • Supplementary practice for setting permissions that are driven by the consumer and enforced throughout a multi-party ecosystem.
14. Asymmetric Encryption
Scope of Data: All
Use Cases in Scope: All
Considerations:
• Use only for hops between the data provider and the data access platform, and from the data access platform to the data recipient. Only encrypt the relevant data, keeping data needed by intermediary systems in the clear.
• Trust is established without exchanging private keys.
• Partner public keys are signed and verified using a mutually trusted Certificate Authority's public key.
• The Certificate Authority is responsible for establishing the identity of the individual organizations.
• The FDX API Security Model and FDX API documentation describe the pattern and implementation techniques in detail.
What Problem Can/Does It Solve:
• Prevents PII and sensitive data from traversing internal networks unencrypted. TLS will typically terminate at the API gateway, and the raw content will otherwise traverse the internal network unencrypted.
• Supports data minimization along with control over which consumer information is being secured, thus supporting bilateral agreements.
• Layered prevention against first-party attacks and compromised transport-layer security (TLS) encryption, in alignment with FDX security control considerations. Can be used with additional patterns to provide further levels of security.
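The following is an added worked example for this slide, written for this page; it is not FDX's code and the FDX API Security Model, not this snippet, defines the actual technique. It shows the two points the slide makes: the sender chains the recipient's certificate to a mutually trusted CA before using the public key inside it (no private key is ever exchanged), and only the sensitive field is encrypted while the routing fields an intermediary needs stay in the clear, so the account number is opaque to the API gateway where TLS terminates. Everything concrete is an assumption: the self-issued demo CA, the recipient name, the payload field names, the constructed account number, and the algorithm choice (RSA-OAEP with SHA-256, which fits a short field; a longer field would be encrypted under a content key wrapped the same way). The OAEP label is set to the field name so a ciphertext cannot be cut from one field and pasted into another.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs a certificate for pub with signerKey; a nil parent yields a
// self-signed root, standing in for the mutually trusted CA on the slide.
func issueCert(serial int64, cn string, pub *rsa.PublicKey, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyPartnerCert chains the recipient's certificate to the trusted CA; the
// sender calls it before encrypting anything to the public key inside.
func VerifyPartnerCert(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// SealFields encrypts only the named fields (RSA-OAEP, SHA-256) to the recipient
// and leaves every other field untouched so intermediaries can still route on them.
// The OAEP label binds each ciphertext to its field name.
func SealFields(payload map[string]any, sensitive []string, recipient *rsa.PublicKey) error {
	for _, name := range sensitive {
		v, ok := payload[name].(string)
		if !ok {
			return fmt.Errorf("field %q missing or not a string", name)
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, []byte(v), []byte(name))
		if err != nil {
			return err
		}
		payload[name] = ct
	}
	return nil
}

// OpenField is the recipient side; OAEP decryption fails on any tampering.
func OpenField(payload map[string]any, name string, priv *rsa.PrivateKey) (string, error) {
	ct, ok := payload[name].([]byte)
	if !ok {
		return "", fmt.Errorf("field %q is not sealed", name)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(name))
	return string(pt), err
}

// RoundTrip wires both parties together with constructed keys and a constructed
// payment payload. With trusted=false the recipient's CA is missing from the
// sender's trust store, so the sender must refuse before encrypting anything.
func RoundTrip(trusted bool) (payload map[string]any, account string, err error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caCert, err := issueCert(1, "constructed demo CA", &caKey.PublicKey, nil, caKey)
	if err != nil {
		return nil, "", err
	}
	recipKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipCert, err := issueCert(2, "data-recipient.example", &recipKey.PublicKey, caCert, caKey)
	if err != nil {
		return nil, "", err
	}
	roots := x509.NewCertPool() // an empty pool models a CA the sender does not trust
	if trusted {
		roots.AddCert(caCert)
	}
	if err := VerifyPartnerCert(recipCert, roots); err != nil {
		return nil, "", err
	}
	// constructed payload: routing fields stay clear, only the account number is sealed
	payload = map[string]any{"paymentId": "pay-0001", "amount": "25.00", "currency": "USD", "accountNumber": "123456789012"}
	if err := SealFields(payload, []string{"accountNumber"}, recipCert.PublicKey.(*rsa.PublicKey)); err != nil {
		return nil, "", err
	}
	account, err = OpenField(payload, "accountNumber", recipKey) // recipient side
	return payload, account, err
}

func main() {
	payload, account, err := RoundTrip(true)
	fmt.Println(payload["paymentId"], account, err)
	_, _, err = RoundTrip(false)
	fmt.Println("untrusted CA rejected:", err)
}
```

Run with `go run .`; the first line prints the clear routing field beside the recovered account number, the second shows the sender refusing a recipient whose certificate does not chain to a CA it trusts.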
15. Granular Consent
Scope of Data: All
Use Cases in Scope: All
Considerations:
• Granular consent should always be used where possible, to separate use-case consent that needs access to sensitive data from consent that doesn't.
• Information on the requested use case and the associated sensitive data should be made available to all parties (data providers and data access platforms) to enable them to trigger appropriate controls for the data and use case.
• Supported by the FDX User Experience Guidelines and the FDX Consent API.
What Problem Can/Does It Solve:
• Limits the data delivered through exchanges between parties, while providing transparency to the end user.
• Reduces consumer friction by providing a clear and concise understanding of the data use.
• Provides consumers a means for increased control over the privacy of their data.
17. Substitution and Data Minimization
• Data Masking / Truncation
  • Obfuscation of a value from its original form for the purpose of controlling visibility and exposure.
• Tokenization
  • Substitutes the value with an opaque identifier that can be used as a replacement for a sensitive data element within an ecosystem.
• Alternative Data
  • Limiting the sharing and collection of data in order to maintain consumer trust and reduce general security threats.
• Hashing
  • Process in which data of any size is mapped to a fixed length of characters, used for ensuring that the data has not been altered.
18. Tokenization
Scope of Data: Account Number
Use Cases in Scope: Money Movement
Considerations:
• Implemented at the data provider for better security and control.
• Ensure tokens are as usable for the purpose as the original account number, e.g., no change to ACH, SWIFT, or other money movement schemes should be needed.
• Supported in FDX API v4.5 onwards.
What Problem Can/Does It Solve:
• Protects the account number from being leaked by using a substitute value that can only be used to execute transactions. Substitute account numbers can be reissued and replaced without impacting the end customer.
• Provides the end customer the ability to deactivate a substitute account number, taking away any holder's ability to move money.
• Streamlines the replacement of account numbers for the account holder, as it requires the customer to be involved.
• Reduces the risk to all parties in the chain, as nobody holds the actual account number.
19. Alternative Data
Scope of Data: Account Number
Use Cases in Scope: Account Verification
Considerations:
• Potential for removing sensitive data from the transaction.
• Account validation can be done through data such as transaction history rather than the account number.
• It is becoming more common that credit furnishers do not provide full account numbers.
• Can impact the robustness of an automated verification process.
• Without the full account number, it can lead to fraud.
What Problem Can/Does It Solve:
• Replaces the use of sensitive data with non-sensitive data, reducing the need for additional security measures or design patterns associated with sensitive data.
• Accomplishes the same business objective using non-sensitive data, which is neutral from a business perspective but superior from a compliance, risk and security perspective. The exact alternative data would be decided on a use-case-by-use-case basis.
• Minimizes the amount of sensitive data throughout the ecosystem.
20. Verification Query
Scope of Data: All
Use Cases in Scope: Account Owner Identity Verification, Money Movement Setup
Considerations:
• Sensitive data is gathered and transmitted to the provider for verification.
• Can be combined with hashing to prevent data transmission in the clear.
• Instead of requiring the account number to verify, the data recipient sends an end-user identifier, e.g., account number or phone number, to the data provider. The data provider compares it with the account number or phone number on record and responds with yes if the data matches, and no if it does not.
• Bank information becomes the primary source rather than derived data.
What Problem Can/Does It Solve:
• Reduces the risk from rogue or poorly implemented data recipient apps. Since this method relies on the end user providing the sensitive data to verify, it prevents the data recipient from obtaining this data from the data provider without the end user knowing about it or, worse, under false pretexts.
• It also reduces the risk surface for account takeover (ATO) fraud by making it difficult for a fraudulent user who took over a legitimate user's credentials to carry out fraud, as the fraudulent user now also needs to know the sensitive data to complete the operation.
21. Masking / Truncation
Scope of Data: All
Use Cases in Scope: Account Verification, Account Identification, API call requirements
Considerations:
• Reconciliation of information with the unmasked data element
• Integrity of the data structure with selective masking of data elements
• Data recipient discretion based on use case
• Masking used in conjunction with alternative data and verification query increases
• Generally accepted best practice when working with cardholder data
What Problem Can/Does It Solve:
• Protects the data element from being leaked or redistributed, as the source data is masked
• Pseudonymization for analytical modeling, regulatory compliance and privacy scenarios
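An added example covering the Tokenization slide (18) and the Masking / Truncation slide above; it is illustrative code written for this page, not FDX's implementation or the FDX API's tokenization endpoint. The token vault sits at the data provider, as the slide recommends: the token is random and carries nothing of the account number, the mapping back to the real account is resolved only inside the provider when a money-movement instruction arrives, and the owning customer (and only that customer) can deactivate a token so that any holder loses the ability to move money. Receipts that leave the provider carry the masked form, which preserves the field's length so downstream format checks still pass. The `tok_` prefix, the customer and account values, and the receipt text are all constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Vault is a provider-side token vault (constructed example): it issues opaque
// substitute account identifiers, resolves them only internally, and lets the
// owning customer revoke them.
type Vault struct {
	mu      sync.Mutex
	records map[string]*tokenRecord
}

type tokenRecord struct {
	customerID    string
	accountNumber string
	active        bool
}

func NewVault() *Vault { return &Vault{records: map[string]*tokenRecord{}} }

// Issue mints a random token bound to one customer and one account. The token
// is not derived from the account number, so nothing can be recovered from it.
func (v *Vault) Issue(customerID, accountNumber string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.records[token] = &tokenRecord{customerID: customerID, accountNumber: accountNumber, active: true}
	return token, nil
}

// Deactivate is the customer's kill switch: only the owning customer may revoke,
// and a revoked token can never move money again.
func (v *Vault) Deactivate(customerID, token string) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	rec, ok := v.records[token]
	if !ok || rec.customerID != customerID {
		return errors.New("token not found for this customer")
	}
	rec.active = false
	return nil
}

// resolve maps a live token to the real account number. It is unexported on
// purpose: the account number is used for settlement and never returned to a caller.
func (v *Vault) resolve(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	rec, ok := v.records[token]
	if !ok || !rec.active {
		return "", errors.New("unknown or deactivated token")
	}
	return rec.accountNumber, nil
}

// Mask keeps the last `keep` characters and replaces the rest, preserving the
// length so format and length validation on the field still passes.
func Mask(value string, keep int) string {
	if keep >= len(value) {
		return strings.Repeat("*", len(value))
	}
	return strings.Repeat("*", len(value)-keep) + value[len(value)-keep:]
}

// MoveMoney is a money-movement instruction as the provider sees it: it carries
// the token, and the receipt that leaves the provider carries only the masked number.
func (v *Vault) MoveMoney(token string, amountCents int) (string, error) {
	acct, err := v.resolve(token)
	if err != nil {
		return "", err
	}
	// settlement on the real account would happen here; ACH/SWIFT rails are unchanged
	return fmt.Sprintf("moved %d cents from %s", amountCents, Mask(acct, 4)), nil
}

func main() {
	v := NewVault()
	tok, _ := v.Issue("cust-1", "123456789012") // constructed customer and account
	fmt.Println(v.MoveMoney(tok, 2500))
	fmt.Println(v.Deactivate("cust-1", tok))
	fmt.Println(v.MoveMoney(tok, 2500))
}
```

The vault is the only component that ever sees a real account number together with a token; every other party in the chain holds the token alone, which is what lets it be reissued or deactivated without touching the customer's actual account.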
22. Hashing
Scope of Data: Account Number, Account Holder Name, Account Holder Address
Use Cases in Scope: Account Verification
Considerations:
• Used to verify integrity and ensure the original value has not been modified or tampered with.
• Hashing is not encryption of data: it is a one-way transformation of the data, whereas encryption algorithms are two-way (encrypt, decrypt) functions.
• Requires use of SHA-256 or SHA-3 (secure hashing algorithms).
• It is recommended that it be combined with various encryption techniques for added security.
• Use is well known and there are no real blockers to adoption.
• Both parties know the original data that is used for comparison.
What Problem Can/Does It Solve:
• Hashing provides a solution for ensuring the integrity of a given value while adding an additional level of security.
• Recipients are able to perform verification without needing the value in clear text.
• If encryption is not implemented or not being used, then it is a feasible alternative for ensuring the integrity of the data element and/or message payload.
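An added example that combines the Verification Query slide (20) with the Hashing slide above; it is written for this page and is not FDX's code or the FDX API's verification endpoint. The data recipient sends only the customer reference, the attribute name and a SHA-256-based digest of what the end user typed; the provider, which holds the record of reference, recomputes the digest over its own value and answers yes or no without ever echoing the value on file. One caveat a practitioner would add: a bare SHA-256 of a 12-digit account number or a phone number can be recovered by enumerating the input space, so the example keys the digest (HMAC-SHA256) under a per-partner secret agreed out of band and includes the attribute name in the input; the slide only requires SHA-256 or SHA-3, so the keying, the secret, the attribute names and the customer data are assumptions and constructed values. The comparison is constant-time so response timing reveals nothing about how close a guess was.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyRequest is what the data recipient sends: which attribute the end user
// typed and a keyed SHA-256 digest of it. The attribute value itself is not sent.
type VerifyRequest struct {
	CustomerID string
	Field      string // "accountNumber" or "phone" (constructed attribute names)
	Digest     string // hex HMAC-SHA256
}

// Provider is the data provider's side; the bank's records are the primary source.
type Provider struct {
	partnerKey []byte                       // per-partner secret shared out of band (assumption)
	records    map[string]map[string]string // customerID -> field -> value on file
}

// normalize makes what the user typed and what the provider stores digest the
// same: spaces, dashes and parentheses are dropped, letters lower-cased.
func normalize(value string) string {
	r := strings.NewReplacer(" ", "", "-", "", "(", "", ")", "")
	return strings.ToLower(r.Replace(value))
}

// KeyedDigest binds the digest to the field name and the partner key, so a
// digest of a short number cannot simply be looked up or enumerated offline
// and a digest for one field cannot be replayed as another.
func KeyedDigest(key []byte, field, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(field))
	mac.Write([]byte{0})
	mac.Write([]byte(normalize(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify answers only yes or no and never returns the value on file. The
// comparison is constant-time so timing does not leak how many bytes matched.
func (p *Provider) Verify(req VerifyRequest) bool {
	onFile, ok := p.records[req.CustomerID][req.Field]
	if !ok {
		return false
	}
	expected := KeyedDigest(p.partnerKey, req.Field, onFile)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(req.Digest)) == 1
}

// NewDemoProvider builds a constructed provider with one customer on file.
func NewDemoProvider() *Provider {
	return &Provider{
		partnerKey: []byte("constructed-per-partner-secret-32B"),
		records: map[string]map[string]string{
			"cust-1": {"accountNumber": "123456789012", "phone": "+15550100123"},
		},
	}
}

// RecipientQuery is the data recipient's half: digest what the end user typed.
func RecipientQuery(key []byte, customerID, field, typed string) VerifyRequest {
	return VerifyRequest{CustomerID: customerID, Field: field, Digest: KeyedDigest(key, field, typed)}
}

func main() {
	p := NewDemoProvider()
	fmt.Println(p.Verify(RecipientQuery(p.partnerKey, "cust-1", "accountNumber", "1234-5678-9012")))
	fmt.Println(p.Verify(RecipientQuery(p.partnerKey, "cust-1", "accountNumber", "1234-5678-9013")))
}
```

Because the answer is a single bit, a data recipient that has not been given the value by the end user learns nothing from the provider, which is exactly the property the Verification Query slide relies on against rogue or compromised recipient apps.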
24. Future Work
• API Adoption of Security Patterns
  • API specifications for approved methods of sensitive data sharing, e.g., verification query, hashing.
• Decision Framework (Concept)
  • Multi-step process to assist FDX task forces in addressing the sharing of sensitive data for their given use cases.
• Emerging Technology Use
  • Trust Frameworks/Verifiable Credentials, Homomorphic and Polymorphic Encryption, Secure Multi-Party Computation, Trusted Execution Environments.
25. Additional References
• FDX API v4.6
• FDX API Security Model v3.3
• FDX User Experience Guidelines 1.0
These documents are available for free on https://financialdataexchange.org. Login and terms acceptance are required.