The Industry Standard for Consumer Access to Financial Records
APIdays – New York, Fall 2021
Security Design Patterns that Protect Sensitive Financial Data Shared via APIs
Dinesh Katyal, Ray Voss, Shawn Jobe
Agenda
FDX Confidential. All rights reserved.
• Introduction – 2 min
  • Financial Data Exchange
• Overview – 5 min
  • Problem Context
  • Cross Industry Effort
• Recommended Security Patterns – 10-15 min
• Future Work
• Q&A – 5 min
Financial Data Exchange (FDX)
FDX is not a policy or lobbying group.
Data Sharing Ecosystem
• We estimate that in North America alone there are ~100 million credential pairs being used to scrape data.
• Typically 30%-35% of a given financial institution’s online user base has shared their credentials.
• Typically 25%-40% of a given financial institution’s online logins are scraping sessions.
FDX Mission
FDX is dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for the secure access of permissioned consumer and business financial data, aptly named the FDX Application Programming Interface (FDX API).
© FDX, all rights reserved
Who is using FDX
• 100% of our FI members are using or plan to use FDX API
• >16 million consumers are on FDX as of March 2021
• FDX API averaged 99.91% availability.
FDX Objectives
• Adopt, Promote and Improve Data-Sharing Standards
• Adopt, Promote and Improve Secure Authentication Standards
• Develop a Certification Program
• Develop User Experience and Consent Guidelines Best Practices
190+ Member Organizations on 4 continents
The current Board comprises 12 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2 Industry Groups, FS-ISAC, 1 Canadian Fintech, and 1 Consumer Advocacy Group as an observer.
FDX does not comment on policy or engage in lobbying.
Open Membership | ¼ of members are Fin-Tech firms | 2/3 are not banks
ABA
Adastra Corporation
Affinity Credit Union
Akoya
Ally
American Express
apimetrics
Apiture
Assiniboine Credit Union
ATB Financial
Authlete
Axway
Back in the Black
Bank of America
Bank of Montreal
Bank of Nova Scotia/ Tangerine
Bank Policy Institute
BillGo
Blanc Labs
Blend Labs, Inc.
Blucora
BNC
BotKeeper
Callsign
Canadian Credit Union Assoc.
CCUA
Capital One
Caspian One
Celero
Centime Inc
Central 1 CU
Cequence Security
CIBC
Citi Group
Citizens Bank
Cloud Entity
CloudVector
Codat
Computer Services Inc (CSI)
Concord Advice
Connect
Connexussecure
Consumer Edge
Credit Union Central Alberta Limited
DAPI
Datapro inc
Decision Logic
Desjardins
Digits
Discover
Duality Technologies
EarnIn
EEI
Emoney Advisor
Empower Retirement
Equifax
Equitable Bank
Everlink Payment Services Inc.
EWS
Experian
F5 Networks Inc.
Fairstone Financial Inc.
Fannie Mae
FGS - Fintech Growth Syndicate
FI.Span Services Inc
Ficanex
FICO
Fidelity
Financial Apps
Finconecta
Finicity
Finovera
First Bank
First Canadian Title Company Limited
Fiserv
Flinks
Forge Rock
FormFree Holdings Co
FS-ISAC
GT Software
H&R Block
Home Trust Company
IBBIE LLC
ICBA
Iclose
Inclusive Innovations
Innovecture
Intelliware
Interac
Internet Tax Information Processing Services (ITIPS)
Intuit
Inverite
Jack Henry Inc
Japan Association for Financial API's
JPMChase
KOHO
Konsentus Ltd
L7 Defense LTD
Large Credit Union Coalition LCUC
Mass Mutual
Mastercard
Mazooma
Merchant Treasury
Meridian Credit Union
Microbilt
MorningStar
Mountain America FCU
Mscience
MX
MyFinApps
Navy Federal Credit Union
NCRC
Neosec
New Media IV Holdings
Ninth-Wave
Nivelo Tech Inc
Okta
Opportunity Financial
Orum - Project Midas
Ozoneapi
PAI
Payments Canada
PayPal
Petal Card Inc.
Ping Identity
Plaid
Plenee Co
PNC
PointServ
PPIJV Prarie Payments
Price Water House Coopers LLP
Principal
PSCU
QuadFI INC.
Quicken
Quicken Loans
Raidiam Services Limited
Rattlehub Digital
Royal Bank of Canada
Sage
Salt Security
Schwab
Securekey
self lender
Servus Credit Union
SIFMA
Silicon Valley Bank
Simpli
Singular Key
Skyflow
Smart Solution
Smart Vault
Sovos
Spring Labs
Star Point
Symcor
TD Bank
The Clearing House
The Goldman Sachs Group
The Pathfinder Group
The Working Group
TIAA
Transunion
True Layer
Truist
Trust Stamp
US Bank
USAA
UW Credit Union
Validifi
Vantage Score
Verify My Banks
Visa
Vopay
Wells Fargo
Xero
Xtensifi
Yodlee
Varo Bank
Every Working Group, Committee and the Board are co-chaired by a Financial Institution and a Non-Financial Institution
How many consumers are on it?
UK Open Banking is at 3 million consumers as of March 5th
The US also has a higher per-capita usage than the UK (46 per thousand versus 44).
Problem Context
Sensitive Data
• Any individual or collection of data elements in transit that requires a combination of security and privacy controls
• Evaluated Data: Account Number, Account Holder Name and Address in the context of use for Personal Financial Management, Credit and Lending, and Money Movement
Need for Protection
• Prevent use in a fraudulent transaction
• Prevent compromise of private consumer information
• Adherence to specific laws and regulations.
Protection Approach
• Layered set of security techniques across multiple parties with controls for both access and visibility
Constraints
• Increased Security
  • Proposed approach should result in a meaningful increase in security and privacy
• Ease of Adoption
  • Solution should be implementable with reasonable resources and with a high degree of consistency and predictability
• Pro-competitive
  • No business use cases or ecosystem participants should be negatively impacted
Detailed Benefits
• Improved sensitive data protections throughout the ecosystem
• Targeted protections (e.g., field-level encryption) that focus on the relevant data
• Complements existing data security models by layering techniques
• End-user transparency into data usage
• Reduces the need for sensitive data sharing via alternate means of satisfying use cases
• Reduces potential for 1st party fraud
• Improves data integrity
Recommended Security Patterns
Recommendation Overview
• Categories
  • General Purpose
  • Use Case Specific
  • Emerging
• Primary Assumptions
  • Patterns are recommended in the context of App2App integrations. Data at rest is not addressed.
  • All patterns are to be considered as additive to existing patterns in place (e.g., message encryption).
General Purpose Patterns
Data Encryption and Consent
• Asymmetric Encryption
  • Sharing of keys between a data provider and data recipient used for the encryption and decryption of sensitive data.
• Granular Consent
  • Supplementary practice for setting permissions that are driven by the consumer and enforced throughout a multi-party ecosystem.
Asymmetric Encryption
Scope of Data: All
Use Cases in Scope: All
Considerations
• Use only for hops between data provider and data access platform, and from data access platform to data recipient. Only encrypt the relevant data, keeping data needed by intermediary systems in the clear.
• Trust is established without exchanging private keys.
• Partner public keys are signed and verified using a mutually trusted Certificate Authority’s public key.
• The certificate authority is responsible for establishing the identity of the individual organizations.
• The FDX API Security Model and FDX API documentation describe the pattern and implementation techniques in detail.
What Problem Can/Does It Solve
• Prevents PII and sensitive data from traversing internal networks unencrypted. TLS will typically terminate at the API gateway, after which the raw content traverses the internal network unencrypted.
• Supports data minimization along with controlling what consumer information is being secured, thus supporting bilateral agreements.
• Layered prevention against first-party attacks and compromised transport-layer-security encryption, in alignment with FDX security control considerations. Can be used with additional patterns to provide additional levels of security.
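The field-level form of this pattern, as an added illustration that is not FDX's code: only the sensitive field is sealed for the data recipient's public key (RSA-OAEP, Go standard library), while the fields an intermediary data access platform needs stay readable. The record layout, field names and key size are assumptions of this example, not the FDX schema; certificate validation against the mutually trusted CA is out of scope here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// AccountPayload is a constructed example record; the field names are illustrative
// and are not the FDX API schema.
type AccountPayload struct {
	AccountID     string `json:"accountId"`     // routing id an intermediary needs: stays in the clear
	AccountNumber string `json:"accountNumber"` // sensitive: encrypted end to end for the recipient
	Currency      string `json:"currency"`      // non-sensitive: stays in the clear
}

// oaepLabel ties a ciphertext to the field it protects, so a ciphertext lifted
// from one field cannot be decrypted as another.
var oaepLabel = []byte("example:accountNumber")

// EncryptField seals one value for the recipient's public key (RSA-OAEP, SHA-256).
// RSA-OAEP only fits short values; larger payloads would need a hybrid scheme.
func EncryptField(pub *rsa.PublicKey, plaintext string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plaintext), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField runs only at the data recipient, which holds the private key.
func DecryptField(priv *rsa.PrivateKey, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ProviderEncode is what the data provider puts on the wire: the same JSON
// structure, with only the sensitive field replaced by ciphertext.
func ProviderEncode(pub *rsa.PublicKey, p AccountPayload) ([]byte, error) {
	enc, err := EncryptField(pub, p.AccountNumber)
	if err != nil {
		return nil, err
	}
	p.AccountNumber = enc
	return json.Marshal(p)
}

// RecipientDecode restores the sensitive field at the data recipient.
func RecipientDecode(priv *rsa.PrivateKey, wire []byte) (AccountPayload, error) {
	var p AccountPayload
	if err := json.Unmarshal(wire, &p); err != nil {
		return p, err
	}
	pt, err := DecryptField(priv, p.AccountNumber)
	if err != nil {
		return p, err
	}
	p.AccountNumber = pt
	return p, nil
}

// IntermediaryView is what a data access platform sitting between the two
// parties can read from the wire payload after TLS termination.
func IntermediaryView(wire []byte) (AccountPayload, error) {
	var p AccountPayload
	err := json.Unmarshal(wire, &p)
	return p, err
}

// RoundTrip runs provider -> intermediary -> recipient with a fresh recipient key
// and returns the intermediary's view and the recipient's recovered record.
func RoundTrip(original AccountPayload) (AccountPayload, AccountPayload, error) {
	recipientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return AccountPayload{}, AccountPayload{}, err
	}
	wire, err := ProviderEncode(&recipientKey.PublicKey, original)
	if err != nil {
		return AccountPayload{}, AccountPayload{}, err
	}
	seen, err := IntermediaryView(wire)
	if err != nil {
		return AccountPayload{}, AccountPayload{}, err
	}
	recovered, err := RecipientDecode(recipientKey, wire)
	return seen, recovered, err
}

func main() {
	original := AccountPayload{AccountID: "acct-example-001", AccountNumber: "123456789012", Currency: "USD"}
	seen, recovered, err := RoundTrip(original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("intermediary sees:  %+v\n", seen)
	fmt.Printf("recipient recovers: %+v\n", recovered)
}
```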
Granular Consent
Scope of Data: All
Use Cases in Scope: All
Considerations
• Granular consent should always be used where possible to separate use cases whose consent needs access to sensitive data from those that don’t.
• Information on the requested use case and the associated sensitive data should be made available to all parties (data providers and data access platforms) to enable them to trigger appropriate controls for the data and use case.
• Supported by FDX User Experience Guidelines and FDX Consent API
What Problem Can/Does It Solve
• Limits the delivery of data provided through exchanges between parties while providing transparency to the end user.
• Reduces consumer friction by providing a clear and concise understanding of the data use.
• Provides consumers a means for increased control over the privacy of their data.
Use Case Specific Patterns
Substitution and Data Minimization
• Data Masking / Truncation
  • Obfuscation of a value from its original form for the purpose of controlling visibility and exposure.
• Tokenization
  • Substitutes the value with an opaque identifier that can be used as a replacement for a sensitive data element within an ecosystem.
• Alternative Data
  • Limiting the sharing and collection of data in order to maintain consumer trust and reduce general security threats.
• Hashing
  • Process in which data of any size is mapped to a fixed length of characters and used for ensuring that the data has been unaltered.
Tokenization
Scope of Data: Account Number
Use Cases in Scope: Money Movement
Considerations
• Implemented at the data provider for better security and control.
• Ensure tokens are as usable for the purpose as the original account number, e.g., no change to ACH, SWIFT, or other money movement schemes should be needed.
• Supported in FDX API v4.5 onwards
What Problem Can/Does It Solve
• Protects the account number from being leaked by using a substitute value that can only be used to execute transactions. Substitute account numbers can be reissued and replaced without impacting the end customer.
• Provides the end customer the ability to deactivate a substitute account number, taking away any holder’s ability to move money.
• Streamlines the replacement of account numbers for the account holder as it requires the customer to be involved.
• Reduces the risk to all parties in the chain as nobody holds the actual account number.
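A provider-side token vault that exercises the properties listed above (issue, recipient binding, customer deactivation, reissue, and a transfer path that is the only place the real account number is resolved), as an added example written for this page and not FDX's own implementation. The "sub-" token format, the recipient-binding rule and the sample account values are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// ErrTokenUnusable covers unknown, deactivated and wrongly bound tokens alike,
// so a caller learns nothing about which case applied.
var ErrTokenUnusable = errors.New("substitute account number cannot be used")

type tokenRecord struct {
	accountNumber string // the real value; it never leaves the provider
	recipient     string // the data recipient the substitute was issued to
	active        bool
}

// TokenVault is the data-provider-side store. Everything outside the provider
// only ever handles the token string.
type TokenVault struct {
	mu     sync.Mutex
	tokens map[string]*tokenRecord
}

func NewTokenVault() *TokenVault {
	return &TokenVault{tokens: map[string]*tokenRecord{}}
}

// Issue mints an opaque substitute bound to one recipient. The "sub-" prefix and
// hex form are illustrative; the point is that the value carries no account digits.
func (v *TokenVault) Issue(accountNumber, recipient string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "sub-" + hex.EncodeToString(b)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.tokens[tok] = &tokenRecord{accountNumber: accountNumber, recipient: recipient, active: true}
	return tok, nil
}

// Deactivate is the customer-facing control: once off, the holder cannot move money.
func (v *TokenVault) Deactivate(tok string) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	rec, ok := v.tokens[tok]
	if !ok {
		return false
	}
	rec.active = false
	return true
}

// Reissue replaces a substitute with a new one for the same account and recipient;
// the customer's real account number does not change.
func (v *TokenVault) Reissue(oldTok string) (string, error) {
	v.mu.Lock()
	rec, ok := v.tokens[oldTok]
	if !ok {
		v.mu.Unlock()
		return "", ErrTokenUnusable
	}
	rec.active = false
	acct, recipient := rec.accountNumber, rec.recipient
	v.mu.Unlock()
	return v.Issue(acct, recipient)
}

// last4 is the only fragment of the account number a confirmation exposes.
func last4(s string) string {
	if len(s) <= 4 {
		return s
	}
	return s[len(s)-4:]
}

// Transfer is the only path that resolves a token to an account, and it stays
// inside the provider. A real implementation would hand the number to the
// ACH/SWIFT engine here; this example returns a confirmation with the last four digits.
func (v *TokenVault) Transfer(tok, recipient string, amountCents int64) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	rec, ok := v.tokens[tok]
	if !ok || !rec.active || rec.recipient != recipient {
		return "", ErrTokenUnusable
	}
	return fmt.Sprintf("moved %d cents to account ending %s", amountCents, last4(rec.accountNumber)), nil
}

func main() {
	vault := NewTokenVault()
	tok, _ := vault.Issue("123456789012", "payments-app") // constructed sample values
	fmt.Println(vault.Transfer(tok, "payments-app", 2500))
	vault.Deactivate(tok)
	fmt.Println(vault.Transfer(tok, "payments-app", 2500))
}
```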
Alternative Data
Scope of Data: Account Number
Use Cases in Scope: Account Verification
Considerations
• Potential for removing sensitive data from the transaction.
• Account validation can be done through data such as transaction history rather than the account number.
• It is becoming more common that credit furnishers do not provide full account numbers.
• Can impact the robustness of an automated verification process.
• Without the full account number it can lead to fraud.
What Problem Can/Does It Solve
• Replaces the use of sensitive data with non-sensitive data, reducing the need for additional security measures or design patterns associated with sensitive data.
• Accomplishes the same business objective using non-sensitive data, which is neutral from a business perspective but superior from a compliance, risk and security perspective. The exact alternative data would be decided on a use-case-by-use-case basis.
• Minimizes the amount of sensitive data throughout the ecosystem.
Verification Query
Scope of Data: All
Use Cases in Scope: Account Owner Identity Verification, Money Movement Setup
Considerations
• Sensitive data is gathered and transmitted to the provider for verification.
• Can be combined with hashing to prevent data transmission in the clear.
• Instead of requiring the account number to verify, the data recipient sends an end-user identifier, e.g., account number or phone number, to the data provider. The data provider compares that with the account number or phone number on record and responds with yes if the data match, and no if it does not.
• Bank information becomes the primary source rather than derived.
What Problem Can/Does It Solve
• Reduces the risk from rogue or poorly implemented data recipient apps. Since this method relies on the end user providing the sensitive data to verify, it prevents the data recipient from obtaining this data from the data provider without the end user knowing about it or, worse, under false pretexts.
• It also reduces the risk surface for ATO fraud by making it difficult for a fraudulent user who took over a legitimate user’s credentials to carry out fraud, as the fraudulent user now also needs to know the sensitive data to complete the operation.
Masking / Truncation
Scope of Data: All
Use Cases in Scope: Account Verification, Account Identification, API call requirements.
Considerations
• Reconciliation of information with the unmasked data element
• Integrity of the data structure with selective masking of data elements
• Data recipient discretion based on use case
• Masking used in conjunction with alternative data and verification query increases protection
• Generally accepted best practice when working with cardholder data
What Problem Can/Does It Solve
• Protects the data element from being leaked or redistributed as the source data is masked
• Pseudonymization for analytical modeling, regulatory compliance and privacy scenarios
Hashing
Scope of Data: Account Number, Account Holder Name, Account Holder Address.
Use Cases in Scope: Account Verification
Considerations
• Used to verify integrity and ensure the original value has not been modified or tampered with.
• Hashing is not encryption: it is a one-way transformation of the data, whereas encryption algorithms are two-way (encrypt, decrypt) functions.
• Requires use of SHA-256 or SHA-3 (secure hashing algorithms).
• It is recommended that it be combined with various encryption techniques for added security.
• Use is well known and there are no real blockers to adoption.
• Both parties know the original data that is used for comparing.
What Problem Can/Does It Solve
• Hashing provides a solution for ensuring the integrity of a given value while adding an additional level of security.
• Recipients are able to perform verification without needing the value in clear text.
• If encryption is not implemented or not being used, then it is a feasible alternative to ensure the integrity of the data element and/or message payload.
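The verification query combined with hashing, as an added example serving both the Verification Query and Hashing slides; it is written for this page and is not FDX's API. The recipient sends a SHA-256 based commitment over the value the end user typed, and the provider answers only yes or no. One caveat the slides leave implicit is worked in: account and phone numbers have little entropy, so a bare SHA-256 of the value can be reversed by enumeration by anyone who observes it. The example therefore keys the hash (HMAC-SHA256) with a single-use nonce issued by the provider; that nonce scheme, the normalization rule, the field names and the on-record sample data are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// holderRecord is what the provider holds on file for one end user.
type holderRecord struct {
	accountNumber string
	phone         string
}

// onRecord is constructed sample data, not real account data.
var onRecord = map[string]holderRecord{
	"user-42": {accountNumber: "1234-5678-9012", phone: "+1 555 123 4567"},
}

// Provider tracks single-use challenges so a captured commitment cannot be replayed.
type Provider struct {
	challenges map[string]string // nonce -> user id
}

func NewProvider() *Provider { return &Provider{challenges: map[string]string{}} }

// normalize makes "1234-5678-9012" and "123456789012" hash identically, so a
// formatting difference between what the user typed and what is on file does
// not produce a false "no".
func normalize(s string) string {
	return strings.Map(func(r rune) rune {
		if r == ' ' || r == '-' || r == '(' || r == ')' {
			return -1
		}
		return r
	}, s)
}

// Commit is what the data recipient sends: HMAC-SHA256, keyed with the provider's
// one-time nonce, over the value the end user typed. Keyed with a nonce, the
// commitment is useless outside this single exchange even if it is observed.
func Commit(nonce, value string) string {
	mac := hmac.New(sha256.New, []byte(nonce))
	mac.Write([]byte(normalize(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

// NewChallenge issues a fresh nonce for one verification of one user.
func (p *Provider) NewChallenge(userID string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	p.challenges[nonce] = userID
	return nonce, nil
}

// Verify answers only yes or no. The on-record value never leaves the provider
// and the typed value never left the recipient.
func (p *Provider) Verify(nonce, field, commitment string) (bool, error) {
	userID, ok := p.challenges[nonce]
	if !ok {
		return false, errors.New("unknown or already used challenge")
	}
	delete(p.challenges, nonce) // single use: no replay of a captured commitment
	rec, ok := onRecord[userID]
	if !ok {
		return false, errors.New("unknown user")
	}
	var expected string
	switch field {
	case "accountNumber":
		expected = rec.accountNumber
	case "phone":
		expected = rec.phone
	default:
		return false, errors.New("unsupported field")
	}
	// hmac.Equal is constant time, so a mismatch leaks nothing about where it differed.
	return hmac.Equal([]byte(Commit(nonce, expected)), []byte(commitment)), nil
}

func main() {
	p := NewProvider()
	nonce, _ := p.NewChallenge("user-42")
	// The recipient only ever transmits the nonce, the field name and the commitment.
	ok, err := p.Verify(nonce, "accountNumber", Commit(nonce, "123456789012"))
	fmt.Println(ok, err)
}
```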
Summary
Future Work
• API Adoption of Security Patterns
  • API specifications for approved methods for sensitive data sharing, e.g., verification query, hashing.
• Decision Framework (Concept)
  • Multi-step process to assist FDX task forces in addressing the sharing of sensitive data for their given use cases.
• Emerging Technology Use
  • Trust Frameworks/Verifiable Credentials, Homomorphic and Polymorphic Encryption, Secure Multi-Party Computation, Trusted Execution Environments.
Additional References
• FDX API v4.6
• FDX API Security Model API v3.3
• FDX User Experience Guidelines 1.0
These documents are available on https://financialdataexchange.org for free. Login and terms acceptance are required.
Q & A

Who changed my data? Need for data governance and provenance in a streaming w...
 
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
 
File Sharing Use Cases in Financial Services
File Sharing Use Cases in Financial ServicesFile Sharing Use Cases in Financial Services
File Sharing Use Cases in Financial Services
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated
 
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDXapidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
 
Isaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataIsaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big data
 
Aggregation Platforms-White Paper
Aggregation Platforms-White PaperAggregation Platforms-White Paper
Aggregation Platforms-White Paper
 
Secure and Compliant Data Management in FinTech Applications
Secure and Compliant Data Management in FinTech ApplicationsSecure and Compliant Data Management in FinTech Applications
Secure and Compliant Data Management in FinTech Applications
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 

More from apidays

apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays
 
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays
 
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays
 
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays
 
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays
 
apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays
 
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays
 
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays
 
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays
 
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays
 
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays
 
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays
 
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...apidays
 
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOApidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOapidays
 
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...apidays
 
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...apidays
 
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...apidays
 
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...apidays
 
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...apidays
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...apidays
 

More from apidays (20)

apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...
 
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
 
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
 
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
 
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
 
apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...
 
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
 
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
 
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
 
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
 
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
 
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
 
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
 
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOApidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
 
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
 
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
 
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
 
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
 
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive Financial Data Shared via APIs

  • 1. The Industry Standard for Consumer Access to Financial Records
    APIdays – New York, Fall 2021
    Security Design Patterns that Protect Sensitive Financial Data Shared via APIs
    Dinesh Katyal, Ray Voss, Shawn Jobe
  • 2. Agenda
    FDX Confidential. All rights reserved.
    • Introduction – 2 min
      • Financial Data Exchange
    • Overview – 5 min
      • Problem Context
      • Cross Industry Effort
    • Recommended Security Patterns – 10-15 min
    • Future Work
    • Q&A – 5 min
  • 3. Financial Data Exchange (FDX)
    © FDX, all rights reserved
    FDX is not a policy or lobbying group.
    Data Sharing Ecosystem
    • We estimate that in North America alone there are ~100 million credential pairs being used to scrape data.
    • Typically 30%-35% of a given financial institution’s online user base has shared their credentials.
    • Typically 25%-40% of a given financial institution’s online logins are scraping sessions.
    FDX Mission
    FDX is dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for the secure access of permissioned consumer and business financial data, aptly named the FDX Application Programming Interface (FDX API).
    Who is using FDX
    ✓ 100% of our FI members are using or plan to use FDX API
    ✓ >16 million consumers are on FDX as of March 2021
    ✓ FDX API averaged 99.91% availability.
    FDX Objectives
    ✓ Adopt, Promote and Improve Data-Sharing Standards
    ✓ Adopt, Promote and Improve Secure Authentication Standards
    ✓ Develop a Certification Program
    ✓ Develop User Experience and Consent Guidelines Best Practices
  • 4. 190+ Member Organizations on 4 continents
    The current Board comprises 12 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2 Industry Groups, FS-ISAC, 1 Canadian Fintech, and 1 Consumer Advocacy Group as an observer.
    FDX does not comment on policy or engage in lobbying.
    Open Membership | ¼ of members are Fin-Tech firms | 2/3 are not banks
    Members: ABA Adastra Corporation Affinity Credit Union Akoya Ally American Express apimetrics Apiture Assiniboine Credit Union ATB Financial Authlete Axway Back in the Black Bank of America Bank of Montreal Bank of Nova Scotia/ Tangerine Bank Policy Institute BillGo Blanc Labs Blend Labs, Inc. Blucora BNC BotKeeper Callsign Canadian Credit Union Assoc. CCUA Capital One Caspian One Celero Centime Inc Central 1 CU Cequence Security CIBC Citi Group Citizens Bank Cloud Entity CloudVector Codat Computer Services Inc (CSI) Concord Advice Connect Connexussecure Consumer Edge Credit Union Central Alberta Limited DAPI Datapro inc Decision Logic Desjardins Digits Discover Duality Technologies EarnIn EEI Emoney Advisor Empower Retirement Equifax Equitable Bank Everlink Payment Services Inc. EWS Experian F5 Networks Inc. Fairstone Financial Inc.
    Fannie Mae FGS - Fintech Growth Syndicate FI.Span Services Inc Ficanex FICO Fidelity Financial Apps Finconecta Finicity Finovera First Bank First Canadian Title Company Limited Fiserv Flinks ForgeRock FormFree Holdings Co FS-ISAC GT Software H&R Block Home Trust Company IBBIE LLC ICBA Iclose Inclusive Innovations Innovecture Intelliware Interac Internet Tax information Processing Services (ITIPS) Intuit Inverite Jack Henry Inc Japan Association for Financial API's JPMChase KOHO Konsentus Ltd L7 Defense LTD Large Credit Union Coalition LCUC Mass Mutual Mastercard Mazooma Merchant Treasury Meridian Credit Union Microbilt MorningStar Mountain America FCU Mscience MX MyFinApps Navy Federal Credit Union NCRC Neosec New Media IV Holdings Ninth-Wave Nivelo Tech Inc Okta Opportunity Financial Orum - Project Midas Ozoneapi PAI Payments Canada PayPal Petal Card Inc. Ping Identity Plaid Plenee Co PNC PointServ PPIJV Prairie Payments PricewaterhouseCoopers LLP Principal PSCU QuadFI INC. Quicken Quicken Loans Raidiam Services Limited Rattlehub Digital Royal Bank of Canada Sage Salt Security Schwab Securekey self lender Servus Credit Union SIFMA Silicon Valley Bank Simpli Singular Key Skyflow Smart Solution Smart Vault Sovos Spring Labs Star Point Symcor TD Bank The Clearing House The Goldman Sachs Group The Pathfinder Group The Working Group TIAA Transunion True Layer Truist Trust Stamp US Bank USAA UW Credit Union Validifi Vantage Score Verify My Banks Visa Vopay Wells Fargo Xero Xtensifi Yodlee Varo Bank
  • 5. Every Working Group, Committee and the Board are co-chaired by a Financial Institution and a Non-Financial Institution
  • 6. How many consumers are on it?
    TLP AMBER
    UK Open Banking is at 3 million consumers as of March 5th.
    The US also has a higher per-capita usage than the UK (46 per thousand versus 44).
  • 7. The Industry Standard for Consumer Access to Financial Records Problem Context Sensitive Data • Any individual or collection of data elements in transit that requires a combination of security and privacy controls • Evaluated Data: Account Number, Account Holder Name and Address In the Context of Use for Personal Financial Management, Credit and Lending, and Money Movement Need for Protection • Prevent use in a fraudulent transaction • Prevent compromise of private consumer information • Adherence to specific laws and regulations. Protection Approach • Layered set of security techniques across multiple parties with controls for both access and visibility FDX Confidential. All rights reserved. 7
  • 8. Constraints
    • Increased Security: the proposed approach should result in a meaningful increase in security and privacy.
    • Ease of Adoption: the solution should be implementable with reasonable resources and with a high degree of consistency and predictability.
    • Pro-competitive: no business use cases or ecosystem participants should be negatively impacted.
  • 9. Detailed Benefits
    • Improved sensitive data protections throughout the ecosystem.
    • Targeted protections, e.g., field-level encryption focused on the relevant data.
    • Complements existing data security models by layering techniques.
    • End-user transparency into data usage.
    • Reduced need for sensitive data sharing via alternate means of satisfying use cases.
    • Reduces the potential for first-party fraud.
    • Improves data integrity.
  • 11. Recommendation Overview
    Categories
    • General Purpose
    • Use Case Specific
    • Emerging
    Primary Assumptions
    • Patterns are recommended in the context of App2App integrations. Data at rest is not addressed.
    • All patterns are to be considered additive to existing patterns already in place (e.g., message encryption).
  • 13. Data Encryption and Consent
    • Asymmetric Encryption: sharing of keys between a data provider and a data recipient, used for the encryption and decryption of sensitive data.
    • Granular Consent: a supplementary practice for setting permissions that are driven by the consumer and enforced throughout a multi-party ecosystem.
  • 14. Asymmetric Encryption
    Scope of Data: All
    Use Cases in Scope: All
    Considerations
    • Use only for hops between data provider and data access platform, and from data access platform to data recipient. Encrypt only the relevant data, keeping data needed by intermediary systems in the clear.
    • Trust is established without exchanging private keys.
    • Partner public keys are signed and verified using a mutually trusted Certificate Authority's public key.
    • The Certificate Authority is responsible for establishing the identity of the individual organizations.
    • The FDX API Security Model and FDX API documentation describe the pattern and implementation techniques in detail.
    What Problem Can/Does It Solve
    • Prevents PII and sensitive data from traversing internal networks unencrypted. TLS will typically terminate at the API gateway, and the raw content would otherwise traverse the internal network unencrypted.
    • Supports data minimization along with controlling what consumer information is being secured, thus supporting bilateral agreements.
    • Layered prevention against first-party attacks and compromised transport-layer-security encryption, in alignment with FDX security control considerations. Can be used with additional patterns to provide additional levels of security.
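    The field-level encryption the slide describes, as an added example in Go (not FDX code and not the FDX API schema; the record field names, the `SealForRecipient`/`OpenAtRecipient` helpers and the OAEP label are assumptions). Only the sensitive field is encrypted to the recipient's public key, while the fields an intermediary needs to route the record stay in the clear, so a gateway that terminates TLS still never sees the account number. The certificate-based verification of the recipient's public key that the slide assigns to the CA is out of scope here and is represented by a freshly generated key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// AccountRecord is a constructed stand-in for an FDX-style account payload;
// the field names are assumptions, not the FDX API schema.
type AccountRecord struct {
	AccountID        string `json:"accountId"`                  // routing key, stays in the clear for intermediaries
	AccountType      string `json:"accountType"`                // non-sensitive, stays in the clear
	AccountNumber    string `json:"accountNumber,omitempty"`    // sensitive: removed from the wire form
	EncAccountNumber string `json:"encAccountNumber,omitempty"` // RSA-OAEP ciphertext, base64, readable only by the recipient
}

// oaepLabel binds the ciphertext to the field it protects, so a ciphertext
// lifted from one field cannot be presented as another field.
var oaepLabel = []byte("accountNumber")

// SealForRecipient encrypts only the sensitive field with the recipient's
// public key and blanks the clear value. Everything an intermediary (gateway,
// data access platform) needs to route the record is left untouched.
func SealForRecipient(rec AccountRecord, recipientPub *rsa.PublicKey) (AccountRecord, error) {
	if rec.AccountNumber == "" {
		return rec, errors.New("nothing to seal: accountNumber is empty")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, []byte(rec.AccountNumber), oaepLabel)
	if err != nil {
		return rec, err
	}
	rec.EncAccountNumber = base64.StdEncoding.EncodeToString(ct)
	rec.AccountNumber = ""
	return rec, nil
}

// OpenAtRecipient is the data recipient's side: it restores the clear value
// with the private key that never left the recipient.
func OpenAtRecipient(rec AccountRecord, recipientPriv *rsa.PrivateKey) (AccountRecord, error) {
	ct, err := base64.StdEncoding.DecodeString(rec.EncAccountNumber)
	if err != nil {
		return rec, err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ct, oaepLabel)
	if err != nil {
		return rec, fmt.Errorf("field decryption failed: %w", err)
	}
	rec.AccountNumber = string(pt)
	rec.EncAccountNumber = ""
	return rec, nil
}

func main() {
	// Constructed sample key: in practice the recipient's public key arrives in
	// a certificate signed by the mutually trusted CA the slide describes.
	recipientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	record := AccountRecord{AccountID: "acct-0001", AccountType: "CHECKING", AccountNumber: "000123456789"} // constructed
	sealed, err := SealForRecipient(record, &recipientKey.PublicKey)
	if err != nil {
		panic(err)
	}
	wire, _ := json.Marshal(sealed) // what crosses the internal network after TLS terminates
	fmt.Println(string(wire))
	opened, err := OpenAtRecipient(sealed, recipientKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient recovered:", opened.AccountNumber)
}
```

    The JSON printed by `main` carries `accountId` and `accountType` in the clear and the account number only as ciphertext; a ciphertext presented to a different private key, or to the right key under a different label, fails to decrypt rather than yielding a wrong value.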
  • 15. Granular Consent
    Scope of Data: All
    Use Cases in Scope: All
    Considerations
    • Granular consent should always be used where possible, to separate use-case consents that need access to sensitive data from those that don't.
    • Information on the requested use case and the associated sensitive data should be made available to all parties (data providers and data access platforms) to enable them to trigger appropriate controls for the data and use case.
    • Supported by the FDX User Experience Guidelines and the FDX Consent API.
    What Problem Can/Does It Solve
    • Limits the delivery of data provided through exchanges between parties, while providing transparency to the end user.
    • Reduces consumer friction by providing a clear and concise understanding of the data use.
    • Provides consumers a means for increased control over the privacy of their data.
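    How a data provider can enforce a granular consent on the way out, as an added example in Go (not FDX code and not the FDX Consent API; the `Consent` model, the data-cluster names and the field mapping are assumptions). The consent lists the data clusters a use case was granted; `Filter` releases only those fields and reports what it withheld, and `NeedsSensitiveControls` is the signal the slide says should reach every party so the stronger controls for sensitive data can be triggered.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Consent is a constructed model of a consumer's grant: which data clusters a
// specific use case may receive, and until when. Names are assumptions.
type Consent struct {
	ConsentID string
	UseCase   string          // e.g. "PFM" or "MONEY_MOVEMENT"
	Scopes    map[string]bool // granted data clusters
	Expires   time.Time
}

// scopeFields maps a data cluster to the payload fields it unlocks. Only the
// "account_identifiers" cluster exposes sensitive data.
var scopeFields = map[string][]string{
	"account_basic":       {"accountId", "accountType", "nickname"},
	"balances":            {"currentBalance", "availableBalance"},
	"account_identifiers": {"accountNumber", "routingNumber"}, // sensitive
}

// sensitiveScopes are the clusters that trigger the stronger controls
// (encryption, tokenization) described on the following slides.
var sensitiveScopes = map[string]bool{"account_identifiers": true}

// Filter returns only the fields the consent permits, plus the sorted list of
// fields that were withheld so the provider can log or surface them.
func Filter(c Consent, now time.Time, record map[string]string) (map[string]string, []string, error) {
	if !now.Before(c.Expires) {
		return nil, nil, fmt.Errorf("consent %s expired at %s", c.ConsentID, c.Expires.Format(time.RFC3339))
	}
	allowed := map[string]bool{}
	for scope := range c.Scopes {
		for _, f := range scopeFields[scope] {
			allowed[f] = true
		}
	}
	out := map[string]string{}
	var withheld []string
	for field, value := range record {
		if allowed[field] {
			out[field] = value
		} else {
			withheld = append(withheld, field)
		}
	}
	sort.Strings(withheld) // deterministic for logging and tests
	return out, withheld, nil
}

// NeedsSensitiveControls tells a data provider or data access platform whether
// this consent unlocks any sensitive cluster.
func NeedsSensitiveControls(c Consent) bool {
	for scope := range c.Scopes {
		if sensitiveScopes[scope] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed record and consent: a PFM app was granted basics and balances only.
	record := map[string]string{
		"accountId": "acct-1", "accountType": "CHECKING", "currentBalance": "100.00",
		"accountNumber": "000123456789", "routingNumber": "000000000",
	}
	pfm := Consent{ConsentID: "c-1", UseCase: "PFM",
		Scopes: map[string]bool{"account_basic": true, "balances": true},
		Expires: time.Now().Add(24 * time.Hour)}
	released, withheld, err := Filter(pfm, time.Now(), record)
	fmt.Println(released, withheld, err, NeedsSensitiveControls(pfm))
}
```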
  • 16. Use Case Specific Patterns
  • 17. Substitution and Data Minimization
    • Data Masking / Truncation: obfuscation of a value from its original form for the purpose of controlling visibility and exposure.
    • Tokenization: substitutes the value with an opaque identifier that can be used as a replacement for a sensitive data element within an ecosystem.
    • Alternative Data: limiting the sharing and collection of data in order to maintain consumer trust and reduce general security threats.
    • Hashing: a process in which data of any size is mapped to a fixed-length string of characters, used for ensuring that the data has not been altered.
  • 18. Tokenization
    Scope of Data: Account Number
    Use Cases in Scope: Money Movement
    Considerations
    • Implemented at the data provider for better security and control.
    • Ensure tokens are as usable for the purpose as the original account number, e.g., no change to ACH, SWIFT, or other money movement schemes should be needed.
    • Supported in FDX API v4.5 onwards.
    What Problem Can/Does It Solve
    • Protects the account number from being leaked by using a substitute value that can only be used to execute transactions. Substitute account numbers can be reissued and replaced without impacting the end customer.
    • Gives the end customer the ability to deactivate a substitute account number, taking away any holder's ability to move money with it.
    • Streamlines the replacement of account numbers for the account holder, as it requires the customer to be involved.
    • Reduces the risk to all parties in the chain, as nobody holds the actual account number.
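    A provider-side token vault of the kind the slide recommends, as an added example in Go (not FDX code; the `TokenVault` type and its methods are assumptions). Each substitute is all digits and the same length as the real account number, so a money movement scheme that expects an account number keeps working; every recipient gets its own substitute, so one can be revoked by the consumer while the real account and the other substitutes are untouched, and the vault is the only place where a token is ever turned back into the real number.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// TokenVault lives at the data provider. It maps substitute account numbers to
// real ones and never hands the real number to a recipient. Constructed example.
type TokenVault struct {
	mu      sync.Mutex
	byToken map[string]string // token -> real account number (kept after revocation so tokens are never reused)
	active  map[string]bool   // token -> still usable for money movement
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, active: map[string]bool{}}
}

// randomDigits draws n decimal digits from crypto/rand, rejection-sampling each
// byte so the digits are uniform (no modulo bias).
func randomDigits(n int) (string, error) {
	out := make([]byte, 0, n)
	buf := make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		if buf[0] < 250 { // 250 = 25*10, so buf[0]%10 is uniform over 0..9
			out = append(out, '0'+buf[0]%10)
		}
	}
	return string(out), nil
}

// Issue creates a fresh substitute for realAcct with the same length and all
// digits. Called once per recipient so each can be revoked independently.
func (v *TokenVault) Issue(realAcct string) (string, error) {
	if realAcct == "" {
		return "", errors.New("empty account number")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for {
		tok, err := randomDigits(len(realAcct))
		if err != nil {
			return "", err
		}
		if tok == realAcct { // a substitute must never equal the real number
			continue
		}
		if _, taken := v.byToken[tok]; taken { // also covers previously revoked tokens
			continue
		}
		v.byToken[tok] = realAcct
		v.active[tok] = true
		return tok, nil
	}
}

// Resolve runs only inside the provider when a money movement arrives carrying
// a token; an unknown or revoked token resolves to nothing and moves no money.
func (v *TokenVault) Resolve(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if !v.active[token] {
		return "", errors.New("token not active")
	}
	return v.byToken[token], nil
}

// Revoke is the consumer-facing deactivation the slide describes.
func (v *TokenVault) Revoke(token string) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.active[token] = false
}

func main() {
	v := NewTokenVault()
	real := "000123456789" // constructed sample account number
	forPayroll, _ := v.Issue(real)
	forBilling, _ := v.Issue(real)
	v.Revoke(forBilling)
	r1, err1 := v.Resolve(forPayroll)
	_, err2 := v.Resolve(forBilling)
	fmt.Println(forPayroll, r1, err1, forBilling, err2)
}
```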
  • 19. Alternative Data
    Scope of Data: Account Number
    Use Cases in Scope: Account Verification
    Considerations
    • Potential for removing sensitive data from the transaction.
    • Account validation can be done through data such as transaction history rather than the account number.
    • It is becoming more common that credit furnishers do not provide full account numbers.
    • Can impact the robustness of an automated verification process.
    • Without the full account number, it can lead to fraud.
    What Problem Can/Does It Solve
    • Replaces the use of sensitive data with non-sensitive data, reducing the need for additional security measures or design patterns associated with sensitive data.
    • Accomplishes the same business objective using non-sensitive data, which is neutral from a business perspective but superior from a compliance, risk and security perspective. The exact alternative data would be decided on a use-case-by-use-case basis.
    • Minimizes the amount of sensitive data throughout the ecosystem.
  • 20. Verification Query
    Scope of Data: All
    Use Cases in Scope: Account Owner Identity Verification, Money Movement Setup
    Considerations
    • Sensitive data is gathered from the end user and transmitted to the provider for verification.
    • Can be combined with hashing to prevent data transmission in the clear.
    • Instead of requiring the account number to verify, the data recipient sends an identifier supplied by the end user, e.g., account number or phone number, to the data provider. The data provider compares it with the account number or phone number on record and responds with yes if the data match and no if it does not.
    • Bank information becomes the primary source rather than derived data.
    What Problem Can/Does It Solve
    • Reduces the risk from rogue or poorly implemented data recipient apps. Since this method relies on the end user providing the sensitive data to verify, it prevents the data recipient from obtaining this data from the data provider without the end user knowing about it, or worse, under false pretexts.
    • It also reduces the risk surface for ATO fraud by making it difficult for a fraudulent user who took over a legitimate user's credentials to carry out fraud, as the fraudulent user now also needs to know the sensitive data to complete the operation.
  • 21. Masking / Truncation
    Scope of Data: All
    Use Cases in Scope: Account Verification, Account Identification, API call requirements
    Considerations
    • Reconciliation of information with the unmasked data element.
    • Integrity of the data structure with selective masking of data elements.
    • Data Recipient discretion based on use case.
    • Masking used in conjunction with alternative data and verification query increases
    • Generally accepted best practice when working with cardholder data.
    What Problem Can/Does It Solve
    • Protects the data element from being leaked or redistributed, as the source data is masked.
    • Pseudonymization for analytical modeling, regulatory compliance and privacy scenarios.
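    Masking and truncation with the structural edge cases handled, as an added example in Go (not FDX code; `MaskAccountNumber` and `Truncate` are assumed helper names). Separators are kept in place so a downstream parser that expects the original layout still accepts the masked value (the "integrity of data structure" consideration), and a value with no more digits than the number to be revealed is masked completely rather than exposed in full.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// countDigits returns how many decimal digits the value contains.
func countDigits(value string) int {
	n := 0
	for _, r := range value {
		if unicode.IsDigit(r) {
			n++
		}
	}
	return n
}

// MaskAccountNumber replaces all but the last `keep` digits with '*'.
// Non-digit characters (dashes, spaces) are left where they are so the shape
// of the value survives. If the value has `keep` or fewer digits it is fully
// masked, so a short identifier is never revealed in full.
func MaskAccountNumber(value string, keep int) string {
	digits := countDigits(value)
	if digits <= keep {
		keep = 0
	}
	var b strings.Builder
	seen := 0
	for _, r := range value {
		if !unicode.IsDigit(r) {
			b.WriteRune(r)
			continue
		}
		seen++
		if seen > digits-keep {
			b.WriteRune(r) // one of the trailing digits that may be shown
		} else {
			b.WriteRune('*')
		}
	}
	return b.String()
}

// Truncate keeps only the last `keep` digits as a short reference, which is
// what a recipient needs for account identification in a UI. It returns ""
// when the value is too short to truncate safely.
func Truncate(value string, keep int) string {
	var digits []rune
	for _, r := range value {
		if unicode.IsDigit(r) {
			digits = append(digits, r)
		}
	}
	if len(digits) <= keep {
		return ""
	}
	return string(digits[len(digits)-keep:])
}

func main() {
	// Constructed sample values in two common layouts.
	for _, v := range []string{"000123456789", "0001-2345-6789", "6789"} {
		fmt.Printf("%-16s mask=%-16s last4=%q\n", v, MaskAccountNumber(v, 4), Truncate(v, 4))
	}
}
```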
  • 22. Hashing
    Scope of Data: Account Number, Account Holder Name, Account Holder Address
    Use Cases in Scope: Account Verification
    Considerations
    • Used to verify integrity and ensure the original value has not been modified or tampered with.
    • Hashing is not encryption of data: it is a one-way transformation of the data, whereas encryption algorithms are two-way (encrypt, decrypt) functions.
    • Requires use of SHA-256 or SHA-3 (secure hashing algorithms).
    • It is recommended that it be combined with various encryption techniques for added security.
    • Use is well known and there are no real blockers to adoption.
    • Both parties know the original data that is used for comparing.
    What Problem Can/Does It Solve
    • Hashing provides a solution for ensuring the integrity of a given value while adding an additional level of security.
    • Recipients are able to perform verification without needing the value in clear text.
    • If encryption is not implemented or not being used, then it is a feasible alternative to ensure the integrity of the data element and/or message payload.
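    The verification query of slide 20 combined with the hashing of slide 22, as one added example in Go that serves both slides (not FDX code; the `Provider`, `Digest` and `VerifyWithProvider` names and the record layout are assumptions). The end user supplies the value to the recipient, the recipient sends the provider a SHA-256 digest instead of the clear value, and the provider compares it against the digest of its own record and answers only yes or no. Two details go beyond the slides and are labelled as such: the digest is bound to a single-use nonce issued by the provider, because account numbers and phone numbers are low-entropy and a bare SHA-256 of them could be precomputed or replayed, and the comparison is constant-time.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// normalize strips spaces and dashes so "0001-2345-6789" and "000123456789"
// hash identically on both sides.
func normalize(v string) string {
	return strings.Map(func(r rune) rune {
		if r == ' ' || r == '-' {
			return -1
		}
		return r
	}, strings.TrimSpace(v))
}

// Digest is SHA-256 over the provider's nonce, the field name and the
// normalized value. Both parties know the original value, so both can compute
// it. The nonce is an addition to the slide's plain SHA-256 (assumption).
func Digest(nonce []byte, field, value string) string {
	h := sha256.New()
	h.Write(nonce)
	h.Write([]byte(field + "\x00" + normalize(value)))
	return hex.EncodeToString(h.Sum(nil))
}

// Provider models the data provider's verification endpoint over its records.
type Provider struct {
	mu      sync.Mutex
	records map[string]map[string]string // accountId -> field -> value on record
	nonces  map[string][]byte            // accountId -> outstanding single-use nonce
}

func NewProvider(records map[string]map[string]string) *Provider {
	return &Provider{records: records, nonces: map[string][]byte{}}
}

// Challenge starts a verification by handing the recipient a fresh nonce.
func (p *Provider) Challenge(accountID string) ([]byte, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if _, ok := p.records[accountID]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p.nonces[accountID] = nonce
	return nonce, nil
}

// Verify answers yes/no: does the recipient's digest of the end-user-supplied
// value match the digest of the value on record? The nonce is consumed either
// way, so a captured digest cannot be presented twice.
func (p *Provider) Verify(accountID, field, digest string) (bool, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	nonce, ok := p.nonces[accountID]
	if !ok {
		return false, errors.New("no outstanding challenge")
	}
	delete(p.nonces, accountID)
	onRecord, ok := p.records[accountID][field]
	if !ok {
		return false, errors.New("field not verifiable")
	}
	expected := Digest(nonce, field, onRecord)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(digest)) == 1, nil
}

// VerifyWithProvider is the recipient's side of the exchange for a value the
// end user typed in; the clear value never leaves the recipient.
func VerifyWithProvider(p *Provider, accountID, field, userSupplied string) (bool, error) {
	nonce, err := p.Challenge(accountID)
	if err != nil {
		return false, err
	}
	return p.Verify(accountID, field, Digest(nonce, field, userSupplied))
}

func main() {
	// Constructed provider records.
	p := NewProvider(map[string]map[string]string{
		"acct-1": {"accountNumber": "000123456789", "phone": "+15555550100"},
	})
	ok, err := VerifyWithProvider(p, "acct-1", "accountNumber", "0001-2345-6789")
	fmt.Println("match:", ok, "err:", err)
}
```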
  • 24. Future Work
    • API Adoption of Security Patterns: API specifications for approved methods for sensitive data sharing, e.g., verification query, hashing.
    • Decision Framework (Concept): a multi-step process to assist FDX task forces in addressing the sharing of sensitive data for their given use cases.
    • Emerging Technology Use: Trust Frameworks/Verifiable Credentials, Homomorphic and Polymorphic Encryption, Secure Multi-Party Computation, Trusted Execution Environments.
  • 25. Additional References
    • FDX API v4.6
    • FDX API Security Model v3.3
    • FDX User Experience Guidelines 1.0
    These documents are available for free on https://financialdataexchange.org. Login and terms acceptance are required.
  • 26. Q & A

Editor's Notes

  1. https://financialdataexchange.org/FDX/The%20Consortium/FDX/The-Consortium/Members.aspx Some members are non-disclosure.
  2. https://www.openbanking.org.uk/ https://www.reuters.com/article/us-britain-banks/uk-watchdog-looks-to-open-banking-apps-to-help-boost-competition-idUSKBN2AX1EO