
Open Banking APIs on AWS

Speakers:
Ronan Guilfoyle, Specialist Solutions Architect, AWS
Ramandeep Singh, Director, Solution Leader, Financial Services, Capgemini

PSD2 and Open Banking came into force this year, with different levels of adoption across the industry. This session shows how to run Open Banking APIs on AWS, the challenges and architectures involved, and why AWS makes sense for internet-facing environments, even with a traditional on-premises core.


  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ronan Guilfoyle, Solutions Architect, Oct 1st 2018. Open Banking: Deploying Open Banking APIs on AWS
  2. Why Open Banking? Open Banking is the secure way to give providers access to financial information [1].
     • Works with online or mobile banking
     • Provides a clearer view of a consumer’s finances
     • Quick, easy, and direct payments
     • Transform price comparison websites
     The Competition and Markets Authority (CMA) investigated retail banking and found a lack of competition. The CMA produced a wide-reaching package of reforms; one of the remedies is Open Banking.
     [1] “What is Open Banking?”, Open Banking Limited, 2018, https://www.openbanking.org.uk/customers/what-is-open-banking/
  3. A bitter pill?
  4. Or the best medicine? “Banks aren’t being disrupted by FinTech technology, they’re being disrupted by customer expectations.” - McKinsey & Company
  5. European standards are accelerating adoption. Open Banking regulation requires banks to release data and provide access to payment transactions in a secure, standardized form, so authorized organizations can easily access it online for their own consumer applications. PSD2 is a directive that specifies only technical framework conditions, but no standards for interfaces. Open Banking is a technical standard for APIs that allows authorised third party providers (TPPs) access to current account transactions and to initiate payments on behalf of a payment service user (PSU).
  6. Why build Open Banking in the cloud? With AWS, financial institutions can meet regulatory requirements while creating strategic value: build a secure, scalable, innovative platform for Open Banking.
     • Build unified APIs on multiple microservices
     • Scale APIs based on demand
     • Innovate faster
     • Implement high levels of security
     • Authenticate and authorize requests
     • Enable throttling and protect against DDoS attacks
  7. Requirements: Open Banking APIs are complex.
     • Mutual TLS authentication (API and IdP), as specified by Open Banking & the Berlin Group
     • OCSP certificate validation, with CRL fallback
     • FAPI & CIBA security profiles
     • OAuth2 hybrid flow
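The OAuth2 hybrid flow listed in the requirements returns `code`, `state` and `id_token` together on the front channel, and the FAPI profile requires the client (the TPP) to verify the ID token, including its c_hash and s_hash claims, before it redeems the code. The block below is an added example, not code from the deck, AWS or Open Banking Limited: an HS256 shared key stands in for the PS256 signing that FAPI mandates so it runs with the standard library alone, and the issuer, client id, key and token values are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed sample values (assumptions for the demo, not from the deck).
SHARED_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://bank.example/oidc"   # hypothetical authorisation server
CLIENT_ID = "tpp-client-0001"          # hypothetical TPP client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str) -> str:
    """c_hash / s_hash per OIDC for a SHA-256 alg: base64url(left 128 bits of SHA-256)."""
    return _b64url(hashlib.sha256(value.encode("ascii")).digest()[:16])


def issue_id_token(code: str, state: str, nonce: str, exp: int) -> str:
    """Authorisation-server side: bind code and state into the ID token.
    HS256 stands in for the PS256 that FAPI mandates (assumption)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": exp, "nonce": nonce,
              "c_hash": left_half_hash(code), "s_hash": left_half_hash(state)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_hybrid_response(id_token: str, code: str, state: str,
                             expected_nonce: str, now: int) -> dict:
    """TPP side: return the verified claims, or raise ValueError naming the
    first failed check. All of these checks are mandatory in the hybrid flow."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    h, p, s = parts
    # Pin the algorithm: the token must not choose how it is verified.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    checks = [
        ("iss", claims.get("iss") == ISSUER),
        ("aud", CLIENT_ID in aud),
        ("exp", int(claims.get("exp", 0)) > now),
        ("nonce", claims.get("nonce") == expected_nonce),
        # c_hash / s_hash bind the front-channel code and state to this signed
        # token, so a substituted code or state is rejected here.
        ("c_hash", hmac.compare_digest(str(claims.get("c_hash")), left_half_hash(code))),
        ("s_hash", hmac.compare_digest(str(claims.get("s_hash")), left_half_hash(state))),
    ]
    for name, ok in checks:
        if not ok:
            raise ValueError(f"{name} check failed")
    return claims
```

With a real PS256 token the signature step is replaced by verification against the authorisation server's published JWK, but the iss, aud, exp, nonce, c_hash and s_hash checks stay exactly as written.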
  8. New payment flows and authentication methods. Graphic © Open Banking Limited, 2018, https://www.openbanking.org.uk/customers/what-is-open-banking/
  9. Reference architecture (diagram). Components shown: Payment Service User, Third Party Provider, AWS Shield, NLBs for the API endpoint and the auth endpoint, a reverse proxy or Marketplace API gateway, a private endpoint, and AWS CloudHSM in its subnet.
  10. Reference architecture (diagram, continued). Further components shown: Amazon API Gateway, banking application instances, a development or mock API back-end, and core banking on-premises.
  11. N-tier API architecture: consumer-facing APIs (Open Banking, PSD2 etc.) and core-facing APIs (Core, Fraud, CRM, KYC etc.).
  12. Find, test, buy, and deploy software in the cloud (AWS Marketplace)
     • Deploy software on demand
     • 1280+ ISVs
     • 4200+ product listings
     • Procure new or BYOL
     • Billed through AWS account
     • Deployed in 15 Regions
     • 160,000 active customers
     • 481M EC2 hours deployed per month
     “Cloud will increasingly be the default option for software deployment.” - Gartner
  13. AWS has an expansive Financial Services network: systems integrators & consultants, and financial technology providers.
  14. Thank you!
  15. Further reading
     • Open Banking standards, https://www.openbanking.org.uk/providers/standards/ : Technical Specifications; Security Profile (FAPI and CIBA profiles); Customer Experience Guidelines
     • https://www.mckinsey.com/industries/financial-services/our-insights/data-sharing-and-open-banking
     • https://www.capgemini.com/2017/06/open-banking-0/
  16. Capgemini Open Banking Platform on AWS. Ramandeep Singh, Product Owner and Lead Architect
  17. © Capgemini 2018. All rights reserved. Open Banking - Dynamic Network of Financial Services (diagram). Participants shown: Open Bank, Other Banks, Payment Services, Account Info & Aggregation, FinTech Partners, Bank Apps & Experiences, Payment Networks, Intelligent Insight & Smart Products.
  18. Capgemini Financial Services
     • Global leader: a global leader in consulting, technology services and digital transformation, Capgemini is at the forefront of innovation to address the opportunities and challenges faced by clients in the evolving world of cloud, digital and platforms.
     • Serving two-thirds of the world’s largest financial services institutions: Capgemini’s Financial Services Strategic Business Unit helps banks, capital markets firms, and insurers meet today’s industry disruptions with innovative business and IT solutions which create tangible value.
     • 45,000 FS professionals: 45,000 FS professionals around the world collaborate across geographies, domains, and technologies to deliver the best tailored solutions to its clients.
     • Over 25 years of global delivery excellence: Capgemini’s Financial Services Unit brings award-winning industry expertise, leading market insights and over 25 years of global delivery excellence to client engagements.
  19. The Challenge - Traditional Banks vs FinTechs
     1. Aggressive timelines to achieve compliance
     2. Risk of opening access to core banking systems and payment engines
     3. Difficult to estimate scale and volume requirements
     4. Cost
  20. Our solution brings together all the pillars needed for banks to thrive in the Open Banking era: the Digital Banking Platform of the Future.
     • Enabling Agility: industry standard domain models (BIAN); microservices based middleware; complete auto provisioning; end to end DevOps tooling
     • Open Innovation: developer portal; API sandbox; AIE innovation ecosystem
     • Open APIs: pre-built Open Banking API standards; API factory blueprint; API analytics
     • Security: DDoS protection; end to end encryption; two-way secure digital trust; explicit customer consent; API Gateway
  21. The Challenge - Traditional Banks vs FinTechs, and how the solution answers each point
     1. Aggressive timelines to achieve compliance: use Capgemini's Ready to Run solution.
     2. Risk of opening access to core banking systems and payment engines: don't open them. Capgemini's AWS based solution provides "Open Bank on Cloud", enabling secure access for open banking APIs while keeping the core banking secure.
     3. Difficult to estimate scale and volume requirements: don't estimate. Using AWS services and Serverless technology removes the guesswork around scale and provides the ability to scale as per business and market needs.
     4. Cost: benefit from the competitive cost of AWS services and Serverless technology, with the option of using industry leading 3rd party packages and products as required.
  22. Benefits
     • Speed of development: the power of infrastructure as code. With AWS, it is easy to spin up different environments for development, testing and integration. 80% reduction in environment creation and maintenance efforts.
     • Run cost: the power of AWS services and Serverless. By using AWS Serverless technologies, start at a low cost and scale as needed. 65% reduction in infrastructure cost of production systems.
     • Security: security as needed in the cloud. By using AWS WAF and DDoS Shield, along with firewall, NACLs, security groups, KMS and IAM, we are able to offer security as per the financial institutes' standards and beyond.
     • Path to cloud: experience and embrace the cloud. Enabling banks to experience the power of the cloud for their production runs and enabling future development on the cloud.
  23. Platform Architecture (diagram). Components shown, by layer: API Management (API Gateway, Developer Portal, Analytics & Reports, API Key Management, Authentication / SCA / MFA, Consent Management, TPP Onboarding, Identity Provider, OAuth2, OIDC OP, LDAP, RBAC); API Orchestration (API Load Balancing, Config Server, API Discovery, Account Request, Payment Setup, Account, Funds Check, Payments API); Adapter Layer (Java / Camel: Consent Adapter, SOAP Adapter, SCA/MFA Adapter, Routing Adapter, NoSQL DB Adapter, REST Adapter, Fraud Prevention System Integration, Customer Device Management Integration); Security and infrastructure (TPP DNS Routing and Health checks, WAF & DDoS Protection, TLS Termination and Certificate Verification, Load Balancing, Infrastructure Monitoring, Central Logging & Reports, Monitoring & logging, Database Service, NoSQL Database, KMS / HSM Encryption); and the Bank's Integration Layer and Core Banking Systems. Layers inside the VPC talk to each other and to the bank over JSON (REST HTTPS).
  24. Multi Dimensional Security on Cloud. As banks become more open and connected, security of data at rest and in motion is a major concern. The Capgemini platform provides multi dimensional security to ensure tight security & authentication, threat protection, and compliance with standards and regulations, all the while maintaining ease of use of the APIs.
     Threat Protection
     § Protection against DDoS attacks and malformed messages
     § Intrusion prevention and network attack protection using a network firewall
     § Client and server certificates to ensure positive identity
     Secure API Access
     § API access secured by OAuth 2.0 and reference access and refresh tokens
     § LDAP directory server based strong developer and application registration process
     § Verification of PoP and additional TPP signature validation
     § Strong customer consent management for private data access
     Vulnerability Protection
     § WAF for detection & prevention of SQL, JavaScript and XPath/XQuery injection attacks
     § Protection against excessive XML/JSON depth and breadth, and malicious content
     § Virus and malware protection using antivirus
     Platform Security
     § Hardened AMIs to secure the OS & PCI compliance
     § Secure Virtual Private Cloud (VPC)
     § Network isolation using subnets, security groups and ACLs
     § Secure, role based platform access using IAM
     § Secure Direct Connect link for connectivity with the Bank
     Analytics and Monitoring
     § Tracking and monitoring of all network activities
     § Detailed access and audit logs
     § Analytics reports and dashboard for API status and performance monitoring
     Encryption of Data in Motion and at Rest
     § EBS and S3 volume level encryption
     § Amazon KMS for storage, management and rotation of encryption keys
     § End to end encryption of the communication channel using TLS and mTLS
     § Encryption of stored files, databases and logs
  25. Platform Highlights
     Flexible Layered Architecture
     § Independent layers with clear separation of concerns
     § Standard interfaces for inter-layer connectivity
     § Each layer can be scaled, managed and upgraded independently
     § Scalable microservices with service id based invocation
     API Management
     § Pre-built APIs for Open Banking (AISP, PISP, PIISP)
     § API lifecycle management
     § API performance management
     § API monitoring
     § API traffic management / throttling
     § API analytics
     Security
     § DDoS protection, WAF and network firewall
     § End to end encryption of data in motion and at rest
     § API security using OAuth 2.0, JWT reference tokens [Optional]
     § API Gateway policy enforcement
     § PoP (proof of possession) validation for tokens
     Standards & Compliance
     § Adherence to Open Banking standards and security requirements
     § ISO 20022 based messages
     § FAPI & OB Security Profile compliance
     Functional Components
     § Developer portal with developer registration flows
     § Third party registration and onboarding
     § Consent management application
     § Service monitoring, alerts, service resilience
     § Data masking, logging & reports dashboard [Optional]
     Platform
     § Configured to work on AWS
     § Provision to sandbox
     § Full auto provisioning of all components enabling single click deployment
     § High availability and load balancing
     § Full CI-CD pipeline for dev, deployment and versioning
  26. Continuous Integration and Continuous Deployment Capabilities (pipeline diagram). Rapid deployments enabled through a fully integrated CI/CD pipeline. Inputs: Development & Configuration, Project/Task Management, Source Code Repository, IDEs (Eclipse, etc.), System of Records – Service Virtualization. Stages shown: Commit Stage (Static Analysis, Unit Test, Compile, Packaging); Acceptance Stage (Environment Provisioning, Acceptance Test, Deployable Software); Load + Perf Stage (Load Testing, Perf Testing, Ready to release Software); Release Stage (Production Environment, Monitoring & Control).
  27. Use cases: our professional view on the bare minimum use cases in scope for the solution.
     Account Information
     • Account Information (for multiple accounts)
     • Account Information (for one account)
     • All Transaction Information (for one account)
     • Balance Information (for one account)
     • Beneficiaries Information (for one account)
     • Consent Authorization
     • Consent Record Retrieve
     • Consent Revoke
     • Consent Setup
     • Credit Transaction Information (for one account)
     • Debit Transaction Information (for one account)
     • Direct Debits Information (for one account)
     • Get Consent List for a Customer (utility)
     • Products Information (for one account)
     • Standing Orders Information (for one account)
     Business Monitoring
     • All API Analytics
     • All API Summary Report
     • API wise response time
     • API wise TPP activity
     • Calls made by a TPP based on the time range
     • PSU wise API Invocation Count Dashboard
     • PSU wise TPP Activity Report
     • Reports Audit Log
     • TPP activity for a given PSU
     • TPP Onboarding summary report
     • TPP Role wise activity report
     Developer Portal
     • Developer Account Management
     • Developer Application Registration (getting CID/SECRET)
     • Developer Login
     • Developer Registration
     • View API Documentation
     Platform Monitoring
     • Perform platform tuning and modifications
     • Review health and alerts
     • User activity monitoring
     TPP Portal
     • TPP Account Management
     • TPP Application Registration (getting CID/SECRET)
     • TPP Login
     • TPP Registration
  28. Capgemini Open Banking (CMA/PSD2) platform for a leading bank in Ireland. Capgemini played a pivotal SI role in developing a CMA/PSD2 compliant Open Banking platform, delivering a complex multi-vendor platform on time, as per regulatory timelines, and with high quality.
     Business challenges
     § The client is an Irish major (part of the CMA9) and was looking for a solution to implement PSD2 APIs as per the CMA Open Banking UK specification
     § The client was facing very tight regulatory timelines, so needed a solution that could be implemented within the required timelines
     § The client was looking for a solution that would cover their CMA needs for the UK as well as PSD2 compliance for the rest of the European market
     § The client wanted a partner to guide them on the Open Banking journey: PSD2 compliance and value added services
     § The client was also interested in utilizing the power of the cloud for implementing such a platform, was looking for a partner who could guide them in developing cloud infrastructure, and was also planning to migrate other systems to the cloud
     Capgemini's role
     § Acted as a single point of contact for the Bank for the multi vendor platform
     § Managed vendor SLAs and contracts
     § Worked with different vendors to influence their product roadmaps to develop the required product features
     § Engaged vendor and 3rd party consultants for product expertise
  29. Case Study: Capgemini Open Banking PSD2 platform for a European credit card company
     Business challenges
     § The client is a European cards major and was looking for a ready-to-use solution to become compliant with the PSD2 guidelines
     § The client wanted quick adoption of the open banking regulations and was looking for a solution with low turnaround times
     § The client wanted a single system that could cover multiple countries and branches
     § The client was looking for a partner who could build and operate the system on their behalf
     § The client wanted a partner to guide them on the Open Banking journey: PSD2 compliance and value added services
     Capgemini approach
     • Capgemini Open Banking API platform: Capgemini utilized its Open Banking API platform, with ready to use PSD2 compliant APIs, to implement the PSD2 APIs for the client. The ready to use platform provides the complete infrastructure, security and access functionality needed to implement the APIs.
     • Distributed delivery model: utilized a distributed delivery model with the product team and development team located in Pune (India) and the implementation team supporting the bank locally in the Netherlands.
     • Expertise: Capgemini deployed its PSD2 domain experts to enable the bank's business teams with the required domain knowledge.
     • Software as a Service: Capgemini deployed its PSD2 platform on AWS Cloud and provided complete management and operation of the system in a SaaS model.
     Value delivered
     § The client could achieve PSD2 compliance well ahead of the regulatory timelines
     § The client started planning and development of their value added APIs and services, which would also be deployed on the same platform along with the regulatory APIs
     § Developer portal: a secure environment for external third party developers to utilize the client’s services to develop new services and integrate the APIs in different consumer facing applications
     § Fully supported SaaS model: does not need any time investment from the Bank's business and technical teams and enables them to focus on the core business and value adds
  30. About Capgemini. A global leader in consulting, technology services and digital transformation, Capgemini is at the forefront of innovation to address the entire breadth of clients’ opportunities in the evolving world of cloud, digital and platforms. Building on its strong 50-year heritage and deep industry-specific expertise, Capgemini enables organizations to realize their business ambitions through an array of services from strategy to operations. Capgemini is driven by the conviction that the business value of technology comes from and through people. It is a multicultural company of 200,000 team members in over 40 countries. The Group reported 2016 global revenues of EUR 12.5 billion. Learn more about us at www.capgemini.com. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. Copyright © 2017 Capgemini. All rights reserved. People matter, results count.
