The document discusses RAiDiAM and its Open Banking Identity product. It summarizes: - RAiDiAM was created to help with identity challenges of Open Banking and PSD2 regulations. It provides consulting and modular/scalable identity architecture services. - The Open Banking Directory was developed as a trust framework "hub" to enable secure transactions between authorized financial companies using standards like OAuth2 and OIDC. - It describes the Directory's key components, onboarding process to issue credentials to companies, and role in later transactions to validate claims between financial entities.

1. © RAIDIAM 2018.All Rights Reserved.
RAiDiAM
The Open Banking Identity product
July2018 Information Classification: Confidential © RAIDIAM 2018. All Rights reserved.

2. © RAIDIAM 2018.All Rights Reserved.
About RAiDiAM
Strictly Confidential 2
Created to help with identity focused aspects of Open Banking and PSD2
regulatory challenges
Provides consulting and project delivery services focused on customer
identity using an architecture that is modular and scalable
We have delivered services to Open Banking, various large UK financial
services organizations and some software vendors
Have been engaged with Open Banking Implementation Entity since
January 2017 performing consulting and deeply engaged in architecture,
design, and delivery of UK CMA remedies and as part of that “The Open
Banking Directory”

3. © RAIDIAM 2018.All Rights Reserved. 3
Ralph Bragg
CTO, Founder
IAM Consultant
Standardsspecialist
Barry
O’Donohoe
CIO, Founder
IAM Consultant
Mark Haine
CEO, Founder
IAM Consultant
Daryl Searle
OperationsDirector and
ProgrammeManager

4. © RAIDIAM 2018.All Rights Reserved.
What’s Changing
4
• The banking services landscape is being radically transformed to promote increased
competition and innovation.
• This transformation is being driven by industry and regulatory directives that envisions
Open Banking APIs – UK CMA & EBA
• Third Party Providers (TPPs) will consume standard banking APIs to provide Account
Information and Payment Initiation Services
• TPP access to accounts (XS2A) must be secured by Banks’ using Strong Customer
Authentication (SCA) per technical standard, RTS
• With traditional security perimeters dissolving, a new approach is needed to ensure
security postures remain within risk appetite.
• Enabling this vision necessitates an identity-centric security model underpinned by open
international standards - OAuth2 & OIDC
• The GDPR in full force since 25th May 2018 for all
EU countries, including the UK despite Brexit being
underway.
• This will present major implications for Consumer
IAM platforms in dealing with customer (data
subject) consent.
• Consents need to be ‘freely given, specific,
informed and unambiguous’ – IAM will be on the
front line in dealing with this.
• Fine-grained consent management and its
enforcement on an API channel being used by a 3rd
Party client is non-trivial.
Financial Services APIs
Open Banking & PSD2
Data privacy
EU - General Data Protection
Regulation

5. © RAIDIAM 2018.All Rights Reserved.
Open Banking - the company
Strictly Confidential 5
An independent company “Open Banking Implementation Entity” was created by the banks but
driven by CMA order to deliver the “Open Banking remedies”.
The primary objective was to increasecompetition by opening up access to data and services that
werepreviously exclusiveto the UK banks.
There werea number of parallel workstreams on topics such as legal framework, customer
experience, functional APIs and Security
The technical workstreamsresulted in a decision to focus on a modern API based ecosystemin a
standardized fashion (screen scraping would notdo).
The security workstream agreed OAuth2 as the basis for the ecosysteminteractions with a trust
framework underpinning it.

6. © RAIDIAM 2018.All Rights Reserved.
Open Banking – the identity product
Strictly Confidential 6
In order for the technicalcomponentsto transact with each there there would need
to be a way to quickly and simply establisha level of trust sufficient to perform
financialtransactions.
A many-many trust model is difficult to scale so a hub and spoke model was
developed.
“The Directory” was born.
The challengewas to build,test and deployin 6 months in a multi-party ecosystem
that had a number of risk averse members using a team that was entirelynew.

7. © RAIDIAM 2018.All Rights Reserved.
Architecture principles
7
• Open Standardsbased interactions
• Prefer off-the shelf software
• Loosely coupled
• Applies separationof concerns
• Internet scalable
• Secure by design
• The solutionsand components
should be interoperable
• There was a need to deliver
quickly
• The requirementswere not all
known so there would be a
need for future flexibility
• Trying to apply security after
the applicationbuildwould
have likely been very
challenging
• Ongoing support model was
unclear
Why these principles?

8. © RAIDIAM 2018.All Rights Reserved.
The Directory – Actors
8
Open Banking ecosystem Actors:
• Regulators
• Authorised Companies(Banks
and third parties)
• People representing those
companies
• Technicalcomponents
belonging to those companies
Entity Relationships in
the directory
Open Banking ecosystem
Actors:

9. © RAIDIAM 2018.All Rights Reserved.
The Directory – a trust framework
Strictly Confidential 9
Key concept
• The FS customer does not interact directly with
Open Banking
• Open Banking systems are not in the transaction
flow
2 Phases
• On-Boarding
• Transacting

10. © RAIDIAM 2018.All Rights Reserved.
The Directory – On-Boarding
Strictly Confidential 10
For on-boarding each authorized company must go through
a process to create the necessary records, credentials and
certificates required to interact with other members of the
ecosystem. These credentials are issued by OB.
The on-boarding process checks the identity of the human
actors and the status of them and the claimed organization.
The OB credentials and certificates provided need to be
configured in the technical components belonging to the
company in question.
Additionally Fintechs must then also use their OB
credentials to register their applications with each of the
banks that they wish to transact. This would result in
credentials for Fintech -> Bank interactions.

11. © RAIDIAM 2018.All Rights Reserved.
The Directory – Transacting
Strictly Confidential 11
Once the onboarding has been performed the
Fintech will be able to engage with customers who
wish to share their data and permit a fintech to
transact on their behalf.
There is detailed documentation of how that flow
works but from the perspective of the directory
the only involvement is checking the authorization
of entities and their associated credentials.
In practice this means that a Bank can check the validity of claims presented by a
Fintech and visa-versa.
Customer identity claims, consent and authorization are primarily handled by each
Bank and do not involve the Open Banking Directory.

12. © RAIDIAM 2018.All Rights Reserved.
The Directory – Interfaces
Strictly Confidential 12
Web interface for on-boardingand self
service
APIs for reading variousattributesof an
entity
OpenID Provider for federation of authorized
human actors from Open Banking to Bank
developer portals
JWKS for accessing keys used for signing objects used in the ecosystem
CRL & OCSP for validationof certificates

13. © RAIDIAM 2018.All Rights Reserved.
The Directory – Key components & protocols
Strictly Confidential 13
Components
Onboarding CRM platform
Directory front end JS app
Microservices Custom Javaand Python components
Data store Commercial off the shelf LDAP
Data model OB specific
OIDC Components Commercial off the shelf software
User MFA Managedservice
Certificate authority Managedservice
Protocols
OAuth2 and OpenID Connect
SCIMv2
LDAP
HTTPS

14. © RAIDIAM 2018.All Rights Reserved.
Internals - Logical architecture
Strictly Confidential 14
OpenID provider
for human actors
OpenID Provider
for trust
framework
& Relying party
for human actors
SCIMv2 services
layer
Application
Microservices
File serviceQueue serviceData StoreData Store
Certificate
Authority
Identity policy enforcement
OIDC Relying party
OpenIDProvider
AndAuthorisation
Server
APIfor
directory
attributes
APIfor
directoryattributes
and webapplication
OpenIDProvider
AndAuthorisation
Server
JWKSfor signingkeys
and validity
OCSP& CRL for
certificate validity

15. © RAIDIAM 2018.All Rights Reserved.
The Directory – Future changes
15
eIDAS certificates as
identity source
New journey for
on-boardinga
new company
basedon eIDAS
identity
Directory providing
attributesfor eIDAS
identities
Changesthattighten
up the OpenBanking
security profile in
line with FAPI
PSD2
alignment
API only on-
boarding
Directory as
attribute provider
• With the challengingtimescales, Open Banking hadto consider thatsome requirementscouldnotbe achieved by
the original CMA deadline
• The following itemsare some of the changes that are planned for the OpenBankingDirectory and ecosystem
Next steps
FAPI-OB
convergence

16. © RAIDIAM 2018.All Rights Reserved.
Reference materials
Strictly Confidential 16
https://www.openbanking.org.uk/providers/directory/
https://openbanking.atlassian.net/wiki/spaces/DZ/overview

17. © RAIDIAM 2018.All Rights Reserved. 17
www.raidiam.com
+44 (0) 203 504 6440
50 Brook Street,
Mayfair,London.
W1K 5DR
info@raidiam.com
Get in touch