Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018


By Mark Haine (Open Banking Limited)


  1. © RAIDIAM 2018. All Rights Reserved. RAiDiAM – The Open Banking Identity product, July 2018. Information Classification: Confidential.
  2. About RAiDiAM
     • Created to help with identity-focused aspects of Open Banking and PSD2 regulatory challenges
     • Provides consulting and project delivery services focused on customer identity, using an architecture that is modular and scalable
     • We have delivered services to Open Banking, various large UK financial services organizations and some software vendors
     • Engaged with the Open Banking Implementation Entity since January 2017, performing consulting and deeply engaged in the architecture, design and delivery of the UK CMA remedies, including, as part of that, “The Open Banking Directory”
  3. Team:
     • Ralph Bragg – CTO, Founder; IAM Consultant, Standards specialist
     • Barry O’Donohoe – CIO, Founder; IAM Consultant
     • Mark Haine – CEO, Founder; IAM Consultant
     • Daryl Searle – Operations Director and Programme Manager
  4. What’s Changing – Financial Services APIs; Open Banking & PSD2; Data privacy (EU General Data Protection Regulation)
     • The banking services landscape is being radically transformed to promote increased competition and innovation.
     • This transformation is being driven by industry and regulatory directives that envision Open Banking APIs – UK CMA & EBA.
     • Third Party Providers (TPPs) will consume standard banking APIs to provide Account Information and Payment Initiation Services.
     • TPP access to accounts (XS2A) must be secured by banks using Strong Customer Authentication (SCA) per the technical standard, the RTS.
     • With traditional security perimeters dissolving, a new approach is needed to ensure security postures remain within risk appetite.
     • Enabling this vision necessitates an identity-centric security model underpinned by open international standards – OAuth2 & OIDC.
     • The GDPR has been in full force since 25th May 2018 for all EU countries, including the UK despite Brexit being underway.
     • This will present major implications for Consumer IAM platforms in dealing with customer (data subject) consent.
     • Consents need to be ‘freely given, specific, informed and unambiguous’ – IAM will be on the front line in dealing with this.
     • Fine-grained consent management and its enforcement on an API channel being used by a 3rd Party client is non-trivial.
  5. Open Banking – the company
     An independent company, the “Open Banking Implementation Entity”, was created by the banks but driven by the CMA order to deliver the “Open Banking remedies”. The primary objective was to increase competition by opening up access to data and services that were previously exclusive to the UK banks. There were a number of parallel workstreams on topics such as the legal framework, customer experience, functional APIs and security. The technical workstreams resulted in a decision to focus on a modern API-based ecosystem in a standardized fashion (screen scraping would not do). The security workstream agreed OAuth2 as the basis for the ecosystem interactions, with a trust framework underpinning it.
  6. Open Banking – the identity product
     In order for the technical components to transact with each other there would need to be a way to quickly and simply establish a level of trust sufficient to perform financial transactions. A many-to-many trust model is difficult to scale, so a hub-and-spoke model was developed: “The Directory” was born. The challenge was to build, test and deploy in 6 months, in a multi-party ecosystem that had a number of risk-averse members, using a team that was entirely new.
  7. Architecture principles
     • Open Standards based interactions
     • Prefer off-the-shelf software
     • Loosely coupled
     • Applies separation of concerns
     • Internet scalable
     • Secure by design
     • The solutions and components should be interoperable
     Why these principles?
     • There was a need to deliver quickly
     • The requirements were not all known, so there would be a need for future flexibility
     • Trying to apply security after the application build would likely have been very challenging
     • The ongoing support model was unclear
  8. The Directory – Actors
     Open Banking ecosystem actors:
     • Regulators
     • Authorised Companies (banks and third parties)
     • People representing those companies
     • Technical components belonging to those companies
     (Figure: entity relationships in the directory)
  9. The Directory – a trust framework
     Key concept:
     • The FS customer does not interact directly with Open Banking
     • Open Banking systems are not in the transaction flow
     Two phases:
     • On-Boarding
     • Transacting
  10. The Directory – On-Boarding
     For on-boarding, each authorized company must go through a process to create the necessary records, credentials and certificates required to interact with other members of the ecosystem. These credentials are issued by OB. The on-boarding process checks the identity and status of the human actors and of the claimed organization. The OB credentials and certificates provided need to be configured in the technical components belonging to the company in question. Additionally, Fintechs must then also use their OB credentials to register their applications with each of the banks that they wish to transact with. This would result in credentials for Fintech -> Bank interactions.
  11. The Directory – Transacting
     Once on-boarding has been performed the Fintech will be able to engage with customers who wish to share their data and permit a Fintech to transact on their behalf. There is detailed documentation of how that flow works, but from the perspective of the directory the only involvement is checking the authorization of entities and their associated credentials. In practice this means that a Bank can check the validity of claims presented by a Fintech, and vice versa. Customer identity claims, consent and authorization are primarily handled by each Bank and do not involve the Open Banking Directory.
  12. The Directory – Interfaces
     • Web interface for on-boarding and self service
     • APIs for reading various attributes of an entity
     • OpenID Provider for federation of authorized human actors from Open Banking to Bank developer portals
     • JWKS for accessing keys used for signing objects used in the ecosystem
     • CRL & OCSP for validation of certificates
  13. The Directory – Key components & protocols
     Components:
     • Onboarding – CRM platform
     • Directory front end – JS app
     • Microservices – custom Java and Python components
     • Data store – commercial off-the-shelf LDAP
     • Data model – OB specific
     • OIDC components – commercial off-the-shelf software
     • User MFA – managed service
     • Certificate authority – managed service
     Protocols:
     • OAuth2 and OpenID Connect
     • SCIMv2
     • LDAP
     • HTTPS
  14. Internals – Logical architecture
     (Diagram; components shown:) OpenID Provider for human actors; OpenID Provider for the trust framework & Relying Party for human actors; SCIMv2 services layer; application microservices; file service; queue service; data stores; Certificate Authority; identity policy enforcement; OIDC Relying Party; OpenID Provider and Authorisation Server; API for directory attributes; API for directory attributes and web application; JWKS for signing keys and validity; OCSP & CRL for certificate validity.
  15. The Directory – Future changes
     Next steps:
     • With the challenging timescales, Open Banking had to consider that some requirements could not be achieved by the original CMA deadline
     • The following items are some of the changes that are planned for the Open Banking Directory and ecosystem
     Planned changes:
     • PSD2 alignment – eIDAS certificates as identity source
     • API-only on-boarding – new journey for on-boarding a new company based on eIDAS identity
     • Directory as attribute provider – Directory providing attributes for eIDAS identities
     • FAPI-OB convergence – changes that tighten up the Open Banking security profile in line with FAPI
  16. Reference materials
  17. Get in touch: +44 (0) 203 504 6440; 50 Brook Street, Mayfair, London W1K 5DR
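Slides 11 and 12 describe the transacting phase and the Directory's JWKS interface: a Bank checks the validity of claims presented by a Fintech against keys the hub publishes, rather than exchanging keys bilaterally with every counterparty. The Go program below is an added example written for this page; it is not code from Open Banking, Raidiam or the Directory, and it does not reproduce the ecosystem's actual claim sets, key formats or signing profile. Using only the standard library, it models the hub-and-spoke check in the small: publishKey stands in for the JWK entry the hub would publish for a member key, signES256 for a member signing a request object, and verifyES256 for the counterparty resolving the header's kid against the hub's JWKS, verifying the signature and checking expiry. The key id, organisation id and five-minute lifetime are constructed values; the CRL/OCSP certificate checks the Directory also offers are out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of an RFC 7517 EC key entry a verifier needs; jwks is the JWKS document shape.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type jwks struct{ Keys []jwk `json:"keys"` }
var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout
// publishKey is the hub-side step: the JWK the directory would publish for a member's P-256 key.
func publishKey(kid string, pub *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256", Kid: kid,
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// signES256 is the spoke-side step: a member signs claims as a compact JWS, naming its kid.
func signES256(kid string, priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	payload, _ := json.Marshal(claims) // string/number claims cannot fail to marshal
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // raw R||S (RFC 7518 3.4)
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyES256 is the counterparty's check: resolve kid via the directory JWKS, verify, check expiry.
func verifyES256(token string, keys jwks, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string } // encoding/json matches alg/kid case-insensitively
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil {
		return nil, fmt.Errorf("bad JWS header")
	}
	if hdr.Alg != "ES256" { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var key *jwk
	for i := range keys.Keys {
		if k := &keys.Keys[i]; k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			key = k
		}
	}
	if key == nil {
		return nil, fmt.Errorf("kid %q is not a current key in the directory JWKS", hdr.Kid)
	}
	xb, errX := b64.DecodeString(key.X)
	yb, errY := b64.DecodeString(key.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify against the directory key")
	}
	payload, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("bad JWS payload")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token missing exp or expired")
	}
	return claims, nil
}

func main() { // constructed demo: register a key with the directory, sign, verify
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	directory := jwks{Keys: []jwk{publishKey("fintech-key-2018-07", &priv.PublicKey)}}
	tok, _ := signES256("fintech-key-2018-07", priv, map[string]any{"iss": "example-fintech-org-id", "exp": time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(verifyES256(tok, directory, time.Now()))
}
```

Two design points carry over to any hub-and-spoke deployment: the verifier pins the algorithm instead of trusting the token header, and an object whose kid does not resolve in the hub's current JWKS is rejected outright, which is what lets the hub retire a member's key simply by no longer publishing it.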