apidays New York 2023 APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media May 16 & 17, 2023 CATTS out of the bag. Bringing uniformity to financial industry APIs Jean-Paul LaClair, Director of Product at FDX ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. The Industry Standard for Consumer
Access to Financial Records
CATTS out of the bag.
Bringing uniformity to financial industry APIs
Jean-Paul LaClair, Sr Director of Product
May 16, 2023

2. In our quest for more convenience in our
financial lives, our financial lives have
become more complex to manage.
CATTS out of the bag. So what?

3. The Industry Standard for Consumer Access to Financial Records
3
FDX Confidential. All rights reserved.
An end consumer’s desires begins to disintermediate
financial services
The situation with data sharing

4. Plus...
Insurance
Borrowing (student loans,
car loans, mortgages…)

5. The Industry Standard for Consumer Access to Financial Records
Where it all started…
5
FDX Confidential. All rights reserved.
Software was developed in the 1990s that
could log in for you, gather the data (screen
scrape), and combine all the data into a
single interface; but required consumers to
share their IDs and Passwords
Consumers with accounts at multiple
banks had to manually combine the data.
The situation with data sharing

6. The Industry Standard for Consumer Access to Financial Records
And where it’s likely to go
6
FDX Confidential. All rights reserved.
The situation with data sharing
Volume of data created, captured, copied,
and consumed worldwide from 2010 to
2020, with forecasts from 2021 to 2025
© Statista 2023
(in zettabytes)

7. More options to manage finances
More complex financial lives
More creation, consumption, and storage of data
More data sharing

8. RED ALERT
Things are getting complicated

9. The Industry Standard for Consumer Access to Financial Records
Screen scraping requires sharing credentials
9
FDX Confidential. All rights reserved.
Red alert… that situation is causing complications
Customer provides
credentials to a 3rd party
3rd party uses the credentials to log-in and scrape data.
They can see ANY data the customer can see today.

10. The Industry Standard for Consumer Access to Financial Records
Credential-based data sharing
10
FDX Confidential. All rights reserved.
Red alert… that situation is causing complications
Consider the impact to the Banking Industry’s Infrastructure, Cyber Posture, and Privacy Posture
Rules of Thirds
• Approximately 1/3 of financial
institution customers share their
financial data with third parties1
• This equates to at least 100 million
U.S. consumers
Financial institution online traffic is,
on average1,2:
Just how big is it…?

11. 11
Popular FinTech app breached.
Millions of member IDs and PWs in
paste bins all over the dark web.
- June 1, 2023
…Chief Privacy Officer is on Line 1
…Board Risk Committee Chair is on Line 2
…60 Minutes is on Line 3
…Brian Krebs is calling your cell
How many of our customers were affected? We don’t know, maybe as much as 15-20%. Customer data has been confirmed in multiple
paste bins and call center call volume is intensifying.
What data was at risk? Anything the customer’s eye can see, including PII and full account numbers.
Are we seeing an increase in ATO and Fraud? There is an uptick, but attribution is not certain.
What are we doing about it? We have blocked that app with our WAF, our SOC is monitoring things closely, and we are in contact with our
peers and industry groups for signals and signature sharing and will reset compromised accounts and offer a year of privacy monitoring.
How many of our customers were affected? None. We converted from credentials-based access to token based last year using FDX.
Should the app itself become an issue, exactly nn,nnn customers use the app and we can revoke one or all tokens at any time with no
impact to their access to our online bank or our mobile app.
What data was at risk? Only the following fields were permissioned to the app: xx, yy, zz,
Are we seeing an increase in ATO and Fraud? No. No credentials were lost, and customer data was limited to the minimum the app
needed to function.
What are we doing about it? We have blocked that app from our API using our ACL and WAF, our SOC is monitoring things closely, and we
are in contact with our peers and industry groups for signals and signature sharing. Any tokens lost are unusable by external actors. Our
Fraud and Info Sec teams are engaged with the app for forensic review and remediation steps as we are both FDX members.
Which of these two conversations do you want to have with the callers?
Future
FICTIONAL
Headline

12. The Industry Standard for Consumer Access to Financial Records
Lack of interoperability
12
FDX Confidential. All rights reserved.
Red alert… that situation is causing complications

13. Let the CATTS out of the bag

14. The Industry Standard for Consumer Access to Financial Records
FDX is an international, nonprofit technical standards body dedicated to unifying the financial
industry around a common, interoperable, royalty-free standard for the secure access of
permissioned consumer and business financial data, the FDX API.
© FDX, all rights reserved
FDX does not comment on policy or engage in lobbying.
User Experience
Security
Certification
API & Data Structures
FDX Specifications v5.2.1
FDX is a subsidiary of FS-ISAC.
Financial Data Exchange – A Standard
Our Members
> 230 members | ¼ of members are Fin-Tech firms | 2/3 are not banks | 1/3 are Canadian
Our Leadership
Our Board comprises 12 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2
Industry Groups, FS-ISAC, 1 Canadian Fintech, 1 Canadian Financial Institution and 1
Consumer Advocacy Group observer.
Our Adoption
53 Million Consumer Accounts using FDX API as of Spring 2023

15. The Industry Standard for Consumer Access to Financial Records
A Market Standard
15
FDX Confidential. All rights reserved.
Technology Regulation
Standardized
Payload
Connectivity
Security
& Auth
User Experience
Industry (the How) Government (the What)

16. 80 kph
50 mph
Technology Regulation
User
Experience
Connectivity
(TLS)
Security &
Authentication
(FAPI & FIDO)
Payload
(JSON)
JSON just tells us the type of object the truck is carrying – e.g., a shipping container.
The contents can be anything the sender and receiver agree on:
FDX format, ISO 20022 Format, IRS Tax (FIRE), or proprietary.
Components of the FDX Standard

17. Security & Authentication Stack

18. The Industry Standard for Consumer Access to Financial Records
Principles for Consumer-Permissioned Data Sharing
18
FDX Confidential. All rights reserved.
AKA: CATTS C
A
T
T
S

19. The Industry Standard for Consumer Access to Financial Records
FDX Specifications
19
FDX Confidential. All rights reserved.
API and Data Structures
1. Components
2. Core information – Accounts
and Transactions
3. Customer Information
4. Consent, Recipient Registration
5. Tax, Money Movement,
Metrics, Events, Fraud, and
Registry
User Experience
1. UX Guidelines – Consent Grant,
Notification, Viewing, and
Revocation
2. Data Clusters Mapping
3. Taxonomy
Security
1. Security Model (AuthN &
AuthZ), Security for Sensitive
Data, Secure App Onboarding
2. Control Consideration
3. Recipient Registration
Guidelines
Certification
1. Provider Requirements
2. Recipient Requirements
3. Data Access Platform
Requirements
4. Certification Use Cases
5. Certification Model

20. What else…

21. Join us

22. The Industry Standard for Consumer Access to Financial Records
22
FDX Confidential. All rights reserved.