Copyright© Nomura Research Institute, Ltd. All rights reserved.
Nat Sakimura (@_nat)
Chairman of the Board, OpenID Foundation
Senior Researcher, Nomura Research Institute
Issues towards Open Banking ecosystem and how
OpenID Foundation tackles them with financial-grade
APIs standard
PAST AND FUTURE OF FINANCIAL-GRADE APIS:
• OpenID® is a registered trademark of OpenID Foundation.
• *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
July 25, 2018
Do you use Personal
Finance Software?
What are the current problems?
When NRI started screen scraping in 2001,
we thought it would be a temporary solution.
“There was OFX, and SAML was coming. SOAP was gaining
momentum. We should be able to get out of scraping business
in a few years time!”
WRONG!
After 15 years, we are still screen scraping.
(2016)
But the wind was changing.
(2016)
Fintech was gaining momentum
(Source) Google Trends
API started to gain attention as one of the
three main components of FinTech
Use cases for Identity Federation
API in Financial sector
1. Account Opening (incl. KYC)
2. Personal Asset Management
3. Payment, Sending Money
4. Loan Application
5. AI assisted portfolio management
(Source) Nikkei BP: Fintech Revolution P.4
(Source) Nikkei BP: FinTech Yearbook
I
• JSON, XML + OAuth 2.0
• INDUSTRY PUSH >
US: FS-ISAC Durable Data API
(Source) FS-ISAC FSDDA WG
OpenID Financial API
REGULATORY PUSH > UK CMA Order and EU PSD2
(SOURCE) ODI OBWG: The Open Banking Standard (2016)
JSON REST
OAuth
OpenID Connect
Open Data in Finance Conference, 15 June 2016, London
http://www.open-data-finance.com/agenda/
Now is the time!
but what API protection?
and what API request/response?
Solution Time!
OpenID Foundation
Financial API (FAPI) WG
(2016)
II. What is OpenID Foundation
• A WG can be spun up when more than three members propose it, subject to approval by the Specs Council and a Board review (2 weeks).
• The Specs Council is composed of the current editors of the specs and checks for overlaps with other WGs or SDOs.
• The Board checks that it will not cause IPR threats to the foundation.
OpenID Foundation is an international standardization organization that specializes in Internet identity and API protection.
II. What is OpenID Foundation
Working Together
OpenID FAPI: Nat Sakimura (Chair), Tony Nadalin (Co-Chair), Anoop Saxena (Co-Chair), (UK OBIE Liaison).
Tony Nadalin is also FIDO 2.0 WG Chair and W3C WebAuthn WG Chair.
Liaison Organizations: TC 68, JTC 1/SC 27/WG 5
II. What is OpenID Foundation
The work progresses through weekly teleconferences, mailing list discussions
and the project repository (https://bitbucket.org/openid/fapi/).
Issue Tracker
Meeting notes
Commit History
Pull Requests
Draft Text
Purpose
The goal of FAPI is to provide JSON data schemas, REST APIs,
and security & privacy recommendations and protocols to:
Enable
• applications to utilize the data stored in the financial account,
• applications to interact with the financial account, and
• users to control the security and privacy settings.
Both commercial and investment banking accounts, as well as insurance and credit card accounts, are to be considered.
(Source) OpenID Foundation Financial API WG draft charter
So that we can finally get rid of
password storing and screen scraping!
It will also help foster
the FinTech companies.
Why OpenID Foundation?
• Right People: Authors of OAuth, JWT, JWS, OpenID Connect are all here.
• Right IPR: Royalty Free, Mutual Non-Assert, so that everyone can use it freely.
• Right Structure: Free to join WGs (sponsors welcome); WTO TBT compliant process.
2 Implementer’s Drafts
• Part 1: Read Only Security Profile
• Part 2: Read and Write Security Profile
[Figure: Redirect Approach / Decoupled Approach / Embedded Approach]
OpenID Foundation
Financial-grade API (FAPI) WG
(2018)
But the EC almost requires PASSWORD SHARING
Though it is illegal in France…
To combat the situation, we have
• CIBA: The Decoupled Approach
• Manual per-app “password” for third-party applications.
Hoping to come up with a solid draft by the end of the
summer
Join the group!
https://openid.net/wg/fapi/

Issues towards Open Banking ecosystem and how OpenID Foundation tackles them with financial-grade APIs standard #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 25, 2018