Nomura Research Institute
Nat Sakimura
Chairman of the Board, OpenID Foundation
Senior Researcher, Nomura Research Institute
#cisnola
OpenID Foundation Financial API WG
• OpenID® is a registered trademark of OpenID Foundation.
• *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
June 2016
Anoop Saxena
FAPI WG co-chair, OpenID Foundation
Architect, Intuit
http://openid.net/wg/fapi/
© 2016 by Nomura Research Institute. All rights reserved.
Copyright © 2016 Nat Sakimura. All Rights Reserved.
2
Do you use Personal Finance Software?
What are the current problems?
3
When NRI started screen scraping in 2001,
we thought it would be a temporary solution.
“There was OFX, and SAML was coming. SOAP was gaining momentum.
We should be able to get out of the scraping business in a few years’ time!”
4
WRONG!
5
After 15 years, we are still screen scraping.
6
The situation is changing though.
7
Fintech is gaining a lot of interest lately
(Source) Google Trends
8
API is known to be one of the three main components of FinTech
Use cases for Identity Federation API in the Financial sector
1. Account Opening (incl. KYC)
2. Personal Asset Management
3. Payment, Sending Money
4. Loan Application
5. AI assisted portfolio management
(Source) Nikkei BP: FinTech Revolution, p. 4
(Source) Nikkei BP: FinTech Yearbook
9
JSON, XML + OAuth 2.0
INDUSTRY PUSH >
US: FS-ISAC Durable Data API
(Source) FS-ISAC FSDDA WG
OpenID Financial API
10
REGULATORY PUSH >
EU Payment Service Directive 2 mandates API availability by the end of 2017.
(SOURCE) ODI OBWG: The Open Banking Standard (2016)
JSON REST
OAuth
OpenID Connect
11
Regulatory Pressures: Timelines
Release 1 – to be completed within 12 months
▪ the launch of a tightly scoped Open Banking API, enabling select, read-access, open data use cases.
Release 2 – to be completed by end of Q1 2017
▪ Third party read access to “midata”* personal customer data (Read Only)
Release 3 – to be completed by end of Q1 2018
▪ Similar to R2 but has “midata” business customer data sets (Read Only)
Release 4 – to be completed by end of Q1 2019
▪ Higher Risk – Full read & write access.
* Minimum midata is a csv file. Excerpt from the draft midata minimum standard:
... provided in a single column (indicating whether a transaction is a debit or credit using the symbols -/+),
2.4.5. Running Balance: Provides an account balance after each transaction.
2.4.6. The columns will be titled: Date, Type, Merchant/Description, Debit/Credit, Balance.
2.4.7. Arranged overdraft limit at point of download.
3. Example of midata minimum standard

Draft midata minimum standard
Date       | Type | Merchant/Description | Debit/Credit | Balance
04/03/2014 | VIS  | Boots the Chemist    | £5.00        | £260.00
04/03/2014 | DD   | Fitness First        | -£50.00      | £255.00
03/03/2014 | ATM  | ATM withdrawal       | -£100.00     | £305.00
03/03/2014 | TRF  | etc.                 | -£20.00      | £405.00
02/03/2014 | VIS  | etc.                 | -£75.00      | £425.00
01/03/2014 | CSH  | etc.                 | -£50.00      | £500.00
Arranged overdraft limit: 04/03/2014 £1000.00

(Source) http://www.pcamidata.co.uk/445505-v2-PCA_midata_-_file_content_standard_-_March_2015-2.pdf
12
Open Data in Finance Conference, 15 June, London
http://www.open-data-finance.com/agenda/
13
Now is the time!
14
But what API protection? And what API request/response?
15
Solution Time!
16
OpenID Foundation Financial API WG (FAPI WG)
17
Purpose
The goal of FAPI is to provide JSON data schemas, REST APIs, and security & privacy recommendations and protocols to:
JSON REST
OAuth
OpenID Connect
(SOURCE) ODI OBWG: The Open Banking Standard (2016)
18
Enable
▪ applications to utilize the data stored in the financial account,
▪ applications to interact with the financial account, and
▪ users to control the security and privacy settings.
Both commercial and investment banking accounts, as well as insurance and credit card accounts, are to be considered.
(Source) OpenID Foundation Financial API WG draft charter
19
So that we can finally get rid of password storing and screen scraping!
Enhanced Authentication Profile WG
http://openid.net/wg/eap/
20
It will also help foster the FinTech companies.
21
Possible Approaches
JSON REST
OAuth
OpenID Connect
▪ Based on FS-ISAC DDA; Internationalize; Convert to Swagger.
▪ Based on FS-ISAC DDA; Internationalize; Convert to Swagger and HAL.
22
JSON REST
OAuth
OpenID Connect
▪ Locked down profile for interoperability.
▪ Holder of Key and out-of-band authorization for higher risk scenario (write).
▪ Privacy Considerations.
23
Challenges of OAuth (RFC 6749) in a typical scenario
▪ OAuth’s primary security assumption is that there is only 1 Authz Server per client. A Personal Financial Client will necessarily have multiple Authz Servers.
▪ Make sure to have adequate separation, e.g., having different redirect endpoints for each server.
[Diagram: “1 Authz Server / client Model” vs. “n Authz Server / client Model”, showing clients C1/C2, their redirect endpoints C1R/C2R, the user agent UA and the authorization servers A1Z/A2Z.]
24
Challenges of OAuth (RFC 6749) in a typical scenario
Communication through the UA is not authenticated and thus can be tainted, but it is often used without a taint check.
Neither ‘code’ nor ‘state’ can be taken at face value, but we do...
[Diagram: C1O → C1R → UA → A1Z. TLS terminates at the UA. The authorization request (response_type, client_id, redirect_uri, scope, state) and the authorization response (code, state) both pass through the UA unauthenticated.]
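The two slides above state the problem (several Authz Servers per client; code and state arriving unauthenticated through the UA) but not the client-side check. As an added example that is not from the deck, here is a minimal Python client that registers a different redirect endpoint per Authz Server, binds each state to the server it was issued for, and rejects a callback whose state is unknown, already used, or delivered to the wrong endpoint. The hostnames and paths are constructed sample values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample: a client that talks to two authorization servers (the
# A1Z and A2Z of the slides), each registered with its OWN redirect URI.
AUTHZ_SERVERS = {
    "https://as1.example": {"authorize": "https://as1.example/authorize",
                            "redirect_uri": "https://client.example/cb/as1"},
    "https://as2.example": {"authorize": "https://as2.example/authorize",
                            "redirect_uri": "https://client.example/cb/as2"},
}

# Outstanding authorization requests, keyed by the unguessable state value.
# Each entry records which server the state was issued for.
pending = {}


def build_authz_request(issuer, client_id, scope):
    """Build the authorization request URL for one server and remember the state."""
    cfg = AUTHZ_SERVERS[issuer]
    state = secrets.token_urlsafe(32)
    pending[state] = {"issuer": issuer, "redirect_uri": cfg["redirect_uri"]}
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": cfg["redirect_uri"], "scope": scope, "state": state}
    return cfg["authorize"] + "?" + urlencode(params), state


def handle_callback(callback_url):
    """Validate an authorization response that arrived through the user agent.

    Nothing in the query string is authenticated, so it is accepted only when the
    state is one we issued, has not been used before, and the response landed on
    the redirect endpoint registered for that same server. Returns (issuer, code)
    so the code is redeemed only at the token endpoint of the matching issuer.
    """
    parsed = urlparse(callback_url)
    query = parse_qs(parsed.query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if not state or not code:
        raise ValueError("missing code or state")
    entry = pending.pop(state, None)          # single use: a replayed state fails
    if entry is None:
        raise ValueError("unknown or already-used state")
    arrived_at = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if arrived_at != entry["redirect_uri"]:
        # A code meant for one server showed up on another server's endpoint.
        raise ValueError("response arrived at the wrong redirect endpoint")
    return entry["issuer"], code
```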
25
Should we recommend using modified hybrid flow? Include ‘s_hash’ as well?

Security Level | Feature Set                       | Remarks
(highest)      | Request Object w/Hybrid Flow      | Authz Request protected
               | Hybrid Flow (confidential client) | Authz Response protected
               | Code Flow (confidential client)   | Client authentication
               | Implicit Flow                     | No client authentication
(lowest)       | Plain OAuth                       | Anonymous
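To show what the hybrid flow plus ‘s_hash’ actually buys the client, here is an added Python example (not from the deck) that checks the c_hash and s_hash claims of an ID Token against the code and state that came through the UA. It assumes the ID Token’s signature has already been verified and its payload parsed into a dict; hashes follow OIDC Core’s rule for c_hash (left half of the hash used by the JWS alg, base64url) and the same construction for s_hash. Issuer and client_id values are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JWS "alg" header (OIDC Core 3.3.2.11).
_ALG_TO_HASH = {"RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
                "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
                "RS512": "sha512", "PS512": "sha512", "ES512": "sha512"}


def half_hash(value, alg="RS256"):
    """base64url (no padding) of the left-most half of hash(ASCII value).

    This is how c_hash (code), at_hash (access token) and s_hash (state) are built.
    """
    digest = hashlib.new(_ALG_TO_HASH[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hybrid_response(claims, code, state, expected_issuer, client_id, alg="RS256"):
    """Check that a hybrid-flow ID Token vouches for the code and state we received.

    `claims` is the already signature-verified payload of the ID Token (a dict).
    Returns a list of problems; an empty list means the code and state that came
    through the user agent are the ones this authorization server actually issued.
    """
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if "c_hash" not in claims:
        problems.append("c_hash missing")
    elif not hmac.compare_digest(claims["c_hash"], half_hash(code, alg)):
        problems.append("c_hash does not match code")
    if "s_hash" not in claims:
        problems.append("s_hash missing")
    elif not hmac.compare_digest(claims["s_hash"], half_hash(state, alg)):
        problems.append("s_hash does not match state")
    return problems
```

Without s_hash, an ID Token only binds the code; with it, a state that was altered on the way through the UA is detected as well.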
26
Is bearer token adequate?
▪ For “read only” access, probably yes.
▪ For “write” access, maybe not.
Token Binding?
Mobile Apps security?
RFC 7636 OAuth PKCE mandatory?
MODRNA?
AppAuth?
27
Once complete, consider submitting it to ISO/TC 68
ISO 20022 Financial Services - universal financial industry message scheme.
Part 1: Overall Methodology and Format Specifications for Inputs and Outputs to/from the ISO 20022 Repository
Part 2: Roles and responsibilities of the registration bodies
Part 3: (TS) XML design rules
Part 5: (TS) Reverse engineering
Part 6: Message Transport Characteristics
28
Join the group!
https://openid.net/wg/fapi/