Financial APIs, pushing the boundaries of Identity
Almost everyone will say “Publishing APIs is easy; securing them is the hard part”. The sentiment holds in the realm of financial APIs. A wave of financial APIs has hit the proverbial shores of the internet, and much deeper thought is required about how Identity and Access Management (IAM) is applied in this context.
Photo by [小谢](https://unsplash.com/@guogete?utm_source=medium&utm_medium=referral) on [Unsplash](https://unsplash.com?utm_source=medium&utm_medium=referral)
With regulatory directives such as PSD2, which presents a framework for exposing banking data and services to trusted parties, identity plays a crucial role. To learn more about Open Banking, check out the article below.
In the domain of financial APIs, questions such as the following arise:
— How to ensure that only trusted parties will access these APIs?
— How to effectively authenticate users and get consent?
— How to ensure that data is harnessed with customer consent?
These questions must be considered with a keen eye and answered according to specification to safeguard the power of these APIs.
The beauty of modern financial APIs
Gone are the days of proprietary protocols: Open Banking ushered in a new era of open design philosophy, with industries adopting standards such as OpenAPI, OAuth and OpenID Connect.
Following PSD2, many countries and regulatory bodies took interest. In Australia it is the Consumer Data Right (CDR), fronted by Data61, who opened up the standards process on GitHub so that anyone interested in the standard is able to contribute.
With growing interest in the space, the OpenID Foundation started a new working group back in 2017 to draft specifications suitable for financial APIs.
The specifications of the FAPI WG eventually became the backbone of modern financial APIs.
Is Open Banking the killer application for Identity?
Just as VisiCalc and Lotus 1–2–3 became the killer apps of the Apple II and IBM PC respectively, will financial APIs become the killer app for IAM?
I’d love to claim credit for this subtitle, but it was posed during a panel at a recent Sibos conference, where a debate took place on the core idea of how financial APIs are pushing the envelope of identity.
Working in the integration domain, this is quite apparent, with commercial IAM products being updated to support FAPI-grade security specifications.
These specifications harden the OAuth 2.0 authorization framework by tightening up sender, receiver and message security.
Excerpt from [OpenID Foundation FAPI WG: June 2017 Update](https://www.slideshare.net/nat_sakimura/openid-foundation-fapi-wg-june-2017-update?ref=https://openid.net/wg/fapi/)
The slide excerpt given above sums up what the FAPI WG is trying to solve. IAM products are catching up to cater to these specifications, allowing their use in Open Banking scenarios.
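One concrete piece of the “sender security” the FAPI WG tightened is the sender-constrained access token: FAPI 1.0 Advanced requires tokens bound to the client’s mTLS certificate as defined in RFC 8705, where the authorization server puts the SHA-256 thumbprint of the certificate in the token’s `cnf` claim and the resource server refuses any token whose binding does not match the certificate on the connection. The following is an added example, not code from the original article or from any IAM product; the certificate bytes, issuer and subject are constructed stand-ins, and the token is represented only by its claims (signature verification is assumed to have already happened).

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-ins for client certificates in DER form. A real resource
# server would take the DER bytes of the certificate presented on the mTLS
# connection; any byte string is enough to demonstrate the thumbprint logic.
CLIENT_CERT_DER = b"-- constructed DER bytes for client A --"
OTHER_CERT_DER = b"-- constructed DER bytes for client B --"


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 'x5t#S256' value: base64url(SHA-256(DER)) without '=' padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_token(subject: str, cert_der: bytes, now: int) -> dict:
    """Authorization-server side: claims of a certificate-bound access token.

    The 'cnf' (confirmation) claim ties the token to one client certificate,
    so a token leaked from one client is useless to anyone else.
    """
    return {
        "iss": "https://as.example",  # constructed issuer
        "sub": subject,
        "exp": now + 300,  # short-lived, as FAPI-style profiles favour
        "cnf": {"x5t#S256": cert_thumbprint(cert_der)},
    }


def accept_token(claims: dict, presented_cert_der: Optional[bytes], now: int) -> Tuple[bool, str]:
    """Resource-server side: accept only a live token bound to the presented certificate.

    A plain bearer token (no 'cnf') is rejected outright, because under a
    sender-constrained profile the absence of a binding is itself a failure.
    """
    if claims.get("exp", 0) <= now:
        return False, "expired"
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False, "not sender-constrained"
    if presented_cert_der is None:
        return False, "no client certificate on the connection"
    expected = cnf["x5t#S256"]
    actual = cert_thumbprint(presented_cert_der)
    # Constant-time comparison avoids leaking thumbprint bytes via timing.
    if not hmac.compare_digest(expected, actual):
        return False, "certificate does not match token binding"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_bound_token("customer-1", CLIENT_CERT_DER, now)
    print(accept_token(token, CLIENT_CERT_DER, now + 10))   # legitimate client
    print(accept_token(token, OTHER_CERT_DER, now + 10))    # replayed by another client
    print(accept_token({k: v for k, v in token.items() if k != "cnf"}, CLIENT_CERT_DER, now + 10))
```

The point to notice is the last case in the usage block: stripping the `cnf` claim does not downgrade the token to an acceptable bearer token; the resource server treats “unbound” as a reason to reject, which is what distinguishes a FAPI-grade resource server from a plain OAuth 2.0 one.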
The EU’s approach is more ambitious still: making identity pan-European with eIDAS, whose implementation has become mandatory in the region in the Open Banking context. To learn more about eIDAS, check out the article below.
With regulators from different countries coming into Open Banking, it’s not so easy to dismiss the question “Is Open Banking the killer application for Identity?”.
It’s an interesting time for identity, with new standards and specifications crossing borders from single-consumer scenarios to large-scale financial API use cases. With adoption and time, these specifications might evolve to become the norm, giving a strong framework for high-risk, low-control scenarios.