API Days 2016 Day 1: OpenID Financial API WG

Nomura Research Institute
Nat Sakimura
Chairman of the Board, OpenID Foundation
Research Fellow, Nomura Research Institute
#apidays
Foundation Financial API WG
• OpenID® is a registered trademark of OpenID Foundation.
• *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
13th December 2016
http://openid.net/wg/fapi/

© 2016 by Nomura Research Institute. All rights reserved.
Copyright © 2016 Nat Sakimura. All Rights Reserved.
2
Nat Sakimura
nAuthor of:
lOpenID Connect Core 1.0
lJSON Web Token [RFC7519]
lJSON Web Signature [7515]
lOAuth PKCE [RFC7636]
lOAuth JAR [forthcoming]
lEtc.
nEditor of:
lISO/IEC 29184 Guidelines for online notice and
consent
lISO/IEC 29100 AMD: Privacy Framework
lISO/IEC 27551 Requirements for attribute based
unlinkable entity authentication
lEtc.
Research Fellow, Nomura
Research Institute
Chairman of the Board,
OpenID Foundation
Chair, Financial API WG
Head of Japanese delegation to
ISO/IEC JTC 1/SC 27/WG5
Liaison Officer from ISO/IEC JTC
1/SC 27/WG5 to OECD/SPDE
Identity & Privacy research for
decades.
Grew up in Kenya!
Amateur flutist
(Most recent recording at
https://youtu.be/3gTCQhTcXL0)
• https://nat.Sakimura.org/
• @_nat_en (English)
• @_nat (Japanese)
• Linked.in/natsakimura
• https://www.linkedin.com
/in/natsakimura
• https://ja.wikipedia.org/w
iki/

3
?Do you use Personal Finance Software?
What are the current problems?

4
When NRI started screen scraping in 2001,
we thought it will be a temporary solution.
4
“There was OFX, and SAML was coming. SOAP was gaining momentum.
We should be able to get out of scraping business in a few years time!”

5
WRONG!
5

6
After 15 years, we are still screen scraping.
6

7
The situation is changing though.
7

8
Fintech is gaining a lot of interest lately
SOURCE Google Trends

9
API is known to be one of the three main component of FinTech
9
Use cases for Identity Federation
API in Financial sector
1. Account Opening (incl. KYC)
2. Personal Asset Managment
3. Payment, Sending Money
4. Loan Application
5. AI assisted portfolio management
(Source) Nikkei BP: Fintech Revolution P.4
(Source)Nikkei BP: FinTech Yearbook

10
I
nJSON , XML + OAuth 2.0
INDUSTRY PUSH >
US: FS-ISAC Durable Data API
10
(Source) FS-ISAC FSDDA WG
OpenID Financial API

11
REGULATORY PUSH>
EU Payment Service Directive 2 mandates API availability by the end of 2017.
11
(SOURCE) ODI OBWG: The Open Banking Standard (2016)
JSON REST
OAuth
OpenID Connect

12
Regulatory Pressures
lRelease 1 – to be completed within 12 months
▪ the launch of a tightly scoped Open Banking API,
enabling select, read-access, open data use cases.
lRelease 2 – to be completed by end of Q1 2017
▪ Third party read access to “midata”* personal
customer data (Read Only)
▪ Similar to R2 but has “midata” business customer
data sets (Read Only)
▪ Higher Risk – Full read & write access.
12
* Minimum midata is a csv file.
2.4.4. Debit/Credit: Displays the monies paid in and out of the account. Information
provided in a single column (indicating whether a transaction is a debit or credit
using the symbols -/+),
2.4.5. Running Balance: Provides an account balance after each transaction.
2.4.6. The columns will be titled: Date, Type, Merchant/Description Debit/Credit,
Balance.
2.4.7. Arranged overdraft limit at point of download.
3. Example of midata minimum standard
Draft midata minimum standard
Date Type
Merchant/
Description
Debit/Credit Balance
04/03/2014 VIS Boots the Chemist £5.00 £260.00
04/03/2014 DD Fitness First -£50.00 £255.00
03/03/2014 ATM ATM withdrawal -£100.00 £305.00
03/03/2014 TRF etc. -£20.00 £405.00
02/03/2014 VIS etc. -£75.00 £425.00
01/03/2014 CSH etc. -£50.00 £500.00
Arranged
overdraft limit
04/03/2014 £1000.00
(SOURCE) http://www.pcamidata.co.uk/445505-v2-
PCA_midata_-_file_content_standard_-_March_2015-
2.pdf

13
And the mere fact that we are here!
13
(SOURCE) API Day Web Site <http://apidays.io/>

14
Now is the time!
14

15
?but what API protection?
15
and what API request/response?

16
Solution Time!
16

17
OpenID Foundation
Financial API WG (FAPI WG)
17

18
Purpose
18
JSON REST
OAuth
OpenID Connect
(SOURCE) ODI OBWG: The Open Banking Standard (2016)

19
Enable
napplications to utilize the data stored in the financial account,
napplications to interact with the financial account, and
nusers to control the security and privacy settings.
Both commercial and investment banking account as well as
insurance, and credit card accounts are to be considered.
(Source) OpenID Foundation Financial API WG draft charter

20
So that we can finally get rid of password
storing and screen scraping!
20
Enhanced Authentication Profile WG
http://openid.net/wg/eap/

21
It will also help foster
the FinTech companies.
21

22
Why OpenID Foundation?
•Authors of OAuth, JWT, JWS, OpenID
Connect are all here.
Right
People
•Royalty Free, Mutual Non-Assert, so
that everyone can use it freely.Right IPR
•Free to join WGs. (Sponsors welcome)
•WTO TBT Compliant Process.
Right
Structure
22

23
Working Together
23
OpenID FAPI
UK Implementation Entity
(Chair)
(Co-Chair)(Co-Chair)
(UK IE Liaison)

24
In a IPR safe and Completely Open Environment
nIPR regime
lMutually assured patent non-assert
lTrademark (OpenID®) control against false claim of
the spec support
lCertification support to reinforce the interoperability
nCompletely Open Environment
lFree of charge to join the WG as long as you file the
IPR agreement
lBitbucket (git) to track the changes
▪ File an issue and send a pull request!
nMade possible by these sponsors!
24
Sustaining corporate members (board members)
Corporate members
Non-profit members

2626
JSON REST
OAuth
OpenID Connect
Locked down profile for
interoperability.
Holder of Key and out-of-
band authorization for
higher risk scenario
(write).
Privacy Considerations.

27
Possible Approaches
27
JSON REST
OAuth
OpenID Connect
Based on FS-ISAC DDA
Internationalize
Convert to Swagger
• Based on FS-ISAC DDA
etc.
• Provide Swagger and
HAL.

28
What we have achieved so far
nStarted off of 2 parts approach (Read Only & Read Write)
l But found that was too optimistic. Significant addition needed to
Data API while some functionality was really time sensitive.
l Thus …
n5 parts approach
Part 1: Read Only API Security Profile
Part 2: Read and Write API Security Profile
Part 3: Open Data API
Part 4: Protected Data API and Schema - Read only
Part 5: Protected Data API and Schema - Read and Write
28

29
Current Part 1 and thoughts on Part 2 will
be discussed tomorrow.
29

30
Once complete, consider submitting it to ISO/TC 68
30
nISO 20022 Financial Services - universal financial industry
message scheme.
Part 1: Overall Methodology and Format Specifications for Inputs and
Outputs to/from the ISO 20022 Repository
Part 2: Roles and responsibilities of the registration bodiesPart 3: (TS)
XML design rules
Part 5: (TS) Reverse engineering
Part 6: Message Transport Characteristics

31
Join the group!
https://openid.net/wg/fapi/
31

API Days 2016 Day 1: OpenID Financial API WG

More Related Content

Viewers also liked (7)

Similar to API Days 2016 Day 1: OpenID Financial API WG (20)

More from Nat Sakimura (17)

Recently uploaded (20)

API Days 2016 Day 1: OpenID Financial API WG