
API Days 2016 Day 1: OpenID Financial API WG


Page 1: API Days 2016 Day 1: OpenID Financial API WG

Nomura Research Institute

Nat Sakimura
Chairman of the Board, OpenID Foundation
Research Fellow, Nomura Research Institute

#apidays

Foundation Financial API WG

• OpenID® is a registered trademark of OpenID Foundation.
• *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.

13th December 2016

http://openid.net/wg/fapi/

Page 2: API Days 2016 Day 1: OpenID Financial API WG

© 2016 by Nomura Research Institute. All rights reserved.

Copyright © 2016 Nat Sakimura. All Rights Reserved.

Nat Sakimura

• Author of:
▪ OpenID Connect Core 1.0
▪ JSON Web Token [RFC7519]
▪ JSON Web Signature [RFC7515]
▪ OAuth PKCE [RFC7636]
▪ OAuth JAR [forthcoming]
▪ Etc.

• Editor of:
▪ ISO/IEC 29184 Guidelines for online notice and consent
▪ ISO/IEC 29100 AMD: Privacy Framework
▪ ISO/IEC 27551 Requirements for attribute based unlinkable entity authentication
▪ Etc.

Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
Chair, Financial API WG
Head of Japanese delegation to ISO/IEC JTC 1/SC 27/WG5
Liaison Officer from ISO/IEC JTC 1/SC 27/WG5 to OECD/SPDE
Identity & Privacy research for decades. Grew up in Kenya!
Amateur flutist (most recent recording at https://youtu.be/3gTCQhTcXL0)

• https://nat.Sakimura.org/
• @_nat_en (English)
• @_nat (Japanese)
• Linked.in/natsakimura
• https://www.linkedin.com/in/natsakimura
• https://ja.wikipedia.org/wiki/ (Japanese Wikipedia)

Page 3: API Days 2016 Day 1: OpenID Financial API WG

Do you use Personal Finance Software?

What are the current problems?

Page 4: API Days 2016 Day 1: OpenID Financial API WG


When NRI started screen scraping in 2001, we thought it would be a temporary solution.


“There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of the scraping business in a few years' time!”

Page 5: API Days 2016 Day 1: OpenID Financial API WG


WRONG!


Page 6: API Days 2016 Day 1: OpenID Financial API WG


After 15 years, we are still screen scraping.


Page 7: API Days 2016 Day 1: OpenID Financial API WG


The situation is changing though.


Page 8: API Days 2016 Day 1: OpenID Financial API WG


Fintech is gaining a lot of interest lately

(Source) Google Trends

Page 9: API Days 2016 Day 1: OpenID Financial API WG


API is known to be one of the three main components of FinTech.


Use cases for Identity Federation API in the financial sector

1. Account Opening (incl. KYC)

2. Personal Asset Management

3. Payment, Sending Money

4. Loan Application

5. AI assisted portfolio management

(Source) Nikkei BP: Fintech Revolution P.4

(Source)Nikkei BP: FinTech Yearbook

Page 10: API Days 2016 Day 1: OpenID Financial API WG


Industry push > US: FS-ISAC Durable Data API

• JSON, XML + OAuth 2.0

(Source) FS-ISAC FSDDA WG

OpenID Financial API

Page 11: API Days 2016 Day 1: OpenID Financial API WG


Regulatory push > EU Payment Service Directive 2 mandates API availability by the end of 2017.

(Source) ODI OBWG: The Open Banking Standard (2016)

JSON REST OAuth

OpenID Connect

Page 12: API Days 2016 Day 1: OpenID Financial API WG


Regulatory Pressures

• Release 1 – to be completed within 12 months
▪ the launch of a tightly scoped Open Banking API, enabling select, read-access, open data use cases.

• Release 2 – to be completed by end of Q1 2017
▪ Third party read access to “midata”* personal customer data (Read Only)

• Release 3 – to be completed by end of Q1 2018
▪ Similar to R2 but has “midata” business customer data sets (Read Only)

• Release 4 – to be completed by end of Q1 2019
▪ Higher Risk – Full read & write access.

* Minimum midata is a csv file.

midata minimum standard

1. Overview

1.1. Banks who have committed to deliver midata downloads will provide personal current account customers, registered for online banking, with their own current account transaction data, on demand, in electronic format.

1.2. This data will be available for customers to access and download, anonymised as appropriate, and provided in a format that is consistent with this agreed industry-standard.

1.3. Midata downloads will be available for existing customers with personal current accounts, via secure online banking channels. Midata will not be available for closed accounts.

2. midata minimum standard

2.1. 12 months of transactional data in a single download
2.2. CSV format
2.3. Customer name, sort-code, account number will not be provided, or will be anonymised as appropriate.
2.4. The following columns of data will be included:
2.4.1. Date: The day the transaction occurred, listed chronologically with the most recent transaction at the top. Format of date: DD/MM/YYYY
2.4.2. Type: The reference code given to a transaction
2.4.3. Merchant/descriptor field partially anonymised as appropriate.
2.4.4. Debit/Credit: Displays the monies paid in and out of the account. Information provided in a single column (indicating whether a transaction is a debit or credit using the symbols -/+),
2.4.5. Running Balance: Provides an account balance after each transaction.
2.4.6. The columns will be titled: Date, Type, Merchant/Description, Debit/Credit, Balance.
2.4.7. Arranged overdraft limit at point of download.

3. Example of midata minimum standard

Draft midata minimum standard

Date        Type  Merchant/Description  Debit/Credit  Balance
04/03/2014  VIS   Boots the Chemist     £5.00         £260.00
04/03/2014  DD    Fitness First         -£50.00       £255.00
03/03/2014  ATM   ATM withdrawal        -£100.00      £305.00
03/03/2014  TRF   etc.                  -£20.00       £405.00
02/03/2014  VIS   etc.                  -£75.00       £425.00
01/03/2014  CSH   etc.                  -£50.00       £500.00

Arranged overdraft limit  04/03/2014  £1000.00

(SOURCE) http://www.pcamidata.co.uk/445505-v2-PCA_midata_-_file_content_standard_-_March_2015-2.pdf
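A midata download is untrusted input to whatever personal-finance software consumes it, so the rules quoted above (fixed column titles, DD/MM/YYYY dates newest first, a single signed Debit/Credit column, and a running balance that must chain from row to row) are worth checking before the data is used. The validator below is an added example, not code from the slides or from the PCA standard; the sample CSV is constructed to mirror the standard's example table, with the credit written as "+5.00" on the assumption that credits carry a "+" sign.

```python
import csv
import re
from datetime import datetime
from decimal import Decimal

COLUMNS = ["Date", "Type", "Merchant/Description", "Debit/Credit", "Balance"]
MONEY = re.compile(r"^([+-]?)£?(\d+\.\d{2})$")  # '+5.00', '-£50.00', '£260.00'
# Constructed sample mirroring the draft standard's example table (not real data).
SAMPLE_CSV = """Date,Type,Merchant/Description,Debit/Credit,Balance
04/03/2014,VIS,Boots the Chemist,+5.00,260.00
04/03/2014,DD,Fitness First,-50.00,255.00
03/03/2014,ATM,ATM withdrawal,-100.00,305.00
03/03/2014,TRF,etc.,-20.00,405.00
02/03/2014,VIS,etc.,-75.00,425.00
01/03/2014,CSH,etc.,-50.00,500.00
"""

def parse_money(text):
    """Strictly parse a signed pound amount into a Decimal; anything else is rejected."""
    match = MONEY.match(text.strip())
    if not match:
        raise ValueError(f"bad amount {text!r}")
    return Decimal(match.group(1) + match.group(2))

def validate_midata(text):
    """Return a list of problems found; an empty list means the file conforms."""
    reader = csv.reader(text.splitlines())
    if next(reader, None) != COLUMNS:
        return ["unexpected header row"]
    problems, parsed = [], []  # parsed: (row_no, date, amount, balance) or None per data row
    for row_no, row in enumerate(filter(None, reader), start=1):
        try:
            if len(row) != len(COLUMNS):
                raise ValueError(f"expected {len(COLUMNS)} columns, got {len(row)}")
            date = datetime.strptime(row[0], "%d/%m/%Y")
            parsed.append((row_no, date, parse_money(row[3]), parse_money(row[4])))
        except ValueError as exc:
            problems.append(f"row {row_no}: {exc}")
            parsed.append(None)
    # Check each row against the next (older) one: newest first, and balance chains.
    for newer, older in zip(parsed, parsed[1:]):
        if newer is None or older is None:
            continue
        row_no, date, amount, balance = newer
        if date < older[1]:
            problems.append(f"row {row_no}: rows must run newest first")
        if older[3] + amount != balance:
            problems.append(f"row {row_no}: running balance does not add up")
    return problems
```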

Page 13: API Days 2016 Day 1: OpenID Financial API WG


And the mere fact that we are here!


(SOURCE) API Day Web Site <http://apidays.io/>

Page 14: API Days 2016 Day 1: OpenID Financial API WG


Now is the time!


Page 15: API Days 2016 Day 1: OpenID Financial API WG

…but what API protection?

and what API request/response?

Page 16: API Days 2016 Day 1: OpenID Financial API WG


Solution Time!


Page 17: API Days 2016 Day 1: OpenID Financial API WG


OpenID Foundation Financial API WG (FAPI WG)


Page 18: API Days 2016 Day 1: OpenID Financial API WG


Purpose


JSON REST OAuth

OpenID Connect

(SOURCE) ODI OBWG: The Open Banking Standard (2016)

Page 19: API Days 2016 Day 1: OpenID Financial API WG


Enable
• applications to utilize the data stored in the financial account,
• applications to interact with the financial account, and
• users to control the security and privacy settings.

Both commercial and investment banking accounts, as well as insurance and credit card accounts, are to be considered.

(Source) OpenID Foundation Financial API WG draft charter

Page 20: API Days 2016 Day 1: OpenID Financial API WG


So that we can finally get rid of password storing and screen scraping!


Enhanced Authentication Profile WG: http://openid.net/wg/eap/

Page 21: API Days 2016 Day 1: OpenID Financial API WG


It will also help foster the FinTech companies.


Page 22: API Days 2016 Day 1: OpenID Financial API WG


Why OpenID Foundation?

Right People
• Authors of OAuth, JWT, JWS, OpenID Connect are all here.

Right IPR
• Royalty Free, Mutual Non-Assert, so that everyone can use it freely.

Right Structure
• Free to join WGs. (Sponsors welcome)
• WTO TBT Compliant Process.

Page 23: API Days 2016 Day 1: OpenID Financial API WG


Working Together


OpenID FAPI (Chair) (Co-Chair) (Co-Chair) and UK Implementation Entity (UK IE Liaison)

Page 24: API Days 2016 Day 1: OpenID Financial API WG


In an IPR-safe and completely open environment

• IPR regime
▪ Mutually assured patent non-assert
▪ Trademark (OpenID®) control against false claim of the spec support
▪ Certification support to reinforce the interoperability

• Completely open environment
▪ Free of charge to join the WG as long as you file the IPR agreement
▪ Bitbucket (git) to track the changes
▪ File an issue and send a pull request!

• Made possible by these sponsors!

Sustaining corporate members (board members)

Corporate members

Non-profit members

Page 25: API Days 2016 Day 1: OpenID Financial API WG


JSON REST OAuth

OpenID Connect

Locked-down profile for interoperability. Holder of Key and out-of-band authorization for higher-risk scenarios (write). Privacy considerations.

Page 26: API Days 2016 Day 1: OpenID Financial API WG


Possible Approaches


JSON REST OAuth

OpenID Connect

• Based on FS-ISAC DDA etc.
• Internationalize.
• Convert to Swagger; provide Swagger and HAL.

Page 27: API Days 2016 Day 1: OpenID Financial API WG


What we have achieved so far

• Started off with a 2-part approach (Read Only & Read Write)
▪ But found that was too optimistic. Significant addition needed to Data API while some functionality was really time sensitive.
▪ Thus …

• 5-part approach
▪ Part 1: Read Only API Security Profile
▪ Part 2: Read and Write API Security Profile
▪ Part 3: Open Data API
▪ Part 4: Protected Data API and Schema - Read only
▪ Part 5: Protected Data API and Schema - Read and Write

Page 28: API Days 2016 Day 1: OpenID Financial API WG


Current Part 1 and thoughts on Part 2 will be discussed tomorrow.


Page 29: API Days 2016 Day 1: OpenID Financial API WG


Once complete, consider submitting it to ISO/TC 68


• ISO 20022 Financial Services - universal financial industry message scheme.
▪ Part 1: Overall Methodology and Format Specifications for Inputs and Outputs to/from the ISO 20022 Repository
▪ Part 2: Roles and responsibilities of the registration bodies
▪ Part 3: (TS) XML design rules
▪ Part 5: (TS) Reverse engineering
▪ Part 6: Message Transport Characteristics

Page 30: API Days 2016 Day 1: OpenID Financial API WG


Join the group!

https://openid.net/wg/fapi/
