The Industry Standard for Consumer Access to Financial Records

FDX API and Security Overview

Dinesh Katyal – 7/20/20



FDX Confidential. All rights reserved.

Agenda

- Organization Overview

- The FDX API Portfolio

  - FDX API 4.1

  - Control Considerations for Consumer Financial Account Aggregation 3.1

  - User Experience Guidelines – Account Information 1.0

  - Use Cases

- Q & A


Mission


The Financial Data Exchange (FDX) mission is to promote and enhance a common interoperable standard and operating framework to efficiently and securely share consumer and business financial data.

FDX operates as an independent subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and took up the work of the FS-ISAC Aggregation Working Group.

FDX launched on 18 October 2018.

Financial Data Exchange (FDX)

118 Member Organizations

The current Board comprises 11 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2 Industry Groups & the FS-ISAC.

Open Membership | ¼ of members are Fin-Tech firms | 2/3 are not banks | FDX is not a policy or lobbying group.


FDX Technical Organization

Working Groups:

- Security & Authentication

- User Experience & Consent

- API / Data Structures

- Qualification & Certification

- OFX

Technology Review Committee

Task Forces:

- E2E Encryption

- Cert Model

- Directory

- Tax Forms

- Intermediary ID

- UX Guidelines

- Taxonomy

- Money Movement

FDX Staff: Director Product +

Every Working Group, Committee and the Board are co-chaired by a Financial Institution and a Non-Financial Institution.


FDX API

• Secure authentication

  - Tokenized access to data

  - No login credentials used/held by aggregator/apps

• Authorization and consent standard

  - Owner approves what is shared, its use, and duration

  - UX guidelines 1.0 will cover consent for account information services

• API specification

  - Replaces screen scraping

  - JSON/REST

  - Comprehensive coverage of account information services and tax forms (US)

  - Free to access and royalty free to use
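The "tokenized access" and consent bullets above describe a data holder that issues the aggregator an access token tied to what the owner approved, rather than sharing the owner's login credentials. The following is an added example, not FDX's own code or API, of the resource-server side of that model: an opaque token bound to a consent record (owner, client, scopes, approved use, expiry) that every request is checked against, with the data holder storing only a hash of each token. The scope names, client identifiers and the 90-day duration are constructed for illustration and are not taken from the FDX specification.

```python
"""Added example (not FDX's own code): opaque access tokens bound to consent."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Consent:
    owner: str            # account owner who approved the sharing
    client_id: str        # aggregator/app the token was issued to
    scopes: frozenset     # what may be shared; scope names here are constructed
    purpose: str          # the use the owner approved
    expires_at: float     # duration: Unix time after which access ends
    revoked: bool = False


class TokenStore:
    """Holds SHA-256 digests of issued tokens, never the tokens themselves,
    so a leaked store does not yield usable bearer tokens. No owner
    credentials are held at all."""

    def __init__(self):
        self._consents = {}   # token digest -> Consent

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, consent: Consent) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits, opaque to the client
        self._consents[self._digest(token)] = consent
        return token

    def lookup(self, token: str):
        return self._consents.get(self._digest(token))

    def revoke(self, token: str) -> bool:
        """Owner withdraws consent: the token stops working immediately."""
        consent = self.lookup(token)
        if consent is None:
            return False
        consent.revoked = True
        return True


def authorize(store: TokenStore, token: str, client_id: str, scope: str,
              purpose: str, now: float = None):
    """Decide whether one API call may proceed. Returns (allowed, reason).
    Every dimension the owner approved (client, scope, use, duration) is
    checked; failing any one denies the call."""
    now = time.time() if now is None else now
    consent = store.lookup(token)
    if consent is None:
        return False, "unknown token"
    if consent.revoked:
        return False, "consent revoked"
    if now >= consent.expires_at:
        return False, "consent expired"
    if client_id != consent.client_id:
        return False, "token not issued to this client"
    if scope not in consent.scopes:
        return False, "scope not granted"
    if purpose != consent.purpose:
        return False, "use not approved by owner"
    return True, "ok"


def demo_store():
    """Constructed sample: one owner grants a budgeting app read access for 90 days."""
    store = TokenStore()
    granted = time.time()
    consent = Consent(owner="alice", client_id="budget-app",
                      scopes=frozenset({"accounts:read", "transactions:read"}),
                      purpose="budgeting", expires_at=granted + 90 * 86400)
    token = store.issue(consent)
    return store, token, consent


if __name__ == "__main__":
    store, token, consent = demo_store()
    print(authorize(store, token, "budget-app", "accounts:read", "budgeting"))
    print(authorize(store, token, "budget-app", "payments:initiate", "budgeting"))
```

The point of hashing tokens at rest and of checking client, scope, purpose and expiry separately is that each denial reason is auditable: a log of "scope not granted" events from one client is a useful detection signal, and revocation takes effect without waiting for expiry.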


Supported Accounts and Documents

■ Deposit: Checking (DDA), Savings, Money Market Accounts, Time Deposits (CD), Other

■ Lines of Credit: Credit Cards, LOC (retail), LOC (Commercial), HELOC, Other

■ Loans: Loans (Installment), Mortgages, Loans (Commercial), Other

■ Investments: IRA, TAXABLE, TRUST, Other

■ Insurance

■ Annuities

● Statements

● Tax Documents: US Tax Forms

● Images (receipts or check images)


Release Calendar

• FALL 2020 Release Timeline

  • Sep 7 – RFC cutoff for release inclusion

  • Sep 21:

    • Spec 4.2 (tax ‘20) – 14-day member notice

    • Spec 4.5 (non-tax RFCs) – WG notification

  • Oct 5 (60 days prior):

    • Spec 4.2 (tax ‘20) – GA

    • Spec 4.5 (non-tax RFCs) – 60-day member notice

  • Dec 3 – Spec 4.5 GA

Note: Tax and non-tax releases will be aligned from Fall 2021 onwards, shifting the general release schedule up by 2 months.


Control Considerations

• Conceptual security architecture stack

  - Federated user authentication interoperability with OpenID Connect 1.0

  - Delegated user authorization using OAuth 2.0

  - Specific user identification pattern using FIDO 1.2 UAF

• Communication

  - TLS for all communications

  - NIST recommended encryption algorithms

  - Recommended key lengths and host name verification enabled

• API Security Profile

  - Normative references to FAPI part 1 – read-only security profile

  - FAPI part 2 – read-write security profile
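The communication controls above (TLS for every connection, NIST-recommended algorithms and key lengths, host name verification enabled) are the ones most often silently weakened in client code, typically by turning off certificate or hostname checks to make a test environment work. The following is an added example, not part of the FDX deck or its specifications, of a client-side `ssl.SSLContext` that keeps those controls on, plus an audit function a reviewer can run against any context to flag deviations. The minimum protocol version, the finding strings and the weak-cipher marker list are this example's own choices, not thresholds taken from the slide.

```python
"""Added example (not FDX's own code): hardened TLS client context and an audit."""
import ssl

# Substrings that mark cipher suites no modern profile should negotiate.
# This list is the example's own choice, not a quotation of NIST guidance.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def make_client_context(ca_file=None) -> ssl.SSLContext:
    """Client context with certificate validation, host name verification and
    TLS 1.2 as the floor. ca_file is optional: by default the platform trust
    store is used, which is what the stdlib's default context does."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' case: the common shortcut of disabling peer checks.
    Shown only so the audit has something to flag; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings; an empty list means the
    context meets every check this example applies."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

Wiring the hardened context into a real client is a one-liner with `http.client.HTTPSConnection(host, context=make_client_context())`; the audit is best run in CI against whatever context the application actually constructs, so that a later "temporary" `check_hostname = False` is caught before release.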


Questions