Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays New York 2023 - CATTS out of the bag, J...

apidays
June 29, 2023
16

apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX

apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023

CATTS out of the bag. Bringing uniformity to financial industry APIs
Jean-Paul LaClair, Director of Product at FDX

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

June 29, 2023
Tweet

More Decks by apidays

Transcript

  1. The Industry Standard for Consumer Access to Financial Records CATTS

    out of the bag. Bringing uniformity to financial industry APIs Jean-Paul LaClair, Sr Director of Product May 16, 2023
  2. In our quest for more convenience in our financial lives,

    our financial lives have become more complex to manage. CATTS out of the bag. So what?
  3. The Industry Standard for Consumer Access to Financial Records 3

    FDX Confidential. All rights reserved. An end consumer’s desires begins to disintermediate financial services The situation with data sharing
  4. The Industry Standard for Consumer Access to Financial Records Where

    it all started… 5 FDX Confidential. All rights reserved. Software was developed in the 1990s that could log in for you, gather the data (screen scrape), and combine all the data into a single interface; but required consumers to share their IDs and Passwords Consumers with accounts at multiple banks had to manually combine the data. The situation with data sharing
  5. The Industry Standard for Consumer Access to Financial Records And

    where it’s likely to go 6 FDX Confidential. All rights reserved. The situation with data sharing Volume of data created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025 © Statista 2023 (in zettabytes)
  6. More options to manage finances More complex financial lives More

    creation, consumption, and storage of data More data sharing
  7. The Industry Standard for Consumer Access to Financial Records Screen

    scraping requires sharing credentials 9 FDX Confidential. All rights reserved. Red alert… that situation is causing complications Customer provides credentials to a 3rd party 3rd party uses the credentials to log-in and scrape data. They can see ANY data the customer can see today.
  8. The Industry Standard for Consumer Access to Financial Records Credential-based

    data sharing 10 FDX Confidential. All rights reserved. Red alert… that situation is causing complications Consider the impact to the Banking Industry’s Infrastructure, Cyber Posture, and Privacy Posture Rules of Thirds • Approximately 1/3 of financial institution customers share their financial data with third parties1 • This equates to at least 100 million U.S. consumers Financial institution online traffic is, on average1,2: Just how big is it…?
  9. 11 Popular FinTech app breached. Millions of member IDs and

    PWs in paste bins all over the dark web. - June 1, 2023 …Chief Privacy Officer is on Line 1 …Board Risk Committee Chair is on Line 2 …60 Minutes is on Line 3 …Brian Krebs is calling your cell How many of our customers were affected? We don’t know, maybe as much as 15-20%. Customer data has been confirmed in multiple paste bins and call center call volume is intensifying. What data was at risk? Anything the customer’s eye can see, including PII and full account numbers. Are we seeing an increase in ATO and Fraud? There is an uptick, but attribution is not certain. What are we doing about it? We have blocked that app with our WAF, our SOC is monitoring things closely, and we are in contact with our peers and industry groups for signals and signature sharing and will reset compromised accounts and offer a year of privacy monitoring. How many of our customers were affected? None. We converted from credentials-based access to token based last year using FDX. Should the app itself become an issue, exactly nn,nnn customers use the app and we can revoke one or all tokens at any time with no impact to their access to our online bank or our mobile app. What data was at risk? Only the following fields were permissioned to the app: xx, yy, zz, Are we seeing an increase in ATO and Fraud? No. No credentials were lost, and customer data was limited to the minimum the app needed to function. What are we doing about it? We have blocked that app from our API using our ACL and WAF, our SOC is monitoring things closely, and we are in contact with our peers and industry groups for signals and signature sharing. Any tokens lost are unusable by external actors. Our Fraud and Info Sec teams are engaged with the app for forensic review and remediation steps as we are both FDX members. Which of these two conversations do you want to have with the callers? Future FICTIONAL Headline
  10. The Industry Standard for Consumer Access to Financial Records Lack

    of interoperability 12 FDX Confidential. All rights reserved. Red alert… that situation is causing complications
  11. The Industry Standard for Consumer Access to Financial Records FDX

    is an international, nonprofit technical standards body dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for the secure access of permissioned consumer and business financial data, the FDX API. © FDX, all rights reserved FDX does not comment on policy or engage in lobbying. User Experience Security Certification API & Data Structures FDX Specifications v5.2.1 FDX is a subsidiary of FS-ISAC. Financial Data Exchange – A Standard Our Members > 230 members | ¼ of members are Fin-Tech firms | 2/3 are not banks | 1/3 are Canadian Our Leadership Our Board comprises 12 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2 Industry Groups, FS-ISAC, 1 Canadian Fintech, 1 Canadian Financial Institution and 1 Consumer Advocacy Group observer. Our Adoption 53 Million Consumer Accounts using FDX API as of Spring 2023
  12. The Industry Standard for Consumer Access to Financial Records A

    Market Standard 15 FDX Confidential. All rights reserved. Technology Regulation Standardized Payload Connectivity Security & Auth User Experience Industry (the How) Government (the What)
  13. 80 kph 50 mph Technology Regulation User Experience Connectivity (TLS)

    Security & Authentication (FAPI & FIDO) Payload (JSON) JSON just tells us the type of object the truck is carrying – e.g., a shipping container. The contents can be anything the sender and receiver agree on: FDX format, ISO 20022 Format, IRS Tax (FIRE), or proprietary. Components of the FDX Standard
  14. The Industry Standard for Consumer Access to Financial Records Principles

    for Consumer-Permissioned Data Sharing 18 FDX Confidential. All rights reserved. AKA: CATTS C A T T S
  15. The Industry Standard for Consumer Access to Financial Records FDX

    Specifications 19 FDX Confidential. All rights reserved. API and Data Structures 1. Components 2. Core information – Accounts and Transactions 3. Customer Information 4. Consent, Recipient Registration 5. Tax, Money Movement, Metrics, Events, Fraud, and Registry User Experience 1. UX Guidelines – Consent Grant, Notification, Viewing, and Revocation 2. Data Clusters Mapping 3. Taxonomy Security 1. Security Model (AuthN & AuthZ), Security for Sensitive Data, Secure App Onboarding 2. Control Consideration 3. Recipient Registration Guidelines Certification 1. Provider Requirements 2. Recipient Requirements 3. Data Access Platform Requirements 4. Certification Use Cases 5. Certification Model