apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX

apidays
June 29, 2023

apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023

CATTS out of the bag. Bringing uniformity to financial industry APIs
Jean-Paul LaClair, Director of Product at FDX

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/


Transcript

  1. CATTS out of the bag. Bringing uniformity to financial industry APIs. Jean-Paul LaClair, Sr Director of Product, FDX (The Industry Standard for Consumer Access to Financial Records). May 16, 2023.
  2. In our quest for more convenience in our financial lives, our financial lives have become more complex to manage. CATTS out of the bag. So what?
  3. The situation with data sharing: an end consumer's desires begin to disintermediate financial services. (FDX Confidential. All rights reserved.)
  4. The situation with data sharing. Where it all started: consumers with accounts at multiple banks had to manually combine the data. Software was developed in the 1990s that could log in for you, gather the data (screen scrape), and combine all the data into a single interface, but it required consumers to share their IDs and passwords.
  5. The situation with data sharing. And where it's likely to go. [Chart: volume of data created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, in zettabytes. © Statista 2023]
  6. More options to manage finances. More complex financial lives. More creation, consumption, and storage of data. More data sharing.
  7. Red alert… that situation is causing complications. Screen scraping requires sharing credentials: the customer provides credentials to a 3rd party; the 3rd party uses the credentials to log in and scrape data. They can see ANY data the customer can see today.
  8. Red alert… that situation is causing complications. Credential-based data sharing: consider the impact to the banking industry's infrastructure, cyber posture, and privacy posture. Just how big is it…? Rule of Thirds:
     • Approximately 1/3 of financial institution customers share their financial data with third parties [1]
     • This equates to at least 100 million U.S. consumers
     • Financial institution online traffic is, on average [1,2]:
  9. Future FICTIONAL headline, June 1, 2023: "Popular FinTech app breached. Millions of member IDs and PWs in paste bins all over the dark web."
     …Chief Privacy Officer is on Line 1. …Board Risk Committee Chair is on Line 2. …60 Minutes is on Line 3. …Brian Krebs is calling your cell.
     Conversation A (credential-based access):
     • How many of our customers were affected? We don't know, maybe as much as 15-20%. Customer data has been confirmed in multiple paste bins and call center call volume is intensifying.
     • What data was at risk? Anything the customer's eye can see, including PII and full account numbers.
     • Are we seeing an increase in ATO and fraud? There is an uptick, but attribution is not certain.
     • What are we doing about it? We have blocked that app with our WAF, our SOC is monitoring things closely, and we are in contact with our peers and industry groups for signals and signature sharing, and will reset compromised accounts and offer a year of privacy monitoring.
     Conversation B (token-based access using FDX):
     • How many of our customers were affected? None. We converted from credentials-based access to token-based last year using FDX. Should the app itself become an issue, exactly nn,nnn customers use the app and we can revoke one or all tokens at any time with no impact to their access to our online bank or our mobile app.
     • What data was at risk? Only the following fields were permissioned to the app: xx, yy, zz.
     • Are we seeing an increase in ATO and fraud? No. No credentials were lost, and customer data was limited to the minimum the app needed to function.
     • What are we doing about it? We have blocked that app from our API using our ACL and WAF, our SOC is monitoring things closely, and we are in contact with our peers and industry groups for signals and signature sharing. Any tokens lost are unusable by external actors. Our Fraud and Info Sec teams are engaged with the app for forensic review and remediation steps, as we are both FDX members.
     Which of these two conversations do you want to have with the callers?
  10. Red alert… that situation is causing complications. Lack of interoperability.
  11. Financial Data Exchange – A Standard. FDX is an international, nonprofit technical standards body dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for the secure access of permissioned consumer and business financial data, the FDX API. FDX does not comment on policy or engage in lobbying. FDX is a subsidiary of FS-ISAC.
     • FDX Specifications v5.2.1: API & Data Structures, Security, User Experience, Certification
     • Our Members: > 230 members | ¼ of members are Fin-Tech firms | 2/3 are not banks | 1/3 are Canadian
     • Our Leadership: our Board comprises 12 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2 Industry Groups, FS-ISAC, 1 Canadian Fintech, 1 Canadian Financial Institution and 1 Consumer Advocacy Group observer
     • Our Adoption: 53 Million Consumer Accounts using FDX API as of Spring 2023
  12. A Market Standard. Industry defines the How (Technology): Standardized Payload, Connectivity, Security & Auth, User Experience. Government defines the What (Regulation).
  13. Components of the FDX Standard. [Graphic: a truck on a road with 80 kph / 50 mph speed signs.] Technology and Regulation; User Experience; Connectivity (TLS); Security & Authentication (FAPI & FIDO); Payload (JSON). JSON just tells us the type of object the truck is carrying, e.g., a shipping container. The contents can be anything the sender and receiver agree on: FDX format, ISO 20022 format, IRS Tax (FIRE), or proprietary.
  14. Principles for Consumer-Permissioned Data Sharing, AKA CATTS: Control, Access, Transparency, Traceability, Security.
  15. FDX Specifications.
     API and Data Structures: 1. Components; 2. Core information – Accounts and Transactions; 3. Customer Information; 4. Consent, Recipient Registration; 5. Tax, Money Movement, Metrics, Events, Fraud, and Registry.
     User Experience: 1. UX Guidelines – Consent Grant, Notification, Viewing, and Revocation; 2. Data Clusters Mapping; 3. Taxonomy.
     Security: 1. Security Model (AuthN & AuthZ), Security for Sensitive Data, Secure App Onboarding; 2. Control Considerations; 3. Recipient Registration Guidelines.
     Certification: 1. Provider Requirements; 2. Recipient Requirements; 3. Data Access Platform Requirements; 4. Certification Use Cases; 5. Certification Model.
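The following Python is an added example, not code from the deck, from FDX, or from the FDX specification. It models the two conversations on slide 9 side by side: an aggregator that screen-scrapes with the customer's own login and therefore sees the whole record, versus an app that holds an access token limited to a permissioned data cluster, bound to the app's client certificate, and revocable per app. The scope names (accounts:basic, transactions), the field sets, the sample customer record and the byte-string "certificates" are all constructed for illustration; binding a token to a hex SHA-256 thumbprint is a simplification of the certificate-bound access tokens of RFC 8705 that the FAPI profile on slide 13 relies on, and the in-memory AuthorizationServer stands in for a real issuer.

```python
# Added example, not code from the FDX deck or specification: a toy model of the two
# data-sharing models contrasted on slide 9. Scopes, field sets, certificates and the
# customer record are constructed; the token binding is a simplification of RFC 8705.
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample: everything the customer sees when logged in to online banking.
CUSTOMER_RECORD = {
    "name": "A. Customer",
    "ssn": "123-45-6789",
    "accounts": [{"accountId": "acct-001", "type": "CHECKING", "balance": 2500.10,
                  "fullAccountNumber": "000123456789", "maskedAccountNumber": "****6789"}],
    "transactions": [{"accountId": "acct-001", "amount": -42.00, "description": "Coffee"}],
}

# Hypothetical scopes and the fields each one permissions. "accounts:basic" deliberately
# excludes the full account number; no scope exposes "name" or "ssn".
SCOPE_FIELDS = {
    "accounts:basic": {"accounts": {"accountId", "type", "balance", "maskedAccountNumber"}},
    "transactions": {"transactions": {"accountId", "amount", "description"}},
}

def scrape_with_credentials(record, username, password, valid_login):
    """Credential-based model: whoever holds the login gets the whole record, unfiltered."""
    if (username, password) != valid_login:
        raise PermissionError("bad credentials")
    return record

def thumbprint(cert_der: bytes) -> str:
    # RFC 8705 binds tokens to base64url(SHA-256(cert)); plain hex is used here.
    return hashlib.sha256(cert_der).hexdigest()

@dataclass
class Token:
    value: str
    client_id: str
    scopes: frozenset
    cert_thumbprint: str  # honoured only over mTLS with the matching client certificate
    revoked: bool = False

class AuthorizationServer:
    def __init__(self):
        self.tokens = {}

    def issue(self, client_id, scopes, cert_thumbprint):
        tok = Token(secrets.token_urlsafe(32), client_id, frozenset(scopes), cert_thumbprint)
        self.tokens[tok.value] = tok
        return tok

    def revoke_client(self, client_id):
        """Revoke every live token of one app; other apps and the customer's login are untouched."""
        live = [t for t in self.tokens.values() if t.client_id == client_id and not t.revoked]
        for t in live:
            t.revoked = True
        return len(live)

def resource_server(auth, record, token_value, presented_cert_der):
    """Token-based model: check validity and sender binding, then return only permissioned fields."""
    tok = auth.tokens.get(token_value)
    if tok is None or tok.revoked:
        raise PermissionError("unknown or revoked token")
    if thumbprint(presented_cert_der) != tok.cert_thumbprint:
        raise PermissionError("token is not bound to the presented client certificate")
    out = {}
    for scope in tok.scopes:
        for section, allowed in SCOPE_FIELDS.get(scope, {}).items():
            out[section] = [{k: v for k, v in row.items() if k in allowed} for row in record[section]]
    return out

def token_usable(auth, token_value, cert_der):
    """True if the resource server honours this token when presented over mTLS with cert_der."""
    try:
        resource_server(auth, CUSTOMER_RECORD, token_value, cert_der)
        return True
    except PermissionError:
        return False

def scenario():
    """Replay slide 9's fictional app breach under both models; returns the observable outcomes."""
    results = {}
    scraped = scrape_with_credentials(CUSTOMER_RECORD, "alice", "hunter2", ("alice", "hunter2"))
    results["scrape_exposes_pii"] = "ssn" in scraped and "fullAccountNumber" in scraped["accounts"][0]

    auth = AuthorizationServer()
    app_cert, attacker_cert = b"constructed app cert DER", b"constructed attacker cert DER"
    tok = auth.issue("budget-app", ["accounts:basic"], thumbprint(app_cert))
    permissioned = resource_server(auth, CUSTOMER_RECORD, tok.value, app_cert)
    results["token_sections"] = sorted(permissioned)
    results["token_exposes_full_number"] = "fullAccountNumber" in permissioned["accounts"][0]
    # The app is breached and the token leaks: without the app's private key it is inert.
    results["stolen_token_usable"] = token_usable(auth, tok.value, attacker_cert)
    # Revoke that one app's tokens; the legitimate app can no longer use it either.
    results["revoked_count"] = auth.revoke_client("budget-app")
    results["token_works_after_revoke"] = token_usable(auth, tok.value, app_cert)
    return results
```

Calling scenario() shows the difference the slide is drawing: the scraped record carries the SSN and full account number, while the token path returns only the masked account fields that accounts:basic permissions, a token copied out of the breached app fails the certificate check, and revoking the app's tokens cuts off that one client without touching the customer's own login. In a real deployment the binding check is done by the TLS layer plus the token's cnf claim, and revocation state would be consulted via introspection rather than an in-process dictionary.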