The Industry Standard for Consumer
Access to Financial Records
APIdays – New York
Fall 2021
Security Design Patterns that Protect Sensitive
Financial Data Shared via APIs
Dinesh Katyal, Ray Voss, Shawn Jobe
Agenda
FDX Confidential. All rights reserved.
• Introduction – 2 min
• Financial Data Exchange
• Overview – 5 min
• Problem Context
• Cross Industry Effort
• Recommended Security Patterns – 10-15 min
• Future Work
• Q&A – 5 min
Financial Data Exchange (FDX)
FDX is not a policy or lobbying group.
Data Sharing Ecosystem
• We estimate that in North America alone there are ~100 million credential pairs being used to scrape data.
• Typically 30%-35% of a given financial institution’s online user base has shared their credentials.
• Typically 25%-40% of a given financial institution’s online logins are scraping sessions.
FDX Mission
FDX is dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for the secure access of permissioned consumer and business financial data, aptly named the FDX Application Programming Interface (FDX API).
Who is using FDX
• 100% of our FI members are using or plan to use FDX API
• >16 million consumers are on FDX as of March 2021
• FDX API averaged 99.91% availability.
FDX Objectives
• Adopt, Promote and Improve Data-Sharing Standards
• Adopt, Promote and Improve Secure Authentication Standards
• Develop a Certification Program
• Develop User Experience and Consent Guidelines Best Practices
© FDX, all rights reserved
190+ Member Organizations on 4 continents
The current Board comprises 12 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2 Industry Groups, FS-ISAC, 1 Canadian Fintech, and 1 Consumer Advocacy Group as an observer.
FDX does not comment on policy or engage in lobbying.
Open Membership | ¼ of members are Fin-Tech firms | 2/3 are not banks
ABA
Adastra Corporation
Affinity Credit Union
Akoya
Ally
American Express
apimetrics
Apiture
Assiniboine Credit Union
ATB Financial
Authlete
Axway
Back in the Black
Bank of America
Bank of Montreal
Bank of Nova Scotia/ Tangerine
Bank Policy Institute
BillGo
Blanc Labs
Blend Labs, Inc.
Blucora
BNC
BotKeeper
Callsign
Canadian Credit Union Assoc.
CCUA
Capital One
Caspian One
Celero
Centime Inc
Central 1 CU
Cequence Security
CIBC
Citi Group
Citizens Bank
Cloud Entity
CloudVector
Codat
Computer Services Inc (CSI)
Concord Advice
Connect
Connexussecure
Consumer Edge
Credit Union Central Alberta Limited
DAPI
Datapro inc
Decision Logic
Desjardins
Digits
Discover
Duality Technologies
EarnIn
EEI
Emoney Advisor
Empower Retirement
Equifax
Equitable Bank
Everlink Payment Services Inc.
EWS
Experian
F5 Networks Inc.
Fairstone Financial Inc.
Fannie Mae
FGS - Fintech Growth Syndicate
FI.Span Services Inc
Ficanex
FICO
Fidelity
Financial Apps
Finconecta
Finicity
Finovera
First Bank
First Canadian Title Company Limited
Fiserv
Flinks
Forge Rock
FormFree Holdings Co
FS-ISAC
GT Software
H&R Block
Home Trust Company
IBBIE LLC
ICBA
Iclose
Inclusive Innovations
Innovecture
Intelliware
Interac
Internet Tax information Processing Services (ITIPS)
Intuit
Inverite
Jack Henry Inc
Japan Association for Financial API's
JPMChase
KOHO
Konsentus Ltd
L7 Defense LTD
Large Credit Union Coalition LCUC
Mass Mutual
Mastercard
Mazooma
Merchant Treasury
Meridian Credit Union
Microbilt
MorningStar
Mountain America FCU
Mscience
MX
MyFinApps
Navy Federal Credit Union
NCRC
Neosec
New Media IV Holdings
Ninth-Wave
Nivelo Tech Inc
Okta
Opportunity Financial
Orum - Project Midas
Ozoneapi
PAI
Payments Canada
PayPal
Petal Card Inc.
Ping Identity
Plaid
Plenee Co
PNC
PointServ
PPIJV Prarie Payments
Price Water House Coopers LLP
Principal
PSCU
QuadFI INC.
Quicken
Quicken Loans
Raidiam Services Limited
Rattlehub Digital
Royal Bank of Canada
Sage
Salt Security
Schwab
Securekey
self lender
Servus Credit Union
SIFMA
Silicon Valley Bank
Simpli
Singular Key
Skyflow
Smart Solution
Smart Vault
Sovos
Spring Labs
Star Point
Symcor
TD Bank
The Clearing House
The Goldman Sachs Group
The Pathfinder Group
The Working Group
TIAA
Transunion
True Layer
Truist
Trust Stamp
US Bank
USAA
UW Credit Union
Validifi
Vantage Score
Verify My Banks
Visa
Vopay
Wells Fargo
Xero
Xtensifi
Yodlee
Varo Bank
Every Working Group, Committee and the Board are co-chaired by a Financial Institution and a Non-Financial Institution
How many consumers are on it?
© FDX, all rights reserved. TLP AMBER
UK Open Banking is at 3 million consumers as of March 5th
The US also has a higher per-capita usage than the UK. (46 per thousand versus 44)
Problem Context
Sensitive Data
• Any individual or collection of data elements in transit that requires a combination of security
and privacy controls
• Evaluated Data: Account Number, Account Holder Name and Address in the context of use for Personal Financial Management, Credit and Lending, and Money Movement
Need for Protection
• Prevent use in a fraudulent transaction
• Prevent compromise of private consumer information
• Adherence to specific laws and regulations.
Protection Approach
• Layered set of security techniques across multiple parties with controls for both access and
visibility
Constraints
• Increased Security
• Proposed approach should result in a meaningful increase in security and privacy
• Ease of Adoption
• Solution should be implementable with reasonable resources and with a high degree of consistency and
predictability
• Pro-competitive
• No business use cases, or ecosystem participants should be negatively impacted
Detailed Benefits
• Improved sensitive data protections through the ecosystem
• Targeted protections e.g., field level encryption, focus on the relevant data
• Complements existing data security models by layering techniques
• End-user transparency into data usage
• Reduce need for sensitive data sharing via alternate means of satisfying use cases
• Reduces potential for 1st party fraud
• Improves data integrity
Recommended Security Patterns
Recommendation Overview
• Categories
• General Purpose
• Use Case Specific
• Emerging
• Primary Assumptions
• Patterns are recommended in the context of App2App integrations. Data at rest is not addressed.
• All patterns are to be considered as additive to existing patterns in place (e.g.: Message encryption).
General Purpose Patterns
Data Encryption and Consent
• Asymmetric Encryption
• Sharing of keys between a data provider and data recipient used for the encryption and
decryption of sensitive data.
• Granular Consent
• Supplementary practice for setting permissions that are driven by the consumer and enforced
throughout a multi-party ecosystem.
Asymmetric Encryption
Scope of Data: All
Use Cases in Scope: All
Considerations:
• Use only for hops from data provider to data access platform, and from data access platform to data recipient. Encrypt only the relevant data, keeping data needed by intermediary systems in the clear.
• Trust is established without exchanging private keys.
• Partner public keys are signed and verified using a mutually trusted Certificate Authority’s public key.
• The certificate authority is responsible for establishing the identity of the individual organizations.
• FDX API Security Model and FDX API documentation describe the pattern and implementation techniques in detail.
What Problem Can/Does It Solve:
• Prevents PII and sensitive data from traversing internal networks unencrypted. TLS will typically terminate at the API gateway and the raw content will traverse the internal network unencrypted.
• Supports data minimization along with controlling what consumer information is being secured, thus supporting bi-lateral agreements.
• Layered prevention against first party attacks and compromised transport-layer-security encryption, in alignment with FDX security control considerations. Can be used with additional patterns to provide additional levels of security.
Granular Consent
Scope of Data: All
Use Cases in Scope: All
Considerations:
• Granular consent should always be used where possible to separate use case consents that need access to sensitive data from those that don’t.
• Information on the requested use case and the associated sensitive data should be made available to all parties (data providers and data access platforms) to enable them to trigger appropriate controls for the data and use case.
• Supported by FDX User Experience Guidelines and FDX Consent API.
What Problem Can/Does It Solve:
• Limits the delivery of data provided through exchanges between parties, along with providing transparency to the end user.
• Reduces consumer friction by providing a clear and concise understanding of the data use.
• Provides consumers a means for increased control over the privacy of their data.
Use Case Specific Patterns
Substitution and Data Minimization
• Data Masking / Truncation
• Obfuscation of a value from its original form for the purpose of controlling visibility and exposure.
• Tokenization
• Substitutes the value with an opaque identifier that can be used as a replacement of a sensitive data element within an ecosystem.
• Alternative Data
• Limiting the sharing and collection of data in order to maintain consumer trust and reduce general security threats.
• Hashing
• Process in which data of any size is mapped to a fixed length of characters and used for
ensuring that the data has been unaltered.
Tokenization
Scope of Data: Account Number
Use Cases in Scope: Money Movement
Considerations:
• Implemented at the data provider for better security and control.
• Ensure tokens are as usable for the purpose as the original account number, e.g., no change to ACH, SWIFT, or other money movement schemes should be needed.
• Supported in FDX API v 4.5 onwards.
What Problem Can/Does It Solve:
• Protects the account number from being leaked by using a substitute value that can only be used to execute transactions. Substitute account numbers can be reissued and replaced without impacting the end customer.
• Gives the end customer the ability to deactivate a substitute account number, taking away any holder's ability to move money.
• Streamlines the replacement of account numbers for the account holder as it requires the customer to be involved.
• Reduces the risk to all parties in the chain as nobody holds the actual account number.
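The tokenization pattern above, sketched as a small token vault held by the data provider. This is an added illustration, not code from the slides or from the FDX API: the class and method names, the per-recipient binding and the sample account number are all assumptions made for the example.

```python
import secrets


class AccountTokenVault:
    """Held by the data provider: the only place a token maps back to a real account.

    Hypothetical helper for illustration; not part of the FDX API.
    """

    def __init__(self, real_accounts):
        self._real = set(real_accounts)
        self._tokens = {}  # token -> {"account", "recipient", "active"}

    def issue(self, account, recipient):
        """Return a substitute number bound to one data recipient."""
        if account not in self._real:
            raise KeyError("unknown account")
        while True:
            # Same length and digits only, so payment message formats need no change.
            token = "".join(secrets.choice("0123456789") for _ in account)
            # Never collide with a real account number or a previously issued token.
            if token not in self._real and token not in self._tokens:
                break
        self._tokens[token] = {"account": account, "recipient": recipient, "active": True}
        return token

    def resolve(self, token, presented_by):
        """Map a token back to the account, or None if it must not be honoured."""
        entry = self._tokens.get(token)
        if entry is None or not entry["active"] or entry["recipient"] != presented_by:
            return None
        return entry["account"]

    def deactivate(self, token):
        """End-customer (or provider) switches a token off; it stops moving money."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        entry["active"] = False
        return True

    def reissue(self, token):
        """Replace a leaked token; the underlying account number never changes."""
        entry = self._tokens[token]
        entry["active"] = False
        return self.issue(entry["account"], entry["recipient"])


def demo():
    account = "000123456789"  # constructed sample value
    vault = AccountTokenVault({account})
    first = vault.issue(account, "recipient-a")
    second = vault.reissue(first)
    return {
        "old_token_still_works": vault.resolve(first, "recipient-a") is not None,
        "new_token_works": vault.resolve(second, "recipient-a") == account,
        "other_recipient_can_use_it": vault.resolve(second, "recipient-b") is not None,
    }


if __name__ == "__main__":
    print(demo())
```
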
Alternative Data
Scope of Data: Account Number
Use Cases in Scope: Account Verification
Considerations:
• Potential for removing sensitive data from the transaction.
• Account validation can be done through data such as transaction history rather than account number.
• It is becoming more common that credit furnishers are not providing the full account numbers.
• Can impact the robustness of an automated verification process.
• Without the full account number it can lead to fraud.
What Problem Can/Does It Solve:
• Replaces the use of sensitive data with non-sensitive data, reducing the need for additional security measures or design patterns associated with sensitive data.
• Accomplishes the same business objective using non-sensitive data, which is neutral from a business perspective, but superior from a compliance, risk and security perspective. The exact alternative data would be decided on a use case by use case basis.
• Minimizes the amount of sensitive data throughout the ecosystem.
Verification Query
Scope of Data: All
Use Cases in Scope: Account Owner Identity Verification, Money Movement Setup
Considerations:
• Sensitive data is gathered and transmitted to the provider for verification.
• Can be combined with hashing to prevent data transmission in the clear.
• Instead of requiring the account number to verify, the data recipient sends an end-user identifier, e.g., account number or phone number, to the data provider. The data provider compares that with the account number or phone number on record and responds with yes if the data match, and no if they do not.
• Bank information becomes the primary source versus derived.
What Problem Can/Does It Solve:
• Reduces the risk from rogue or poorly implemented data recipient apps. Since this method relies on the end-user providing the sensitive data to verify, it prevents the data recipient from obtaining this data from the data provider without the end-user knowing about it, or worse, under false pretexts.
• It also reduces the risk surface for ATO fraud by making it difficult for a fraudulent user who took over a legitimate user’s credentials to carry out fraud, as the fraudulent user now also needs to know the sensitive data to complete the operation.
Masking / Truncation
Scope of Data: All
Use Cases in Scope: Account Verification, Account Identification, API call requirements.
Considerations:
• Reconciliation of information with the unmasked data element
• Integrity of data structure with selective masking of data elements
• Data Recipient discretion based on use case
• Masking used in conjunction with alternative data and verification query increases
• Generally accepted best practice when working with cardholder data
What Problem Can/Does It Solve:
• Protects the data element from being leaked or re-distributed, as source data is masked
• Pseudonymization for analytical modeling, regulatory compliance and privacy scenarios
Hashing
Scope of Data: Account Number, Account Holder Name, Account Holder Address.
Use Cases in Scope: Account Verification
Considerations:
• Used to verify the integrity and ensure the original value has not been modified or tampered with.
• Hashing is not encryption: it is a one-way transformation of the data, whereas encryption algorithms are two-way (encrypting, decrypting) functions.
• Requires use of SHA-256 or SHA-3 (secure hashing algorithms).
• It is recommended that it be combined with various encryption techniques for added security.
• Use is well known and there are no real blockers to adoption.
• Both parties know the original data that is used for comparing.
What Problem Can/Does It Solve:
• Hashing provides a solution for ensuring the integrity of a given value while adding an additional level of security.
• Recipients are able to perform verification without needing the value in clear text.
• If encryption is not implemented or not being used, then it is a feasible alternative to ensure the integrity of the data element and/or message payload.
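The Verification Query and Hashing slides combined in one added sketch (not code from the slides or the FDX API): the data recipient sends a digest of what the end-user typed, and the data provider answers only yes or no. Because account numbers are short and guessable, the example assumes a keyed hash (HMAC-SHA-256 under a key pre-shared by the two parties) with a per-query nonce rather than a bare SHA-256. The message shape, field names, key handling and sample record are likewise assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample data: a pre-shared key and one record at the data provider.
SHARED_KEY = secrets.token_bytes(32)
RECORDS = {"user-001": {"account_number": "000123456789", "holder_name": "Jane Q. Public"}}


def normalize(field, value):
    """Canonicalize so both parties hash identical bytes for the same value."""
    if field == "account_number":
        return re.sub(r"\D", "", value)        # digits only: drop spaces and dashes
    return " ".join(value.split()).upper()     # collapse whitespace, fold case


def field_digest(shared_key, nonce, field, value):
    """HMAC-SHA-256 over nonce, field name and normalized value."""
    # The unit separator keeps (nonce, field, value) boundaries unambiguous.
    message = "\x1f".join([nonce, field, normalize(field, value)]).encode("utf-8")
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def build_query(shared_key, user_id, field, value_from_end_user):
    """Data recipient side: the typed value itself never leaves in the clear."""
    nonce = secrets.token_hex(16)
    return {
        "user_id": user_id,
        "field": field,
        "nonce": nonce,
        "digest": field_digest(shared_key, nonce, field, value_from_end_user),
    }


class DataProvider:
    """Data provider side: compares against the value on record, answers yes/no."""

    def __init__(self, shared_key, records):
        self._key = shared_key
        self._records = records
        self._seen_nonces = set()

    def answer(self, query):
        nonce = query["nonce"]
        if nonce in self._seen_nonces:          # a captured query cannot be replayed
            return False
        self._seen_nonces.add(nonce)
        on_record = self._records.get(query["user_id"], {}).get(query["field"])
        if on_record is None:                   # unknown user or field: same "no"
            return False
        expected = field_digest(self._key, nonce, query["field"], on_record)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode("utf-8"),
                                   str(query["digest"]).encode("utf-8"))


def demo():
    provider = DataProvider(SHARED_KEY, RECORDS)
    good = build_query(SHARED_KEY, "user-001", "account_number", "0001-2345-6789")
    bad = build_query(SHARED_KEY, "user-001", "account_number", "000123456780")
    return provider.answer(good), provider.answer(bad), provider.answer(good)


if __name__ == "__main__":
    print(demo())
```

The provider returns the same "no" for a wrong value, an unknown user and a replayed query, so the response itself reveals nothing beyond match or no match.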
Summary
Future Work
• API Adoption of Security Patterns
• API specifications for approved methods for sensitive data sharing e.g., verification query,
hashing.
• Decision Framework (Concept)
• Multi-step process to assist FDX task forces in addressing the sharing of sensitive data for
their given use cases.
• Emerging Technology Use
• Trust Frameworks/Verifiable Credentials, Homomorphic and Polymorphic Encryption, Secure
Multi-Party Computation, Trusted Execution Environments.
Additional References
• FDX API v 4.6
• FDX API Security Model API v3.3
• FDX User Experience Guidelines 1.0
These documents are available on https://financialdataexchange.org for free. Login and
terms acceptance is required.
Q & A


+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive Financial Data Shared via APIs

  • 1. The Industry Standard for Consumer Access to Financial Records APIdays – New York Fall 2021 Security Design Patterns that Protect Sensitive Financial Data Shared via APIs Dinesh Katyal, Ray Voss, Shawn Jobe
  • 2. Agenda
      • Introduction – 2 min
      • Financial Data Exchange
      • Overview – 5 min
      • Problem Context
      • Cross Industry Effort
      • Recommended Security Patterns – 10-15 min
      • Future Work
      • Q&A – 5 min
      FDX Confidential. All rights reserved.
  • 3. Financial Data Exchange (FDX)
      FDX is not a policy or lobbying group.
      Data Sharing Ecosystem
          • We estimate that in North America alone there are ~100 million credential pairs being used to scrape data.
          • Typically 30%-35% of a given financial institution’s online user base has shared their credentials.
          • Typically 25%-40% of a given financial institution’s online logins are scraping sessions.
      FDX Mission
          FDX is dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for the secure access of permissioned consumer and business financial data, aptly named the FDX Application Programming Interface (FDX API).
      Who is using FDX
          • 100% of our FI members are using or plan to use FDX API
          • >16 million consumers are on FDX as of March 2021
          • FDX API averaged 99.91% availability.
      FDX Objectives
          • Adopt, Promote and Improve Data-Sharing Standards
          • Adopt, Promote and Improve Secure Authentication Standards
          • Develop a Certification Program
          • Develop User Experience and Consent Guidelines Best Practices
      © FDX, all rights reserved
  • 4. 190+ Member Organizations on 4 continents
      The current Board comprises 12 Financial Institutions, 5 Permissioned Parties, 5 Aggregators, 2 Industry Groups, FS-ISAC, 1 Canadian Fintech, and 1 Consumer Advocacy Group as an observer.
      FDX does not comment on policy or engage in lobbying.
      Open Membership | ¼ of members are Fin-Tech firms | 2/3 are not banks
      ABA Adastra Corporation Affinity Credit Union Akoya Ally American Express apimetrics Apiture Assiniboine Credit Union ATB Financial Authlete Axway Back in the Black Bank of America Bank of Montreal Bank of Nova Scotia/ Tangerine Bank Policy Institute BillGo Blanc Labs Blend Labs, Inc. Blucora BNC BotKeeper Callsign Canadian Credit Union Assoc. CCUA Capital One Caspian One Celero Centime Inc Central 1 CU Cequence Security CIBC Citi Group Citizens Bank Cloud Entity CloudVector Codat Computer Services Inc (CSI) Concord Advice Connect Connexussecure Consumer Edge Credit Union Central Alberta Limited DAPI Datapro inc Decision Logic Desjardins Digits Discover Duality Technologies EarnIn EEI Emoney Advisor Empower Retirement Equifax Equitable Bank Everlink Payment Services Inc. EWS Experian F5 Networks Inc. Fairstone Financial Inc.
Fannie Mae FGS - Fintech Growth Syndicate FI.Span Services Inc Ficanex FICO Fidelity Financial Apps Finconecta Finicity Finovera First Bank First Canadian Title Company Limited Fiserv Flinks Forge Rock FormFree Holdings Co FS-ISAC GT Software H&R Block Home Trust Company IBBIE LLC ICBA Iclose Inclusive Innovations Innovecture Intelliware Interac Internet Tax information Processing Services (ITIPS) Intuit Inverite Jack Henry Inc Japan Association for Financial API's JPMChase KOHO Konsentus Ltd L7 Defense LTD Large Credit Union Coalition LCUC Mass Mutual Mastercard Mazooma Merchant Treasury Meridian Credit Union Microbilt MorningStar Mountain America FCU Mscience MX MyFinApps Navy Federal Credit Union NCRC Neosec New Media IV Holdings Ninth-Wave Nivelo Tech Inc Okta Opportunity Financial Orum - Project Midas Ozoneapi PAI Payments Canada PayPal Petal Card Inc. Ping Identity Plaid Plenee Co PNC PointServ PPIJV Prarie Payments Price Water House Coopers LLP Principal PSCU QuadFI INC. Quicken Quicken Loans Raidiam Services Limited Rattlehub Digital Royal Bank of Canada Sage Salt Security Schwab Securekey self lender Servus Credit Union SIFMA Silicon Valley Bank Simpli Singular Key Skyflow Smart Solution Smart Vault Sovos Spring Labs Star Point Symcor TD Bank The Clearing House The Goldman Sachs Group The Pathfinder Group The Working Group TIAA Transunion True Layer Truist Trust Stamp US Bank USAA UW Credit Union Validifi Vantage Score Verify My Banks Visa Vopay Wells Fargo Xero Xtensifi Yodlee Varo Bank
  • 5. Every Working Group, Committee and the Board are co-chaired by a Financial Institution and a Non-Financial Institution
  • 6. How many consumers are on it?
      TLP AMBER
      • UK Open Banking is at 3 million consumers as of March 5th.
      • The US also has a higher per-capita usage than the UK (46 per thousand versus 44).
  • 7. Problem Context
      Sensitive Data
          • Any individual or collection of data elements in transit that requires a combination of security and privacy controls
          • Evaluated Data: Account Number, Account Holder Name and Address, in the context of use for Personal Financial Management, Credit and Lending, and Money Movement
      Need for Protection
          • Prevent use in a fraudulent transaction
          • Prevent compromise of private consumer information
          • Adherence to specific laws and regulations
      Protection Approach
          • Layered set of security techniques across multiple parties with controls for both access and visibility
  • 8. Constraints
      • Increased Security
          • Proposed approach should result in a meaningful increase in security and privacy
      • Ease of Adoption
          • Solution should be implementable with reasonable resources and with a high degree of consistency and predictability
      • Pro-competitive
          • No business use cases or ecosystem participants should be negatively impacted
  • 9. Detailed Benefits
      • Improved sensitive data protections through the ecosystem
      • Targeted protections, e.g., field level encryption, focus on the relevant data
      • Complements existing data security models by layering techniques
      • End-user transparency into data usage
      • Reduce need for sensitive data sharing via alternate means of satisfying use cases
      • Reduces potential for 1st party fraud
      • Improves data integrity
  • 11. Recommendation Overview
      • Categories
          • General Purpose
          • Use Case Specific
          • Emerging
      • Primary Assumptions
          • Patterns are recommended in the context of App2App integrations. Data at rest is not addressed.
          • All patterns are to be considered as additive to existing patterns in place (e.g., message encryption).
  • 13. Data Encryption and Consent
      • Asymmetric Encryption
          • Sharing of keys between a data provider and data recipient used for the encryption and decryption of sensitive data.
      • Granular Consent
          • Supplementary practice for setting permissions that are driven by the consumer and enforced throughout a multi-party ecosystem.
  • 14. Asymmetric Encryption
      Scope of Data: All
      Use Cases in Scope: All
      Considerations
          • Use only for hops from data provider to data access platform, and from data access platform to data recipient. Only encrypt relevant data, keeping data needed by intermediary systems in the clear.
          • Trust is established without exchanging private keys.
          • Partner public keys are signed and verified using a mutually trusted Certificate Authority’s public key.
          • The Certificate Authority is responsible for establishing the identity of the individual organizations.
          • FDX API Security Model and FDX API documentation describe the pattern and implementation techniques in detail.
      What Problem Can/Does It Solve
          • Prevents PII and sensitive data from traversing internal networks unencrypted. TLS will typically terminate at the API gateway and the raw content will traverse the internal network unencrypted.
          • Supports data minimization along with controlling what consumer information is being secured, thus supporting bilateral agreements.
          • Layered prevention against first party attacks, compromised transport-layer-security encryption. In alignment with FDX security control considerations. Can be used with additional patterns to provide additional levels of security.
  • 15. Granular Consent
      Scope of Data: All
      Use Cases in Scope: All
      Considerations
          • A granular consent should always be used where possible to separate use case consent that needs access to sensitive data from those that don’t.
          • Information on the requested use case and the associated sensitive data should be made available to all parties (data providers and data access platforms) to enable them to trigger appropriate controls for the data and use case.
          • Supported by FDX User Experience Guidelines and FDX Consent API
      What Problem Can/Does It Solve
          • Limiting the delivery of data provided through exchanges between parties along with providing transparency to the end user.
          • Reduces consumer friction by providing a clear and concise understanding of the data use.
          • Provides consumers a means for increased control over the privacy of their data.
  • 16. Use Case Specific Patterns
  • 17. Substitution and Data Minimization
      • Data Masking / Truncation
          • Obfuscation of a value from its original form for the purpose of controlling visibility and exposure.
      • Tokenization
          • Substitutes the value with an opaque identifier that can be used as a replacement of a sensitive data element within an ecosystem.
      • Alternative Data
          • Limiting the sharing and collection of data in order to maintain consumer trust and reduce general security threats
      • Hashing
          • Process in which data of any size is mapped to a fixed length of characters and used for ensuring that the data has been unaltered.
  • 18. Tokenization
      Scope of Data: Account Number
      Use Cases in Scope: Money Movement
      Considerations
          • Implemented at the data provider for better security and control.
          • Ensure tokens are as usable for the purpose as the original account number, e.g., no change to ACH, SWIFT, or other money movement schemes should be needed.
          • Supported in FDX API v 4.5 onwards
      What Problem Can/Does It Solve
          • Protects the account number from being leaked by using a substitute value that can only be used to execute transactions. Substitute account numbers can be reissued and replaced without impacting the end customer.
          • Provides the end customer the ability to deactivate a substitute account number, taking away any holder's ability to move money.
          • Streamlines the replacement of account numbers for the account holder as it requires the customer to be involved.
          • Reduces the risk to all parties in the chain as nobody holds the actual account number.
  • 19. Alternative Data
      Scope of Data: Account Number
      Use Cases in Scope: Account Verification
      Considerations
          • Potential for removing sensitive data from the transaction.
          • Account validation can be done through data such as transaction history rather than account number
          • It is becoming more common that credit furnishers do not provide full account numbers
          • Can impact the robustness of an automated verification process
          • Without the full account number it can lead to fraud
      What Problem Can/Does It Solve
          • Replaces the use of sensitive data with non-sensitive data, reducing the need for additional security measures or design patterns associated with sensitive data
          • Accomplishes the same business objective using non-sensitive data, which is neutral from a business perspective, but superior from a compliance, risk and security perspective. The exact alternative data would be decided on a use case by use case basis
          • Minimizes the amount of sensitive data throughout the ecosystem.
  • 20. Verification Query
      Scope of Data: All
      Use Cases in Scope: Account Owner Identity Verification, Money Movement Setup
      Considerations
          • Sensitive data is gathered and transmitted to the provider for verification.
          • Can be combined with hashing to prevent data transmission in the clear.
          • Instead of requiring account number to verify, the data recipient sends an end-user identifier, e.g., account number or phone number, to the data provider. The data provider compares that with the account number or phone number on record and responds with yes if the data match, and no if they do not.
          • Bank information becomes the primary source versus derived.
      What Problem Can/Does It Solve
          • Reduces the risk from rogue or poorly implemented data recipient apps. Since this method relies on the end-user providing the sensitive data to verify, it prevents the data recipient from obtaining this data from the data provider without the end-user knowing about it, or worse, under false pretexts.
          • It also reduces the risk surface for ATO fraud by making it difficult for a fraudulent user who took over a legitimate user’s credentials to carry out fraud, as the fraudulent user now also needs to know the sensitive data to complete the operation.
  • 21. Masking / Truncation
      Scope of Data: All
      Use Cases in Scope: Account Verification, Account Identification, API call requirements.
      Considerations
          • Reconciliation of information with unmasked data element
          • Integrity of data structure with selective masking of data elements
          • Data Recipient discretion based on use case
          • Masking used in conjunction with alternative data and verification query increases
          • Generally accepted best practice when working with cardholder data
      What Problem Can/Does It Solve
          • Protects the data element from being leaked or re-distributed as source data is masked
          • Pseudonymization for analytical modeling, regulatory compliance and privacy scenarios
  • 22. Hashing
      Scope of Data: Account Number, Account Holder Name, Account Holder Address.
      Use Cases in Scope: Account Verification
      Considerations
          • Used to verify the integrity and ensure the original value has not been modified or tampered with.
          • Hashing is not encryption of data: it is a one-way transformation of the data, whereas encryption algorithms are two-way (encrypting, decrypting) functions.
          • Requires use of SHA256 or SHA-3 (secure hashing algorithms).
          • It is recommended that it be combined with various encryption techniques for added security.
          • Use is well known and there are no real blockers to adoption.
          • Both parties know the original data that is used for comparing.
      What Problem Can/Does It Solve
          • Hashing provides a solution for ensuring the integrity of a given value while adding an additional level of security.
          • Recipients are able to perform verification without needing the value in clear text.
          • If encryption is not implemented or not being used, then it is a feasible alternative to ensure the integrity of the data element and/or message payload.
  • 24. Future Work
      • API Adoption of Security Patterns
          • API specifications for approved methods for sensitive data sharing, e.g., verification query, hashing.
      • Decision Framework (Concept)
          • Multi-step process to assist FDX task forces in addressing the sharing of sensitive data for their given use cases.
      • Emerging Technology Use
          • Trust Frameworks/Verifiable Credentials, Homomorphic and Polymorphic Encryption, Secure Multi-Party Computation, Trusted Execution Environments.
  • 25. Additional References
      • FDX API v 4.6
      • FDX API Security Model API v3.3
      • FDX User Experience Guidelines 1.0
      These documents are available on https://financialdataexchange.org for free. Login and terms acceptance is required.
  • 26. Q & A
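
An added example (not from the FDX deck or the FDX API specification) of the Verification Query pattern on slide 20, combined with the hashing and masking described on slides 21 and 22. The per-request nonce, the HMAC-SHA256 construction, and all names (`DataProvider`, `field_digest`, `recipient_query`, `mask`, the sample record) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample record held by the data provider (not real data).
RECORDS = {
    "user-123": {"account_number": "000123456789", "phone": "+1 (212) 555-0100"},
}


def normalize(field: str, value: str) -> str:
    """Canonicalize a value so both parties hash identical bytes."""
    value = unicodedata.normalize("NFKC", value).strip()
    if field in ("account_number", "phone"):
        value = "".join(ch for ch in value if ch.isdigit())
    return value.casefold()


def field_digest(field: str, value: str, nonce: bytes) -> str:
    """HMAC-SHA256 keyed with a per-request nonce (assumed design).

    The nonce binds the digest to one query, so a captured digest cannot be
    replayed or looked up in a precomputed table. It is not a secret: anyone
    who sees nonce and digest can still guess low-entropy values offline,
    which is why the slides recommend combining hashing with encryption.
    """
    message = f"{field}\x00{normalize(field, value)}".encode("utf-8")
    return hmac.new(nonce, message, hashlib.sha256).hexdigest()


class DataProvider:
    """Answers yes/no only; the value on record never leaves the provider."""

    def __init__(self, records):
        self._records = records
        self._pending = {}  # nonce (hex) -> user id, consumed on first use

    def challenge(self, user_id: str) -> str:
        nonce = secrets.token_bytes(16)
        self._pending[nonce.hex()] = user_id
        return nonce.hex()

    def verify(self, nonce_hex: str, field: str, claimed_digest: str) -> bool:
        user_id = self._pending.pop(nonce_hex, None)  # single use
        if user_id is None:
            return False
        on_file = self._records.get(user_id, {}).get(field)
        if on_file is None:
            return False
        expected = field_digest(field, on_file, bytes.fromhex(nonce_hex))
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), claimed_digest.encode())


def recipient_query(provider, user_id: str, field: str, typed_value: str) -> bool:
    """Data recipient side: hash what the end user typed and ask the provider."""
    nonce_hex = provider.challenge(user_id)
    digest = field_digest(field, typed_value, bytes.fromhex(nonce_hex))
    return provider.verify(nonce_hex, field, digest)


def mask(account_number: str, visible: int = 4) -> str:
    """Masking/truncation for display: keep only the last `visible` digits."""
    digits = normalize("account_number", account_number)
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


if __name__ == "__main__":
    provider = DataProvider(RECORDS)
    print(recipient_query(provider, "user-123", "account_number", "0001-2345-6789"))
    print(mask("000123456789"))
```

The provider's answer is a single boolean, so in production the `verify` endpoint also needs attempt limits per user, since a yes/no oracle over a short numeric field can otherwise be enumerated.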

Editor's Notes

  1. https://financialdataexchange.org/FDX/The%20Consortium/FDX/The-Consortium/Members.aspx Some members are non-disclosure.
  2. https://www.openbanking.org.uk/ https://www.reuters.com/article/us-britain-banks/uk-watchdog-looks-to-open-banking-apps-to-help-boost-competition-idUSKBN2AX1EO