1.
The Global Influence of Open Banking, API
Security, and an Open Data Perspective
BILL DOERRFELD AND OLAF VAN GORP

2.
2 | Open Banking akana.com
Presenters
Olaf van Gorp
Senior Product Specialist
Akana
Bill Doerrfeld
Editor in Chief
Nordic APIs Blog

3.
3 | Open Banking akana.com
Agenda
1
2
3
4
5
What is Open Banking (and what is it not)?
Global Developments and case studies
Open Banking and the API mindset
Open Banking and the benefits of API management
Conclusion

4.
@DoerrfeldBill
Introduction
● Bill Doerrfeld
● Tech Journalist, API economy
● Following Open Banking since 2015
● Editor in Chief of Nordic APIs
● Twitter: @DoerrfeldBIll
● Portfolio: doerrfeld.io

5.
@DoerrfeldBill
An API Community
API Tooling Specialists
API Consumers
Thought Leaders, Bloggers
API Owners, Practitioners
Blog, Digest
Events

6.
@DoerrfeldBill
What Is Open Banking?
● Programmable: Read/write bank data
programmatically
● FinTech Ecosystem: Enabling others
access
● Consumer Rights: Democratizing data
● Consumer Convenience: Let banks
specialize on core, allow innovators increase
UX
● EU Origin: Regulation influences, ripples
worldwide
● Regulation: PSD2

7.
@DoerrfeldBill
Open Banking is NOT:
● Less Secure: Arguably more secure than
screen scraping
● Less Private: Consumers own data,
Integrations are not opaque
● Damaging for Bank Business: Instead, a
Change. Vertical → Horizontal. Opening
new business channels, services, drive
growth

8.
@DoerrfeldBill
The Old, Monolithic Bank
● Siloed: Data is highly inaccessible
● Poor Visibility: PDF downloads :(
● Bad UX: Banks traditionally not tech
companies, difficult transition to mobile.
● No Interoperability: No easy access for
partner integration
● Screen Scraping: Prevalent, and
insecure
● Sluggish: Infrequent updates

9.
@DoerrfeldBill
The Open Data Bank
● De-Siloed: Data integrations
● Composable: Microservices
architecture
● Transparent: API-enabled access
● Partner UX: Partners innovate and
increase end UX
● Interoperable: Read and write
capabilities
● Secure: Connections are secured
● Agile: Advanced functionality

10.
@DoerrfeldBill
A Sample Open Banking Ecosystem

11.
@DoerrfeldBill
The Real FinTech Landscape
FROM: VentureBeat, 2017.

12.
@DoerrfeldBill
Open Banking Company Benefits
1. Partner Programs: Niche FinTech services
can optimize front-end user interfaces.
2. Integrations: A bank API allows seamless
integration financial-oriented products
3. Stickiness: Increase consumer options and
confidence in service
4. Revenue Model: Banking-as-a-Services can
be productized

13.
@DoerrfeldBill
Open Banking Consumer Benefits
1. Own Data: Open Banking is progressive, granting user data rights
2. Visualize: Standardized integrations allow better visibility
3. Flexibility: Mobile, voice, platform agnostic
4. Experience: More-informed, confident users
5. Security: Lost credentials, re-entering logins

14.
@DoerrfeldBill
Q: Why Is This Change Happening Now?
Answer #1: Regulation (PSD2)

15.
@DoerrfeldBill
PSD2: More Details
1. EU-based initiative
2. 9 largest: HSBC, Barclays, RBS, Santander, Bank of
Ireland, Allied Irish Bank, Danske Bank, Lloyds and
Nationwide
3. Startups / FinTechs
4. Standards: Debate, but APIs most
obvious choice
5. Tooling: JSON web tokens,
OAuth/OpenID Connect for authentication

16.
@DoerrfeldBill
PSD2: An Overview
(Payment Services Directive)
"PSD2 will force banks to allow third parties to access
a given customer’s data, where that third-party is
acting as a data consumer or a delegated authority: The
EU describes these as “third party providers (TPPs)
[who] offer specific payment solutions or services to
customers”
- CHRIS WOOD
Nordic APIs blogger,
Open Banking standards
author in the UK
FROM: How Does Open Banking Apply to US Banks? On the Nordic APIs blog

17.
@DoerrfeldBill
Other Open Banking Legislative Bodies
● UK: CMA (Competition
and Markets Authority)
● US: The Senate Banking
Committee discussed in
2018. No regulation yet.
● "the US has a lot of
catching up to do" -
American Banker

18.
@DoerrfeldBill
Q: Why Is This Change Happening Now?
Answer #2: Market Pressure
"87% of individuals preferred to adopt a fintech
application rather than use a product or service
offered by a traditional financial services provider."
FROM: https://www.americanbanker.com/opinion/us-way-behind-the-curve-on-open-banking

19.
@DoerrfeldBill
Banks Respond to Market Pressure
"Citigroup, BBVA Compass, Bank of America and
Capital One are among the large U.S. banks that have
been making pieces of their internally developed
software code available to outsiders. Other banks are
likely to follow."
- PENNY CROSSMAN,
AMERICAN BANKER
FROM: https://www.americanbanker.com/news/fintech-glasnost-why-us-banks-are-opening-up-apis-to-outsiders

20.
@DoerrfeldBill
How Does Open Banking Apply to US
Banks?
"The future of Open Banking in the US market,
therefore, looks more likely to be driven by the
market than regulation. However, there is still an
opportunity to introduce standardization through open
APIs behind the scenes."
- CHRIS WOOD
Nordic APIs blogger,
Open Banking standards
author in the UK
FROM: How Does Open Banking Apply to US Banks? On the Nordic APIs blog

21.
@DoerrfeldBill
Case Study: Canadian Imperial
Bank of Commerce (CIBC)
● The API Foundation is used
across the bank
● Container environment with
development network
● Developer training program to
promote internal community
● Self-service API marketplace
available (cost savings of 50–
70% per integration)
FROM: https://nordicapis.com/how-banks-are-becoming-uberized/

22.
@DoerrfeldBill
Banks Are Becoming Uberized
“The critical skill here; treat your assets more like
products...[Acting like a tech company is] a shift for
banks to survive.”
- Eyal Sivan, CIBC

23.
@DoerrfeldBill
Case Study:
FROM: https://bbvaopenplatform.com

24.
@DoerrfeldBill
The Amazon Mantra on Externalization
"All service interfaces, without exception, must be
designed from the ground up to be externalizable.
That is to say, the team must plan and design to be
able to expose the interface to developers in the
outside world. No exceptions."
- Jeff Bezos internal
mandate, 2002

25.
@DoerrfeldBill
Banks Must Consider:
(Developer Experience)
● DX is UX for developers
● Performance: Is the API usable?
Call successful? Available?
Uptime? Response time?
● Dev Onboarding: Testing,
sandboxing, SDKs, libraries.
● API Monitoring & Testing now
crucial
FROM: https://www.openbanking.org.uk/providers/account-providers/api-performance/

26.
@DoerrfeldBill
Future of The Bank
● Banks are now tech companies
● Architecture: composable Microservices
● Banking-as-a-Service
● Agility = Competitive Advantage
● Amazon Model: Future infrastructure must be built to be externalized
○ API-first development

27.
@DoerrfeldBill
API Thinking not Doing
When Flavia joined ING, they weren’t just lacking in
API execution, or “API doing”, but they were also
lacking in API understanding, or “API thinking.” This
was making it hard to execute a definite platform
strategy.
Flavia Sequeira, ING Bank
Presented at Nordic APIs
Platform Summit 2017
FROM: https://nordicapis.com/from-api-doing-to-api-thinking-in-a-major-bank/

28.
@DoerrfeldBill
Business Benefits From API-First Mindset
● Regulation: Helps to conform to
regulation
● Reusability: Transforms all
infrastructure into reusable
components
● API-as-a-Product: Banking-as-
a-Service can be monetized as a
product
● Partnerships: Enables new
business partnerships to form.
Ex. 300 Signups in 72 Hours,
Nordea Bank.
● Brand Awareness: Can help
spread brand awareness
● Indirect: Open data & open
source breeds innovation

29.
@DoerrfeldBill
Further Resources on Open Banking
Nordic APIs has covered a lot!

30.
Market vs Regulation

31.
31 | Open Banking akana.com
The Value of APIs
• Decoupling
• Delegation of specific
responsibilities

32.
32 | Open Banking akana.com
Open Banking
Standards
• Service and data model
• Security profile

33.
33 | Open Banking akana.com
Open Banking – Sample Solution Building Blocks
Open
Banking
IAM
(Identity and Access
Management)
APIM
(API Management)
Banking
System
Onboarding
Fraud
Detection

34.
34 | Open Banking akana.com
Overview of Technical Requirements
• Effectively create API interface
(based on Swagger/OAS as part
of OB standard)
• Map the API interface to back-
end resources (banking services)
• Satisfy security requirements
(security profile)

35.
35 | Open Banking akana.com
APIs and API Management
API Management
Gives you control over the API across
its entire lifecycle, from design to
deployment to operational health.
APIs
Expose a business capability to
designated consumers in a secure
and controlled manner.
API Management Solutions
Provide the capabilities to address
and automate your API management
requirements.

36.
36 | Open Banking akana.com
Import Open Banking API Specification

37.
37 | Open Banking akana.com
Connect API Interface to Back-End
This typically calls for effective:
• Orchestration (back-end resources)
• Transformation (data)
• Mediation (security context)

38.
38 | Open Banking akana.com
Implement the Security Profile
Consumer Authentication
and Authorization
Transport Layer Security Content Security

39.
39 | Open Banking akana.com
Security Profile Implementation Summary
Consumer Authentication
and Authorization
OAuth2.0 (and OpenID Connect)
Transport Layer Security
Mutual TLS
Content Security
JSON Web Tokens (JWS/JWE)

40.
40 | Open Banking akana.com
Open Banking Security Summary
Ensure that each request is coming from a trusted source
OAuth
Ensures client authorization
MTLS
Ensures client authenticity
JWT
Ensures message integrity,
confidentiality, and non-repudiation

41.
41 | Open Banking akana.com
API Security Policies
Policies should be:
- configurable
- reusable
- versioned

42.
42 | Open Banking akana.com
Open Banking API Portal

43.
43 | Open Banking akana.com
Benefits of an APIM Solution for Open Banking
• Decouple Open Banking API from back-end systems
• Delegate Open Banking requirements
• In particular: consumer authentication, authorization, message security
• In addition, take care of ‘implicit’ API requirements
• API security, rate limiting, consumer management, API versioning, etc.
• Allow for evolution
• API lifecycle management (maintainability, interoperability, premium APIs,…)

44.
Q&A