Original article. As this is an FDX article, we have decided to publish an English version as well, as we have received requests to introduce it to English-speaking people. Thank you for the request.
I am Chikashi Toyoshima from Zerobank Design Factory.
I usually work mainly on the implementation & maintenance of back-end systems for Minna Bank, which is the first digital bank in Japan.
I was invited by Authlete to speak at the FDX (Financial Data Exchange) event, which promotes open banking in the US.
It's been about half a year now, but things have settled down, and this is a belated post.
The Financial Data Exchange (FDX) is a US/Canada-based non-profit organisation that develops industry standards to support secure and easy-to-use consumer and business financial data sharing. The standards aim to facilitate the sharing of data between financial service providers and data users using APIs; FDX's goal is to improve user access to financial information while ensuring data privacy, security, and transparency.
When it comes to international open banking, perhaps the UK's Open Banking, the EU's PSD2, and others are the first to come to mind. More recently, Brazil (Brazil FAPI), which also contributes to FAPI 2.0, seems to be the way ahead. In the US and Canada, there is no government-approved standard at present, but the FDX is gaining momentum.
As an implementer of open banking, my personal impression is that the FDX specification is new and of high quality, but the details of the FDX specification are not the purpose of this article and will perhaps be discussed at another time.
There were many sessions over the three days. From an engineering perspective, I felt that much of the content was business-oriented, while a technical overview was provided on the side. I will touch only on the main points.
- The transition from OAuth2 to FAPI
- API standardization and interoperability
- Financial solutions: account aggregation, A2A payments, loans, etc.
- Face-to-face meetings with regulators
In the dark ages of scraping, users gave their usernames and passwords to aggregators and paid $5 a month to the aggregators themselves, according to Authlete CTO Joseph. (He had the audience in stitches with his British-style jokes.)
Back to a serious note: after PSD2, the world has changed, and OAuth2 is now mainstream.
But OAuth2 is also too broad, with many old and deprecated specifications mixed in, and it cannot be secure unless the right choices are made.
Today, banks around the world are starting to adopt FAPI everywhere.
While FAPI 1.0 focused on security, FAPI 2.0 (now in draft) is said to also focus on UX and developer experience, perspectives that were missing from FAPI 1.0. The latest FDX API specification uses FAPI 2.0 (Draft).
The situation in the US is somewhat similar to that in Japan, where there is still no standard government-approved financial API, making FDX activity significant. The number of users of the FDX API is reported to be over 50 million. The statistics are unique, so it is not clear whether this is simply synonymous with the number of users, but it is probably true that the number of users has expanded significantly.
As the interoperability ecosystem expands through the standardization of financial APIs and the proliferation of common interfaces, various business opportunities will expand. At the FDX Summit, a number of solutions such as FDX API Gateway-like platforms were presented. Of particular interest was a platform that allows FDX APIs to be built without code (No Code Platform). Open banking is essentially about exposing the banking system in a secure and elegant way, and such solutions are more valuable when the uniform API interface is defined. It is faster to implement. The more unified and easier it is to connect, the more SDKs and surrounding solutions will expand, reducing the design and implementation burden and allowing us to focus on the business, which is what we should be focusing on.
At Minna Bank BaaS (Banking as a Service), we have always felt that improving the DX (Developer Experience) is a major business challenge. While it is a prerequisite that it is secure, if it is not easy to connect, business collaboration through APIs will not be easy to expand.
Account aggregation is a typical use case, as is the functionality provided by Minna Bank's "Record" feature. This alone would be too familiar and uninteresting, so here are some interesting aggregation use cases that have been presented.
In the US, with its large immigrant population, credit invisibility is accordingly a social problem. For example, an immigrant from Brazil cannot easily apply for a credit card in the first year because she/he has no credit score in the US. The intervention of a credit score aggregator allows financial institutions to seamlessly assess the credit score in the country of origin. If there are differences in financial APIs between countries, it is not so easy from the aggregator's point of view. However, if the relevant financial institution is FDX compliant, the score can be confirmed legitimately and smoothly through the credit score aggregation application, whether you are Brazilian or Colombian. The presenter also said that such a strong experience between the bank and the individual would also lead to a long-term relationship.
Another typical use case is A2A payments. This is a service that is also provided by the Minna Bank BaaS API.
It is a system of direct payments from a personal bank to a corporate bank. By the way, in Brazil it is called PIX. I often hear the term used in discussions with FDX members. Perhaps the term is becoming ubiquitous, whereas in Japan it's still not common. Several companies were talking about A2A payments, so I had the feeling that it was popular.
There was also a session on the system design of real-time payment notification using webhooks in the implementation of A2A payments, and Minna Bank's webhook would also be implemented with partial reference to the "FDX Event Notification Framework".
Listening to the various use cases and implementations, there was a sense of empathy and déjà vu, and also a sense that the rails that we are walking are not out of alignment.
The keynote featured a conversation between Michael J. Hsu, Acting Comptroller of the Currency, government officials, and Don Cardinal, FDX Managing Director.
Full text of Michael J. Hsu's speech
To be honest, I didn't fully grasp the gist of this session due to my limited understanding of affairs in the US. However, I got the general impression that the FDX is in the process of maturing, deepening cooperation with regulators, and solidifying its position in API standardization. In Japan, it may be easy to imagine that the FISC or the Japanese Bankers Association (a.k.a. Zengin) WG's open API specification will be approved by the FSA. However, Japan currently lacks a concrete standard specification. Nonetheless, Japan has clearly not reached the level of FDX.
These are my reports from the FDX Global Summit.
I presented together with Mr. Viktors Garkavijs from Mixefy, who is developing the BaaS API with us.
Here are some of the contents of the presentation.
Our approach to implementing open banking was:
1. to follow what needs to be followed,
2. to pursue best practices in the authentication and authorization infrastructure, and
3. to roll out domain-specific APIs on top of that.
The API currently used by our customers (TPPs) in the production environment is the FAPI 1.0 Advanced compliant API.
The following is a rough architecture diagram.
※ Our BaaS API has been certified by the OpenID Foundation as FAPI 2.0 Security Profile Second Implementer's Draft & Message Signing First Implementer's Draft. It is also published on FAPI 2 Providers & Profiles.
Much appreciation to Authlete for the invitation.
FDX is a North American organization, but they also hold APAC General calls on a monthly basis, and it seems that they are considering expanding into the Asian region. When we informed Don Cardinal, FDX Managing Director, of the current status of open banking in Japan, the conversation led to the establishment of the FDX JP Research Task Force. (We will share more about this activity as it develops.) We would like to work with FDX on how we can improve the open banking scene in Japan.
The next Global Summit will be held in Washington D.C. in March. I would like to participate if possible.