Financial-grade API – the new highly secure specification of data schemas, security and privacy protocols.
Open Banking APIs expose sensitive customers’, account and payment data to third-party solution providers such as payment initiators, account aggregators and other emerging fintechs.
While opening up interfaces is aimed at making financial services easily available to customers, this leads to an environment that can be exploited by cyber criminals, if adequate security measures are not implemented.
To ensure the integrity of transactions and the safeguarding of data, a new level of market standard has recently emerged: FAPI (Financial-grade API).
Although FAPI was introduced not long ago, UK OpenBanking and Open Banking Brasil are already built on FAPI. As the role of digital identity and an open everything ecosystem evolves more and more, leveraging FAPI protocols is increasingly critical to streamline user experience and remain secure in an open banking world.
FAPI – High security for your confidential data
FAPI is an industry-led specification of JSON data schemas, security and privacy protocols. The new highly secure standard supports use cases for commercial and investment banking accounts as well as insurance and credit card accounts. Thus, individually encrypted documents, financial data, account information and other confidential data are kept safe.
FAPI is a tightened variant of the two security protocols OAuth 2.0 and OpenID Connect, and defines additional technical requirements for higher API security.
- OAuth 2 is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user, hence it’s a framework for secure API authorization
- OpenID Connect is an extended identity layer for the OAuth 2, which makes it possible to authenticate the end user.
FAPI security objectives:
Stops attackers from logging in under a false identity and impersonating another user.
Attackers cannot access resources of another user
Ensures that no attacker is able to force a user to be logged in under the identity of the attacker.
Full traceability – The authorship or validity of queries/data cannot be disputed
Through our memberships and our active participation in the most important open banking bodies, we do not only shape the financial market, but also form the necessary bridge to our customers.
Not only did we acquire the FAPI expertise, but we also participated in the development as part of the OpenID community. We were able to set a valuable milestone by successfully implementing our FAPI prototype at a major national bank.
Get a deeper insight into how FAPI works in our whitepaper.