adorsys FAPI

Financial-grade API

The new high-security specification for data schemas, security, and privacy protocols.

The challenge

Open Banking APIs expose sensitive customer, account and payment data to third-party solution providers such as payment initiators, account aggregators and other emerging fintechs.

While the opening of interfaces is intended to make financial services easily accessible to customers, it creates an environment that can be exploited by cybercriminals if appropriate security measures are not implemented.

To ensure the integrity of transactions and the security of data, a new level of market standard has recently emerged: Financial-grade API (FAPI).

Although FAPI has only recently been introduced, UK OpenBanking and Open Banking Brasil are already based on FAPI. As the role of digital identity and an open-everything ecosystem continues to evolve, the use of FAPI protocols will become increasingly important to streamline the user experience and remain secure in an open banking world.

The solution

FAPI – High Security for Your Sensitive Data

FAPI is an industry-led specification of JSON data schemas, security and privacy protocols. The new high-security standard supports use cases for commercial and investment banking accounts, as well as insurance and credit card accounts. It protects individually encrypted documents, financial data, account information, and other sensitive data.

FAPI is a tightened version of the OAuth 2.0 and OpenID Connect security protocols, and defines additional technical requirements for increased API security.

  • OAuth 2 is a standard designed to allow a website or application to access resources hosted by other web applications on behalf of a user, so it’s a framework for secure API authorization.
  • OpenID Connect is an extended identity layer for OAuth 2 that enables end-user authentication.

The benefits

  • Authentication
    Prevents attackers from logging in with a false identity and impersonating another user.
  • Authorization
    Prevents attackers from accessing another user’s resources
  • Session integrity
    Ensures that no attacker can force a user to log in under the attacker’s identity.
  • Non-repudiation
    Full traceability – authorship or validity of requests/data cannot be disputed