Guidance to the CFPB regarding US Open Banking

Published July 24, 2024
Authors: Gail Hodges, Joseph Heenan, Dima Postnikov, Mark Haine, Mike Leszcz, Elizabeth Garber 

Following our May 16 open letter to the Consumer Financial Protection Bureau, the OpenID Foundation has been engaged in discussions about their rule-making on Personal Financial Data Rights. This post summarizes our guidance to the CFPB.

Why are we engaged?

The OpenID Foundation is committed to supporting Open Banking ecosystems worldwide - all ecosystems that rely on identity data. In particular, we develop and continuously iterate upon world-class identity standards that improve security and underpin interoperability. This creates conditions for competitive marketplaces that protect consumers. 

By offering this guidance to the CFPB, we are answering a call from those seeking to enhance the security of US digital infrastructure. In its March 2024 report, the United States Cyber Safety Review Board (CSRB) called on us to continue iterating on our standards to ensure they are fit for purpose in use cases requiring heightened security - and they called on Cloud Service Providers (CSPs) to adopt those standards. We believe that the US Open Banking ecosystem, to best protect consumer data, should follow suit. 

FAPI as a Secure Communications Protocol

We recommend that the CFPB, in its rule-making, ensures the use of a secure communications protocol for the exchange of identity data. We also propose that the widely adopted FAPI family of specifications performs this role.

The FAPI profile enhances the OAuth 2.0 framework for high-security use cases. It is based on an advanced attacker model and closes critical security gaps that OAuth 2.0 does not address. We provided the CFPB with the example of Client Authentication:

This image shows how the OAuth 2.0 framework allows for multiple client authentication methods, while FAPI limits options to only the most secure.

This slide also shows how each jurisdiction may develop its own local profile for any final configuration choices.
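The client-authentication restriction described above, as an added example that is not from the post or from any OpenID Foundation code: a token-endpoint policy check that names the OAuth 2.0 client authentication method a request uses and admits only the methods the FAPI security profiles allow (private_key_jwt and mutual TLS), with the RFC 7523 claim checks for a private_key_jwt assertion. The header and form field names, the X-Client-Cert header, the sample client and endpoint are assumptions; signature verification of the assertion is assumed to be done by a JOSE library before this check runs.

```python
import base64
import json
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Client authentication methods a FAPI-conformant authorization server may accept.
FAPI_ALLOWED = {"private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth"}

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _jwt_part(token: str, index: int) -> dict:
    seg = token.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def sample_assertion(client_id: str, token_endpoint: str, exp: int, alg="PS256") -> str:
    """Constructed client assertion for demonstration; the signature segment is a
    placeholder, so a real server would reject it at signature verification."""
    header = {"alg": alg, "kid": "example-key"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint, "exp": exp}
    return f"{_b64url(header)}.{_b64url(claims)}.placeholder-signature"

def detect_method(headers: dict, form: dict) -> str:
    """Name the OAuth 2.0 client authentication method a token request uses."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_secret" in form:
        return "client_secret_post"
    if form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form:
        alg = _jwt_part(form["client_assertion"], 0).get("alg", "")
        # An HMAC alg means the assertion is keyed with the shared client secret.
        return "client_secret_jwt" if alg.startswith("HS") else "private_key_jwt"
    if headers.get("X-Client-Cert"):  # assumed header set by the mTLS terminator
        return "tls_client_auth"
    return "none"

def check_fapi_client_auth(headers: dict, form: dict, token_endpoint: str, now: int):
    """Return (accepted, reason): FAPI allowlist plus the RFC 7523 assertion claim checks.
    Signature verification against the client's registered JWKS is assumed done earlier."""
    method = detect_method(headers, form)
    if method not in FAPI_ALLOWED:
        return False, f"{method} is allowed by OAuth 2.0 but not by FAPI"
    if method == "private_key_jwt":
        claims = _jwt_part(form["client_assertion"], 1)
        if not (claims.get("iss") == claims.get("sub") == form.get("client_id")):
            return False, "iss and sub must equal client_id"
        aud = claims.get("aud", [])
        if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
            return False, "aud must be this token endpoint"
        if claims.get("exp", 0) <= now:
            return False, "assertion expired"
    return True, method
```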

Current global ecosystem adoption of FAPI includes (the original table recorded, for each ecosystem, whether FAPI had been selected, mandated, or deployed):

  • United Kingdom - Open Banking
  • Australian Treasury & Data Standards Body
  • Australian ConnectID
  • Brazilian Open Finance
  • Saudi Arabian Monetary Authority
  • United Arab Emirates Government (2024 launch)
  • Chilean Ministry of Finance
  • Colombian Government (expected 2024)
  • Norwegian HelseID (Health)
  • German Verimi
  • Canadian Open Banking (expected)
  • US FDX (recommended)

The Benefits of Interoperability

By reducing the optionality inherent in the OAuth 2.0 framework, FAPI also promotes interoperability within and across ecosystems. We shared the example of a startup that sought to integrate with banks and open banking partners in the US and globally. It encountered a wide variety of:

  • Cryptographic Methods, including less secure signing methods (covered by FAPI)
  • Client Authentication, including less secure authentication methods (covered by FAPI)
  • Data formats and payloads, each of which required interpretation 
  • Approaches to data minimization, including many cases of receiving more data than requested
  • Security Culture & Practices, enabling the selection of less secure options (somewhat addressed by selecting FAPI)

This wide variety prevents interoperability and places heavy burdens on fintechs and new market entrants. Interoperability, on the other hand, ensures:

Our original Open Letter provides more information about FAPI and its role in underpinning security and interoperability.

Other Relevant Standards: Federation and Shared Signals

While the conversation with the CFPB began as a strong recommendation to name a secure communications protocol, we would be remiss if we did not also refer to other OpenID Standards designed to improve the security and viability of open data ecosystems. In particular:

  • OpenID Federation is designed to quickly establish trust between parties who have been onboarded to an ecosystem. This is how banks can ensure that data requests are coming from legitimate actors - and how legitimate actors can quickly gain access to an open banking ecosystem. 
  • Shared Signals and Events is an open API built upon a protocol suite that enables applications and service providers to communicate about security events to make dynamic access and authorization decisions. It acts as a signaling layer on a back channel that helps secure near real-time sessions. We wrote about its benefits in a read-out from a recent interoperability event here.

What's Next?

The OpenID Foundation is engaged in ongoing discussions with the CFPB and is exploring the requirements for approved standard-setting bodies. Those interested in promoting a secure and thriving Open Banking ecosystem in the United States and around the world should stay tuned!

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy-preserving. The Foundation's OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation's standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling "networks of networks" to interoperate globally. Individuals, companies, governments, and non-profits are encouraged to join or participate.
 
Find out more at openid.net.