Authors: Gail Hodges, Joseph Heenan, Dima Postnikov, Mark Haine, Mike Leszcz, Elizabeth Garber
Following our May 16 open letter to the Consumer Financial Protection Bureau, the OpenID Foundation has been engaged in discussions about their rule-making on Personal Financial Data Rights. This post summarizes our guidance to the CFPB.
Why are we engaged?
The OpenID Foundation is committed to supporting Open Banking ecosystems worldwide - all ecosystems that rely on identity data. In particular, we develop and continuously iterate upon world-class identity standards that improve security and underpin interoperability. This creates conditions for competitive marketplaces that protect consumers.
By offering this guidance to the CFPB, we are answering a call from those seeking to enhance the security of US digital infrastructure. In its March 2024 report, the United States Cyber Safety Review Board (CSRB) called on us to continue iterating on our standards to ensure they are fit for purpose in use cases requiring heightened security - and they called on Cloud Service Providers (CSPs) to adopt those standards. We believe that the US Open Banking ecosystem, to best protect consumer data, should follow suit.
FAPI as a Secure Communications Protocol
We recommend that the CFPB, in its rule-making, ensures the use of a secure communications protocol for the exchange of identity data. We also propose that the widely adopted FAPI family of specifications performs this role.
The FAPI profile enhances the OAuth 2.0 framework for high-security use cases. It is based on an advanced attacker model and closes critical security gaps that OAuth 2.0 does not address. We provided the CFPB with the example of Client Authentication:
This slide also shows how each jurisdiction may develop its own local profile for any final configuration choices.
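To make the client-authentication point concrete, here is an added example (not OpenID Foundation code, and not taken from any FAPI implementation). FAPI 1.0 Advanced and FAPI 2.0 require confidential clients to authenticate with mutual TLS (RFC 8705) or private_key_jwt (OpenID Connect Core section 9 / RFC 7523) rather than a shared client secret. The Go program below builds and verifies a private_key_jwt assertion signed with ES256: the client holds the private key, the authorization server stores only the public key, and the verifier rejects assertions with the wrong audience, an expired lifetime, a replayed jti, or a signature from an unregistered key. The client id, token endpoint URL and the in-memory jti store are assumptions made for the example.

```go
package main
// Added example (not OpenID Foundation or FAPI project code): private_key_jwt client authentication
// with ES256, an asymmetric method FAPI 1.0 Advanced and FAPI 2.0 require. Names/URLs are assumptions.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)
const coordLen = 32 // P-256 coordinate size; a JWS ES256 signature is r||s, 64 bytes
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewClientKey generates the client's P-256 key pair; only the public half is registered with the server.
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// BuildClientAssertion (client side) proves possession of the private key by signing a
// short-lived JWT scoped to one token endpoint. No reusable secret is transmitted.
func BuildClientAssertion(priv *ecdsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	claims, _ := json.Marshal(assertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64(jti), Exp: now.Add(60 * time.Second).Unix()}) // short lifetime narrows the replay window
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 2*coordLen)
	r.FillBytes(sig[:coordLen])
	s.FillBytes(sig[coordLen:])
	return signingInput + "." + b64(sig), nil
}
// Verifier (authorization-server side) holds only the client's public key plus accepted jti values:
// a captured assertion cannot be replayed, and a leaked client database yields no usable credential.
type Verifier struct {
	ClientID, TokenEndpoint string
	PubKey                  *ecdsa.PublicKey
	seenJTI                 map[string]bool
}
func (v *Verifier) VerifyClientAssertion(token string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return errors.New("unsupported or invalid header") // allow-list the alg; never take it on trust from the token
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 2*coordLen {
		return errors.New("invalid signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:coordLen]), new(big.Int).SetBytes(sig[coordLen:])
	if !ecdsa.Verify(v.PubKey, digest[:], r, s) {
		return errors.New("signature verification failed")
	}
	var c assertionClaims
	if cb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("invalid claims")
	}
	switch {
	case c.Iss != v.ClientID || c.Sub != v.ClientID:
		return errors.New("assertion not issued by the expected client")
	case c.Aud != v.TokenEndpoint:
		return errors.New("assertion not intended for this token endpoint")
	case now.Unix() >= c.Exp:
		return errors.New("assertion expired")
	case c.Jti == "" || v.seenJTI[c.Jti]:
		return errors.New("assertion replayed or missing jti")
	}
	if v.seenJTI == nil {
		v.seenJTI = map[string]bool{}
	}
	v.seenJTI[c.Jti] = true
	return nil
}
func main() {
	priv, _ := NewClientKey()
	v := &Verifier{ClientID: "fintech-app-123", TokenEndpoint: "https://bank.example/token", PubKey: &priv.PublicKey}
	tok, _ := BuildClientAssertion(priv, v.ClientID, v.TokenEndpoint, time.Now())
	fmt.Println("first use:", v.VerifyClientAssertion(tok, time.Now()), "| replay:", v.VerifyClientAssertion(tok, time.Now()))
}
```

The contrast with client_secret_basic is the point: nothing reusable crosses the wire, the authorization server's client store contains no value that could impersonate the client if leaked, and binding the aud claim to one token endpoint means an assertion captured from one server cannot be presented to another. A production verifier would look the public key up by the registered key id and persist the jti cache with an expiry instead of holding it in memory.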
Current global ecosystem adoption of FAPI includes:
| Ecosystem | Selected FAPI | Mandated FAPI | Deployed FAPI |
|---|---|---|---|
| United Kingdom - Open Banking | ◉ | ◉ | ◉ |
| Australian Treasury & Data Standards Body | ◉ | ◉ | ◉ |
| Australian ConnectID | ◉ | ◉ | ◉ |
| Brazilian Open Finance | ◉ | ◉ | ◉ |
| Saudi Arabian Monetary Authority | ◉ | ◉ | ◉ |
| United Arab Emirates Government | ◉ | ◉ | 2024 launch |
| Chilean Ministry of Finance | ◉ | ◉ | |
| Colombian Government | ◉ | Expected 2024 | |
| Norwegian HelseID (Health) | ◉ | | |
| German Verimi | ◉ | ◉ | ◉ |
| Canadian Open Banking | Expected | | |
| US FDX | Recommended | | |
The Benefits of Interoperability
By reducing the optionality inherent in the OAuth 2.0 framework, FAPI also promotes interoperability within and across ecosystems. We shared an example of one startup that sought to integrate with the US and other banks & open banking partners globally. They encountered a wide variety of:
- Cryptographic Methods, including less secure signing methods (covered by FAPI)
- Client Authentication, including less secure authentication methods (covered by FAPI)
- Data formats and payloads, each of which required interpretation
- Approaches to data minimization, including many cases of receiving more data than requested
- Security Culture & Practices, enabling the selection of less secure options (somewhat addressed by selecting FAPI)
This wide variety prevents interoperability and places heavy burdens on fintechs and new market entrants. Interoperability, on the other hand, ensures:
- A level playing field for new fintech entrants
- Less reliance on aggregators
- Opportunities for banks and fintechs to work with partners across borders (see "Open Banking and Open Data: Ready to Cross Borders?" and our contributions to the "Global Assured Identity Network" and "Sustainable Interoperable Digital Identity" movements)
Our original Open Letter provides more information about FAPI and its role in underpinning security and interoperability.
Other Relevant Standards: Federation and Shared Signals
While the conversation with the CFPB began as a strong recommendation to name a secure communications protocol, we would be remiss if we did not also refer to other OpenID Standards designed to improve the security and viability of open data ecosystems. In particular:
- OpenID Federation is designed to quickly establish trust between parties who have been onboarded to an ecosystem. This is how banks can ensure that data requests are coming from legitimate actors - and how legitimate actors can quickly gain access to an open banking ecosystem.
- Shared Signals and Events is an open API built upon a protocol suite that enables applications and service providers to communicate about security events to make dynamic access and authorization decisions. It acts as a signaling layer on a back channel that helps secure near real-time sessions. We wrote about its benefits in a read-out from a recent interoperability event here.
What's Next?
The OpenID Foundation is engaged in ongoing discussions with the CFPB and is exploring the requirements for approved standard-setting bodies. Those interested in promoting a secure and thriving Open Banking ecosystem in the United States and around the world should stay tuned!