Joseph Heenan, a member of the OpenID Certification Program team, provided an update on the Financial-grade API (FAPI) at the OIDF Workshop at the 2019 European Identity Conference on Tuesday, May 14, 2019 in Munich.
2. Joseph Heenan: FAPI Certification Program – May 2019 Update
Who Am I?
Joseph Heenan, CTO at fintechlabs.io
OpenID Certification Team member
Software engineer & architect with over 25 years’ experience
Active contributor to the OpenID Connect FAPI/MODRNA WG & specifications
Team lead/product owner on the Open Banking Security Profile Conformance Suite
Assisted many of the largest UK banks with achieving compliance with the OpenID specification
https://www.linkedin.com/in/josephheenan/
3. Joseph Heenan: FAPI Certification Program – May 2019 Update
OIDF FAPI-RW Certification Program
OP testing launched 1st April 2019
o Two implementors certified on day 1 & several more close to certifying
RP testing in ‘pilot phase’
o RP Certification free until June 2019
Visit https://openid.net/certification/instructions/ for details
4. Joseph Heenan: FAPI Certification Program – May 2019 Update
FAPI-RW Certification: Core goals
Interoperability
Security
Correct deployment of certified software
However:
Does not test all of OpenID Connect Core or OAuth
o ‘Pretty good’ coverage of relevant parts though
o Run python OpenID Connect Core tests as well
5. Joseph Heenan: FAPI Certification Program – May 2019 Update
Conformance Suite Design Goals
Multi-party protocol testing
Structured configuration
Structured logging and results
Separation of test logic & web frontend
Deterministic, modular execution units
Protect sensitive configuration and results data
Transparent process
Usable as part of CI
6. Joseph Heenan: FAPI Certification Program – May 2019 Update
Major differences vs current certification suite
private_key_jwt client authentication
Mutual TLS client authentication
Signed request objects
Certificate Bound access tokens
Browser automation
API
Automated public regression test
Automated regression testing of all source code changes
Predictable fixed redirect URIs
Two registered clients are required (to verify certificate binding, etc.)
Resource server (with a trivial protected API) is required
Extensible to support further profiles
o e.g. the UK Open Banking profile of FAPI
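The certificate-bound access tokens in this list are what the two registered clients are there to exercise: a token that the authorization server bound to one client's mutual-TLS certificate must be rejected when it is presented over a connection authenticated with the other client's certificate. The following is an added example, not code from the conformance suite, of the check a resource server performs under RFC 8705 (the `cnf` / `x5t#S256` claim). It runs on the Python standard library only; the DER certificate bytes, the signing key and the use of HS256 are constructed placeholders for the example, since FAPI-RW requires PS256 or ES256 from a real JWS library.

```python
"""Certificate-bound access token check (RFC 8705, as used by FAPI-RW).

The authorization server puts base64url(SHA-256(DER client certificate))
into the access token's cnf.x5t#S256 claim. The resource server recomputes
the thumbprint from the certificate presented on the TLS connection and
rejects the token on mismatch. HS256 is used here only so the example runs
on the standard library; a FAPI-RW deployment uses PS256/ES256 via a JWS
library, and the binding check below does not depend on the algorithm.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(claims: dict, cert_der: Optional[bytes], key: bytes) -> str:
    """Mint a JWT; when cert_der is given, bind the token to it via cnf.x5t#S256."""
    payload = dict(claims)
    if cert_der is not None:
        payload["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    header = {"alg": "HS256", "typ": "at+jwt"}  # demo algorithm, see module docstring
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_signature(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the HS256 signature verifies, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # never trust an alg the verifier did not expect
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def token_accepted(token: str, key: bytes, presented_cert_der: bytes) -> bool:
    """Resource-server decision: valid signature AND bound to the presented cert.

    A token without a cnf claim is rejected as well: a FAPI-RW authorization
    server only issues sender-constrained access tokens, so an unbound token
    is not one this resource server should ever see.
    """
    payload = verify_signature(token, key)
    if payload is None:
        return False
    cnf = payload.get("cnf")
    if not isinstance(cnf, dict):
        return False
    claimed = cnf.get("x5t#S256")
    if not isinstance(claimed, str):
        return False
    return hmac.compare_digest(claimed, x5t_s256(presented_cert_der))


# Constructed stand-ins for two registered clients' DER certificates and for the
# authorization server's key. The thumbprint only hashes the bytes, so no X.509
# parsing is needed for the example.
CLIENT_A_CERT = b"constructed-DER-certificate-bytes-for-client-A"
CLIENT_B_CERT = b"constructed-DER-certificate-bytes-for-client-B"
AS_KEY = b"constructed-demo-key-not-for-production"


if __name__ == "__main__":
    bound = issue_token({"sub": "alice", "scope": "accounts"}, CLIENT_A_CERT, AS_KEY)
    print("client A presents own-bound token:", token_accepted(bound, AS_KEY, CLIENT_A_CERT))
    print("client B replays A's token:       ", token_accepted(bound, AS_KEY, CLIENT_B_CERT))
    unbound = issue_token({"sub": "alice"}, None, AS_KEY)
    print("unbound bearer token:             ", token_accepted(unbound, AS_KEY, CLIENT_A_CERT))
```

The second and third checks are the negative cases a conformance test for certificate binding needs: the replay across clients is why the suite asks for two registered clients, and the unbound-token case is why a resource server with even a trivial protected API is part of the setup.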
7. Joseph Heenan: FAPI Certification Program – May 2019 Update
FAPI-RW: Help Wanted
Conformance suite has automated regression tests
Ensures that conformant implementations still pass the tests
We need access to conformant implementations!
o In return, our team will let you know about any potential non-compliances
Only 1 OP vendor has signed up for ‘continuous conformance’
RP testers also wanted
8. Joseph Heenan: FAPI Certification Program – May 2019 Update
CIBA Certification
FAPI-CIBA OP tests
o Entering pilot phase imminently
o Spec still a little in flux
o Negative tests still being added
o Due to launch late June 2019
o Please email / talk to me if you have an implementation you’d like to test!
FAPI-CIBA RP tests
o Entering pilot phase July 2019
9. Joseph Heenan: FAPI Certification Program – May 2019 Update
Other available tests
FAPI-R: Positive tests only
FAPI-RW-OB: FAPI-RW tests that register intent prior to authorization
o Intent registration APIs are specific to UK OB ecosystem
HEART: Some tests available
Certification program does not cover above
Individual WGs should drive their tests & certification program
o Certification team can help/advise
o Fintechlabs.io can help
10. Joseph Heenan: FAPI Certification Program – May 2019 Update
Current roadmap
June 2019: Full launch: FAPI-RW RP & FAPI-CIBA OP
July 2019: Pilot launch: FAPI-CIBA RP
September 2019: Full Launch: FAPI-CIBA RP
Later (TBC):
o CIBA core OP tests
o FAPI-JARM OP tests
11. Joseph Heenan: FAPI Certification Program – May 2019 Update
Wrap up
Conformance Suite source code etc. publicly available on GitLab:
https://gitlab.com/openid/conformance-suite
Contributions welcome!
Production deployment:
https://www.certification.openid.net/login.html
(Log in with any Google/GitLab/OpenID account)
Contact me if you’d like some help:
o joseph.heenan@oidf.org or certification@oidf.org
o https://twitter.com/josephheenan
13. Joseph Heenan: FAPI Certification Program – May 2019 Update
A Quick Recap
Largest 9 banks (the ‘CMA9’) in the UK were found to be having an ‘adverse effect on competition’
UK Government required these 9 banks to implement APIs similar to PSD2
o 18 months ahead of PSD2 timelines
o Using a standardised API
o Covering only current accounts
Security profile derived from FAPI-RW specifications
14. Joseph Heenan: FAPI Certification Program – May 2019 Update
UK Banks
Largest 9 banks (the ‘CMA9’) are using standards derived from FAPI-RW:
AIB, Barclays, BOI, Danske, HSBC, Lloyds, Nationwide, RBS, Santander
Further UK banks due to deploy same standards
o Sainsbury’s, Creation, Cynergy, ClearBank, Cumberland BS, Yorkshire BS, Vanquis, …
Currently banks are not returning customer identity
CMA9 have all passed an older (pre-FAPI) version of the FAPI conformance tool
Banks aligning to FAPI standard within the next year
CIBA is allowed but not required
15. Joseph Heenan: FAPI Certification Program – May 2019 Update
UK API Consumers
>23 API-consuming services live with end-users as of March 2019
>38 million API calls in March 2019
Uses vary
o Account aggregation
o Affordability checks
o Credit scoring
o Financial forecasting
16. Joseph Heenan: FAPI Certification Program – May 2019 Update
The End
Thank you!
Editor’s notes
EU regulators ask for conformance results as part of PSD2 compliance
(vendor is Authlete)
The smaller banks are effectively required to adopt an established standard by PSD2, as doing otherwise is essentially impossible given the requirement to prove to the relevant regulator that the interface ‘is widely used and is easy for TPPs to use’, a requirement that is almost impossible to meet for a small bank that few TPPs are keen to integrate with.
https://www.fca.org.uk/publications/policy-statements/ps18-24-approach-final-regulatory-technical-standards-and-eba-guidelines-under-revised-payment
Banks are actually aligning to an OB-specific profile of the API with a few extra requirements; however, unlike the previous Open Banking Security Profile, it is now a true profile: nothing conflicts with or weakens FAPI.