Why secure data exchange is vital for the fintech industry [Q&A]
Over the past few years, we've seen a surge in popularity for both consumer fintech apps, as well as fintech services for businesses.
This shift in the financial services ecosystem has empowered users to take greater control of their financial lives, equipping them with tools to better understand how and where they spend their money, increase their credit scores, prepare taxes, aggregate disparate financial and investment accounts, among many other applications.
But in order for it to work effectively there needs to be an easy and safe way to access and transfer data between systems. We spoke to Don Cardinal, managing director of the Financial Data Exchange (FDX) to find out how these challenges are being addressed.
BN: What is driving the need for an FDX?
DC: The critical component in all of this fintech innovation is a user's ability to access and share their financial data with the fintech application they are seeking to use. And to date, this process has been anything but interoperable, with access and transfer of data between both the requesting and data-providing party fragmented in proprietary platforms protocols and scripts. This has resulted in an expensive, and at times, unreliable system that create barriers for innovators.
In tandem with both the widespread adoption of fintech apps and the complexity of data-access methods, the users’ awareness of the value of their own data has grown, along with the expectation of more transparency, security and ultimately control over their financial data.
The Financial Data Exchange (FDX) was founded to address these challenges and to unite the financial services industry around a common, interoperable and royalty-free data-sharing standard. We call this standard the FDX API and we’ve been working diligently to develop and promote the industry-wide adoption of this API since our inception in 2018.
Unlike many other industry groups, we are a diverse consortium that brings together participants from all corners of the financial services industry to collectively work on a solution that benefits fintechs, financial institutions, data service providers (aggregators) and other financial services providers equally, all while putting the consumer first.
BN: What are the predecessors of the FDX API?
DC: While FDX started taking shape in 2017, our API can trace its lineage to the path-breaking Open Financial Exchange (OFX) standard, which was first introduced by Microsoft, Intuit (a founding member of FDX), and CheckFree (now Fiserv, which is also a member) in 1997. By 2015, this standard was in use by over 7,000 financial institutions worldwide, making it one of the most successful 'open banking' standards in the last two decades.
With OFX starting to show its age, the FS-ISAC's (Financial Services Information Sharing and Analysis Center) Aggregation Working Group made significant progress with its Durable Data Application Programming Interface (DDA) standard between 2015 and 2017, which had already been adopted by some of the largest financial institutions in the United States.
In 2017, FDX was created to be an inclusive effort encompassing all participants of the financial services ecosystem, from financial institutions, fintechs, data service providers, to advocacy- and industry groups. As part of FDX's inclusive agenda, it recognized FS-ISAC's work and agreed to be incorporated as a wholly owned FS-ISAC subsidiary in 2018 -- with its own independent charter. In conjunction with our launch in October 2018, FS-ISAC assigned the DDA 2 to FDX and renamed it FDX API.
In July 2019, OFX formally joined FDX with the intention of establishing a unified governance framework across the two most widely adopted standards globally. As the FDX API continues to gain adoption, FDX provides ecosystem participants a single forum for maintenance, migration, and development of financial data access methods.
BN: What security and authentication protocols does the FDX API standard use?
DC: Consumers and businesses have come to expect the ability to use their financial data to drive better financial outcomes. And there has been a proliferation of vendors that have emerged seeking to deliver many different services to meet this demand. That said, access to data across myriad financial applications provisioned by a variety of organizations – big and small, financial and non-financial, regulated, and unregulated – creates significant cost, security, risk, fraud, customer experience, and operational concerns for all involved, including consumers, data service providers (aggregators), and financial institutions.
As part of the FDX charter, we define the FDX API's security architecture with the goal of providing a new standard for data exchange that is secure and based on industry-leading security frameworks. This reference architecture also provides recommendations for ongoing governance of the standard and specifies common certification procedures.
FDX's security framework is based on NIST and ISO standards. The framework covers authentication, authorization and secure information exchange between various ecosystem participants. The solution stack for each category of consumer protection are industry-adopted and standardized patterns with well-documented specifications and threat models for usage and deployment best-practices guidance.
• Federated user authentication interoperability with OpenID Connect 1.0 (OIDC).
• Delegated user authorizations within and across organizations using OAuth 2.0.
• Specific user identification pattern using Fast Identity Online 1.2 (FIDO) Universal Authentication Framework (UAF).
• Mutual TLS must be used for all communication to ensure fundamental host identification integrity and privacy for information exchanged between clients, aggregators, and financial institutions. The most updated versions of TLS (1.2 or higher) should be used to avoid known vulnerabilities along with proper certificate procurement and management practices.
In addition -- the data sources (typically financial firms) have their own connectivity rules like Access Control Lists, NATing, and device/IP blacklists to name a few. For customer authentication, we recommend multifactor authentication, MFA, (sometimes referred to as Strong Customer Authentication) and encourage the use of FIDO-compliant biometrics.
BN: What mechanisms are in place to protect consumer privacy and ensure consumers have control over their data?
DC: We believe that privacy is achieved when you have transparency, security and control over your data. For a seamless data sharing ecosystem, you also need to assure data access and traceability. In August 2019, we formulated these concepts in what we call the Five Core Principles of Financial-Data Sharing: Control, Access, Transparency, Traceability, and Security. These principles lay out our vision for the financial services industry and also serve as operating principles for FDX.
When considered together, these principles mean that account owners should have access to their data, be in control of which aspects they want to share and be able to modify or revoke such access freely, know for what purposes their data is used and what parties will have access to it, and have confidence in the security and privacy of their information.
We've seen these principles manifest themselves in consumer data sharing dashboards at banks like Wells Fargo, Bank of America, USAA, and others, which allow consumers to easily grant and revoke access to their data. As more ecosystem participants join us in our mission, we anticipate more standardized mechanisms to evolve that assure data traceability.
We believe that these principles, along with the adoption of the FDX API standard, will ensure that users of fintech services are in control in every step of the data sharing process.