Authorization for OpenBanking
A bank needs to achieve open banking compliance.
Problem
A bank with branches in multiple countries around the world has to meet country-specific open banking regulatory requirements and needs a common open banking security profile provider.
Overview
Open banking regulations emerged as a consequence of the introduction of PSD2 in the EU. Regulations are specific to each country, but a few generic requirements recur worldwide:
- Strong OAuth2-based security profile, in many cases FAPI-compliant
- Service API protection with advanced enforcement, stronger than for regular Internet services
- Regulatory-compliant application and developer registration
- Advanced API governance
The bank has to adapt its EU branches to the local regulations in force. Still, the problem is not solved for the bank either in the EU or globally. The far-from-optimal approach taken in the EU is not extendable to the rest of the world at a reasonable cost.
The EU regulations have resulted in a few standards introduced by member states, such as Open Banking UK, NextGenPSD2, STET API, Polish API, or Slovak API. Given the limited time to achieve compliance, the bank allows its branches to use separate security products for each of these standards. The bank cannot afford to use this expensive strategy worldwide.
The bank intends to provide its branches worldwide with a single versatile product that is comprehensive enough to meet the security requirements of most, if not all, upcoming open banking standards.
The next and currently most important region for the bank is North America, where the bank wants to test the new strategic approach. The selected product has to satisfy the security requirements of the Financial Data Exchange (FDX) standard and of the emerging open banking standard in Canada.
Solution
The bank selects Cloudentity with the following benefits in mind:
- Cloudentity provides advanced authorization and enforcement.
- Cloudentity is one of the few FAPI-certified providers.
- Cloudentity is a Financial Data Exchange (FDX), Cloud Security Alliance and OpenID Foundation member.
Result
Cloudentity’s solutions allow the bank to
- Provide a FAPI-compliant authorization server to register applications, issue tokens for service consumption, and more,
- Integrate with their existing customer identity stack using the bring-your-own-identity model,
- Allow third-party developers to register,
- Let third-party developers use APIs and UIs to register their applications,
- Define authorization policies validated and enforced before issuing the tokens required for service consumption,
- Define authorization policies validated and enforced during service consumption,
- Enforce API protection in a FAPI-compliant manner,
- Improve API governance.
Certified provider
As of December 2019, Cloudentity is one of the nine FAPI R/W OP w/ MTLS certified providers.