apidays LIVE Hong Kong 2021 - Next Stage for Open API at Banking Industry by Nicky Ng, IBM

apidays LIVE Hong Kong 2021 - API Ecosystem & Data Interchange
August 25 & 26, 2021

Next Stage for Open API at Banking Industry
Nicky Ng, Architect at IBM


  1. Next Stage for Open API at Banking Industry
     for 25,26 August 2021
     IT Architect, Global Business Services
     IBM Services / © 2021 IBM Corporation
  2. Different Ways of Open API with Banks

     As API Provider (diagram: TSP makes Open API Calls to BANK)
     • Mostly focused as part of Open Banking journey
     • Hong Kong Monetary Authority (HKMA) Open API Framework
     • Banks are traditionally more regulated & trustworthy; governing Third-party Service Providers (TSPs) at the same standard is a challenge
     • Account Aggregator use case as an example

     As API Consumer (diagram: BANK makes Open API Calls to Insurances)
     • Growth of industry/technology giants having a huge customer base will attract banks to offer more tailored joint services
     • Banks may gradually build trust in consuming APIs from external providers to enrich real-time transactions
     • Bancassurance can be this use case

     Bank-to-Bank Transactions (diagram: Open API Calls between BANK and BANK)
     • Has long been relying on SWIFT as the global standard and centralized hub
  3. Establish an API Ecosystem to support Business Use Cases which are beneficial to Customers
     Diagram labels: Customer, BANK, TSP, Insurances, Properties, Developers, Food & Beverages, Retails, Games & E-Sports
  4. Transaction Based Customer Consent
     Diagram (steps numbered 1, 2, 3): Customer, TSP, BANK; Request Service / Product; TSP Side: REQUEST Read Account Balance; Bank Side: CONFIRM Read Account Balance; Grant Consent For Transaction; Consented (Authorized) API Transaction
     • Involving end-customer different from traditional B2B system integrations
     • End-customer instantly participates through their own digital device
     • Authentication conducted on the bank side without exposing personal credentials to third-party service provider
     • Allow him/her to grant consent to own transaction directly to the bank side
  5. Transaction Based Customer Consent
     OAuth 2.0 specifies only API authorization.
     Customer Consent is a Business Entity which should support:
     • Lifecycle - statuses include Pending, Authorized, Revoked and Rejected, which are not supported by the OAuth spec.
     • Auditability - track the full provenance of when and by whom the consent was manipulated
     • Consistency Check - validation business logic upon authorized APIs to ensure the expected transaction context or to conduct data level access control
     • Extensibility - handle different consent types for different business transactions on new use cases
     Diagram (steps numbered 1, 2, 3): Customer, TSP, BANK; Request Service / Product; TSP Side: REQUEST Read Account Balance; Bank Side: CONFIRM Read Account Balance; Grant Consent For Transaction; Consented (Authorized) API Transaction
  6. Transaction Based Customer Consent
     Aligned with HKMA Phase III
     • Also defined Customer Consent Management Endpoints
     • Specified a "consentId" as unique reference of consent entity in the bank
     • Listed the expected status of consent entity
     • Target to support Account Aggregator related use cases with business functions:
       • Account Availability
       • Account Status
       • Account Balance
       • Account Transaction
     • Aggregate personal financial profile which may include spending, income or loans
     • Feasible for implementing collective reminders or insights, e.g., for credit card repayments, total card expenses.
     • Refer customers to bank services, e.g. loans, time deposit offers
  7. Our Solution to meet HKMA Phase III
     • Pre-built Accelerators for API developments & Microservices Framework which are well adopted & proven in previous implementation projects
     • Industry Expertise and Experience with local reference on various API-First Microservices & Cloud projects at local Banks & large enterprises
     • Market Leading API & Cloud Platform Products to support the security and availability requirements for the solution
     Experiences on HKMA Open API Phase I & II & global EU PSD2 implementations are the foundation references
  8. Our Solution to meet HKMA Phase III
     We have already prepared a reference architecture & pre-built modules to serve the transaction based customer consent which will work together with the bank's facilities to meet HKMA's Open API Phase III.

     Architecture diagram components: Developer Portal; Management & Monitoring Server; API Gateway; OAuth Server; Customer Authentication & Authorization (AZ/AU) Backend; Customer AZ/AU Web Frontend; Consent Management Service; Open API Provider Services; TSP Notification Events Service; Customer Notification Service; Enterprise Service Bus / Existing Integration Tier; Bank's Systems of Records; Bank's Customer Authentication Engine; Bank's Customer Notification Facilities; Customer; TSP (TSP Side: REQUEST Read Account Balance; Redirect authentication)

     IBM API Connect
     • Enterprise grade all-in-one package for API management with Developer Portal and API Gateway
     • Support of multi-tenant design to serve various business domains
     • API Gateway using IBM DataPower technology for security, control & integrations

     Red Hat OpenShift Container Platform
     • Support the microservices architecture solution to achieve high availability
  9. More Security Considerations
     When we are moving on to more security sensitive business use cases, additional considerations should be taken into account to further evolve the Open API solution in the near future. For example, but not limited to:
     • Data Tokenization
     • Transaction Signing
     • FAPI 1.0 Part 2: Advanced
     • PKCE for OAuth
     • Replay Attack Protection
  10. IBM Services / © 2021 IBM Corporation
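
The consent entity that slide 5 describes (lifecycle, auditability, consistency check, extensibility), sketched as an added example that is not part of the original deck or of IBM's solution. The transition table, field names and sample identifiers are assumptions; the slides name only the four statuses and the "consentId" reference.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Status(Enum):
    PENDING = "Pending"
    AUTHORIZED = "Authorized"
    REVOKED = "Revoked"
    REJECTED = "Rejected"

# Assumed transition table: the slides name the statuses, not the allowed edges.
# Statuses missing from the table (Revoked, Rejected) are treated as terminal.
ALLOWED = {
    Status.PENDING: {Status.AUTHORIZED, Status.REJECTED},
    Status.AUTHORIZED: {Status.REVOKED},
}

@dataclass
class Consent:
    consent_id: str        # the bank's unique reference ("consentId")
    customer_id: str
    tsp_id: str
    consent_type: str      # extensibility: one type per kind of business transaction
    accounts: frozenset    # data-level scope the customer agreed to
    operations: frozenset
    status: Status = Status.PENDING
    audit: list = field(default_factory=list)

    def transition(self, new: Status, actor: str) -> None:
        # Auditability: record every attempt (when, who, from, to, accepted).
        ok = new in ALLOWED.get(self.status, set())
        self.audit.append((datetime.now(timezone.utc), actor, self.status, new, ok))
        if not ok:
            raise ValueError(f"{self.status.value} -> {new.value} is not allowed")
        self.status = new

    def permits(self, tsp_id: str, operation: str, account: str) -> bool:
        # Consistency check on each API call, on top of OAuth token validation.
        return (self.status is Status.AUTHORIZED and tsp_id == self.tsp_id
                and operation in self.operations and account in self.accounts)

def demo() -> list:  # constructed sample data, made-up identifiers
    c = Consent("c-0001", "cust-1", "tsp-A", "account-balance",
                frozenset({"acct-111"}), frozenset({"read_balance"}))
    out = [c.permits("tsp-A", "read_balance", "acct-111")]      # Pending: denied
    c.transition(Status.AUTHORIZED, actor="cust-1")             # customer confirms at the bank
    out.append(c.permits("tsp-A", "read_balance", "acct-111"))  # in scope: allowed
    out.append(c.permits("tsp-A", "read_balance", "acct-999"))  # other account: denied
    c.transition(Status.REVOKED, actor="cust-1")
    out.append(c.permits("tsp-A", "read_balance", "acct-111"))  # revoked: denied
    return out
```

A valid OAuth access token alone would pass the second and third calls in `demo()` identically; the account-level denial comes from the consent record, which is the gap the slide points at.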
