Six Things You Should Know About the Financial-grade API (FAPI) specification

By Rory Blundell, CEO at Gravitee

There has been a global move to digital infrastructure for all kinds of diverse global systems, covering everything from banking and finance to health, intellectual property, and supply chain management.

APIs are both ‘the glue’ and ‘the product’ in these systems: on a technical level, they enable systems to be connected together (glue), and, at a business level, they provide the opportunity to generate revenue as products and services that can be delivered as a part of a platform economy (product).

APIs are awesome, but make sure that security is top of mind

While APIs and platform economies are incredibly valuable, teams must remain keen on ensuring a strict security posture. Exposing large amounts of services and APIs means that the potential attack surface area when sharing data and digital services between various stakeholders expands.

Security breaches are becoming more prevalent, more costly, and are eroding trust in using the emerging digital systems that are expected to become our global infrastructure in the future. They also come in more forms: data leaks and exposures, website hacks and denial of service, ransomware, and so on. Because APIs connect so many systems, they are often an entry route for hackers, if they are not properly controlled and robustly built.

This is especially relevant to organizations operating within banking and finance, as new trends push vendors towards needing to modernize and expose services via APIs while still remaining compliant and keeping PII safe and secure.

Introducing FAPI: six things to know

The Financial-grade API (FAPI) specification was introduced by the OpenID Foundation to act as a defense against security risks and vulnerabilities that could be exploited via APIs. FAPI creates and requires an additional security level between banking APIs and third-party applications to ensure that, when sensitive data or digital services are being connected, there are no leaks and vulnerabilities that could expose sensitive information.

1. What exactly is FAPI?

FAPI is an industry-led specification that uses enhanced OAuth 2.0 and OpenID Connect (OIDC) processes to ensure greater security between APIs and third-party front-end applications.

1. Why is FAPI Important?

While the combination of OAuth 2.0 and OIDC provides a strong security baseline, it still contains several loopholes and vulnerabilities. FAPI strengthens security by mandating the use of specific, safe processes. The standardization of these processes improves interoperability and allows for the acceleration of secure digital systems to enable open banking.

1. What is open banking?

Open banking (that is, the process of opening data, like customer account information, and services, like payments, from banks and financial institutions for third-party use) is a key use case for FAPI. Open banking APIs share a wealth of information with other users in the financial ecosystem, such as developers, fintech vendors, and partners. FAPI standardizes the security measures used in these exchanges of information and services to ensure that any exchange between systems is secure. Additionally, the FAPI framework adheres to local open banking regulatory requirements, such as Europe’s PSD2 compliance and the UK’s OBIE regulations.

1. How Does FAPI Work?

FAPI addresses shortcomings in OAuth 2.0 and OIDC to build a more robust security framework. OIDC authenticates users via the OAuth authorization server, providing a layer of consent for the client. The server requests user consent to confirm the client can access the resource they’ve requested. Once consent is given, the client is granted an access token allowing them to view their requested resource. FAPI builds upon this by mandating the use of specific and safe processes. With FAPI specifications in place, additional features are offered such as:

• Enforced mutual TLS authentication
• Pushed authorization requests
• Enforced asymmetric metric cryptography keys
• Certificate-bound access tokens

1. When Should You Use FAPI?

FAPI isn’t solely for open banking. Any business dealing with sensitive customer information would benefit from the implementation of the FAPI framework. Telecommunications, healthcare, insurance industries, and the aforementioned intellectual property and supply chain management are just a few of the industry sectors that deal daily with sensitive information that could be targeted for data breaches.

1. Why Is FAPI Certification Important?

FAPI offers a self-certification program for vendors and builders of applications, allowing them to conduct their own conformance testing to ensure their products align with FAPI standards and specifications. Obtaining certification assures users that their sensitive data will be in good hands while also allowing businesses to stay competitive and comply with legal obligations.

About the author

Rory Blundell is the CEO of Gravitee, a leading API Management and modernization vendor.

Blundell joined Gravitee in March 2020 as Chief Revenue Officer, before becoming Chief Executive Officer in September, 2020. Prior to joining Gravitee, Rory led SnapLogic’s EMEA expansion from a technical sales perspective. Rory was also the CEO and Founder of Velinko, a UK software and consulting company for the legal and accounting industries.

He has recently overseen expansion into the USA and APAC markets, and bringing new customers including TIDE, Sodexo, the University of Helsinki, SDFE and CiputraLife onto the Gravitee platform.