December 29, 2020

What Is FAPI (Financial-grade API)?

FAPI is an important framework. In this blog, you'll learn what FAPI is, why it matters, and how it works.

What Is FAPI?

FAPI (Financial-grade API) is a security framework pioneered by the OpenID Foundation that provides technical guidance and requirements for securely using APIs in the financial industry, as well as in other industries that require higher security protocols.

As organizations scale up API strategies, security has grown increasingly important when dealing with private consumer accounts, banking details, and customer records. In response, the Financial-grade API Working Group of OpenID Foundation pioneered industry standards for safely leveraging APIs in the banking sector.

Why FAPI Matters

FAPI represents a huge leap forward in API security best practices, while providing a framework for enhanced API security in other industries such as insurance, telecommunications, financial services, and healthcare. At first glance, those new to FAPI may see it as just another set of guidelines and protocols. In reality, FAPI seeks to close all OAuth 2.0 and OIDC security gaps by providing a binding between the end user, the client, and the API endpoints. FAPI does this in four critical ways:

  1. All exchanges between client and server use JSON Web Tokens (JWT).
  2. JWTs must be signed with asymmetric key pairs, so that each exchange is cryptographically verifiable.
  3. Only a limited set of secure algorithms is allowed in the JWT exchange.
  4. It provides conformance testing methods, which can be automated.
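
The first three requirements above, as an added example that is not code from the original post or from Akana: a minimal compact-JWS signer and verifier written against Go's standard library. It signs with an asymmetric P-256 key (ES256), verifies with only the public key, and gates every incoming token on an explicit algorithm allowlist, so a token whose header asks for "none" or an HMAC algorithm is refused before any key material is consulted. The restriction to PS256 and ES256 comes from FAPI 1.0 Part 2, not from the post; only ES256 is implemented here, and the key, claim values and names are constructed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Allowlist: FAPI 1.0 Part 2 permits only PS256 and ES256 for JWS. "none", HS* and
// RS256 are refused before any key is consulted. Only ES256 is implemented here;
// PS256 would be added to this map together with an RSA-PSS verifier.
var allowedAlgs = map[string]bool{"ES256": true}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeJSON(segment string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// NewSigningKey generates the asymmetric (P-256) key pair the issuer signs with.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignES256 produces a compact JWS (header.payload.signature) over claims.
func SignES256(claims map[string]interface{}, key *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature: raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// TokenWithAlg builds an unsigned negative test vector (arbitrary alg header, empty
// signature segment) so the allowlist gate can be exercised.
func TokenWithAlg(alg string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	body, _ := json.Marshal(claims)
	return b64(hdr) + "." + b64(body) + "."
}

// VerifyJWT gates on the allowlist, verifies the ES256 signature with the issuer's
// public key, and only then trusts the claims. The header is untrusted input, so the
// decision is driven by allowedAlgs, never by whatever algorithm the token names.
func VerifyJWT(token string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %v", err)
	}
	if !allowedAlgs[hdr.Alg] {
		return nil, fmt.Errorf("alg %q is not permitted by the profile", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]interface{}
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	key, _ := NewSigningKey()
	claims := map[string]interface{}{"sub": "acct-123", "aud": "accounts-api"} // constructed sample
	tok, _ := SignES256(claims, key)
	got, err := VerifyJWT(tok, &key.PublicKey)
	fmt.Println("ES256 accepted:", got["sub"], err)
	_, err = VerifyJWT(TokenWithAlg("none", claims), &key.PublicKey)
	fmt.Println("alg=none rejected:", err)
}
```

The order inside VerifyJWT is the point: the algorithm check happens before the signature is even decoded, the verifier holds only the public key, and the claims are decoded last, so nothing in the payload influences how the token is checked.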

While FAPI has emerged as a leading security framework, a few key trends have led to the need for enhanced security. Before diving into FAPI specifics, let’s explore how we got here.

Open Banking and the Rise of APIs

In the early 2000s, screen scraping became a regular means for payment initiation service providers (PISPs) and third-party providers to process payments on behalf of customers. This allowed them to scale payment services without accessing banking APIs. As a result, services like PayPal, Venmo, and Square gained rapid adoption and continue to thrive.

While payment and basic account banking functions were being democratized by new players, lawmakers in the European Union were taking steps to create a more uniform payment landscape in the EU.

In 2007, the first Payment Services Directive (PSD) law was passed in the European Union, effectively opening up the EU to FinTech companies. The results of this legislation include the introduction of the trans-European bank account number (IBAN), and more uniformity in European payment processing practices.

As banks slowly adopted more open payments and account functions, many third-party payment services remained security risks for consumers. In 2018, the second Payment Services Directive (PSD2) law was passed in the EU, effectively beginning a more formal open banking environment in Europe. Along with these new requirements, banks were mandated to provide interfaces and APIs for third-party providers while meeting a range of security thresholds in these environments. This brought third-party providers into the regulatory process, while enhancing the safety of customer account and payment data.

Because of these new standards, sound API security practices such as FAPI have become critical for financial institutions trying to remain competitive. Other industry standards and groups, such as BIAN APIs, have also helped. Yet, it’s not just banks in Europe that face these security challenges. In the United States and many other markets, institutions that process sensitive consumer information are looking to FAPI and open banking as a potential model for securely scaling competitive products within insurance, healthcare, and telecommunications.

So, how exactly does FAPI work?

How FAPI Works: Improving OAuth 2.0 and OpenID Connect

FAPI provides technical specifications for scaling open APIs using enhanced OAuth 2.0 and OpenID Connect (OIDC) processes. Each provides unique security features when combined with the more stringent FAPI guidelines.

OAuth 2.0 is an authorization protocol that safely grants third-party applications delegated access to an HTTP resource. In the simplest terms, it allows a client application to access an HTTP resource on behalf of an authenticated party, such as an end user. 

OpenID Connect operates as an added security layer, working in conjunction with OAuth 2.0. In short, OIDC allows users to authenticate via the OAuth authorization server, thus providing a consent layer for the client (software, app, or service). First, the authorization server asks the user to authenticate and agree that the client can have access to a specific resource. Assuming the user consents, the auth server grants an access token which the client can use to access this specific resource. This significantly reduces the chances of a password being compromised, or of third-party software unnecessarily gaining access to sensitive user information.
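
The consent flow in the paragraph above, as an added example that is not code from the original post or from Akana: a constructed, in-memory authorization server in Go. Once the user has authenticated and consented, it issues a one-time authorization code bound to the subject, client, redirect_uri and scope it was granted for, exchanges that code for an access token only when the same client presents it, and lets the resource server introspect the token before serving a request. The client ids, URLs, scope names and lifetimes are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// grant records what the user consented to: which subject, for which client and
// redirect_uri, with what scope, and until when the code or token is valid.
type grant struct {
	subject, clientID, redirectURI, scope string
	expires                              time.Time
}

// AuthServer is a constructed in-memory stand-in for the authorization server; the
// maps play the role of its database. Hypothetical, not any product's code.
type AuthServer struct {
	clients map[string]string // client_id -> registered redirect_uri
	codes   map[string]grant  // outstanding one-time authorization codes
	tokens  map[string]grant  // issued access tokens
	now     func() time.Time  // injectable clock so expiry can be tested
}

func NewAuthServer() *AuthServer {
	return &AuthServer{map[string]string{}, map[string]grant{}, map[string]grant{}, time.Now}
}

func (a *AuthServer) RegisterClient(clientID, redirectURI string) { a.clients[clientID] = redirectURI }

func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Authorize models the front channel: the user has authenticated at the server and is
// asked to consent to clientID's request for scope. On consent a short-lived code bound
// to (subject, client, redirect_uri, scope) is returned for the redirect.
func (a *AuthServer) Authorize(subject, clientID, redirectURI, scope string, consent bool) (string, error) {
	if redirectURI == "" || a.clients[clientID] != redirectURI {
		return "", errors.New("invalid_request: unknown client or redirect_uri mismatch")
	}
	if !consent {
		return "", errors.New("access_denied: user declined")
	}
	code := randomID()
	a.codes[code] = grant{subject, clientID, redirectURI, scope, a.now().Add(time.Minute)}
	return code, nil
}

// Exchange is the back-channel token request. The code is consumed on first use,
// whoever presents it, and only the client it was issued to receives a token.
func (a *AuthServer) Exchange(code, clientID, redirectURI string) (string, error) {
	g, ok := a.codes[code]
	delete(a.codes, code) // single use: a replayed or leaked code is dead after this
	if !ok {
		return "", errors.New("invalid_grant: unknown or already used code")
	}
	if g.clientID != clientID || g.redirectURI != redirectURI {
		return "", errors.New("invalid_grant: code was issued to a different client")
	}
	if a.now().After(g.expires) {
		return "", errors.New("invalid_grant: code expired")
	}
	token := randomID()
	g.expires = a.now().Add(10 * time.Minute)
	a.tokens[token] = g
	return token, nil
}

// Introspect is what the resource server asks before serving a request: is the token
// live, and was it issued with the scope this endpoint requires?
func (a *AuthServer) Introspect(token, requiredScope string) (string, error) {
	g, ok := a.tokens[token]
	if !ok || a.now().After(g.expires) {
		return "", errors.New("invalid_token")
	}
	if g.scope != requiredScope { // single-scope grants, for brevity
		return "", errors.New("insufficient_scope")
	}
	return g.subject, nil
}

func main() {
	as := NewAuthServer()
	as.RegisterClient("fintech-app", "https://app.example/cb") // constructed sample client
	code, _ := as.Authorize("user-42", "fintech-app", "https://app.example/cb", "accounts:read", true)
	token, _ := as.Exchange(code, "fintech-app", "https://app.example/cb")
	sub, err := as.Introspect(token, "accounts:read")
	fmt.Println("accounts endpoint serving:", sub, err)
	_, err = as.Exchange(code, "fintech-app", "https://app.example/cb")
	fmt.Println("replayed code:", err)
}
```

The binding the post describes between end user, client and endpoint is visible in the grant record: the token can only be redeemed by the client the user consented to, only for the scope the user saw, and only while it is live. Note that Exchange deletes the code before checking anything else, so a failed redemption attempt also burns it.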

Despite providing a strong baseline for security, OAuth 2.0 and OIDC contain some vulnerabilities and loopholes. In addition, the broadly defined specifications of these guidelines can negatively affect interoperability. FAPI was created to address both of these shortcomings, effectively removing optionality by mandating the use of specific and safe processes. In short, FAPI expands upon OAuth 2.0 and OIDC to close the vulnerabilities and significantly improve interoperability.

In an API-dominant world, leveraging FAPI protocols has become increasingly critical to streamlining user experience and remaining secure in banking. While FAPI continues to evolve, OAuth 2.0 and OIDC remain two important aspects in securing financial APIs by ensuring the binding between end user, client, and endpoint. 

Does FAPI Matter Outside Financial Services?

While these stringent security methods are being leveraged most readily in banking, many other industries could benefit greatly by implementing FAPI protocols.

As FAPI spreads in the European banking sector, many leaders within insurance, healthcare, and telecommunications have watched with great interest. Why? Because increased regulation has given EU banks a new competitive edge among FinTech disruptors.

In the United States, large banking and insurance organizations still struggle with aggregator services and FinTech companies who continue using screen scraping as a means to an end. These larger enterprises have looked to FAPI and open banking as a potential route to greater competition and as a check on risky FinTech organizations.

Healthcare and telecommunications players could likewise benefit, as both of these sectors face heated competition from emerging technology platforms while dealing with sensitive consumer records. By adopting FAPI protocols and prioritizing an API-first methodology, many could speed their market competitiveness by offering similar disruptive services at greater scale.

As emerging security protocols like FAPI gain popularity, one thing is certain – end consumers stand to benefit most. With disruptive startups and established organizations clamoring to scale API-first frameworks, the next few years could bring significant market shifts, with end users gaining greater security and access to more advanced products in traditional markets.

FAPI and Akana 

At Akana, FAPI is more than a fancy concept. Our API management solution provides an out-of-the-box FAPI toolset, allowing for secure API management and accurate conformance testing. Akana provides a secure JWT-based exchange between client, authorization server, and resource server, while providing support for mTLS.
