At FIN/SUM 2022 in March 2022, Authlete invited leaders from companies using our solution to take part in a panel discussion. The following companies shared their views on strengthening open APIs, the benefits of Authlete, and future use cases and perspectives for leveraging Financial-grade API (FAPI) and Client Initiated Backchannel Authentication (CIBA).
Minna Bank launched its services in May 2021, targeting the digital-native generation, who are familiar with smartphones, and aims to be a digital bank that creates new value for the coming age. In addition to the digital banking it provides via smartphones (B2C), Minna Bank is currently implementing and deploying FAPI on top of its API platform for its B2B2X business, aiming to provide more convenient services by connecting non-financial customers with its partners.
SBI DigiTrust, a joint venture between SBI Security Solutions and NEC, helps financial institutions advance their services through fintech and other technologies, in line with guidelines published by the Financial Services Agency in Japan. It also provides solutions such as identity verification and next-generation authentication for financial institutions. Open APIs and identity are at the core of these solutions. Trust Idiom, the company's authentication and authorization solution for financial institutions, uses Authlete to implement API authorization. Authlete enables both enhanced usability and strong security assurance.
ITOCHU Techno-Solutions (hereafter CTC) is one of the largest system integrators in Japan, with over 10,000 engineers. As attention to open APIs has grown, so have the risks of unauthorized access, information leakage, and data tampering. This creates the need for an infrastructure that provides robust security measures while maintaining usability. Against this background, CTC provides a FAPI-compliant API gateway solution called C-FAPI. This API infrastructure solution leverages FAPI to rapidly enhance API security for enterprises, using Authlete as the authorization back-end component.
Masaaki Miyamoto (Director and CIO, Zero Bank Design Factory / Executive Officer and CIO, Minna Bank) stated that they had been enhancing open APIs “to connect various services as simply as possible, in a different way from traditional banks.”
“Even in the traditional banking space, open APIs are encouraged, and read-only APIs are becoming available to external systems. However, they are not well utilized due to a lack of usability. On the other hand, there are many useful services that utilize banking APIs around the globe. We, Minna Bank, have already been providing a variety of banking services, and want to establish an infrastructure where money can flow through an easy and simple connection with our partners, without being restricted by the form of a bank and also without necessarily being upfront. This is the background against which we are strengthening our open APIs.”
Mr. Masaaki Miyamoto, Director and CIO, Zero Bank Design Factory Co., Ltd / Executive Officer and CIO, Minna Bank, Ltd.
Osamu Uetsuki (Deputy General Manager and C-FAPI Business Lead, ITOCHU Techno-Solutions Corporation) pointed out that “there is a high demand for open APIs.”
“These days, we are seeing many non-financial customers publishing their APIs. Their requirements are relatively high, at the same level as financial services. For example, a temporary staffing company is developing an application for flexible payroll payments to temporary staff. Since money is involved, the requirements are, in a way, no different from financial services.”
Mr. Osamu Uetsuki, Deputy General Manager and C-FAPI Business Lead, ITOCHU Techno-Solutions Corporation
So what is the SBI Group's perspective on strengthening open APIs? Fernando Luis Vázquez Cao (CEO, SBI Digital Asset Holdings / CEO, SBI DigiTrust) said the following.
“The SBI Group is involved with various financial institutions, including regional financial institutions and banks. In this situation, we are aware that the liquidity of the money held by each institution is surprisingly low. Therefore, we would like to create new businesses and new payment applications to increase the liquidity. However, unlike large and well-funded banks, regional banks don’t have enough budget and internal development resources. Thus it is difficult for them to make progress.”
Against this background, the SBI Group is working on the development of a next-generation core banking system, and the API layer will play a crucial role in it, Fernando said.
“We would like to bring the banks invested in by the SBI Group as well as other regional and second-tier regional banks to participate in a common infrastructure that ensures security and has the new core banking system and its tools, as APIs. We believe we will eventually be able to compete with major banks in that way.”
Fernando Luis Vázquez Cao, CEO of SBI Digital Asset Holdings Co., Ltd / CEO of SBI DigiTrust Co., Ltd
We then asked the companies why they had adopted Authlete and what benefits they had achieved due to its adoption. Mr. Fernando from SBI DigiTrust highlighted the “improved customer experience with CIBA” as one of the benefits of the deployment.
“Authlete is compliant with CIBA, which is a specification defining seamless identity federation and API authorization using smartphones. Deploying Authlete as an API authorization platform allows for smooth screen transitions between applications, even when the applications for banking services and for user authentication are separate. This improves the customer experience and enables us to provide services that can be used with ease by a wide range of customers.”
Mr. Miyamoto from Minna Bank agreed that Authlete had improved the customer experience, and added the following reasons for its adoption.
“Minna Bank’s service operation infrastructure is based on Google Cloud. Authlete is also on the cloud. This is one of the reasons for the adoption, as it achieves a very high degree of affinity. Building an API infrastructure for B2B2X business had been planned when the bank was first established. At that time, FAPI was still at draft level, but I had already made up my mind to implement it. Therefore, choosing Authlete, which had the FAPI option, was inevitable. Furthermore, Authlete has a lot of high-level security expertise.”
On the other hand, Mr. Uetsuki of CTC, who focused on FAPI from the perspective of a system integrator and led the adoption of Authlete, said:
“At CTC, we decided to become FAPI compliant as our policy, in advance of considering the adoption of Authlete. If the target system is expected to be subject to some tampering activity, a security assessment must be conducted to design the system. If you proceed with the assessment and the design process without any basis, you will either under-assess the risk or overestimate it, which is undesirable. Therefore, we decided to use FAPI as a baseline. However, the API world is changing so fast, and it is hard for us to keep up with it forever. We also faced the issue of who will cover the cost of having a dedicated person, because it is reflected in the cost to our customers. That aspect of financial efficiency was also a factor in our decision to adopt Authlete.”
We asked the panelists how they plan to utilize FAPI / CIBA in the future.
Mr. Uetsuki explained a recent customer trend: “We have recently received many inquiries about our services from customers that are not financial institutions. One of the platform providers, for example, believes that the expansion of financial functions is inevitable in the future and that a high level of security is needed. Even in the non-financial sector, many customers think in the same way.”
Mr. Fernando then gave his opinion on defining and complying with “standardization.”
“Standardization initiatives in Japan are not enough. The Center for Financial Industry Information Systems (FISC) and the Japanese Bankers Association (JBA) have issued various guidelines on system security measures in Japan. However, these are vague compared to the European Union’s Payment Services Directive 2 (commonly known as PSD2). Both the bank and the operators using the bank’s API need to meet the same level of security. Should this not be voluntary, and should this be actively monitored and guided by the authorities?”
Mr. Miyamoto also commented: “Even if we comply with security standards, we are also concerned about how far we need to verify and be responsible for third parties. We believe we should check whether the companies directly connected to the bank comply with these standards, and the organizations behind them. We think that there should be some standards that must be complied with when connecting to banks.” He added: “We also believe that the cost of open APIs is a point to be considered. I think each financial institution has a different view on resources. Still, from the point of view of the third parties using various banks’ APIs, if the cost structure is easy to understand, the APIs will be easier to use. I hope we can work on standardization of costs and agreements and standardization of security standards.”
Fernando added: “As they did with PSD2, I would like to see the private sector and the authorities cooperate and start standardization work immediately. The current situation is not ideal, as it seems that we, the private sector, are building up a lot of existing facts, and there is a concern that many ‘standards’ could be formed in a disorderly manner. It would be good to have standardization proposals from the private sector to the authorities. We also want the authorities to regulate appropriately, and the control should be strengthened. The private sector should not be afraid of regulations but should be proactive and put technology at the forefront of their activities.”
The three companies shared their thoughts on the above from the perspective of open API security measures and the FAPI / CIBA standards that Authlete supports. In the future, not only FAPI / CIBA but also standardization at the business level will be taken up as a common agenda. Authlete looks forward to further discussions to promote innovation through the expansion of the API ecosystem.