The OpenID Foundation’s Gail Hodges and Joseph Heenan presented a talk on “If, when, and why to implement the FDX ‘blue’ security profile with FAPI 2.0” on Tuesday April 22nd for the benefit of North American attendees at the Financial Data Exchange’s Spring Global Summit held at the Gaylord National Harbor. This talk is especially timely as members decide which RFCs to approve this month, including a proposed 'blue' profile that contains FAPI 2.0, the OpenID Foundation’s leading communications protocol for open banking and open data. Assuming the RFC comes into effect, implementers in North America will be considering this new FDX profile for their open banking deployments and for compliance with local regulations in the U.S. and Canada.
FAPI specifications recommended by FDX
FAPI has long been “recommended by FDX” but an important milestone came this spring when the FDX Security and Authorization Work Group unanimously recommended FAPI 2.0 as part of the “blue” profile in a new RFC proposal. The OpenID Foundation, as a new member of the Financial Data Exchange, applauded this encouraging milestone and hopes to see this RFC come into effect this month for the benefit of shared FDX and OpenID Foundation members and contributors.
The OpenID Foundation sees great potential for FAPI 2.0 to help US and Canadian implementers to meet their regulatory compliance obligations, and to do so in a way that delivers security, interoperability, and operational efficiency by default, leaving no entity (large or small) behind.
Other ecosystems in other parts of the world like Brazil, UAE, Saudi Arabia, Norway, and Australia are already benefiting from FAPI, and the prospect of North American implementers implementing FAPI 2.0 at scale looks promising through the FDX relationship.
As Executive Director Gail Hodges said, “The FDX expertise in data specifications perfectly complements the OpenID Foundation expertise in highly secure and interoperable communications profiles, and we value the ongoing collaboration with the Financial Data Exchange.”
Key messages shared with FDX members and stakeholders
Hodges and Heenan made a series of key points in their talk on Tuesday before an audience of North American banks, fintechs and aggregators, as well as civil society and government representatives. The first was the summary of key benefits of FAPI 2.0:
The second was to illustrate the comprehensive nature of FAPI, which fully addresses and specifies security, authorization, authentication, interoperability, and conformance. This differs from US and Canadian implementations that use OAuth 2.0 in custom environments and integrations.
The third point was the confidence implementers can have in this proven set of standards, regardless of whether their own operation crosses borders with other jurisdictions or not. Many thousands of implementers have self-certified to FAPI in these jurisdictions, and the OpenID Foundation is proud to partner with many of these jurisdictions, both those that are private sector led and those that are government led. We expect the number of jurisdictions moving to adopt FAPI to grow in line with global adoption of open banking and open data regulation and best practices.
Last, Hodges and Heenan underscored the rationale for banks, fintechs and aggregators, all of whom can benefit from implementing FAPI in North America:
Key decision points FDX implementers in North America may consider
For those in North America actively conducting due diligence on what they may need to do to conform to US or Canadian regulation, Hodges and Heenan provided a generic decision tree to help them in their analysis.
How to enable FAPI 2.0 from OAuth 2.0
Heenan offered implementers a simple playbook if they already have OAuth 2.0 enabled and now wish to enable FAPI 2.0:
- Implement secure client authentication (private_key_jwt or MTLS)
- Implement sender-constrained tokens (DPoP or MTLS)
- Implement Pushed Authorization Requests (IETF RFC 9126)
- Implement PKCE (IETF RFC 7636)
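The four playbook steps above map onto concrete artefacts a client produces on every authorization. The following Go program, added here as an illustration and not code from the talk, from FDX or from the OpenID Foundation, builds each of them using only the standard library: a PKCE S256 code_verifier/code_challenge pair, a private_key_jwt client assertion signed with ES256, a DPoP proof JWT carrying the client's public JWK, and the form body sent to the PAR endpoint; it also verifies the signed artefacts the way an authorization server would. The client id, endpoint URLs, scope and redirect URI are placeholders chosen for the example; the MTLS alternatives in steps 1 and 2 are not shown since they live in the TLS layer rather than in the message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// b64 is base64url without padding, the encoding JOSE and PKCE require.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// randHex returns n random bytes as hex; used for code_verifier and jti values.
func randHex(n int) string { b := make([]byte, n); rand.Read(b); return hex.EncodeToString(b) }

// NewPKCE returns a code_verifier and its S256 code_challenge (RFC 7636).
func NewPKCE() (verifier, challenge string) {
	verifier = randHex(32) // 64 chars, inside the 43..128 range RFC 7636 allows
	h := sha256.Sum256([]byte(verifier))
	return verifier, b64(h[:])
}

// CheckPKCE is the authorization server's check at the token endpoint.
func CheckPKCE(verifier, challenge string) bool {
	h := sha256.Sum256([]byte(verifier))
	return b64(h[:]) == challenge
}

// SignES256 produces a compact JWS over header and claims using ECDSA P-256 (alg ES256).
func SignES256(header, claims map[string]any, key *ecdsa.PrivateKey) (string, error) {
	hb, _ := json.Marshal(header)
	cb, _ := json.Marshal(claims)
	signing := b64(hb) + "." + b64(cb)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + b64(sig), nil
}

// VerifyES256 checks the signature against pub and returns the decoded header and claims.
func VerifyES256(token string, pub *ecdsa.PublicKey) (header, claims map[string]any, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, nil, false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, nil, false
	}
	hb, _ := base64.RawURLEncoding.DecodeString(parts[0])
	cb, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if json.Unmarshal(hb, &header) != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, nil, false
	}
	return header, claims, true
}

// ClientAssertion builds the private_key_jwt assertion (RFC 7523) sent to the PAR and
// token endpoints; aud binds it to the server it is meant for, exp keeps it short-lived.
func ClientAssertion(clientID, aud string, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	return SignES256(map[string]any{"alg": "ES256", "typ": "JWT"}, map[string]any{
		"iss": clientID, "sub": clientID, "aud": aud, "jti": randHex(16),
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	}, key)
}

// DPoPProof builds a DPoP proof JWT (RFC 9449) bound to one HTTP method and URI; the
// public key travels in the header so the server can bind the issued token to it.
func DPoPProof(htm, htu string, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	jwk := map[string]any{"kty": "EC", "crv": "P-256",
		"x": b64(key.PublicKey.X.FillBytes(make([]byte, 32))),
		"y": b64(key.PublicKey.Y.FillBytes(make([]byte, 32)))}
	return SignES256(map[string]any{"alg": "ES256", "typ": "dpop+jwt", "jwk": jwk},
		map[string]any{"jti": randHex(16), "htm": htm, "htu": htu, "iat": now.Unix()}, key)
}

// PARBody is the form body posted to the pushed authorization request endpoint (RFC 9126);
// the PKCE challenge and client assertion travel here instead of in the browser redirect.
func PARBody(clientID, redirectURI, scope, challenge, assertion string) url.Values {
	return url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {scope}, "code_challenge": {challenge}, "code_challenge_method": {"S256"},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // placeholder client key
	v, c := NewPKCE()
	a, _ := ClientAssertion("client-1", "https://as.example/token", key, time.Now())
	p, _ := DPoPProof("POST", "https://as.example/token", key, time.Now())
	fmt.Println("PAR body:", PARBody("client-1", "https://rp.example/cb", "accounts", c, a).Encode())
	fmt.Println("DPoP proof:", p)
	_, _, ok := VerifyES256(a, &key.PublicKey)
	fmt.Println("assertion verifies:", ok, "pkce verifies:", CheckPKCE(v, c))
}
```

Two design points are worth noting. The server side must validate more than the signature shown in VerifyES256: for the assertion it should check aud against its own endpoint, reject expired or replayed jti values, and look the key up by client id rather than trusting any key; for the DPoP proof it must confirm htm and htu match the actual request and, on resource calls, that the token's cnf.jkt thumbprint matches the header JWK. The PAR body carries the challenge and assertion over a direct client-to-server POST, which is why FAPI 2.0 requires PAR: nothing security-relevant is left in the front-channel redirect except the request_uri the server hands back.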
Any implementer can start now by building to the freely available, open source tests at the OpenID Foundation. They can even self-certify as members ($1k) or non-members ($5k). The full resource information was provided to participants as published on the OpenID Foundation’s website:
- FAPI 2.0 Final Specification: https://openid.net/fapi-2-security-profile-attacker-model-final-specifications-approved/
- Source code publicly available on gitlab: https://gitlab.com/openid/conformance-suite
- Instructions for testing/certifying: https://openid.net/certification/instructions/
- Production deployment: https://www.certification.openid.net/
- Login with any Google/GitLab/OpenID account
Going forward together
The OpenID Foundation welcomes the collaboration between FDX’s Security and Authorization WG and the FAPI WG on the emerging FDX profile containing FAPI 2.0, and hopes that together our mutual members will benefit from a continued and deepening strategic relationship.
One area of mutual interest is to consider running an interoperability event amongst early North American implementers of the blue profile containing FAPI 2.0. Those interested in being part of the interop should contact director@oidf.org.
More broadly, the OpenID Foundation looks forward to supporting the Financial Data Exchange’s technical roadmap. We also look forward to sharing our insights on the role that RAR and Grant Management are starting to play in other markets like Australia and the UK, and how such fine-grained authorization could be of value in North American markets as well. Together we hope to offer useful facts that can help inform the due processes and multi-stakeholder discussions in North America.
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, FAPI has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling ‘networks of networks’ to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
