API standards for data-sharing (account aggregator)
Restricted CGIDE – API standards for data-sharing – October 2022
Executive summary
Application programming interfaces (APIs) are a critical part of open finance, and they are particularly important for enabling the secure exchange of information between different parties. Yet to achieve this, a certain level of standardisation is necessary, as well as agreements on the technical model which enables data to be shared. This report dives into these technical issues. The objective is to provide central banks with important elements according to which the introduction of data-sharing infrastructures in their economies can be evaluated.
Data-sharing can be defined as the provision of data by a data holder or data provider to a third party or data consumer with the consent of the data owner. It is one of the main pillars of open banking initiatives and incorporates a collection of practices, technologies, architecture, cultural elements and legal frameworks that relate to the exchange of digital information between individuals or organisations.
Introducing explicit data-sharing models has several benefits. It can promote transparency, competition and market entry, and contribute to reciprocity and cooperation in the financial ecosystem. It can improve the performance and value of services by combining data from diverse sources. Finally, it can enable better decision-making, deliver better products and empower citizen data ownership.
Account aggregators (AAs) are an intermediate technological platform responsible for managing and transferring data flows between data providers and data consumers. AAs are an important mechanism for the implementation of data-sharing. One of their functions is to develop interoperability between participants. But AAs are only intermediaries and cannot store the data or redirect it to unauthorised entities. An important feature of AAs is how they develop mechanisms to gain consent for data flows from and for the end users.
This report presents three types of data-sharing model: centralised, decentralised and trust ecosystem. In a centralised model, an AA collects the data. In a decentralised model, participating members agree to share their data with other participants individually. The trust framework is hybrid; it is decentralised for data-sharing and centralised for identity management. It integrates with a trusted third party instead of an aggregator. This last model requires operators to correctly establish the registration process for participants, as well as to ensure security in communications and agree on a standard for the exchange of information.
APIs are important to share information in the data-sharing models. To develop them, an authority must evaluate their functionalities, access levels, standards, protocols and security mechanisms. The three main access levels for APIs are public, private and partner. Access levels depend on the regulatory stance and on how the authority implements data-sharing. Public APIs are generally open and accessible. Private or internal APIs are available only to specific service consumers. Partner APIs are available for external access for pre-defined service consumers, usually from partner organisations.
APIs’ security mechanisms must be robust and must keep data safe. The first process, authentication, identifies if the client and users are who they claim to be. The second process is access control, which limits API consumers’ actions after correct authentication. The third is encryption. Encrypted tokens store vital information such as the username and password. These tokens expire after a certain time, strengthening the API’s security. Finally, audit logging in a registry stores actions and calls made to the API. Some recommended standards for the implementation of security mechanisms for APIs are JSON (JavaScript Object Notation) Web Token, OAuth 2.0, OpenID Connect and FAPI (financial-grade API).
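
The sequence described above (authentication, then access control, with token expiry and an audit record for every call) can be sketched as follows. This is an added example, not code from the report: it uses a signed HS256 JSON Web Token (integrity-protected rather than encrypted), and the key, the `fiu-42` subject and the scope names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; real deployments use managed keys
AUDIT_LOG = []                    # stand-in for an append-only audit registry

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: str, claims: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def issue_token(subject, scopes, ttl, now=None):
    """Issue an HS256 JWT carrying the subject, granted scopes and expiry."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": subject, "scope": scopes,
                              "exp": now + ttl}).encode())
    return f"{header}.{claims}.{b64e(sign(header, claims))}"

def authorize(token, required_scope, now=None):
    """Authenticate the token, enforce expiry and scope, log the decision."""
    now = int(time.time()) if now is None else now
    subject, decision = "unknown", "deny:malformed"
    try:
        header, claims, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":
            decision = "deny:bad-alg"        # never trust a caller-chosen alg
        elif not hmac.compare_digest(sign(header, claims), b64d(sig)):
            decision = "deny:bad-signature"  # authentication failed
        else:
            body = json.loads(b64d(claims))  # parsed only after verification
            subject = body["sub"]
            if now >= body["exp"]:
                decision = "deny:expired"
            elif required_scope not in body["scope"]:
                decision = "deny:scope"      # access control
            else:
                decision = "allow"
    except (ValueError, KeyError, TypeError, AttributeError):
        pass                                 # any parse error stays a denial
    # Denials are logged as well as grants, so rejected calls are auditable.
    AUDIT_LOG.append({"ts": now, "sub": subject,
                      "scope": required_scope, "decision": decision})
    return decision == "allow"
```

A production deployment would rely on a maintained JWT/OAuth 2.0 library and the FAPI profile rather than hand-written token handling; the sketch only makes the order of checks visible.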
Central banks have a common interest in implementing data-sharing, with the aim of increasing efficiency and promoting competition in their ecosystems. The main challenges are coordination among participants, standardisation and technological infrastructure. Cooperative technical work can help to mitigate these challenges.