Open Banking APIs on AWS
1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ronan Guilfoyle, Solutions Architect
Oct 1st 2018
Open Banking
Deploying Open Banking APIs on AWS
2. Why Open Banking?
Open Banking is the secure way to give providers access to financial information [1]
• Works with online or mobile banking
• Provides a clearer view of a consumer’s finances
• Quick, easy, and direct payments
• Transform price comparison websites
[1] “What is Open Banking?”, Open Banking Limited, 2018, https://www.openbanking.org.uk/customers/what-is-open-banking/
The Competition and Markets Authority (CMA) investigated retail banking and found a lack of competition.
The CMA produced a wide-reaching package of reforms; one of the remedies is Open Banking.
3. A bitter pill?
4. Or the best medicine?
“Banks aren’t being disrupted by FinTech technology,
they’re being disrupted by customer expectations.”
- McKinsey & Company
5. European standards are accelerating adoption
Open Banking regulation requires banks to release data and provide access to
payments transactions in a secure, standardized form, so authorized
organizations can easily access it online for their own consumer applications.
PSD2 is an EU directive: it sets the legal and technical framework conditions but does not standardise the interfaces themselves.
Open Banking (UK) is a technical standard for APIs that allow authorised third party providers (TPPs) to access current account transactions and to initiate payments on behalf of a payment service user (PSU).
6. Why build Open Banking in the cloud?
With AWS, financial institutions can meet regulatory requirements while creating
strategic value - build a secure, scalable, innovative platform for Open Banking.
• Build unified APIs on multiple microservices
• Scale APIs based on demand
• Innovate faster
• Implement high levels of security
• Authenticate and authorize requests
• Enable throttling and protect against DDoS attacks
7. Open Banking APIs are complex
Requirements
• Mutual TLS authentication (API and IdP), as specified by Open Banking and the Berlin Group
• OCSP certificate status validation, with CRL fallback
• FAPI and CIBA security profiles
• OpenID Connect Hybrid flow (response_type code id_token), which the FAPI Read/Write profile requires
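The first two requirements are transport-layer PKI work, and the following is an added example (not from the AWS deck) of how they fit together using only Go's standard library: a listener configuration that demands a client certificate chained to the bank's trust anchors, and a revocation check that asks OCSP first and falls back to a signed CRL when the responder gives no answer. Everything in it is constructed for illustration: the in-memory CA and host names, the serial numbers, and the `ocsp` function, which is a stub standing in for a real responder query (golang.org/x/crypto/ocsp over HTTP). The FAPI, CIBA and Hybrid-flow requirements sit above TLS and are not covered by this block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for name signed by parent (a self-signed CA when parent is nil).
// This in-memory PKI is constructed for the example; a bank would chain TPP certificates to
// the Open Banking Directory or eIDAS CAs instead.
func newCert(name string, serial int64, eku x509.ExtKeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // root CA: may sign certificates and CRLs
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, pkey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// signedCRL issues a CRL listing one revoked certificate and re-parses it the way a verifier
// that downloaded it would, checking the CA's signature before trusting its contents.
func signedCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	crl := must(x509.ParseRevocationList(der))
	return must(crl, crl.CheckSignatureFrom(ca)) // an unsigned or foreign CRL must never be consulted
}

// isRevoked asks OCSP first (ocsp stands in for a query made with golang.org/x/crypto/ocsp) and
// falls back to the CRL only when OCSP gives no answer; with neither usable it fails closed.
func isRevoked(cert *x509.Certificate, ocsp func(*big.Int) (bool, error), crl *x509.RevocationList) (bool, error) {
	if revoked, err := ocsp(cert.SerialNumber); err == nil {
		return revoked, nil
	}
	if crl == nil || time.Now().After(crl.NextUpdate) { // a stale CRL is no better than none
		return false, fmt.Errorf("no current revocation data for serial %v", cert.SerialNumber)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// serverTLSConfig is the API endpoint's listener configuration: TLS 1.2+, a client certificate
// chained to roots is mandatory (mutual TLS), and the leaf is revocation-checked after crypto/tls has validated the chain.
func serverTLSConfig(srv tls.Certificate, roots *x509.CertPool, ocsp func(*big.Int) (bool, error), crl *x509.RevocationList) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{srv},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			leaf := chains[0][0]
			revoked, err := isRevoked(leaf, ocsp, crl)
			if revoked {
				err = fmt.Errorf("client certificate serial %v is revoked", leaf.SerialNumber)
			}
			return err // also non-nil when no revocation data was available: fail closed
		}}
}

// runScenario builds the PKI with the OCSP responder down, so the CRL decides, and returns the
// server's verdict for a valid and for a revoked TPP certificate.
func runScenario() (goodErr, revokedErr error) {
	ca, caKey := newCert("ca.bank.example", 1, x509.ExtKeyUsageAny, nil, nil)
	srvCert, srvKey := newCert("api.bank.example", 2, x509.ExtKeyUsageServerAuth, ca, caKey)
	goodCert, _ := newCert("tpp-good.example", 3, x509.ExtKeyUsageClientAuth, ca, caKey)
	badCert, _ := newCert("tpp-revoked.example", 4, x509.ExtKeyUsageClientAuth, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ocspDown := func(*big.Int) (bool, error) { return false, fmt.Errorf("OCSP responder unreachable") }
	cfg := serverTLSConfig(tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}, roots, ocspDown, signedCRL(ca, caKey, badCert))
	admit := func(c *x509.Certificate) error { // chain validation as crypto/tls does it, then the hook above
		chains, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		if err != nil {
			return err
		}
		return cfg.VerifyPeerCertificate([][]byte{c.Raw}, chains)
	}
	return admit(goodCert), admit(badCert)
}
```

Two caveats the code encodes: a CRL is consulted only after its signature has been checked against the CA and only while it is within its NextUpdate window, and a certificate for which neither source can give a verdict is rejected rather than admitted. For a regulated API, failing open on a revocation-check outage is the wrong default.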
8. New payment flows and authentication methods
[Graphic © Open Banking Limited, 2018, https://www.openbanking.org.uk/customers/what-is-open-banking/]
9. Reference architecture
[Diagram. Labels recovered: Payment Service User; Third Party Provider; AWS Shield; NLB (Network Load Balancer) in front of an API Endpoint, an Auth Endpoint and a Reverse Proxy or Marketplace API-Gateway; Subnet; Private Endpoint; AWS CloudHSM]
10. Reference architecture (continued)
[Diagram. The components of slide 9 plus: Amazon API Gateway; Banking Application; Development or Mock API back-end (instances); Private Endpoint; Core Banking on-premises]
11. N-Tier API architecture
• Consumer Facing tier: APIs for Open Banking, PSD2 etc.
• Core Facing tier: APIs for Core, Fraud, CRM, KYC etc.
12. Find, test, buy, and deploy software in the cloud
• Deploy software on demand
• 1280+ ISVs
• 4200+ product listings
• Procure new or BYOL
• Billed through AWS account
• Deployed in 15 Regions
• 160,000 Active Customers
• 481M EC2 hours deployed per month
“Cloud will increasingly be the default option for software deployment.”
- Gartner
13. AWS has an expansive Financial Services network
[Logo slide: Systems Integrators & Consultants; Financial Technology Providers]
14. Thank you!
15. Further Reading
Open Banking: https://www.openbanking.org.uk/providers/standards/
• Technical Specifications
• Security Profile (FAPI and CIBA profiles)
• Customer Experience Guidelines
McKinsey: https://www.mckinsey.com/industries/financial-services/our-insights/data-sharing-and-open-banking
Capgemini: https://www.capgemini.com/2017/06/open-banking-0/
17. Open Banking - Dynamic Network of Financial Services
© Capgemini 2018. All rights reserved |
[Diagram. Labels recovered: Open Bank; Other Banks; Payment Services; Account Info & Aggregation; FinTech Partners; Bank Apps & Experiences; Payment Networks; Intelligent Insight & Smart Products]
18. Capgemini Financial Services
• Global Leader: a global leader in consulting, technology services and digital transformation, Capgemini is at the forefront of innovation to address the opportunities and challenges faced by clients in the evolving world of cloud, digital and platforms.
• Serving two-thirds of the world’s largest financial services institutions: Capgemini’s Financial Services Strategic Business Unit helps banks, capital markets firms, and insurers meet today’s industry disruptions with innovative business and IT solutions which create tangible value.
• 45,000 FS professionals: 45,000 FS professionals around the world collaborate across geographies, domains, and technologies to deliver the best tailored solutions to its clients.
• Over 25 years of global delivery excellence: Capgemini’s Financial Services Unit brings award-winning industry expertise, leading market insights and over 25 years of global delivery excellence to client engagements.
19. The Challenge - Traditional Banks vs Fin Techs
1. Aggressive timelines to achieve compliance
2. Risk of opening access to core banking systems and payment engines
3. Difficult to estimate scale and volume requirements
4. Cost
20. Our solution brings together all pillars needed for banks to thrive in the Open Banking era
[Diagram. Three pillars around a “Digital Banking Platform of the Future”: Enabling Agility, Security and Open Innovation. Capabilities shown: industry standard domain models (BIAN); microservices based middleware; complete auto provisioning; end to end DevOps tooling; developer portal; API sandbox; AIE innovation ecosystem; open APIs; API factory blueprint; API analytics; DDoS protection; end to end encryption; two-way secure digital trust; explicit customer consent; API Gateway; pre-built Open Banking API standards]
21. The Challenge - Traditional Banks vs Fin Techs: Capgemini's response
1. Aggressive timelines to achieve compliance: use Capgemini's Ready to Run solution.
2. Risk of opening access to core banking systems and payment engines: “Don't open.” Capgemini's AWS based solution provides “Open Bank on Cloud”, enabling secure access for open banking APIs while keeping the core banking secure.
3. Difficult to estimate scale and volume requirements: “Don't estimate.” Using AWS services and serverless technology removes the guesswork around scale and provides the ability to scale as per business and market needs.
4. Cost: benefit from the competitive cost of AWS services and serverless technology, with the option of using industry leading 3rd party packages and products as required.
22. Benefits
Speed of Development: the power of infrastructure as code. With AWS it is easy to spin up different environments for development, testing and integration; 80% reduction in environment creation and maintenance efforts.
Run Cost: the power of AWS services and serverless. By using AWS serverless technologies, start at a low cost and scale as needed; 65% reduction in infrastructure cost of production systems.
Security: security as needed in the cloud. By using AWS WAF and AWS Shield (DDoS protection), along with firewalls, NACLs, security groups, KMS and IAM, we are able to offer security to the financial institution's standards and beyond.
Path to cloud: experience and embrace cloud. Enabling banks to experience the power of cloud for their production runs and enabling future development on cloud.
23. Platform Architecture
[Diagram. Labels recovered, grouped for readability:
§ Edge: TPP; DNS Routing and Health checks; WAF & DDoS Protection; TLS Termination and Certificate Verification; Load Balancing
§ API Gateway: API Management; API Orchestration; API Load Balancing; API Discovery; Config Server; API Key Management; Developer Portal; Analytics & Reports
§ Open Banking APIs (JSON over REST/HTTPS between layers): Account Request; Payment Setup; Account; Funds Check; Payments; Consent
§ Security: Authentication / SCA / MFA; OAuth2; OIDC OP; Identity Provider; Consent Management; TPP Onboarding; LDAP; RBAC; KMS / HSM Encryption
§ Adapter Layer (Java / Camel): API Adapter; SOAP Adapter; REST Adapter; Routing Adapter; SCA/MFA Adapter; NoSQL DB Adapter
§ Integrations: Bank's Integration Layer and Core Banking Systems; Fraud Prevention System Integration; Customer Device Management Integration
§ Data and operations: Database; NoSQL Database; Service Monitoring & logging; Infrastructure Monitoring; Central Logging & Reports
§ Hosting: VPC]
24. Multi Dimensional Security on Cloud
As banks become more open and connected, the security of data at rest and in motion is a major concern. The Capgemini platform provides multi-dimensional security to ensure tight security and authentication, threat protection and compliance with standards and regulations, while maintaining ease of use of the APIs.
Threat Protection
§ Protection against DDoS attacks and malformed messages
§ Intrusion prevention and network attack protection using a network firewall
§ Client and server certificates to ensure positive identity
Secure API Access
§ API access secured by OAuth 2.0 with reference access and refresh tokens
§ LDAP directory server based strong developer and application registration process
§ Verification of proof of possession (PoP) and additional TPP signature validation
§ Strong customer consent management for private data access
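What “verification of PoP” means in practice, as an added example that is not Capgemini's code: RFC 8705 certificate-bound access tokens, the mechanism the FAPI profile uses to tie an access token to the TPP's mutual-TLS certificate. The authorization server puts the SHA-256 thumbprint of the client certificate into the token's cnf claim; the resource server recomputes the thumbprint of the certificate on the current connection and refuses the token if it differs, so a token stolen from one TPP cannot be replayed by another. Everything not in the slide is assumed: the ES256 signing key, the audience string, and the two byte strings standing in for the DER of the TPP certificates (a real server would use r.TLS.PeerCertificates[0].Raw).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding                // JWS uses unpadded base64url
const apiAudience = "https://api.bank.example" // assumed identifier of the resource server

// x5tS256 is the RFC 8705 confirmation value: base64url(SHA-256(certificate DER)).
func x5tS256(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return b64.EncodeToString(sum[:])
}

// claims is the access token payload; cnf binds the token to one transport certificate.
type claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Cnf struct {
		X5t string `json:"x5t#S256"`
	} `json:"cnf"`
}

// issueToken is the authorization server side: an ES256 JWS over the claims.
func issueToken(asKey *ecdsa.PrivateKey, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "at+jwt"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, asKey, digest[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw r||s, 32 bytes each, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyBoundToken is the resource server side. After signature, expiry and audience, the cnf
// thumbprint must match the certificate presented on this mTLS connection (r.TLS.PeerCertificates[0].Raw).
func verifyBoundToken(token string, asPub *ecdsa.PublicKey, presentedDER []byte, now time.Time, audience string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("alg must be ES256") // fixed allowlist; the token does not get to choose
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(asPub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Aud != audience:
		return nil, errors.New("token not issued for this API")
	case c.Cnf.X5t == "":
		return nil, errors.New("token is not certificate-bound")
	case c.Cnf.X5t != x5tS256(presentedDER):
		return nil, errors.New("proof of possession failed: presented certificate does not match cnf")
	}
	return &c, nil
}

// runScenario mints a token bound to TPP A's certificate and presents it over TPP A's connection,
// then over TPP B's. The two byte strings are constructed placeholders for client certificate DER.
func runScenario() (ownerErr, replayErr error) {
	asKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tppA, tppB := []byte("constructed DER of tpp-a.example"), []byte("constructed DER of tpp-b.example")
	c := claims{Sub: "tpp-a", Aud: apiAudience, Exp: time.Now().Add(10 * time.Minute).Unix()}
	c.Cnf.X5t = x5tS256(tppA)
	tok := issueToken(asKey, c)
	_, ownerErr = verifyBoundToken(tok, &asKey.PublicKey, tppA, time.Now(), apiAudience)
	_, replayErr = verifyBoundToken(tok, &asKey.PublicKey, tppB, time.Now(), apiAudience)
	return ownerErr, replayErr
}
```

The order of checks is deliberate: the signature is verified before any claim is read, the algorithm is a fixed allowlist rather than whatever the token header says, and a token without a cnf claim is rejected outright, so an unbound bearer token cannot be used against an endpoint that expects bound ones.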
Vulnerability Protection
§ WAF for detection and prevention of SQL, JavaScript and XPath/XQuery injection attacks
§ Protection against excessive XML/JSON depth and breadth and against malicious content
§ Virus and malware protection using antivirus
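The “excessive XML/JSON depth and breadth” item is one check a gateway can do cheaply before any back-end parser sees the body. The following is an added example, not Capgemini's or AWS's code, of a streaming JSON limiter in Go: it bounds total size, nesting depth and the number of tokens per object or array, and rejects on the first violation, so a hostile body never costs more than a small stack of counters. The limits and the sample payloads (a payment initiation body in the Open Banking shape, a nesting bomb, a breadth bomb and an oversized body) are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Limits are what the gateway enforces before a body reaches the back end; the values used
// further down are constructed for the example and need tuning per endpoint.
type Limits struct {
	MaxBytes   int64 // whole request body
	MaxDepth   int   // nesting of objects and arrays
	MaxBreadth int   // tokens per container: elements of an array, keys plus values of an object
}

var (
	ErrTooLarge = errors.New("body exceeds size limit")
	ErrTooDeep  = errors.New("nesting exceeds depth limit")
	ErrTooWide  = errors.New("object or array exceeds breadth limit")
)

// CheckJSON streams the body token by token, so depth and breadth are enforced without ever
// materialising the document, and stops at the first violation: a hostile payload costs the
// gateway at most MaxBytes of reading and one small stack of counters.
func CheckJSON(body io.Reader, lim Limits) error {
	dec := json.NewDecoder(http.MaxBytesReader(nil, io.NopCloser(body), lim.MaxBytes))
	var stack []int // tokens seen so far in each open container
	bump := func() bool {
		if len(stack) == 0 {
			return true
		}
		stack[len(stack)-1]++
		return stack[len(stack)-1] <= lim.MaxBreadth
	}
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			if len(stack) != 0 { // Token reports a clean EOF even inside an open container
				return errors.New("malformed JSON: body ends inside a value")
			}
			return nil
		}
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			return ErrTooLarge
		}
		if err != nil {
			return fmt.Errorf("malformed JSON: %w", err)
		}
		switch d, isDelim := tok.(json.Delim); {
		case isDelim && (d == '{' || d == '['):
			if len(stack) >= lim.MaxDepth {
				return ErrTooDeep
			}
			if !bump() { // the container is itself one element of its parent
				return ErrTooWide
			}
			stack = append(stack, 0)
		case isDelim: // '}' or ']'
			stack = stack[:len(stack)-1]
		case !bump(): // string, number, bool or null
			return ErrTooWide
		}
	}
}

// Sample bodies, constructed for the example: a payment initiation in the Open Banking shape,
// a nesting bomb and a breadth bomb.
var (
	paymentBody = `{"Data":{"Initiation":{"InstructionIdentification":"ACME412","InstructedAmount":{"Amount":"165.88","Currency":"GBP"},"CreditorAccount":{"SchemeName":"UK.OBIE.SortCodeAccountNumber","Identification":"08080021325698"}}},"Risk":{}}`
	nestedBomb  = strings.Repeat("[", 500) + strings.Repeat("]", 500)
	wideBomb    = "[" + strings.TrimSuffix(strings.Repeat("1,", 5000), ",") + "]"
)

// Verdicts runs the samples, plus an oversized body, through a 64 KiB / depth 16 / breadth 1000 policy.
func Verdicts() map[string]error {
	lim := Limits{MaxBytes: 64 << 10, MaxDepth: 16, MaxBreadth: 1000}
	return map[string]error{
		"payment": CheckJSON(strings.NewReader(paymentBody), lim),
		"nested":  CheckJSON(strings.NewReader(nestedBomb), lim),
		"wide":    CheckJSON(strings.NewReader(wideBomb), lim),
		"large":   CheckJSON(strings.NewReader(`{"pad":"`+strings.Repeat("x", 70000)+`"}`), lim),
	}
}
```

The decoder's Token API is used instead of Unmarshal precisely so that the check never allocates a tree: a 500-level nesting bomb is rejected at level 17 having allocated nothing but a slice of 16 integers, and the size cap comes from http.MaxBytesReader, which is also what a handler should wrap r.Body in.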
Platform Security
§ Hardened AMIs for OS security and PCI compliance
§ Secure Virtual Private Cloud (VPC)
§ Network isolation using subnets, security groups and network ACLs
§ Secure, role based platform access using IAM
§ Secure Direct Connect link for connectivity with the bank
Analytics and Monitoring
§ Tracking and monitoring of all network activities
§ Detailed access and audit logs
§ Analytics reports and dashboard for API status and performance monitoring
Encryption of Data in Motion and at Rest
§ EBS volume and S3 bucket encryption
§ AWS KMS for storage, management and rotation of encryption keys
§ End to end encryption of the communication channel using TLS and mutual TLS
§ Encryption of stored files, databases and logs
25. Platform Highlights
Flexible Layered Architecture
§ Independent layers with clear separation of concerns
§ Standard interfaces for inter-layer connectivity
§ Each layer can be scaled, managed and upgraded independently
§ Scalable microservices with service-id based invocation
API Management
§ Pre-built APIs for Open Banking (AISP, PISP, PIISP)
§ API Lifecycle Management
§ API Performance management
§ API Monitoring
§ API Traffic Management / Throttling
§ API Analytics
Security
§ DDoS protection, WAF and Network Firewall
§ End to end encryption of data in motion and at rest
§ API security using OAuth 2.0, JWT Reference Tokens [Optional]
§ API Gateway policy enforcement
§ PoP (proof of possession) validation for tokens
Standards & Compliance
§ Adherence to Open Banking Standards and security requirements
§ ISO 20022 based messages
§ FAPI & OB Security Profile Compliance
Functional Components
§ Developer portal with developer registration flows
§ Third party registration, onboarding
§ Consent management application
§ Service Monitoring, alerts, service resilience
§ Data Masking, Logging & reports dashboard [Optional]
Platform
§ Configured to work on AWS
§ Provision to Sandbox
§ Full auto provisioning of all components enabling single click deployment
§ High Availability and Load Balancing
§ Full CI-CD pipeline for dev, deployment and versioning
26. Continuous Integration and Continuous Deployment Capabilities
[Diagram. Pipeline stages: Commit Stage (Compile, Packaging, Static Analysis, Unit Test) → Acceptance Stage (Environment Provisioning, Acceptance Test, System of Records via Service Virtualization) → Load + Perf Stage (Load Testing, Perf Testing) → Release Stage (Ready to release Software → Production Environment, Monitoring & Control). Surrounding tooling: IDEs (Eclipse, etc.), Project/Task Management, Source Code Repository, Development & Configuration, Deployable Software]
Rapid deployments enabled through fully integrated CI/CD pipeline
27. Use cases
Account Information
• Account Information (for multiple accounts)
• Account Information (for one account)
• All Transaction Information (for one account)
• Balance Information (for one account)
• Beneficiaries Information (for one account)
• Consent Authorization
• Consent Record Retrieve
• Consent Revoke
• Consent Setup
• Credit Transaction Information (for one account)
• Debit Transaction Information (for one account)
• Direct Debits Information (for one account)
• Get Consent List for a Customer (utility)
• Products Information (for one account)
• Standing Orders Information (for one account)
Business Monitoring
• All API Analytics
• All API Summary Report
• API-wise response time
• API-wise TPP activity
• Calls made by a TPP based on the time range
• PSU-wise API Invocation Count Dashboard
• PSU-wise TPP Activity Report
• Reports Audit Log
• TPP activity for a given PSU
• TPP Onboarding summary report
• TPP Role-wise activity report
Developer Portal
• Developer Account Management
• Developer Application Registration (getting CID/SECRET)
• Developer Login
• Developer Registration
• View API Documentation
Platform Monitoring
• Perform Platform tuning and modifications
• Review Health and Alerts
• User Activity Monitoring
TPP Portal
• TPP Account Management
• TPP Application Registration (getting CID/SECRET)
• TPP Login
• TPP Registration
Our professional view on bare minimum use cases in scope for the solution.
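The consent use cases (Consent Setup, Consent Authorization, Consent Revoke, Consent Record Retrieve) form a small state machine, and its enforcement on every data call is where “explicit customer consent” actually bites. The following is an added example in Go, not Capgemini's code, of that lifecycle together with the check a resource API must make before serving account data. The status names are those of the UK Open Banking account access consent resource; the store, the identifiers and the permission names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Status values of an account access consent in the UK Open Banking API.
type Status string

const (
	AwaitingAuthorisation Status = "AwaitingAuthorisation"
	Authorised            Status = "Authorised"
	Rejected              Status = "Rejected"
	Revoked               Status = "Revoked"
)

type Consent struct {
	ID          string
	TPP         string          // client that created the consent
	PSU         string          // customer who authorised it, set at authorisation time
	Permissions map[string]bool // e.g. ReadAccountsDetail, ReadBalances, ReadTransactionsDetail
	Status      Status
	Expires     time.Time
}

var (
	ErrNotFound  = errors.New("consent not found")
	ErrState     = errors.New("consent is not in a state that allows this")
	ErrForbidden = errors.New("request is not covered by the consent")
)

// Store is an in-memory consent store, constructed for the example (the platform above
// keeps consents in its NoSQL database).
type Store struct {
	consents map[string]*Consent
	seq      int
}

func NewStore() *Store { return &Store{consents: map[string]*Consent{}} }

// Setup is the TPP's create-consent call: it records what is being asked for and
// starts the consent in AwaitingAuthorisation. Nothing can be read yet.
func (s *Store) Setup(tpp string, permissions []string, expires time.Time) *Consent {
	s.seq++
	c := &Consent{ID: fmt.Sprintf("aac-%d", s.seq), TPP: tpp, Permissions: map[string]bool{},
		Status: AwaitingAuthorisation, Expires: expires}
	for _, p := range permissions {
		c.Permissions[p] = true
	}
	s.consents[c.ID] = c
	return c
}

// Authorise records the customer's decision after SCA at the bank. Only a pending
// consent can move, so a revoked or rejected one cannot be re-armed by replaying this.
func (s *Store) Authorise(id, psu string, approve bool) error {
	c, ok := s.consents[id]
	if !ok {
		return ErrNotFound
	}
	if c.Status != AwaitingAuthorisation {
		return ErrState
	}
	c.PSU, c.Status = psu, Rejected
	if approve {
		c.Status = Authorised
	}
	return nil
}

// Revoke is terminal whether it comes from the PSU in the bank app or from the TPP.
func (s *Store) Revoke(id string) error {
	c, ok := s.consents[id]
	if !ok {
		return ErrNotFound
	}
	c.Status = Revoked
	return nil
}

// Authorize is the check the resource API runs on every data request: the consent must
// belong to the calling TPP, be Authorised, be unexpired and include the permission the
// endpoint needs. It returns the PSU whose data may be served.
func (s *Store) Authorize(id, tpp, permission string, now time.Time) (string, error) {
	c, ok := s.consents[id]
	if !ok || c.TPP != tpp { // do not even confirm that another TPP's consent exists
		return "", ErrNotFound
	}
	if c.Status != Authorised || !now.Before(c.Expires) {
		return "", ErrState
	}
	if !c.Permissions[permission] {
		return "", ErrForbidden
	}
	return c.PSU, nil
}
```

Note that the consent is bound to the TPP that created it and the check is made per permission, not per consent: a TPP holding a ReadBalances consent gets ErrForbidden on a transactions endpoint, and a different TPP quoting the same consent ID gets ErrNotFound rather than a hint that the consent exists.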
28. Capgemini Open Banking (CMA/PSD2) platform for a leading bank in Ireland
Capgemini played a pivotal SI role in developing a CMA/PSD2 compliant Open Banking Platform, delivering a complex multi-vendor platform on time, to regulatory timelines and with high quality.
Business challenges
§ The client is an Irish major (part of the CMA9) and was looking for a solution to implement PSD2 APIs as per the CMA Open Banking UK specification
§ The client was facing very tight regulatory timelines, so was in need of a solution which could be implemented within the required timelines
§ The client was looking for a solution that would cover their needs for CMA compliance in the UK as well as PSD2 compliance for the rest of the European market
§ The client wanted a partner to guide them on the Open Banking journey: PSD2 compliance and value added services
§ The client was also interested in utilizing the power of cloud for implementing such a platform, was looking for a partner who could guide them in developing cloud infrastructure, and was planning to migrate other systems to cloud
Capgemini's Role
§ Acted as a single point of contact for the Bank for the multi-vendor platform
§ Managed vendor SLAs and contracts
§ Worked with different vendors to influence their product roadmaps to develop the required product features
§ Engaged vendor and 3rd party consultants for product expertise
29. Case Study: Capgemini Open Banking PSD2 platform for a European Credit Card company
Business challenges
§ The client is a European cards major and was looking for a ready-to-use solution to become compliant with PSD2 guidelines
§ The client wanted quick adoption of the open banking regulations and was looking for a solution with low turnaround times
§ The client wanted a single system which could cover multiple countries and branches
§ The client was looking for a partner who could build and operate the system on their behalf
§ The client wanted a partner to guide them on the Open Banking journey: PSD2 compliance and value added services
Capgemini approach
Capgemini Open Banking API platform
• Capgemini utilized its Open Banking API platform with ready to use PSD2 compliant APIs to implement the PSD2 APIs for the client
• The ready to use platform provides complete infrastructure, security and access functionality to implement APIs
Distributed Delivery Model
• Utilized a distributed delivery model with the product team and development team located in Pune (India) and the implementation team supporting the bank locally in the Netherlands
Expertise
• Capgemini deployed its PSD2 domain experts to enable the bank's business teams with the required domain knowledge
Software as a Service
• Capgemini deployed its PSD2 platform on AWS Cloud and provided complete management and operation of the system in a SaaS model
Value delivered
§ The client could achieve PSD2 compliance well ahead of the regulatory timelines
§ The client started planning and development of their value added APIs and services, which would also be deployed on the same platform along with the regulatory APIs
§ Developer portal: a secure environment for external third party developers to utilize the client’s services to develop new services and integrate the APIs in different consumer facing applications
§ Fully supported SaaS model: does not need any time investment from the bank's business and technical teams and enables them to focus on the core business and value adds
30. About Capgemini
A global leader in consulting, technology services and digital transformation, Capgemini is at the forefront of innovation to address the entire breadth of clients’ opportunities in the evolving world of cloud, digital and platforms. Building on its strong 50-year heritage and deep industry-specific expertise, Capgemini enables organizations to realize their business ambitions through an array of services from strategy to operations. Capgemini is driven by the conviction that the business value of technology comes from and through people. It is a multicultural company of 200,000 team members in over 40 countries. The Group reported 2016 global revenues of EUR 12.5 billion.
Learn more about us at www.capgemini.com
Copyright © 2017 Capgemini. All rights reserved.
People matter, results count.