By Roy Urrico
The Financial Data Exchange (FDX) wants its foundational application programming interface (API) to provide the same type of standardization for financial data sharing that the Bluetooth standard did for short-range wireless data exchange.
FDX, an independent subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), is a Reston, Va.-based nonprofit dedicated to uniting the financial industry around a shared, interoperable, royalty-free standard for data sharing through an industry consortium of financial institutions, data aggregators, fintechs and consumer groups. Some 28 million consumer accounts now use FDX’s API for open finance and open banking data sharing.
“The financial services industry is continuing to implement the FDX API at a rapid rate,” says FDX Managing Director Don Cardinal. “The collaborative work of our members provides enormous benefits to the financial data ecosystem.”
The development and increasing importance of digital banking to consumers, financial institutions and financial technology suppliers revolve around the emergence of open banking and, even more broadly, open finance systems, both strongly aided by APIs.
FDX uses the model set by the Bluetooth Special Interest Group (SIG) — formed in 1988 to unite the siloed protocols developed by electronics manufacturers, telecommunication carriers, and cell phone suppliers — that still publishes and promotes its standard and subsequent revisions.
“Consumer demand to share financial data with fintech apps continues to expand. Consequently, we believe it is only fitting for the financial industry to occupy the role of defining the technical means and methods to accomplish consumer-centric financial data sharing through FDX,” added Cardinal.
FDX API Opens Finances
FDX began in early 2017 as a grassroots effort led by financial institutions, financial technology companies and data aggregators seeking to find common ground for a secure, consumer-focused data sharing framework.
“Consumers were rapidly beginning to adopt and utilize data-sharing benefits through shared login credentials and screen scraping,” said Tom Carpenter, director of public affairs and marketing at FDX. The problem, he explained, was that credit unions and banks obviously hated sharing login credentials, especially with non-regulated entities holding massive amounts of consumer logins. “They were getting hit on essentially the front door of their servers and websites with a ton of automated logins that they couldn't always tell and distinguish between those that were malicious versus those that were actually being initiated by one of their customers.”
The aggregators and the fintechs did not like screen scraping and login credentials because of the bad data quality. “Every time you had a bank or a credit union change a screen, then the scraper broke, or you would have to go and fix it. So, an enormous amount of cost went into trying to maintain those connections. And basically, for every single financial institution in the country, you had to have some type of tailored approach in order to get the data.”
Despite lots of competitive pressure, and lots of disagreements around policy or screen scraping in that ecosystem, a small group started gathering to discuss a way to standardize an API. “Regardless of which side of the fence you fall on these issues, everybody agreed screen scraping and shared login credentials were certainly not the best path forward,” said Carpenter.
FDX launched in October 2018 with about 20 organizations across a spectrum of participants, and introduced the FDX API (formerly Durable Data API, or DDA) standard a few months later. (Upon the public launch of FDX in October 2018, FS-ISAC assigned DDA to FDX and renamed it FDX API.)
FDX continues to evolve:
· In July 2019, the Open Financial Exchange (OFX) joined FDX as an independent working group, with the goal of aligning all users to a single interoperable FDX API standard.
· In July 2021, the Credit Union Financial Exchange (CUFX), which supplied the credit union industry’s open integration standard, expanded its support of open banking and interoperability by joining the FDX consortium.
· In October 2021, FDX announced a major update of its common open finance standards via the release of FDX API version 5.0. FDX indicated the new version of the FDX API significantly increases market standardization of financial data sharing around consent, user control and consumer dashboards, and aligns with other global standards like the OpenID Foundation’s Financial-grade API (FAPI) security standard and the insurance industry’s ACORD annuity standards to promote greater interoperability and industry adoption.
· By November or December 2022, FDX expects to launch beta certification for FDX in a Bluetooth-like way, said Carpenter. “It is really going to turbocharge the effort even more, because now the spec is certified. So, if I am Chase or if I am Navy Federal Credit Union, or if I am an aggregator and I want to latch onto the common standard, I get a certification badge. And that way the ecosystem knows this entity has gone through a certain number of steps, to get here.”
Regulating Open Banking
The concept of open banking continues to evolve internationally as policymakers push for consumers to have better control over their banking information.
The United Kingdom in its open banking oversight over the last several years outlawed screen scraping for accessing consumer payment account data; required third-party providers, including fintechs and data aggregators, to acquire regulatory consent and establish proper data privacy, insurance and security measures; and permitted participants to only collect consumer data for the product or service consumers authorize.
In 2019, the European Union mandated open banking and APIs under its revised Payment Services Directive (PSD2) and General Data Protection Regulation (GDPR) to govern data protection and privacy. The EU provided a regulatory framework that requires financial institutions to allow third-party providers access to customer data via open APIs and outlines how financial institutions and third-party providers can share and protect the consumer data they collect and use.
To date, U.S. regulators have taken a mostly hands-off approach to open banking by delivering non-binding guidelines. While the United States does not have an open banking regulatory body, the recent FFIEC “Proposed Interagency Guidance on Third-Party Relationships” does offer a framework. The guidance calls for financial institutions to conduct due diligence over data aggregators and the monitoring of screen scraping activities, as well as control for both credential and API-based authentication.
“When you look at even the U.K., the perfect example of the leader in open banking, they have the regulations that are in place, and have a common API standard,” pointed out Carpenter. He added that the rule in the United Kingdom really drove the development of the standard. “But in every jurisdiction with open banking, you usually have two pieces. You have the standard, the tech, and then you have the regulations or the rules.”
“In the U.S. and in Canada, the market has defined the standard and is basically waiting on the regulators to define some of the rules of the road,” said Carpenter. “We're agnostic on the policy. The standard will take into account whatever rules or requirements are needed in a given jurisdiction.”
FDX thinks the market is best suited to define and adapt the technology much quicker than the regulators can react. Carpenter held, “We've seen that play out in the UK (where they have) a slow adoption of the API, because it was more of a compliance exercise rather than trying to actually meet the needs of the market.”
You can build a great standard, suggested Carpenter. But the other side of the coin, he added, is how do you get people to adopt it and use it and implement it? “It has to accomplish kind of all the things standardization seeks to accomplish in any industry, which is save us some money from having to build this ourselves and create a greater and more efficient marketplace.”
FDX Membership Using Data Sharing Standard
Carpenter noted that nearly all of FDX’s members, especially financial institution core technology providers such as FIS, Fiserv and Jack Henry, are currently in development or in process for making a change away from a screen scraping and login credentials universe to the FDX API. “We really feel like we've got the market buy-in and the momentum around the standard,” he said.
Carpenter also said almost all of the major banking core technology providers, FIS, Fiserv and Jack Henry, are FDX members and at different levels of FDX API development. “But Jack Henry is probably the leader among the cores of really leaning in and saying, ‘Hey, we are doing a full FDX build, and we're making it available to our customer financial institutions.’”
A common standard, however, is not a silver bullet, Carpenter insisted. “There's still a lot of big questions that are more in the policy universe around how do you define consumers’ data? Where does it begin? What should a consumer be able to do with their data? What are consumer data rights?”
FDX from the start has tried to consider what consumers are demanding to utilize and share today, maintained Carpenter. “And then define all those data elements in an API. We really started from open finance, which is much broader than just traditional banking data.” Added Carpenter, “We are also defining specification and standards around user experience, around the security layer, around the taxonomy. We see ourselves coming in as that initial and foundational API that can then be tailored.”
Carpenter continued, “We're proud to say, you know, we've got kind of every corner of the financial services ecosystem, including a fair amount of individual credit unions.” These include Community Savings Credit Union, Mountain America Credit Union, Navy Federal Credit Union, Servus Credit Union and UW Credit Union, as well as the Canadian Credit Union Association (CCUA).
FDX has a global membership and predominantly operates in the U.S. and Canada. The organization is comprised of more than 200 financial industry members and stakeholders, besides the aforementioned credit unions and core providers. Other members include Bank of America, Citi, Capital One, Envestnet, Yodlee, Experian, Fannie Mae, Fidelity, Finicity, FS-ISAC, Interac, Intuit, JPMorgan Chase, MX, Plaid, PNC, Quicken Loans, Royal Bank of Canada, Schwab, SIFMA, TD Bank, The Clearing House, Truist, USAA, US Bank, Wells Fargo, Xero, and a rotating observer-level seat for consumer advocacy groups.