Engineering secure and scalable open banking with AWS

by Julia Morozova (Kulagina), Solution Architect at DataArt


The finance industry is evolving at breakneck speed due to changing customer preferences, regulatory requirements, and the growth of digital ecosystems. This shift has paved the way for open banking, a transformation in how financial services are delivered, made possible by a fundamental technology: Application Programming Interfaces (APIs). Open banking allows financial institutions to expose their services through APIs, making it easier to develop new applications and services. Customers can access their financial accounts and services through digital channels, while third parties can offer a broader range of services on their behalf. APIs enable controlled data exchange with third-party developers and service providers, automating access to core banking functionality. The key benefit of open banking is access to financial products and services without the complexity and cost of integrating with traditional banking systems.

For many banks, Amazon Web Services (AWS) has become the preferred platform for open banking initiatives. AWS's scalability, cost-efficiency, and data analytics services make it a strong choice. AWS also eases regulatory compliance: the underlying infrastructure already carries independent compliance attestations, although under the shared responsibility model the bank remains accountable for the security of what it builds on that infrastructure.

How does AWS improve open banking?

Amazon Web Services (AWS) plays a pivotal role in enhancing open banking by offering a robust and reliable foundation for banks and financial institutions. AWS’s cloud infrastructure empowers banks to streamline their operations, boost security, and foster innovation.

Let’s explore how AWS improves the open banking landscape:

  1. Unified APIs: AWS allows banks to build unified APIs on multiple microservices, increasing agility and velocity. This means faster development and adaptation to evolving market demands.
  2. Scalability: AWS enables banks to scale their APIs on demand. This scalability ensures that businesses only pay for the resources they truly need, effectively managing cloud costs.
  3. Security Standards: AWS implements high levels of security standards by adhering to best practices and data regulations. This commitment to security ensures that customer data remains protected.
  4. Authentication and Authorization: AWS provides tools to create robust authentication and authorization requests, enhancing the security of transactions and data access.
  5. Throttling and DDoS Protection: AWS offers features like throttling and protection against Distributed Denial of Service (DDoS) attacks. This safeguards sensitive data from theft and ensures the continuous availability of services.

What does AWS offer for open banking?

Here’s a closer look at what AWS brings to the table for open banking:

Well-Architected Framework: AWS offers the Financial Services Industry Lens, a framework tailored to the financial sector. It promotes security by design, automated governance, automated infrastructure, application deployment, and documented operational planning.

Compliance: Open banking architectures that work with AWS are designed to meet key compliance standards.

These solutions share the following characteristics:

  • OAuth 2.0 Authorization Standard: AWS supports OAuth 2.0, a widely accepted authorization standard, ensuring secure access to customer data.
  • API-Driven Infrastructure: The architecture is built around APIs, offering an elastic and scalable environment, which is crucial in meeting the dynamic demands of the financial industry.
  • Instant Data Access: AWS facilitates instant or near-instant access to customer account data, ensuring that transactions and data retrieval happen without delays.
  • Tamper-Resistant Logging and Audit Capabilities: A robust logging system and audit capabilities provide banks with tamper-resistant data, ensuring the security and integrity of financial transactions.

Ensuring Payment Compliance and Security Standards in open banking

A significant advantage of open banking payment initiation is that money moves account-to-account, so no cardholder data is processed. Those payments therefore fall outside the scope of the Payment Card Industry Data Security Standard (PCI DSS), which removes the PCI DSS burden for the payment initiation flow itself. Any card data the bank still handles elsewhere remains in scope.

In the realm of global payments regulations, the Payment Services Directive 2 (PSD2) marked a significant milestone, gaining recognition worldwide. However, the progress in implementing PSD2 has been somewhat slower than expected.

To address this, the proposed PSD3 and the Payment Services Regulation (PSR) bring renewed momentum to the development of open banking in Europe. At the time of writing, the best-case scenario envisions the PSD3/PSR package passing before the summer of 2024, with enforcement taking effect by the end of 2025.

The impact of open banking extends globally. Some regions, like Europe with PSD2 and Australia with the Consumer Data Right (CDR), have mandated open banking through regulatory measures. In contrast, other regions, such as the United States, are witnessing market-driven adoption.

On a technical front, open banking sets the standard for APIs that authorize third-party providers (TPPs) to access current account transactions and initiate payments on behalf of payment service users (PSUs). These APIs encompass a range of specifications, including security profiles, customer experience, and operational guidelines. However, it’s important to note that open banking APIs can be complex and may require:

  • Mutual TLS authentication for both the APIs and the Identity Provider (IdP), so the third party is authenticated by its client certificate rather than by a shared secret alone
  • Online Certificate Status Protocol (OCSP) validation of the presented certificate
  • Certificate Revocation List (CRL) fallback when the OCSP responder is unavailable
  • Implementation of the Financial-grade API (FAPI) and Client-Initiated Backchannel Authentication (CIBA) security profiles
  • Implementation of the OpenID Connect Hybrid Flow (response_type=code id_token), which FAPI 1.0 Advanced uses to bind the authorization code and state to a signed ID token

These security measures ensure the reliability and integrity of open banking transactions and data, making it a robust and secure system for financial interactions.
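The hybrid flow requirement above is the one that most often trips up TPP implementers: the client must not only check state and nonce but also verify the c_hash and s_hash claims that bind the authorization code and state to the signed ID token. The following is an added example written for this page, not code from the article or from DataArt. It assumes the ID token's signature has already been verified against the authorization server's JWKS (FAPI mandates PS256 or ES256); the issuer, client identifier, nonce, state and code values are constructed demo data.

```python
"""Client-side checks for an OpenID Connect hybrid flow (response_type=code id_token)
response, as required by the FAPI 1.0 Advanced profile.

Added example, not code from the article or from DataArt. The response
parameters and ID token claims are constructed for the demo; signature
verification of the ID token is assumed to have happened before these checks.
"""
import base64
import hashlib
import time

# The hash used for c_hash/s_hash follows the ID token's JWS alg (OIDC Core 3.3.2.11):
# *256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512.
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def left_half_hash(value: str, alg: str) -> str:
    """base64url(left-most half of HASH(ascii(value))), without padding."""
    digest = _HASH_FOR_ALG[alg[-3:]](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


class HybridFlowError(Exception):
    pass


def verify_hybrid_response(params, id_token_claims, id_token_alg, expected, now=None):
    """Validate the front-channel response and return the authorization code.

    params          - parameters returned by the AS: code, state, id_token
    id_token_claims - payload of the (already signature-verified) ID token
    id_token_alg    - 'alg' from the ID token's JOSE header
    expected        - values the client stored when it built the request:
                      issuer, client_id, nonce, state
    """
    now = time.time() if now is None else now
    code, state = params.get("code"), params.get("state")
    if not code or not state:
        raise HybridFlowError("code and state are mandatory in the response")
    if state != expected["state"]:
        raise HybridFlowError("state mismatch (possible CSRF)")
    if id_token_claims.get("iss") != expected["issuer"]:
        raise HybridFlowError("unexpected issuer")
    aud = id_token_claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected["client_id"] not in aud:
        raise HybridFlowError("ID token not intended for this client")
    if id_token_claims.get("nonce") != expected["nonce"]:
        raise HybridFlowError("nonce mismatch (possible replay)")
    if id_token_claims.get("exp", 0) <= now:
        raise HybridFlowError("ID token expired")
    # The ID token acts as a detached signature over the response: c_hash binds
    # the code and s_hash binds the state, so neither can be swapped in transit.
    if id_token_claims.get("c_hash") != left_half_hash(code, id_token_alg):
        raise HybridFlowError("c_hash mismatch: authorization code was substituted")
    if id_token_claims.get("s_hash") != left_half_hash(state, id_token_alg):
        raise HybridFlowError("s_hash mismatch: state was substituted")
    return code


# ---- constructed demo data (not a real authorization server response) -------
EXPECTED = {"issuer": "https://as.example-bank.test", "client_id": "tpp-client-1",
            "nonce": "n-0S6_WzA2Mj", "state": "af0ifjsldkj"}
CODE = "SplxlOBeZQQYbYS6WxSbIA"
ALG = "PS256"
NOW = 1_700_000_000


def make_demo_response(code=CODE, state=EXPECTED["state"]):
    """ID token claims are computed over the genuine code/state; params may be tampered."""
    claims = {"iss": EXPECTED["issuer"], "aud": EXPECTED["client_id"], "sub": "psu-42",
              "nonce": EXPECTED["nonce"], "iat": NOW, "exp": NOW + 300,
              "c_hash": left_half_hash(CODE, ALG),
              "s_hash": left_half_hash(EXPECTED["state"], ALG)}
    return {"code": code, "state": state, "id_token": "<signed JWT, verified upstream>"}, claims


def demo(code=CODE, state=EXPECTED["state"]):
    """Return the accepted code, or 'rejected: <reason>' when validation fails."""
    params, claims = make_demo_response(code, state)
    try:
        return verify_hybrid_response(params, claims, ALG, EXPECTED, now=NOW)
    except HybridFlowError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print(demo())                          # genuine response -> the code
    print(demo(code="attacker-chosen"))    # swapped code -> c_hash mismatch
```

The order of checks matters: state is compared first so a cross-site request forgery is rejected before any hash work, and the c_hash check is what defeats code substitution even if an attacker can read the front-channel response. With FAPI 2.0, the same protection is provided by PAR plus PKCE instead of the hybrid flow, but many live open banking ecosystems still run on FAPI 1.0 Advanced.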

Securing open banking with AWS

Ensuring the security of open banking operations is key. Here’s how cloud services like AWS help maintain a strong security posture:

Network Connectivity: To connect the bank’s data center with AWS, a combination of AWS Direct Connect and AWS Site-to-Site VPN is used. For resilience, it’s advisable to have two diverse AWS Direct Connect connections. AWS Transit Gateway serves as a central hub within AWS, managing connections between different workloads across multiple AWS accounts, ensuring efficient connectivity.

Intrusion Prevention: A network firewall such as AWS Network Firewall inspects traffic entering the workload VPCs, providing intrusion prevention and protection against network-level attacks.

Transport Layer Security: Mutual TLS (mTLS) secures the transport layer. The bank authenticates accredited third parties by their client certificates and issues access tokens for open banking API calls; under FAPI those tokens are bound to the presenting certificate (RFC 8705), so a token stolen from one TPP cannot be replayed by another client.

API Management: Amazon API Gateway acts as the API management layer, exposing the open banking APIs and the authorization endpoints. It supports mTLS on custom domain names, with a truststore of accredited TPP certificate authorities held in Amazon S3, and integrates with AWS WAF for web protection. One caveat: API Gateway validates the client certificate chain but does not check revocation, so OCSP/CRL checks and the match between the certificate and the access token must be performed in a Lambda authorizer or in the backend. API Gateway reaches microservices in other AWS accounts through a VPC link (private integration) backed by AWS PrivateLink.
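The checks that API Gateway's native mTLS leaves to the bank, revocation status, issuer accreditation and the binding between certificate and access token, are a natural fit for a Lambda authorizer. The following is an added example written for this page, not code from the article or from DataArt. It assumes the REQUEST-authorizer event shape API Gateway documents for mTLS (`requestContext.identity.clientCert` with `clientCertPem`, `subjectDN`, `issuerDN`, `serialNumber` and `validity`), an assumed timestamp format for the validity fields, a cached CRL/OCSP result supplied as a set of revoked serial numbers, and access token claims whose signature has already been verified against the authorization server's JWKS. The certificate, event and claims are constructed demo data; the "certificate" body is not a real X.509 object.

```python
"""Lambda-authorizer style checks for an mTLS-protected open banking API on
Amazon API Gateway.

Added example, not code from the article or from DataArt. API Gateway checks
the client certificate chain against the S3 truststore and hands the
certificate to the authorizer; it does not check revocation or that the
certificate belongs to the token holder. This code does those checks:
  * validity window and issuer allowlist (accredited TPP CAs)
  * revocation against a cached CRL/OCSP result (assumed: a set of revoked serials)
  * certificate-bound token: cnf['x5t#S256'] (RFC 8705) == SHA-256 of the DER cert
Token claims are assumed signature-verified upstream. All data below is constructed.
"""
import base64
import hashlib
from datetime import datetime, timezone


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t_s256(pem: str) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER)), DER recovered from the PEM body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return b64url(hashlib.sha256(base64.b64decode(body)).digest())


def parse_apigw_time(value: str) -> datetime:
    """Assumed API Gateway validity format, e.g. 'May 28 12:30:02 2019 GMT'."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def authorize(event, claims, *, accredited_issuers, revoked_serials, now):
    """Return ('Allow'|'Deny', reason) for one API Gateway REQUEST authorizer event."""
    cert = event.get("requestContext", {}).get("identity", {}).get("clientCert")
    if not cert:
        return "Deny", "no client certificate presented"
    if cert["issuerDN"] not in accredited_issuers:
        return "Deny", f"issuer not accredited: {cert['issuerDN']}"
    not_before = parse_apigw_time(cert["validity"]["notBefore"])
    not_after = parse_apigw_time(cert["validity"]["notAfter"])
    if not (not_before <= now <= not_after):
        return "Deny", "client certificate outside validity window"
    if cert["serialNumber"] in revoked_serials:          # CRL/OCSP result, cached by the bank
        return "Deny", "client certificate revoked"
    if claims.get("exp", 0) <= now.timestamp():
        return "Deny", "access token expired"
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return "Deny", "access token is not certificate-bound"
    if bound != x5t_s256(cert["clientCertPem"]):         # token was issued to another cert
        return "Deny", "token thumbprint does not match presented certificate"
    return "Allow", f"{cert['subjectDN']} with scope '{claims.get('scope', '')}'"


# ---- constructed demo data ---------------------------------------------------
_FAKE_DER = b"constructed DER bytes standing in for the TPP client certificate"
DEMO_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(_FAKE_DER).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")
ACCREDITED = {"CN=OpenBanking TPP Issuing CA,O=Example Trust Services,C=GB"}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def demo_event(not_after="Dec 31 23:59:59 2024 GMT", serial="0A1B2C"):
    return {"requestContext": {"identity": {"clientCert": {
        "clientCertPem": DEMO_PEM,
        "subjectDN": "CN=tpp-client-1,O=Example TPP Ltd,C=GB",
        "issuerDN": next(iter(ACCREDITED)),
        "serialNumber": serial,
        "validity": {"notBefore": "Jan 01 00:00:00 2024 GMT", "notAfter": not_after}}}}}


def demo_claims(thumbprint=None):
    return {"iss": "https://as.example-bank.test", "client_id": "tpp-client-1",
            "scope": "accounts", "exp": int(NOW.timestamp()) + 300,
            "cnf": {"x5t#S256": thumbprint or x5t_s256(DEMO_PEM)}}


def demo(event=None, claims=None, revoked=frozenset()):
    return authorize(event or demo_event(), claims or demo_claims(),
                     accredited_issuers=ACCREDITED, revoked_serials=revoked, now=NOW)


if __name__ == "__main__":
    print(demo())                                   # Allow
    print(demo(claims=demo_claims("AAAA")))         # Deny: thumbprint mismatch
    print(demo(revoked={"0A1B2C"}))                 # Deny: revoked
```

In a deployed authorizer the returned tuple is translated into the IAM policy document API Gateway expects, and the revoked-serial set would be refreshed from the TPP CA's CRL (with OCSP as the primary source) on a schedule, so that a responder outage degrades to the cached list rather than to an open door.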

DDoS Protection: AWS Shield Standard is included at no extra cost for all AWS customers and, combined with CloudFront, protects against network- and transport-layer (L3/L4) DDoS attacks. AWS Shield Advanced is a paid subscription that adds application-layer (L7) attack detection, tighter integration with AWS WAF, and access to the Shield Response Team.

Identity Provider (IdP): The IdP, which implements the OAuth 2.0 and OpenID Connect flows, resides in a separate AWS account so that token issuance and signing keys are isolated from the workloads that consume them. Banks can opt for AWS partners’ IdP solutions or build a custom IdP.

Enhanced Security: AWS offers further services to bolster security. Amazon GuardDuty monitors for malicious activity and unauthorised behaviour. AWS Security Hub provides a consolidated view of security findings and the overall security posture across AWS accounts. Amazon Macie discovers sensitive data held in Amazon S3, and querying its findings with Amazon Athena gives the team visibility into where such data is present.

Conclusion

In summary, open banking, with its API-driven approach, is revolutionizing access to banking services and data. Amazon Web Services (AWS) emerges as a trusted ally, offering a robust infrastructure for secure, compliant, and scalable open banking solutions. AWS simplifies compliance, streamlines network connectivity, enhances security, and empowers financial institutions to meet regulatory standards while providing customers with seamless, data-rich financial experiences.

This partnership, backed by global regulatory support and AWS’s cloud capabilities, promises a future where open banking not only simplifies access to financial services but also strengthens security and innovation. The synergy between open banking and AWS offers a promising path toward a more accessible and secure financial future.
