Developer Programs

Learn

Docs

Open Banking

Open Banking

What is Open Banking?

The term “Open Banking” can mean different things around the globe, but in the USA the meaning of the term is captured by this quote from Investopedia:

Open banking is a banking practice that provides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions through the use of application programming interfaces (APIs).

That’s a lot to absorb. What does that really mean?

A different way of describing this is that Open Banking is about the secure exchange of financial data, for the user’s benefit.

What is NOT Open Banking?

Screen scraping is the opposite of Open Banking.

Screen scraping is problematic for several reasons:

  • Requires the user to hand over sensitive information for their financial institution (i.e., username and password) to automated bots, web crawlers, and other proprietary tools.
  • Increases the difficulty for financial institutions to distinguish legitimate login attempts from fraudulent ones.
  • Reduces the ability for users to specify, minimize, and fully control their data (including granting and revoking permission) and how that data is shared with third-party providers.

Jack Henry has announced that it is phasing out screen scraping by replacing inbound screen scraping with more secure API-based connections with leading data aggregators.

Open Banking and the Digital Toolkit

The Banno Digital Platform™ enables Open Banking via the Digital Toolkit.

Philosophically, the Digital Toolkit offers financial institutions a self-service platform that empowers them to improve their user experience by building their own solutions or collaborating with fintechs to build solutions.

Mechanically, the Digital Toolkit is based on modern, battle-tested, tech industry standards such as OAuth and OpenID Connect (which continue to be updated as those standards evolve).

How Jack Henry helps

Jack Henry ensures that credentials are provisioned in a secure manner and only by financial institution employees which are specifically authorized to do so.

Jack Henry helps ensure security of the platform itself on these topics for all Banno-powered financial institutions:

  • Authentication methods
  • Session length
  • Encryption

What financial institutions should do

Financial institutions should do these things to help ensure security for their institution and their users:

  • Periodic reviews of credentials (quarterly, annually) for continued use of those credentials.
  • Ensure that the principle of least privilege is used when provisioning credentials.
  • Review user activity events to ensure that API-created actions were appropriate, and deprovision credentials if necessary.
User events and API events are co-located in the activity shown for a user.
Example: Screenshot of activity which is inclusive of both user events and API events.
User activity and API activity

If a financial institution deprovisions credentials for an application, all connectivity will be lost for all users of that application.

It’s a good idea to contact that specific partner/vendor for that application prior to deprovisioning credentials.

Large data aggregation partners provisioned by Jack Henry and listed on the data aggregators page will be managed by Jack Henry.

Financial institutions can evaluate whether to participate with that partner in total and do not need to individually review each client application for that partner.

New data aggregation partners are announced as part of the monthly statement on product updates.


Have a Question?
Have a how-to question? Seeing a weird error? Get help on StackOverflow.
Register for the Digital Toolkit Meetup where we answer technical Q&A from the audience.
Last updated Thu Jul 20 2023