Guest post by Verena van Engen, Marketing Manager and Kai Kasper, Head of IT Operations, finAPI
Have you ever thought about the impact of digitalization on the financial world? Most people have heard of online banking, and the vast majority of banking customers in Germany are already using it; however, that is only a small portion of digitalization. Today, banks and fintech companies are building services on banking data and combining it with other data sources. This results in new solutions for customers such as multi-banking (linking several accounts at different banks in one application), financial apps (e.g. a personal finance manager), “Beyond Banking” (concepts that lie outside the traditional banking business) and numerous other applications that are precisely tailored to specific needs.
Access and Analysis of Account Data via finAPI Banking-API
Fintech companies like finAPI enable access to and analysis of banking data and thus support banks, financial service providers, insurance companies, and many other software providers in repositioning their digital services and creating customer-friendly value-added services. Thanks to increasing digitalization, many financial services such as loan applications can already be handled 100% digitally today, and more and more customers are accepting this offering. It also helps the security-conscious user if the company has a secure and reliable technology partner, as in our case with AWS. finAPI is one of the pioneers of this development and was one of the first fintech companies to receive the necessary license from the German Federal Financial Supervisory Authority (BaFin) to provide account information and payment initiation services.
With the finAPI interface Access-to-Account (XS2A for short), it is possible to analyze account data on behalf of and with the consent of the customer and to evaluate the data for new services. Using the numerous REST (Representational State Transfer) services, account holders can be verified and account transactions can be retrieved and, together with additional information, integrated into existing applications in a minimum of time.
Improve or Enable Processes with Smart Data
An illustrative example is the implementation of finAPI services in applying for credit. Instead of the classic manual process, finAPI allows the entire process to be completed digitally without any paperwork: First, the customer starts the credit application online. They log in to their online banking via a secure finAPI page. finAPI accesses and analyzes the account data, e.g. compares the name of the applicant with the account holder. Thus, an identity check is performed in real time. Next, the account transactions are analyzed and categorized. Income and expenses, but also special risk factors such as debt collection transactions, can be detected automatically. Based on this information, the bank can make a secure credit decision. The customer also saves an enormous amount of time and effort: no visits to the branch, no submission of account statements and pay slips in paper form. Within minutes, everything is done, and a credit decision is made.
The Absolute Priority: Secure Authentication and Data Protection
In a digital world, topics such as the secure handling of data, the protection of one’s own identity, and the strengthening of everyone’s data sovereignty have the highest priority. Due to legal requirements, customers must authenticate with two factors (two-factor authentication) every time they log on to the banking system. This means that the login with login name and password must also be confirmed by a TAN. finAPI also makes high demands on the systems and technologies used to guarantee our customers and users an absolutely secure, smooth, and highly available service at all times. Because of the need for reliability coupled with high security standards and matching compliance frameworks, finAPI’s whole technical architecture is based on a variety of AWS services hosted in the AWS Frankfurt region for data sovereignty. These include Amazon CloudFront, Amazon Route 53, and AWS WAF (Web Application Firewall) to ensure the speed and security of the environments.
Walkthrough of the process and the respective AWS services
Each request from an end user goes through the entry point shown in the architecture diagram. A request is, for example, a call to obtain an authentication token. Amazon CloudFront chooses the entry point that is closest and fastest for the customer. The request goes through the web application firewall and is scanned according to the most common security rules as well as custom rules defined by finAPI. After that, the request is passed on to the frontend VPC and routed to various forward proxies via an Application Load Balancer (ALB); the proxies are operated within Amazon Elastic Container Service (ECS). Amazon Route 53 is then used to route the request to the correct application VPC. AWS Security Hub and Amazon GuardDuty are active to ensure secure processing with intelligent threat detection and automated security checks across all AWS accounts.
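The WAF stage described above writes a log record per inspected request, and reviewing those records is how a defender confirms that managed and custom rules are behaving as intended. The following is an added example, not finAPI's code: it parses AWS WAF log lines (the field names follow the documented WAF log format; every value, including the custom rule name "RateLimitPerIp", is constructed) and summarises which rules blocked, which client IPs keep tripping them, and which IPs exceed a review threshold.

```python
"""Added example, not finAPI's code: summarise AWS WAF logs by blocking rule
and client IP.  Field names follow the documented AWS WAF log format; all
values below are constructed sample data."""
import json
from collections import Counter

# Constructed sample log (one JSON object per line, as WAF delivers them).
# "RateLimitPerIp" is a made-up custom rule name; the AWS-... names are the
# identifiers of AWS managed rule groups.  The last line is deliberately bad.
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in [
    {"timestamp": 1600000000000, "action": "BLOCK",
     "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
     "terminatingRuleType": "MANAGED_RULE_GROUP",
     "httpRequest": {"clientIp": "203.0.113.10", "country": "DE",
                     "httpMethod": "POST", "uri": "/api/v1/oauth/token"}},
    {"timestamp": 1600000000500, "action": "BLOCK",
     "terminatingRuleId": "RateLimitPerIp",
     "terminatingRuleType": "RATE_BASED",
     "httpRequest": {"clientIp": "203.0.113.10", "country": "DE",
                     "httpMethod": "POST", "uri": "/api/v1/oauth/token"}},
    {"timestamp": 1600000001000, "action": "BLOCK",
     "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet",
     "terminatingRuleType": "MANAGED_RULE_GROUP",
     "httpRequest": {"clientIp": "198.51.100.7", "country": "NL",
                     "httpMethod": "GET", "uri": "/api/v1/accounts"}},
    {"timestamp": 1600000002000, "action": "ALLOW",
     "terminatingRuleId": "Default_Action",
     "terminatingRuleType": "REGULAR",
     "httpRequest": {"clientIp": "192.0.2.5", "country": "DE",
                     "httpMethod": "GET", "uri": "/api/v1/accounts"}},
]) + "\nnot json\n"


def parse_waf_log(text):
    """Parse one JSON object per line; malformed lines are counted, not fatal."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def summarise(records):
    """Counts of blocked requests by terminating rule, client IP and URI."""
    blocked = [r for r in records if r.get("action") == "BLOCK"]
    return {
        "total": len(records),
        "blocked": len(blocked),
        "by_rule": Counter(r.get("terminatingRuleId", "?") for r in blocked),
        "by_ip": Counter(r["httpRequest"]["clientIp"] for r in blocked),
        "by_uri": Counter(r["httpRequest"]["uri"] for r in blocked),
    }


def noisy_ips(records, threshold):
    """Client IPs with at least `threshold` blocked requests, busiest first."""
    counts = summarise(records)["by_ip"]
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    recs, bad = parse_waf_log(SAMPLE_WAF_LOG)
    print(f"{len(recs)} records, {bad} malformed")
    for name, counter in summarise(recs).items():
        print(name, dict(counter) if isinstance(counter, Counter) else counter)
    print("review:", noisy_ips(recs, threshold=2))
```

In production the input would be the WAF log objects delivered to S3 or the Kinesis Data Firehose stream, read in the same one-object-per-line shape; the threshold is a tuning knob, and a rule that blocks far more than expected is usually the first sign of a false positive on a legitimate client.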
The request is then forwarded to the application VPC. The technical foundation varies per application. The legacy applications still run server-based on Amazon EC2 instances with Amazon RDS databases, while the newer applications have been developed on AWS serverless technologies such as AWS Fargate, a serverless compute engine for containers, and the Amazon Aurora Serverless database, which remove the need to provision and manage infrastructure.
A wide variety of AWS services are used to protect data, monitor operations and fulfill regulatory requirements.
For data storage, we use encrypted Amazon Elastic Block Store (EBS, non-persistent) and Amazon Elastic File System (EFS, persistent) volumes. Data that needs to be stored for a longer period is pushed into Amazon S3 buckets and then, based on retention policies, copied to Amazon S3 Glacier as a secure, durable, and low-cost archiving solution. To make the data searchable, we use Amazon Athena queries over the S3 data and an Amazon Elasticsearch cluster for application logs. To secure every individual resource, we use encryption at rest and in transit. Here, the AWS Key Management Service (KMS) and AWS Secrets Manager are used. AWS Certificate Manager manages the encrypted connections, and each connection point contains an internal WAF. Finally, the response is routed out through the transit VPC via our internet gateway; we link the VPCs using VPC peering and Site-to-Site VPN. Staying with the authentication process example, the customer receives a valid authentication token to work with our API.
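"Encrypted EBS and EFS volumes" is a property that has to be verified continuously, not just chosen at creation, because a volume created from an unencrypted snapshot or by a misconfigured template silently breaks the at-rest guarantee. The following is an added example, not finAPI's code: an audit that walks every EBS volume and EFS file system and reports those that do not have Encrypted set. The clients are injected so the same functions run against `boto3.client("ec2")` and `boto3.client("efs")` in a real account and against the constructed fakes below offline; the response shapes follow the EC2 DescribeVolumes and EFS DescribeFileSystems APIs, and the IDs and key ARN are made up.

```python
"""Added example, not finAPI's code: confirm every EBS volume and EFS file
system reports Encrypted=True.  Clients are injected; in an account pass
boto3.client("ec2") and boto3.client("efs").  The fakes and sample IDs below
are constructed for offline use."""


def unencrypted_ebs_volumes(ec2):
    """Page through DescribeVolumes (NextToken) and return volume IDs that
    lack at-rest encryption."""
    findings, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = ec2.describe_volumes(**kwargs)
        findings += [v["VolumeId"] for v in page["Volumes"]
                     if not v.get("Encrypted", False)]
        token = page.get("NextToken")
        if not token:
            return findings


def unencrypted_efs_file_systems(efs):
    """Page through DescribeFileSystems (Marker/NextMarker) and return file
    system IDs created without encryption (EFS encryption is immutable)."""
    findings, marker = [], None
    while True:
        kwargs = {"Marker": marker} if marker else {}
        page = efs.describe_file_systems(**kwargs)
        findings += [f["FileSystemId"] for f in page["FileSystems"]
                     if not f.get("Encrypted", False)]
        marker = page.get("NextMarker")
        if not marker:
            return findings


def audit_encryption_at_rest(ec2, efs):
    """Combined report; an empty list under each key is the desired state."""
    return {"ebs": unencrypted_ebs_volumes(ec2),
            "efs": unencrypted_efs_file_systems(efs)}


# ---- constructed fakes standing in for the boto3 clients ------------------
class FakeEC2:
    """Serves `pages` one at a time, chaining them with NextToken like EC2."""
    def __init__(self, pages):
        self.pages = pages

    def describe_volumes(self, NextToken=None, **_):
        i = int(NextToken) if NextToken else 0
        page = {"Volumes": self.pages[i]}
        if i + 1 < len(self.pages):
            page["NextToken"] = str(i + 1)
        return page


class FakeEFS:
    """Same idea with EFS's Marker/NextMarker pagination."""
    def __init__(self, pages):
        self.pages = pages

    def describe_file_systems(self, Marker=None, **_):
        i = int(Marker) if Marker else 0
        page = {"FileSystems": self.pages[i]}
        if i + 1 < len(self.pages):
            page["NextMarker"] = str(i + 1)
        return page


# Constructed inventory: one compliant and one non-compliant resource of each.
SAMPLE_EC2 = FakeEC2([
    [{"VolumeId": "vol-0aaa", "Encrypted": True,
      "KmsKeyId": "arn:aws:kms:eu-central-1:123456789012:key/EXAMPLE-KEY-ID"}],
    [{"VolumeId": "vol-0bbb", "Encrypted": False}],
])
SAMPLE_EFS = FakeEFS([
    [{"FileSystemId": "fs-111", "Encrypted": True},
     {"FileSystemId": "fs-222", "Encrypted": False}],
])

if __name__ == "__main__":
    print(audit_encryption_at_rest(SAMPLE_EC2, SAMPLE_EFS))
```

Run on a schedule (for instance from a Lambda function that forwards non-empty findings to Security Hub), this turns the encryption claim into a checked control; enabling EBS encryption by default for the region closes the gap at creation time, and the audit confirms nothing predates that setting.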
For observability of our AWS resources and to ensure high availability, we use Amazon CloudWatch for various metrics. We use database audit logs (CloudWatch log groups) to track operations and activities in the databases. We stream our application logs and data model to Amazon Elasticsearch to allow customer support to track and mitigate issues immediately.
To meet our legal and regulatory requirements, there is a dedicated AWS CloudFormation stack that stores regulatory log files in real time on a dedicated Amazon Elasticsearch cluster on the one hand, and on the other hand via AWS Lambda in Amazon S3 (Standard and Glacier), making them searchable via Amazon Athena.
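The Lambda path from CloudWatch Logs to S3 only becomes cheaply searchable in Athena if the objects land under partition keys Athena can prune on. The following is an added example, not finAPI's stack: the Lambda side of a CloudWatch Logs subscription filter that unwraps the delivered batch and writes one gzipped JSON-lines object per UTC day under Hive-style `year=/month=/day=` keys. The payload format (base64 + gzip JSON under `event["awslogs"]["data"]`) is the documented subscription-filter format; the bucket name, prefix, log group and every log line are assumptions constructed for the example.

```python
"""Added example, not finAPI's code: Lambda handler for a CloudWatch Logs
subscription that lands log events in S3 under Athena-friendly partition keys.
BUCKET, PREFIX and the sample log group/events are constructed assumptions."""
import base64
import gzip
import json
from datetime import datetime, timezone

BUCKET = "example-regulatory-logs"   # assumed bucket name
PREFIX = "regulatory"                # assumed key prefix


def decode_awslogs(event):
    """Unwrap the CloudWatch Logs subscription payload (base64 of gzip JSON)."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def _safe(name):
    # Log group/stream names contain '/', which would add spurious key levels.
    return name.strip("/").replace("/", "_")


def partition_key(prefix, log_group, log_stream, first_event_id, day):
    """Hive-style key so Athena can prune by year/month/day."""
    return (f"{prefix}/log_group={_safe(log_group)}"
            f"/year={day:%Y}/month={day:%m}/day={day:%d}"
            f"/{_safe(log_stream)}-{first_event_id}.json.gz")


def handler(event, put_object, bucket=BUCKET, prefix=PREFIX):
    """Write one gzipped JSON-lines object per UTC day present in the batch.

    `put_object` is boto3's s3.put_object inside Lambda and a recording stub
    in tests.  Returns the keys written (empty for a CONTROL_MESSAGE)."""
    payload = decode_awslogs(event)
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE is the probe sent when a filter is created
    by_day = {}
    for ev in payload["logEvents"]:
        day = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc).date()
        by_day.setdefault(day, []).append(ev)
    keys = []
    for day, events in sorted(by_day.items()):
        key = partition_key(prefix, payload["logGroup"], payload["logStream"],
                            events[0]["id"], day)
        lines = "".join(json.dumps({
            "log_group": payload["logGroup"], "log_stream": payload["logStream"],
            "timestamp": ev["timestamp"], "message": ev["message"]}) + "\n"
            for ev in events)
        put_object(Bucket=bucket, Key=key,
                   Body=gzip.compress(lines.encode("utf-8")),
                   ContentType="application/json", ContentEncoding="gzip",
                   ServerSideEncryption="aws:kms")
        keys.append(key)
    return keys


def recording_put(store):
    """Stand-in for s3.put_object that keeps Body per Key in `store`."""
    def put_object(**kwargs):
        store[kwargs["Key"]] = kwargs["Body"]
    return put_object


def build_sample_event(log_events, log_group="/aws/rds/instance/prod-db/audit",
                       log_stream="audit-stream-1", message_type="DATA_MESSAGE"):
    """Constructed input in the shape CloudWatch Logs delivers to Lambda."""
    payload = {"messageType": message_type, "owner": "123456789012",
               "logGroup": log_group, "logStream": log_stream,
               "subscriptionFilters": ["regulatory-to-s3"],
               "logEvents": log_events}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode("utf-8")))
    return {"awslogs": {"data": data.decode("ascii")}}


# Constructed batch: two events on 2020-09-13 UTC and one just past midnight.
SAMPLE_EVENTS = [
    {"id": "evt-1", "timestamp": 1600000000000, "message": "CONNECT user=app db=prod"},
    {"id": "evt-2", "timestamp": 1600000001000, "message": "QUERY SELECT ..."},
    {"id": "evt-3", "timestamp": 1600041600000, "message": "DISCONNECT user=app"},
]

if __name__ == "__main__":
    store = {}
    for key in handler(build_sample_event(SAMPLE_EVENTS), recording_put(store)):
        body = gzip.decompress(store[key]).decode("utf-8")
        print(key, "->", body.count("\n"), "events")
```

Splitting a batch by day matters because a subscription batch can straddle midnight; writing it to a single day's partition would make an Athena query scoped to the other day miss records, which is exactly the kind of gap a regulatory search cannot afford. A lifecycle rule on the bucket then moves the objects to S3 Glacier after the retention period the text describes.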
Overall, we chose AWS due to their track record as a trusted partner for financial institutions as well as the secure, resilient, and reliable global cloud infrastructure they provide to their customers. The wide range of AWS security services and assurance programs, such as the BSI Cloud Computing Compliance Controls Catalogue (C5) attestation in Germany, enables us to differentiate ourselves and shape the future of financial services, while retaining full ownership and control of our data and staying compliant with all regulatory requirements.
Use of Banking API in a wide variety of companies across all industries
Especially in the competition for customer contacts, and thus for customer loyalty in digital processes, many offers are currently being developed in the B2C and B2B areas, such as multi-banking or finance apps for a consolidated overview of finances across all accounts and portfolios at different banks, with a wide range of filter and analytics functions. Other use cases, besides the already mentioned digital credit checks for faster and more secure credit applications, include the simplification of accounting processes through automatic payment reconciliation or liquidity analysis, identity checks (KYC checks) via online banking, and payment solutions for online shops, to name a few. The development has only just started, and many new ideas are being created. We are excited and proud to be part of the future of financial services in Germany and internationally.
Since 2008, finAPI’s customers have included banks, financial service providers and companies from completely different industries, such as ERP service providers, insurance companies, telecommunications companies, and energy suppliers; many other companies are gradually discovering the possibilities offered by Open Banking technology from finAPI.
finAPI GmbH is a subsidiary of SCHUFA Holding AG and one of the leading providers of intelligent banking APIs in Germany. As a licensed payment institution, finAPI is authorized by the German Federal Financial Supervisory Authority (BaFin) to provide account information and payment initiation services according to the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG). At its location in Munich, finAPI has been developing and implementing sophisticated software and solutions for the aggregation and analysis of financial data since 2008. The focus is on the product areas Open Banking, Data Intelligence, KYC (“Know Your Customer”), Payment and PSD2 as a Service (Payment Services Directive 2).