
Financial Data Exchange API – FDX

Owned by:

The Financial Data Exchange

The framework that supports the implementation of Open Banking in North America (United States of America and Canada).

The Financial Data Exchange

North America (United States of America and Canada)

Token-based consent avoids the use of personal credentials when managing access to personal data.

The API concerns itself with how long the data recipient will have access to the end user’s data. Its consent mechanism defines whether that access is persistent (or ongoing), time-based or single use.

Data sharing is built as three discrete phases: the initial granting of consent, the ongoing managing of consent and, finally, the revoking of consent.

In April 2020, Envestnet | Yodlee, a data aggregator and analytics platform, announced a financial data access agreement with Charles Schwab, a financial services company. This allowed Charles Schwab clients access to more than 1200 third-party financial service providers using client consent and tokenisation, thus avoiding entering usernames and passwords with a third party.

In September 2020, AllData Connect, an account aggregator from Fiserv, a provider of payments and financial services technology solutions, allowed a single point of access for third-party aggregation. Consumer data consent was enabled by directing consumers to a Fiserv-hosted portal for identity validation and consent. Information is kept secure within Fiserv’s firewall, and data is delivered to third-party applications for a specific application or transaction. Screen scraping and sharing of usernames and passwords with multiple third parties are therefore avoided.

Based on US and Canada’s retail, SME, tax and investment accounts.

Active API

v6.0 / 2024

Access to the FDX API is free of charge, subject to agreement to the terms and conditions of the FDX API license agreement.

Market Driven

Premium

The standard has been developed according to market need.

The fraud detection ability is enhanced by a low signal-to-noise ratio with regard to unexpected activity.

The FDX standards apply to Open Finance, including data and payment standards for insurance, annuities, investments, retirement, deposits, loans, US tax forms and bill payments and transfers.

Version 5.2 (released Dec 2022) includes new requirements for Certification by Data Recipients, and a prescribed user journey in the UX Guidelines for setting up and consenting to payment functionality.

Banking

Finance

Open Banking 

  • Account information

Open Finance

  • Investments
  • Pensions

Account opening and onboarding

Credit Cards

Current Accounts

Insurance

Investments

Lending

Other

Payroll

Pensions

Savings

Tax

Directory

A duration of consent must be defined, stating how long the data recipient will have access to the end user’s data. This is defined as either persistent, time-based or single use.

Data sharing is explicitly permissioned by the end user. Any changes to the data included must be re-consented by the end user.

FAPI1

OAuth

OIDC

The FDX API supports customer authentication using token-based access (OIDC(FAPI)) and biometrics (FIDO).

OAuth is required for secure access to end-user data.

The FDX API security profile is based on the FAPI Advanced Security Profile from the OpenID Foundation and incorporates FIDO and CIBA.

It supports DCRP-based app registration, as well as delegated ecosystem Registry-based app registration methods.

The profile supports the declaration of intermediaries for traceability.

FDX provides guidelines for handling sensitive data and specifies a number of techniques for enhanced security and privacy.

FDX’s security model is based on the NIST Cybersecurity Framework.

Accounts

Balances

Cards

Parties Or Contacts

Statements

Transactions

Account Information includes rewards programmes.

Payment is restricted to money movement.

Single Domestic Payments

API Specifications

Customer Experience Guidelines

There are comprehensive Developer Resources, primarily documentation, available to registered members.

Join FDX (financialdataexchange.org) to access developer resources for members.

FDX Registry includes a list of Open Finance participants.

Functional

Security Profile

American financial services are historically fragmented, with individual financial institutions vetting the specifications for each application from a service provider. FDX is attempting to unify the financial services market in the US and Canada.

The FDX API (formerly Durable Data API, or DDA) standard began under the stewardship of the Financial Services Information Sharing and Analysis Center (FS-ISAC). At the public launch of FDX in October 2018, FS-ISAC assigned the DDA to FDX and renamed it the FDX API.

OFX merged into FDX in 2019 and remains its own standard with FDX as the designated successor standard.

FDX is an independent subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and has a global membership that includes financial institutions, financial data aggregators, Fintechs, industry utilities, payment networks, consumer groups, financial industry groups and other stakeholders in the financial sector.

It’s run by a board of directors, with many board co-chairs, made up of members of financial institutions, financial technology companies, data access platforms (data aggregators), consumer groups and industry trade associations participating in the user-permissioned financial data ecosystem. Votes are applied as one per member; they are therefore equally distributed and not linked to the size of the institution.

It uses a community-driven proposal development process pioneered by IETF to ensure the proposals are community developed, peer reviewed and governed.

There is a Canadian working group looking to adapt the FDX standards for the Canadian market.

Version 5.0 introduced reciprocal data sharing, permitting a flow of information in the opposite direction to that of conventional banking APIs. This is to allow for fraud detection by allowing Fintechs and data aggregators to share information with data providers.

Compliance is handled commercially between the recipient and the provider, similar to PaymentsNZ (but with no model contract).

US:

Section 1033 of the Dodd-Frank Act establishes rules around consumer financial data sharing. 

2017 – CFPB Guidelines for Consumer Permissioned Financial Data Sharing issued.

2021 – CFPB announced a proposed rule-making to update and extend Section 1033: Advance Notice of Proposed Rulemaking.

CA:

2021 – Canada Advisory Committee on Open Banking’s report issued

2022 – Canada Open Banking Lead named

2023 – Canadian government commits to ‘consumer-driven banking’ in Fall Statement

2024 – The Canadian government will mandate the use of a single technical standard, after consultation with stakeholders and a review of international best practices revealed a clear preference for a single standard. Canada will also mandate a government-led entity tasked with supervising and enforcing the framework, much like the UK’s Open Banking Implementation Entity was.