API Security For Open Banking Summit

API Security Summit - 21st November, 2018




Chair’s Welcome

Dave Tonge, CTO, Moneyhub


API standards: without them, are we floundering or innovating? (Panel Discussion)

  • Brainstorming what a universal API structure may look like and the accompanying standards and regulations
  • How can banks prepare for the upcoming regulatory changes?
  • Is finding a universal standard an old way of thinking? What’s the alternative?
  • Sustainability for TPPs when using unique APIs to communicate with each bank
  • Scalability of APIs with varied cross-country infrastructure
  • What the final RTS secure encryption standards should look like

Jacques Declas, CEO, 42 Crunch

Sam Everington, Lead Engineer, Open Banking & Payment Services, Starling Bank
Jean-Louis Rocchisani, Enterprise Architect, Société Générale
Dave Tonge, CTO, Moneyhub
Chris Michael, Head of Technology, Open Banking


OAuth and OpenID Connect for PSD2, Open Banking and Third-Party Access (Solution Spotlight)

Third-party systems needing access to APIs is a challenge for many organisations, not only in financial services. In this talk, Travis will discuss how this can be done for Open Banking, PSD2 and also for other sectors where trust of third-parties is of great importance.

Travis Spencer, CEO, Curity


Implementing OAuth (Presentation)

  • The basics of implementing OAuth into an API
  • Preparing your API infrastructure and OAuth processes for the next step in PSD2
  • Using intrusion detection and heuristics engines with OAuth to allow your API to make better access decisions


Networking Break


ProofID Managed IAM Platform for Open Banking (Solution Spotlight)

Deploying a PSD2 and Open Banking compliant platform involves many components. In this session we will look at how the ProofID managed IAM platform can be used by both TPPs and ASPSPs to handle all their identity and security requirements, giving them the ability to focus on running the leading services that will set their business apart.

Paul Heaney, CISO, ProofID


FAPI - Vanilla OAuth isn't enough (Presentation)

  • OAuth 2.0 – is it a solid foundation or an outdated and failed standard?
  • What is FAPI and what attacks does it prevent?
  • Demonstration of attacks against many OAuth 2 APIs and how they can be prevented
  • Decoupled flows – how to support a new interaction flow without opening security holes
  • Standardisation – the unsung hero of security and an aid to innovation

Dave Tonge, CTO, Moneyhub


Do Open APIs Also Open Up The Attack Surface? (Solution Spotlight)

  • How Open APIs change the attack landscape
  • Why user authentication is necessary but not enough
  • How mobile app authentication can help

David Stewart, CEO, CriticalBlue


Cybersecurity concerns, digital identity and data integrity (Roundtable)

  • Does a secure API capable of scaling for use actually exist today?
  • Working together with the TPP for end-to-end security and facilitating a mutually beneficial relationship
  • Digital identity is the heart of the discussion: whose authentication do you trust and how do you verify a consumer is the one making a transaction?
  • Practical security measures that can be implemented now
  • The impact of a data breach on the open banking initiative
  • Data integrity: who should have access to account information? For how long? What are the risks and countermeasures for errors? Does it comply with GDPR?


Networking Lunch


Real world use cases (Panel Discussion)

  • Practical examples of the adoption and implementation of microservices and APIs
  • Cross-industry APIs: what have other companies done to secure their APIs? What lessons can be learned for banking?

Dave Tonge, CTO, Moneyhub

Marco Tedone, Global Head of API, Integration & Microservices, HSBC
Alex Michael, Co-founder & CTO, Plum
Deepanshu Chauhan, Product Owner (DevOps and API Platform), Nationwide Building Society


Protecting Banking APIs Against Attacks

  • No, SSL and OAuth are not enough for full API security - there is a full spectrum of things to care about!
  • OAuth yes, but it must be used properly
  • Developers must be security-aware, but they can’t be responsible for API security
  • We need collaboration across Dev, Sec and Ops teams for better API security

Isabelle Mauny, CTO, 42 Crunch


Networking Break


Seizing the value of APIs (Presentation)

  • API monetisation and business models
  • How the API ecosystem is evolving
  • Cooperating with third parties and creating meaningful partnership propositions

Stepan Kouba, API & Third Party Leader, Česká Spořitelna


The business perspective: standardisation, security and customer use (Panel Discussion)

  • What’s being developed and how are APIs being sold and used by the customers?
  • Customer adoption: use analysis within FinTechs, and the lack of consumer and internal education
  • Providing a positive customer experience that successfully secures data
  • Lessons learned from consumer interaction: is security a demand?


David Stewart, CEO, CriticalBlue

Eduardo Martinez Barrios, Open Banking & PSD2 Product Head, Santander UK
Sam Everington, Lead Engineer, Open Banking & Payment Services, Starling Bank
Jean-Louis Rocchisani, Enterprise Architect, Société Générale
Ronan Connaire, Product Manager, Digital Ecosystems/API Development, AIB


Chair’s Summary and Close of Summit

Dave Tonge, CTO, Moneyhub
