FS-ISAC enables safer financial data sharing with API

The global financial industry's body for cyber and physical threat intelligence analysis and sharing has published an API to facilitate safer sharing of consumer financial information

Embargo 12h00

In an effort to keep consumer financial information and businesses safer from cyber attacks, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is providing a new API free of charge.

The application program interface (API) is designed to enable secure, tokenised consumer data transfers between financial institutions and technology companies, and meets the security and privacy requirements of US and European regulators, FS-ISAC said.

Through tokenisation, the API improves security so that financial institutions can share information with account aggregators more securely. It also facilitates faster secure transfer of tokenised information from point to point.

The API and associated report on security control considerations was developed by the FS-ISAC Data Aggregation Work Group, comprising more than 25 financial services firms, with input from multiple fintech firms that provide data aggregation tools and services. 

“Creating a standard API for secure data sharing benefits everyone in the data aggregation ecosystem,” said Eric Guerrino, FS-ISAC chief operations officer. “We want to ensure that everyone from the consumer to the financial institution and the data aggregators can share information safely, quickly and accurately,” he said.

Once a financial services firm adopts and uses the API, Guerrino said consumers will be able to access their own information seamlessly and securely, creating a higher degree of awareness, control and accuracy over sensitive data.

According to FS-ISAC, financial institutions and fintech companies benefit by shifting the aggregation traffic away from the consumer login pages to a more efficient and light-weight secure format.

This requires less infrastructure to support, and eliminates the risk of storing credentials. Aggregators benefit by eliminating the need to maintain thousands of unique versions of screen-scraping scripts, also significantly reducing risk of stored credentials, FS-ISAC said.

How it works

When a financial application user wishes to set up or add a bank, brokerage, or insurance account, they will be passed to a secure server at the financial institution to begin the enrollment process.

The consumer is presented with the financial institution’s consent page, where they authorise the data they wish to share with the financial application.

After authenticating, the consumer is then passed back to the financial application. Data sharing between financial application servers and financial institution servers is then done securely via a unique virtual token that identifies the consumer and their respective accounts.


FS-ISAC said the API specification is made available and licensed to financial institutions and financial technology firms free of charge to foster universal adoption of a more secure and robust data sharing framework.

FS-ISAC member financial institutions can access the specifications and supporting materials through the secure FS-ISAC member portal. Non-member firms and fintech firms wishing to receive a copy may contact the FS-ISAC directly.

Publication of the API comes just weeks after the publication of the results of a survey that revealed that UK financial sector IT security teams face immense challenges that are undermining business opportunities and continuity in financial services.

The survey found that two-thirds of UK information security practitioners admit to cyber security practices in their organisation that would “shock outsiders” and that IT security professionals in financial services firms are losing the battle to keep vital data safe against a rising tide of cyber threats.

Some 90% of respondents said they have to make compromises which could leave other areas exposed when protecting their organisation against cyber threats, with half admitting that they do this regularly.

As the financial services industry continues to digitise, the study suggests too great a focus is placed on protecting the more visible consumer services, such as customer websites, potentially leaving exploitable holes surrounding internal systems and trading data.

Read more about cyber security for financial services

- UK finance sector cyber security pros admit shocking practices

- Financial institutions need to rethink security, say analysts.

- The UK’s Financial Conduct Authority voices concerns about weaknesses in banks’ IT systems.

- There was a 48% rise in the amount of money stolen from UK online banks in 2014, as criminals pilfered more than £60m.

Read more on IT risk management

Data Center
Data Management