The following scenarios use three personas to walk you through user stories about the API management requirements of banks and third-party service providers (TSPs) in response to the three-phased rollout of Taiwan’s open banking program, and further illustrate how resource owners (bank customers) use these services in the context of open banking. The scenarios aim to help you apply the use cases to your own business operations and to understand the benefits of open banking for the banking industry.
Open Banking refers to the practice of giving third-party service providers (TSPs) open access to the financial data of bank customers (resource owners), with the customers’ consent, through open application programming interfaces (OpenAPI), which enables more diverse and convenient services for customers.
In compliance with open banking infrastructure, TPI Bank opens up shared data to third-party service providers, including specific personal information granted access by the users, facilitating greater service flexibility and value-added applications.
Enjoy Life provides connection and integration of various services (including some personal financial services), accesses specific personal information from banks with the consent of users, and offers a single-interface integrated service platform to bring more convenience to users’ lives.
As a user of digital services and an individual (i.e. consumer) who can grant access to protected resources, Steve hopes to use banking services via integrated resources rather than separate platforms.
In this scenario, you will learn how the digiRunner platform meets Taiwan’s Open Banking specifications for banks that open up APIs to third-party service providers. It uses OAuth 2.0 for authentication and authorization, and lets you configure the expiration period and the number of validity times for the access token and refresh token.
TPI Bank needs to give its cooperative third-party service provider (TSP) “Enjoy Life” access to its open APIs. Enjoy Life has been granted the account “tsp2” to access the developer portal for authorized API resources. For this client (tsp2), TPI Bank has limited the expiration period and the number of validity times of the access token and refresh token to prevent API abuse. For TPI Bank’s cooperative TSP, the access token is limited to 3 validity times a day and the refresh token to 3 validity times every 7 days.
Click [Client Management] > [Client Management] to find the account (tsp2) you want to configure.
Click [Security] in the Action column on the right for advanced settings.
In this user story, you will learn how to use the digiRunner management platform to configure JWT protection for your APIs in compliance with Taiwan’s Open Banking regulations on the token encryption mechanism for each phase. Whether you need JWS-signed requests or JWE-encrypted responses, both can be configured through digiRunner.
TPI Bank protects the requests and responses of its APIs in compliance with the OpenAPI specification for open banking. According to the API specification, “Personal Account Query” requires JWE encryption of responses, while “Account Application Service” requires both JWE encryption of responses and JWS signatures on requests to ensure non-repudiation.
Here we take two functions as examples: “demandDeposit/accounts” and “creditCards/roadsideAssistance”.
Click [API Management] > [API List], and click [Search] to select the target API.
In this scenario, you will learn how third-party service providers can apply for an account to view and request access to the API resources that banks share through the digiRunner developer portal. Banks can easily approve such requests through the digiRunner Admin Console.
TPI Bank has many collaborative third-party partners that expand its service scope and give end users a better service experience. However, setting up accounts one by one would take much effort. Through digiRunner’s developer portal, TSP partners can submit self-service account requests and view the available APIs. The API developers of Enjoy Life (tsp2) likewise create their own account through the developer portal and request authorization to access the APIs.
Log in to the portal and click [Sign Up]; after entering the information required, click [Create an Account], and a message “Registration Completed” will be displayed.
*The verification of the account request will be processed in the digiRunner Admin Console based on the internal approval flow of the organization.
After logging in with the “tsp2” account, click [My Account] > [My Profile], and you will see the profile details.
Click [My Account] > [API Application] to request API authorization.
Select the API you wish to request, click [Submit], and a message “Request submitted successfully” will be displayed.
Click “Status”, confirm the request form and click [Submit]; a message “Request submitted successfully” will be displayed.
*The approval of the submitted request will be processed in the digiRunner Admin Console based on the internal approval flow of the organization.
After the request is approved, the developers of Enjoy Life can log in to the portal with the user account tsp2. They can search for the authorized APIs by clicking [My Account] > [My API].
(This scenario usually takes place between third-party service providers and users, and does not directly involve banks. Banks only verify the user and, once the user has granted consent, provide the user’s personal data to the TSP for value-added services. The actual process may vary depending on a TSP’s business model and service design.)
This scenario is intended to help banks and third-party service providers (TSPs) better understand how open banking changes consumer behavior and improves the service experience when resource owners (consumers) access banking services through TSPs.
Anne is a typical user of digital services. She uses online banking and other online financial services to conduct financial transactions in her daily life. One day, she started to feel that managing a number of applications, accounts and portals was a hassle. She was looking for an integrated platform where she could access all of these services through a single portal, and she chose Enjoy Life.
To use Enjoy Life, Anne only needed to follow the instructions to grant the platform access to specific protected information held by her banks, after which she could enjoy the integrated services Enjoy Life provides. Moreover, Anne could cancel services she no longer needed at any time; Enjoy Life would then no longer obtain the related information about her from the banks, so she had no information security concerns.
Enjoy Life Interface (TSP): Click [Bank Account Operation] to grant Enjoy Life access to her bank account information, and enter the integrated service interface of Enjoy Life.
When users select a service for the first time (one whose information the bank has not yet been authorized to share), they are automatically redirected to the bank’s verification system for verification and authorization.
TPI Online Banking Interface: Enter the account number and password, and click [login].
Bank Authorization Interface: Select the items you authorize to be shared with the TSP, then click [Authorize] to finish the process.
You will be redirected back to the Enjoy Life (TSP) service interface automatically after the authorization is completed.
Now users will be able to access services authorized by the bank from a single service interface of Enjoy Life (TSP) (illustrated in step 7).
Enjoy Life Interface (TSP): Click [View Time Deposit Balance], and click [Query].
Enjoy Life Interface (TSP): Click [Request Credit Card Roadside Assistance], enter the “Credit Card Number” and “Vehicle Plate Number”, and click [Request].
Cancel the permission to access “View Demand Deposit Balance” and “View Time Deposit Balance”.
Repeat the service authorization steps (to give consent to access personal information, refer to the figures above). On the “Select Authorization Items” page, check “CreditCards” only, and then click [Authorize] to complete the adjustment of the authorization items.
For unauthorized items (e.g. View Demand Deposit Balance), a message “the user has not authorized this function” will be displayed.