FDX is a nonprofit organization operating in the US and Canada that is dedicated to unifying the financial services ecosystem around a common, interoperable, and royalty-free technical standard for the secure and convenient access of permissioned consumer and business financial data, aptly named the FDX Application Programming Interface (FDX API). FDX is governed by a diverse board of directors from across the financial services ecosystem, and FDX has a global membership that includes financial institutions, financial data aggregators, fintechs, industry utilities, payment networks, consumer groups, financial industry groups and other stakeholders involved user-permissioned financial data sharing.

All FDX members are given the opportunity to participate in the development, growth, and industry adoption of the FDX API and other objectives through FDX working groups and task forces.

FDX exists as an independent subsidiary under the umbrella of the Financial Services Information Sharing and Analysis Center (FS-ISAC), whose mission is to ensure resilience and continuity of the global financial services infrastructure.

The FDX board of directors is comprised of sustaining member financial institutions, financial data aggregators, permissioned parties, and financial industry groups within the user-permissioned financial data sharing ecosystem. Each board group maintains a consistent number of voting seats on the board. The FDX board will oversee and direct all aspects of the development and deployment of the FDX technical standards and will set other objectives as needed.

Tiered membership opportunities are available to any interested parties within the user-permissioned financial data sharing ecosystem. Most FDX members are stakeholders in the financial services arena and include financial institutions, financial data aggregators, fintechs, industry utilities, payment networks, consumer groups and non-profit financial industry groups. Specific information about membership tiers, pricing and enrollment can be found on the FDX Membership page.

FDX supports the FDX API (formerly Durable Data API, or DDA) standard.

The FDX API began under the stewardship of the FS-ISAC and offers secure authentication with a restful API for data access to accommodate existing protocols. Upon the public launch of FDX in October 2018, FS-ISAC assigned the DDA to FDX and renamed it the FDX API. FDX recently released version 5.2 of the FDX API and some of the largest financial institutions in the world have implemented the FDX API standard.

FDX supports broad migration of the industry to a common standard to provide consumers and business a convenient, safe, and reliable method to access their financial records. The Open Financial Exchange (OFX) joined FDX in 2019 as an independent working group, with the goal of aligning all users to a single interoperable standard built on the most cutting-edge data specification, security, and authentication protocols. All existing implementations of OFX will continue to be supported, and users of OFX will have assistance to migrate to the FDX API standard at an appropriate juncture, such as during a technology refresh. FDX understands that this migration will take time and that other records access methods will continue to be used during the migration.

The FDX API standard is fully predicated on user permissioned access to financial data. In other words, no financial records will be accessed or shared through the FDX API standard without a user’s full permission and control.

In addition, FDX is committed to five core principles of user permissioned data sharing which serve both as operating principles for FDX, as well as guidelines for the financial services ecosystem on the essential elements of a secure, transparent, and consumer-first approach to the sharing of financial data. The Five Core Principles of Data Sharing - Control, Access, Transparency, Traceability, and Security – are derived from and influenced by a diverse group of thought leaders in the financial industry as well as regulatory entities and worldwide standards bodies.

The Five Core Principles of Data Sharing are Control, Access, Transparency, Traceability, and Security. They are embodied in the development and adoption of the FDX API standard and empower end users to better understand, leverage, and benefit from their own financial data in a secure, reliable, and user-centric manner.

Control: End Users should be able to permission their financial data for services or applications.
Access: End Users should have access to their data and the ability to determine which entities will have access to their data.
Transparency: Individuals using financial services should know how, when, and for what purpose their data is used. Only data that is required to provide such services should be shared with the organization providing the service.
Traceability: All data transfers should be traceable. Consumers should have a complete view of all entities within the user-permissioned financial data ecosystem that are involved in the data sharing flow.
Security: Financial data parties should follow industry best cybersecurity practices across the whole of their organization for safety and privacy of data during access and transport and when that data is at rest.

User control and permissioning of data is being strengthened by the FDX API standard because the financial data ecosystem is unifying around a common interoperable data standard rather than a patchwork of data access tools that are often plagued by lack of interoperability, inconsistent data connectivity, quality, and governance. In addition, FDX’s User Experience Working Group is further strengthening control and permissioning mechanisms by continuing to develop and enhance focus group-tested user experience guidelines, which make granting, modifying, and revoking data access an intuitive and seamless experience.

Akin to the world before the Bluetooth Core Specification allowed wireless devices to seamlessly connect to one another, data standardization ensures an inclusive and secure environment that empowers consumers to better access data across financial accounts and use that data to better manage their finances and improve their financial health.

The FDX API is available on the FDX website without charge for parties that accept the terms and conditions of the FDX API License Agreement. In addition, FDX membership also allows financial services stakeholders to participate in the FDX consortium, join and vote in over 25 different working groups and task forces, attend FDX’s bi-annual Global Summits and take part in the ever-growing network of financial industry organizations that are adopting and implementing the FDX API.

The FDX API standard provides the tools for secure and reliable financial records access and thus supports best practices for privacy. It is the responsibility of each organization to comply with all government regulations related to privacy. FDX makes no representations that it is GDPR-compliant.

FDX is currently focused on the United States and Canada, but many FDX members are global organizations and FDX is engaged in ongoing dialogue and work with other standards bodies to collaborate on innovation and implementation of best practices.

Developing the FDX API alone will not promote, drive adoption, or guarantee adherence to the standard. Consequently, a qualification and certification program are needed to ensure common implementation and interoperability of any technical standard and further limits the risk of data inaccuracy. Products (i.e., programs, services, and apps for consumer permissioned financial data sharing) can be approved by a certification program to test the technical compatibility/interoperability, prior to being marketed as a compliant product, or getting access to certain intellectual property rights.

FDX is continuing to define and build out this qualification and certification program for implementation of the FDX API standard. FDX recently released foundational requirements covering availability, performance, and security that implementations of the specification must meet and FDX has established a formal Qualification and Certification Working Group to explore the matter further.

FDX technical standards can be tailored to accommodate regulatory requirements at any level of government. FDX is, by charter, neutral on the “what” of regulatory policy in this area and rather seeks to implement technical standards to accomplish the “how” of user-permissioned data sharing in a way that is responsive to market needs as well as any legal or regulatory compliance requirements.

FDX reflects the commitment of its members to provide secure and reliable access to financial records and advocates best practices for consumer transparency and consent (Five Core Principles of Data Sharing). In this, FDX reflects the industry unifying to adopt consumer protection principals that have been advocated by regulators and government agencies to date. In addition, FDX will continue to engage and work with regulators and policymakers to ensure that FDX standards provide the best technical pathway to accommodate any legislative or regulatory requirements in a given jurisdiction.

FDX is the result of years of work among all parties in the financial services ecosystem and has shown that unified commitment to common standards has served to resolve previous conflicts that have existed. All the members of FDX are deeply committed to providing value to the businesses and consumers that interact with all the members of FDX and are committed to building a consumer centric data sharing economy.

Small fintechs and small financial institutions face unique challenges. Limited human, financial and technical resources create barriers to reaching customers and connecting to the broader financial services ecosystem

With this in mind, a non-profit standards body and a common API standard offers many benefits to small entities. First, a common interoperable standard informs the product offerings of technology service providers so that even the smallest financial institutions are able to experience and offer their customers the same common API powered services, tools and protections that are available to larger financial institutions at a fraction of the cost. Secondly, a market-led standard consortium eases the path to market and partnership by bringing the full spectrum of the financial services ecosystem together in one place and making participation and engagement very affordable. Such a model allows small fintech firms to bring innovative ideas forward so that they can be implemented in the marketplace rapidly for consumers to use their own financial data in new ways. Finally, FDX’s open membership structure allows all entities, regardless of size, to benefit and contribute to the FDX API via FDX working groups and task forces in a manner that crowdsources common industry problems and solutions and where every member’s vote is equal.

FDX had its origins in early 2017 as a grassroots effort led by financial institutions, financial technology companies and data aggregators that were seeking to find common ground for a secure, consumer-focused data sharing framework. Recognizing the significant progress already made by FS-ISAC’s Aggregation Working Group in the 2015-2017 time period with its Durable Data Application Programming Interface (DDA) standard, FDX became a wholly owned, independent subsidiary of FS-ISAC in 2018. FS-ISAC assigned all versions of the DDA (now known as the FDX API) to FDX in October 2018 in connection with FDX’s launch.

Architecture

• OpenAPI - (OpenAPI 3.1.x or later), published in standard YAML format.
• REST - RESTful (Representational State Transfer) APIs over HTTPS
• JSON – FDX Schema Objects using JSON Schema 2020-12
• HATEOAS Links – (Hypermedia as the Engine of Application State) for contextually related properties
• Unicode UTF-8 payload in JSON Objects
• REST API Design Best Practices withJSON as the Request Response format

Security and Authentication

• HTTPS -
    • HTTP (as per IETF RFCs 7230 and RFC 7231)
    • HTTP Response, Status, and Error Codes
• TLS over HTTPS – (TLS version 1.2 or higher is mandated)
• FAPI – (FAPI 1.0 Advanced + CIBA and FAPI 1.0 Baseline) from Open ID Foundation
    • OIDC Core (part of FAPI 1.0)
• MTLS Sender Constrained Tokens – (Mutual TLS is part of FAPI 1.0)
• OAuth 2.0 Authorization Framework (IETF RFC 6749)
    • OAuth 2.0 Authorization Framework: Bearer Token Usage (IETF RFC 6750)
    • OAuth 2.0 Dynamic Client Registration (IETF RFC 7591)
    • OAuth 2.0 Step-up Authentication Protocol (IETF draft)
    • OAuth 2.0 Pushed Authorization Requests (IETF RFC 9126)
• JSON security
    • JSON Web Signature (JWS) (IETF RFC 7515)
    • JSON Web Encryption (JWE) (IETF RFC 7516)
    • JSON Web Key (JWK) (IETF RFC 7517)
    • JSON Web Algorithms (JWA) (IETF RFC 7518)
    • JSON Web Token (JWT) (IETF RFC 7519) and Nested JWT for message encryption
    • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (IETF RFC 7523)
• FIDO – FDX Control Considerations recommends FIDO for all biometric SCA/MFA
• NIST – FDX Control Considerations is based on the NIST Cyber Security Framework (CSF)