Authlete enables API security at one of the most advanced digital banks.
Minna Bank, the newest affiliate of Fukuoka Financial Group, is the next generation of digital banking, created from a digital perspective and designed from scratch. The bank provides all services from opening an account to ATM deposits and withdrawals to money transfers completely through smartphones on a 24x7 basis, so that it can create a simpler and friendlier relationship with money for digital natives in Japan.
APIs that connect everything
Minna Bank has been running banking services in the B2C domain, and is in preparation for BaaS (Banking as a Service) for its B2B2X business. APIs are the essential technology for both of these businesses.
The B2C business is a digital banking service where everything can be done with just a smartphone, and backend APIs must be deployed to process requests from mobile apps of the service.
The other B2B2X business is a BaaS, and APIs are required as well to facilitate collaboration with partners. Moreover, it aims to realize “open banking” by providing APIs to third parties.
Adoption of open standards
Minna Bank has decided to adopt OAuth 2.0 / OpenID Connect (OIDC) as technologies of API authorization and authentication, because it has a principle of choosing widely deployed technologies for its service infrastructure, and thus recognizes that OAuth / OIDC are the standards of authorization and authentication for REST (Representational State Transfer) style APIs.
Also, adoption of Financial-grade API (FAPI) is ongoing to provide open APIs, as Minna Bank considers FAPI as the emerging industry standard.
Security for financial services
Minna Bank provides all services through digital channels. Therefore, its APIs as a technology component must be met with the requirements of banking as a digital service. More specifically, these requirements are to establish API security for financial services.
With that, the bank had to keep up with the evolution of OAuth / OIDC standards including FAPI. But implementing the latest standards by the bank itself was unrealistic because it required a substantial time investment and skills of these particular technologies. The reasonable option was to employ a service that satisfies the requirements.
Running services on a 24x7 basis
In order to meet the security requirements, Minna Bank had considered deploying other API security solutions. However, it was important for the bank to achieve affinity with Google Cloud, which was chosen as the service deployment infrastructure.
The intention of using Google Cloud was to establish a service environment with almost 24x7 availability by leveraging the cloud’s Tokyo and Osaka regions. Choosing a critical API security solution running on other regions or cloud service providers was not acceptable in terms of the availability of the bank’s services.
Services deployment in a short timeframe
The time available for building Minna Bank's service infrastructure was very short for developing a core banking system from scratch. Therefore, implementing the API security functions also needed to be done in a short period of time.
Mr. Naoya Inakura, Digital Service Management Group of Minna Bank, looks back on the development phase:
“We planned our development schedule from the start to go live in less than two years. API security functions were included in the first MVP (Minimum Viable Product) as well as fundamental functions such as deposits and transfers. The MVP had to be built within 7 months. We were required to implement both the OAuth 2.0-based API authorization infrastructure and the core banking system simultaneously.”
Digital Service Management Group of Minna Bank, Ltd.
Integrability with service infrastructure
Minna Bank has chosen Authlete. The decisive factor was the integration with the bank's digital banking infrastructure.
Mr. Masashi Kesuda, Technical Lead of Zero Bank Design Factory (a subsidiary of Fukuoka Financial Group) which develops and operates Minna Bank’s services system, says:
“The primary prerequisites were that the bank's services would be built with Google Cloud at their core. Based on that, we chose appropriate solutions by examining their affinity with Google Cloud. As a result, we decided to use Apigee as an API management infrastructure, and then Authlete because of its connectivity with Apigee.”
Another merit in using the cloud version of Authlete was its service infrastructure leveraging Google Cloud. It allowed the bank to use Authlete as a managed service, and to run it in the domestic regions, which was the same as other services. This deployment solution helped to reduce the operational load.
Technical Lead of Zero Bank Design Factory, Inc.
High level of compliance to FAPI
In the beginning of the project, Minna Bank aimed to achieve the FAPI certification. But it was not easy for the bank itself due to time and cost limitations. It was also assumed that a considerable amount of effort would be required to maintain the certification.
Authlete was the first in the industry to support FAPI at the solution selection process. Beyond that, its implementation was solid and well tested. This was one of the key factors that the bank highly valued.
Fulfilling the infrastructure requirements
With the adoption of Authlete, all of the initial requirements were met. The Authlete service has been configured to support disaster recovery, and has been running in the Japan regions of Google Cloud. Because the service is managed and available through APIs, Minna Bank was able to develop its services in a short time period.
Trusted technical excellence
Mr. Kesuda points out another merit from choosing Authlete, which was not expected initially. It has reduced the time and effort to read and understand the various API security specifications.
“Authlete’s documentation and guidance are very intuitive to understand. For example, it describes details when using a particular API of Authlete, and obtaining a response. That made sense to me. The documentation is written based on what we actually use, so it is very easy for developers to understand and is very helpful. If this documentation did not exist, we would have had to read the entire specifications and design communication flows by ourselves.”
Towards world-class open banking
Minna Bank is now proceeding to implement and deploy FAPI in its API infrastructure for BaaS. Mr. Masaaki Miyamoto, Executive Officer and Chief Information Officer of Minna Bank, says the following:
“First of all, our objective in establishing Zero Bank Design Factory was to build a service infrastructure for the future of banking from scratch. FAPI will be the essential specification that all banks must implement. We believe that if we prepare at this early stage, it will be easier later on.”
Executive Officer and Chief Information Officer of Minna Bank, Ltd.
As the core solution of API security, Authlete will be contributing to the expansion of Minna Bank's advanced digital banking services.