Case Study: Nubank

Nu, fostering access to financial services across Latin America, has chosen Authlete for “Nubank” to adapt to Open Finance Brasil, and for the “NuPay” payment service.

Nu Holdings is the parent company of Nubank, one of the world’s largest digital financial services platforms, serving more than 75 million customers across Brazil, Mexico, and Colombia. As one of the leading technology companies in the world, Nu leverages proprietary technologies and innovative business practices to create new financial solutions and experiences for individuals and SMEs that are simple, intuitive, convenient, low-cost, empowering, and human. Guided by its mission, Nu is fostering access to financial services across Latin America.

Nubank turned to Authlete to build its authorization server to meet the latest industry standards required to comply with the Brazilian Open Banking Directive. They soon realized the Authlete solution worked well with their architecture, and decided to leverage it for another service, “NuPay”, as well.

We asked Rodrigo Moreira (Business Development Lead) to share his views on Nubank’s experience in deploying the Authlete solution.


Objectives and Challenges

Security Standards for Open Banking

Open banking is currently booming in Brazil, and for Nubank it presents an opportunity to offer the best and most intuitive customer experience, drawing on the large amount of data it makes available.

In responding to open banking, Nubank faced a new challenge. “It was difficult for us to prioritize the adequate development resources to build the new technology,” said Rodrigo. “At the same time, we had to work closely with the Brazilian Central Bank to ensure that the mandated security standards were implemented correctly.”

However, FAPI, the foundation of Open Banking's API security, was complex, and the knowledge needed to implement the security profile in a timely manner was lacking.

Balance Between Agility and Control

In addition, Nubank's specific requirements included striking a balance between agility and control: one of Nubank's core principles is the in-house production of all its services.

“In dealing with Open Banking, the principle was to develop as much as possible in-house,” says Rodrigo. “Ensuring that the security functionality was implemented correctly was another challenge that we faced at that time.”


Why Authlete?

The Best Architecture

In selecting a solution, Nubank implemented its own standard RFP process. First, a long list of potential procurement candidates was drawn up, which was then evaluated from a company, business, and technology perspective to narrow down the list of vendors.

“After speaking to several solution providers, we found that the Authlete solution was best in class with an architecture designed to provide OAuth 2.0 and OpenID Connect functionality, as well as FAPI and CIBA profiles, as web APIs,” says Rodrigo.

Less Development Time

The Authlete solution worked not only for compliance, but also for reducing the development time. “Authlete enabled us to roll out a fully specification-compliant authorization server in just a few weeks without having to modify our existing environment to suit a particular vendor.”

Industry-Proven Credibility

Rodrigo pointed out that Authlete’s technical team had been actively co-authoring the OpenID Foundation standards and specifications and had extensive knowledge of the evolution of security standards for Open Banking APIs. “Their support with our integration helped us comply with the Brazilian standards in a significantly short period of time.”

Taken together, Rodrigo gave us the main reasons for choosing Authlete as a provider. “The SaaS model of service delivery as integral components rather than an end-to-end open banking solution, the quality of the technology and products, the knowledge and expert support lead to the flexibility to adapt to regulatory changes.”


Outcome and Benefits

Keeping Focus on Core Business

Nubank adopted Authlete to bridge the knowledge gap on FAPI requirements, allowing the company's team to focus on core product development. Technically, the Authlete solution abstracted and delegated much of the OAuth logic, allowing the company to focus on implementing the business logic.

“There were no difficulties in integrating Authlete,” says Rodrigo. Nubank runs its services in a K8s environment on AWS, and setting up the connectors and ACLs to connect with Authlete was very simple. “Authlete's API is easy to use and easily integrated with our open banking service written in Clojure.”

Nubank has valued Authlete’s support capabilities. “We received excellent support from the knowledgeable Authlete members. There were a few problems with the time zone in the early stages of implementation, but these were quickly remedied,” says Rodrigo.

Enabling New Services with Authlete

Lastly, Rodrigo told us about ongoing business development and their plan to leverage Authlete in that context. “We at Nubank are constantly planning on building new services to better serve our customers. For example, we have recently launched NuPay and will be using the Authlete solution to secure its premium APIs.”