Why ForgeRock built a simulated bank for testing open banking APIs


Digital identity management specialist ForgeRock clearly sees the new open banking regulations popping up across the UK, Europe and New Zealand as a huge opportunity.

These regulations - namely the new Payments Services Directive (PSD2) and open banking here in the UK - allow approved third parties to access customer financial information via a set of standardised, secure application programming interfaces (APIs), providing a huge opportunity for fintechs to offer new services.

In July the San Francisco-based vendor launched what it calls the Open Banking Directory. This gives fintechs still seeking their open banking regulatory approvals from the FCA the opportunity to test their integrations with these new APIs.

By connecting to a simulated bank in the ForgeRock sandbox environment, developers are able to hit the ground running as soon as their regulatory approval comes through. The directory closely mimics the actual API directory approved providers will get access to after passing the FCA's checks.

"ForgeRock has delivered a reference bank implementation and directory, providing a technical sandbox for organisations looking to build and test Open Banking/PSD2 APIs," the vendor said at the time.


Access to the directory and sandbox is free for anyone, but ForgeRock isn't doing this out of the goodness of its heart.

As Nick Caley, vice president of financial services and regulation at ForgeRock, explained to Computerworld UK: "The reason for opening up this service through our new Directory is demand driven. It answers the need in the UK to parallel track testing the Open Banking API specification with the FCA registration process."

It also enables ForgeRock's customers and prospects internationally to gain access to this resource for functionality testing, particularly as other countries are looking to validate their own technical standards for open banking.

"At the same time, as a development resource that will be provided for free for the foreseeable future, it promotes ForgeRock's expertise and capabilities, particularly when it comes to the Security Standards that underpin PSD2 and open banking [emphasis added]."

Yapily case study

A company that's already taking advantage of this new capability is Yapily, one of a number of UK startups that want to become the trusted middlemen in this new open banking ecosystem.

The London-based startup provides developers at fintech companies with the tools to connect their apps to retail banks, gain access to users' accounts information, and initiate payments via its APIs. This includes documentation, demo applications, free code samples, API analytics and monitoring.

Yapily's key aim is to make life easier for fintechs that want to connect with various banks' APIs, especially if those companies are targeting multiple geographies.

As Caley at ForgeRock put it: "Interoperability is only going to become more complex as PSD2 is enforced next year. So services and organisations like Yapily will only become more important for fintechs looking to take advantage of the opening up of these APIs across Europe."


Yapily CTO Joao Martins says that the startup was working on an open banking sandbox of its own at one point, when some of its engineers bumped into ForgeRock employees at an industry meetup, only to discover that the vendor was planning to do the same thing.

"It was not something we should be focused on; we needed to focus on the API and building a toolkit for developers," Martins said.

Now Yapily is guiding its customers to sign up to the ForgeRock Directory as a means of testing their integrations, at the same time as developing and demonstrating its own product using the ForgeRock Directory's simulated financial data.

The partnership is more a collaboration of convenience at this point, with no commercial terms in place.

For example, one of Yapily's clients is a pre-funded UK startup called Moneycado, which helps young people save money for travelling. The small company only has two engineers. "They want to solve their customer experience, not connecting to open banking," Martins says.

Martins adds that being able to show investors that it could connect to ForgeRock's model bank has helped prove "that they have a reliable product" in pitch meetings.


Firms like Yapily, TrueLayer and OpenWrks are all seeking to position themselves as the middlemen for fintechs looking to simplify the process of connecting to various banks' APIs, especially if they want to offer their services globally without having to build separate integrations for every bank.

That being said, Martins says Yapily is very different to its rival vendors in the space because it doesn't store any customer data, it simply acts as the 'dumb pipes' for fintechs to connect to the big banks.

"Our strategy isn't to stand out, we believe that most of those people connecting to those services will need a service like ours: a transparent API that doesn't store any data," he says. "We don't store credentials like a screen scraper does.

"This process shouldn't need a regulated proxy in the middle like TrueLayer or OpenWrks, I don't want my data stored there. I give consent to fintechs and don't want anyone else to hold it.

"Our service is charged per use not per user, so a monthly all-you-can-eat service. That being said we are not charging anything until customers have seen value from the service." He guesses that will not be until the beginning of next year.


Shefali Roy, COO at TrueLayer, naturally disagrees with this characterisation, however.

Speaking to Computerworld UK via email, she said: "The term screen scraping refers to both the legal framework and the technical implementation. Unsurprisingly, this can lead to misunderstandings. We use credential sharing, which is in compliance with PSD2 and allows us to work with banks that are not yet compliant with open banking. For banks that are compliant, our clients have access to Open Banking APIs."

Roy was keen to stress that TrueLayer doesn't store end-user data: "We have developed a unique security framework where we store encrypted credentials that cannot be decrypted unless the encryption key stored by the customer's application in a separate vault is also accessible.

"As a result, the fintech companies we work with do not need to worry about spending money on securing and governing data, we do it for them. They can then invest all their time and money in developing the best and most innovative open banking products."
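The split-custody arrangement Roy describes, in which one party holds only encrypted credentials and the other holds only the key that unlocks them, can be shown in a few dozen lines. The block below is an added example written for this article; it is not TrueLayer's code and says nothing about how TrueLayer actually implements its framework. The cipher is a constructed HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs on the Python standard library alone; the `CustomerVault` and `CredentialStore` classes, `store_credentials` and `fetch_credentials` are hypothetical names for the two sides of the arrangement.

```python
import hashlib
import hmac
import os

# Illustrative PRF-based stream cipher with encrypt-then-MAC. It is a constructed
# example so the block runs with the standard library only; a deployment would use
# a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead.

def _subkeys(master_key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"credential-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"credential-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce is drawn for every record."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only a record made under this key decrypts."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerVault:
    """Hypothetical: held by the fintech's own application. One key per end user, nothing else."""

    def __init__(self):
        self._keys = {}

    def key_for(self, user_id: str) -> bytes:
        return self._keys.setdefault(user_id, os.urandom(32))


class CredentialStore:
    """Hypothetical: held by the aggregator. Ciphertext only; no keys, no plaintext."""

    def __init__(self):
        self.records = {}

    def put(self, user_id: str, blob: bytes) -> None:
        self.records[user_id] = blob

    def get(self, user_id: str) -> bytes:
        return self.records[user_id]


def store_credentials(store: CredentialStore, vault: CustomerVault, user_id: str, credentials: bytes) -> None:
    """The aggregator receives only what encrypt() produces under the customer's key."""
    store.put(user_id, encrypt(vault.key_for(user_id), credentials))


def fetch_credentials(store: CredentialStore, vault: CustomerVault, user_id: str) -> bytes:
    """Recovery needs both parties: the stored record and the key from the vault."""
    return decrypt(vault.key_for(user_id), store.get(user_id))


def demo() -> dict:
    """Walk through the three properties the arrangement is meant to give."""
    vault, store = CustomerVault(), CredentialStore()
    creds = b"user:alice;password:correct horse battery staple"  # constructed sample
    store_credentials(store, vault, "alice", creds)
    results = {"round_trip": fetch_credentials(store, vault, "alice") == creds}

    # The aggregator's store on its own (modelled as a vault that never held the key)
    # cannot turn the record back into a credential.
    try:
        fetch_credentials(store, CustomerVault(), "alice")
        results["aggregator_alone_fails"] = False
    except ValueError:
        results["aggregator_alone_fails"] = True

    # A modified record is rejected before any plaintext is released.
    tampered = bytearray(store.get("alice"))
    tampered[20] ^= 0x01
    try:
        decrypt(vault.key_for("alice"), bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the aggregator's breach surface is the ciphertext alone: without the per-user key in the customer's vault, a leaked `CredentialStore` yields nothing, and the authentication tag means a modified record fails closed rather than decrypting to garbage that might be replayed at a bank.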

Copyright © 2018 IDG Communications, Inc.
