Introducing the Ping Identity Consumer Data Right Sandbox for Open Banking

In 2017, then-Treasurer Scott Morrison initiated the beginnings of the Consumer Data Right, Australia’s effort to give consumers control over their data held on their behalf by commercial organisations. Based on the worldwide shift to Open Banking, as seen in the UK and Europe, financial services was the first industry to be mandated under this initiative. Future Australian industries to receive their own CDR specifications will include Energy and Telecommunications.

Since then, Data61 and the Australian Competition and Consumer Commission (ACCC), in conjunction with industry participants such as Ping Identity, have developed a set of open standards that enable data holders (generally, the banks who hold customer transaction data) and data recipients (banks, fintechs and other certified parties) to share user data via standard RESTful APIs, based on informed and granular customer consents. The underlying specifications for the CDR include:

• The data sharing APIs, which detail the standard requests and responses to enable data to flow

• The information security (InfoSec) specification, which details the cryptographic standards to be used for communications, as well as the required authentication flow, the user consent requirements and other security pieces

• The ACCC registry API specification, allowing certified participants to register their organisations and applications and receive cryptographic material to be used to trust and secure the API communications between each other

• Non-functional specifications, detailing availability requirements and other environmental concerns

The specifications have been in constant flux since the start of development, with a number of major changes to the design occurring through industry consultation. With the release of version 1.2 in February 2020, participants now have a finalised specification to implement for their respective production release dates mandated by the ACCC: July 2020 for the Big 4 banks and July 2021 for other data holders.

It’s important to note that participants must apply to be certified to use the open APIs of the CDR. While the details of the APIs are open to all, use of them will be highly regulated by the ACCC.

Ping Identity has a long history of involvement in open standards development for digital identity, going back to the days of SAML 2.0, OAuth2 and OpenID Connect. Our work in standards bodies has continued since then to include standards efforts that use OAuth2 and OpenID Connect as the basis for advanced specifications, like the Financial-grade API (FAPI). FAPI in turn is used as the basis for the UK’s Open Banking standards, and it was also the starting point for the Australian CDR. However, the Australian CDR extends FAPI in ways that make- reuse of a UK Open Banking solution incompatible with our local spec, and it adds a number of new requirements for local conditions. 

It was obvious to us at Ping in Australia that our Tier 2 banking customers and interested FinTechs would need a template to work from when attempting to meet CDR requirements. Based on our experience in the specification development process, our work with our local banking customers and our experience building a sandbox for the UK’s Open Banking regime, we have created a pre-built development environment to get you started quickly without the cost of custom development, that aligns to the Australian specifications as of version 1.2.

This sandbox is designed around standard DevOps tooling, allowing interested parties to instantiate their own Ping CDR sandbox environment in a matter of minutes. All data, authentication flows and API calls are live in the sandbox, except for the one-time passcode delivery via SMS, which has been hardcoded for convenience.

The sandbox uses our industry-leading identity and access management components, PingFederate, PingAccess and PingDirectory, to deliver a full CDR experience. Included are:

• An implementation of the CDR InfoSec specification, which is based on the Financial-Grade API (FAPI) specification that Ping Identity has contributed to over many years

• A mock ACCC registry, supporting fintech registration and maintenance services

• An implementation of the CDR data sharing APIs, using Biza.io’s DeepThought CDR API implementation

• A sample Data Holder (bank) web application, demonstrating authentication, authorisation, token creation, and user consent

• A sample Data Recipient (fintech) web application, showing the end user experience in creating a data sharing arrangement with a Data Holder, and the display of transaction data based on CDR-compliant API calls to the Data Holder, on behalf of the end user.

Ping has developed this sandbox in response to our customers’ and prospects’ requests. The CDR specification is complex and Ping has the luxury of a FAPI-compliant solution to start building on. While some of the intricacies of the CDR have required us to make minor modifications to our products or deliver particular configurations, this is Ping’s business. To begin from scratch and develop a fully CDR-compliant solution based on OpenID Connect toolkits or libraries would take tens of thousands of hours of coding. And then there’s the maintenance required as the specification changes, often drastically, as we’ve already seen with the shift to concurrent consent in CDR version 1.3.

The Ping CDR sandbox for Open Banking gives the financial services industry a DevOps-driven, supported, and industry-standard template to use in education, testing and integration. While it is not a production-quality solution, it can be used as the basis for implementing a production CDR environment.

With current conditions putting bank and fintech project teams under pressure and the scarcity of experienced digital identity resources in the market, the sandbox gives those teams a jumpstart to becoming compliant, as a test bed and then a template for a production deployment.

Additionally, all of the capabilities of Ping’s industry-leading components are right there, ready to be used by other digital identity projects in the future. Whether it’s removing application silos to enable omnichannel experiences across web, mobile and API services, updating legacy infrastructure to make use of modern protocols like OpenID Connect or modern crypto functions, or making use of new agile capabilities like OAuth Token Exchange for security across a microservices-enabled environment, the Ping CDR sandbox has all of them waiting to be used.

You can deploy the sandbox in your own environment with a couple of commands. The end-to-end CDR experience can be tried by starting at the sample data recipient application and authenticating with the test user credentials supplied.

From there, you can start to integrate your own applications and backend services. Applications will use the standard OIDC flow against the sandbox’s OAuth authorisation server, PingFederate. To register a new client application, you'll need to enter the required details in the mock ACCC registry. Using the CDR’s slightly non-standard version of dynamic client registration, these details will flow automatically into PingFederate and you’ll be able to hit the OIDC endpoints with your application or Postman API calls straight away.

If you’re a prospective data holder, integrating your existing data sources to be served by the CDR APIs will require further work. The Ping Identity CDR sandbox makes use of Biza.io’s DeepThought API service, which provides a complete set of banking APIs for product and user transaction data out of the box. You can then extend the CDR Sandbox to host your specific product and representative transaction data as well as brand it accordingly. Following closely behind the initial release, a series of integration and how-to videos will be made available, providing guidance on how to integrate the sandbox with existing user repositories, API gateways and data APIs.

The CDR for financial services will continue to change as maintenance updates and new functionality like payment initiation are rolled in. We will keep the sandbox updated on a best-effort basis, tracking the standards and updating the configuration as required.

We’re also keeping a close eye on the development of the Open Energy specification. It may use much of the same framework as financial services, but may diverge in some cases. Whether that will require a Ping Identity CDR sandbox for Open Energy remains to be seen.

We’re also talking with our telecommunications customers about what that standard might look like. Open Telco will probably be closer to Open Banking than Open Energy, and we’ll use our experience to help define the standard and deliver a sandbox for interested parties.

The future is bright for open data sharing in Australia. Ping Identity is the market leader in this space, and we intend to remain there by sharing our technology and experience with the industry.

Get access to Ping Identity’s CDR sandbox for Open Banking today.