Why ForgeRock built a simulated bank for testing open banking APIs

Fintechs are already using ForgeRock's sandbox to simulate connecting to a real bank via the new open banking APIs, as a way to supercharge their integration journey

Digital identity management specialist ForgeRock clearly sees the new open banking regulations popping up across the UK, Europe and New Zealand as a huge opportunity.

These regulations - namely the new Payment Services Directive (PSD2) - allow approved third parties to access customer financial information via a set of standardised, secure application programming interfaces (APIs), providing a huge opportunity for fintechs to offer new services.

In July the San Francisco-based vendor launched what it calls the Open Banking Directory - this gives fintechs still seeking their open banking regulatory approvals from the FCA the opportunity to test their integrations with these new APIs.

By connecting to a simulated bank in the ForgeRock sandbox environment, developers are able to hit the ground running as soon as their regulatory approval comes through.

The directory closely mimics the actual API directory approved providers will get access to after passing the FCA's checks.

"ForgeRock has delivered a reference bank implementation and directory, providing a technical sandbox for organisations looking to build and test Open Banking/PSD2 APIs," the vendor said at the time.

Access to the directory and sandbox is free for anyone, but ForgeRock isn't doing this out of the goodness of its heart.

"The reason for opening up this service through our new Directory is demand driven," said Nick Caley, vice president financial services and regulation at ForgeRock, when speaking to Computerworld UK.

"It answers the need in the UK to parallel track testing the Open Banking API specification with the FCA registration process."

Furthermore, it also enables ForgeRock's customers and prospects internationally to gain access to this resource for functionality testing, particularly as other countries are looking to validate their own technical standards for open banking.

"At the same time, as a development resource that will be provided for free for the foreseeable future, it promotes ForgeRock's expertise and capabilities, particularly when it comes to the Security Standards that underpin PSD2 and open banking [emphasis added]," Caley added.

Yapily case study

A company that's already taking advantage of this new capability is Yapily, one of a number of UK startups that want to become the trusted middlemen in this new open banking ecosystem.

The London-based start-up provides developers at fintech companies with the tools to connect their apps to retail banks, gain access to users' accounts information, and initiate payments via its APIs - this includes documentation, demo applications, free code samples, API analytics and monitoring.

Yapily's key aim is to make life easier for fintechs that want to connect with various banks' APIs, especially if those companies are targeting multiple geographies.

As Caley at ForgeRock put it: "Interoperability is only going to become more complex as PSD2 is enforced next year. So services and organisations like Yapily will only become more important for fintechs looking to take advantage of the opening up of these APIs across Europe."

Yapily CTO Joao Martins says that the start-up was working on an open banking sandbox of its own at one point, when some engineers bumped into ForgeRock employees at an industry meetup, only to discover the vendor's plans to do the same thing.

"It was not something we should be focused on, we needed to focus on the API and building a toolkit for developers," Martins said.

Now Yapily is guiding its customers to sign up to the ForgeRock Directory as a means of testing their integrations, at the same time as developing and demonstrating its own product using the ForgeRock Directory's simulated financial data.

The partnership is more a collaboration of convenience at this point, with no commercial terms in place.

For example, one of Yapily's clients is a pre-funded UK start-up called Moneycado, which helps young people save money for travelling. The small company only has two engineers.

"They want to solve their customer experience, not connecting to open banking," Martins said.

Martins adds that being able to show investors that it could connect to ForgeRock's model bank has helped prove "that they have a reliable product" in pitch meetings.


Firms like Yapily, TrueLayer and OpenWrks are all seeking to position themselves as the middlemen for fintechs looking to simplify the process of connecting to various banks' APIs, especially if they want to offer their services globally without having to build separate integrations for every bank.

That being said, Martins said Yapily is very different to its rival vendors in the space because it doesn't store any customer data, it simply acts as the 'dumb pipes' for fintechs to connect to the big banks.

"Our strategy isn't to stand out, we believe that most of those people connecting to those services will need a service like ours: a transparent API that doesn't store any data," he said. "We don't store credentials like a screen scraper does.

"This process shouldn't need a regulated proxy in the middle like TrueLayer or OpenWrks, I don't want my data stored there. I give consent to fintechs and don't want anyone else to hold it.

"Our service is charged per use not per user, so a monthly all-you-can-eat service. That being said we are not charging anything until customers have seen value from the service" - he guessed that will not be until the beginning of next year.

Shefali Roy, COO at TrueLayer, naturally disagreed with this characterisation, however.

Speaking to Computerworld UK via email, she said: "The term screen scraping refers to both the legal framework and the technical implementation. Unsurprisingly, this can lead to misunderstandings.

"We use credential sharing, which is in compliance with PSD2 and allows us to work with banks that are not yet compliant with open banking. For banks that are compliant, our clients have access to Open Banking APIs."

Roy was keen to stress that TrueLayer doesn't store end-user data: "We have developed a unique security framework where we store encrypted credentials that cannot be decrypted unless the encryption key stored by the customer's application in a separate vault is also accessible.

"As a result, the fintech companies we work with do not need to worry about spending money on securing and governing data, we do it for them.

"They can then invest all their time and money in developing the best and most innovative open banking products."

(Reporting by Scott Carey, Computerworld UK)
