Open Finance challenges: how Nubank protects customer data and optimizes operations

Written by Rodrigo Sampaio and Marcelo Piva

Nubank always puts customers first to give them control over their finances and empower them in their daily lives. Joining the Open Banking initiative plays a big role in this mission. 

However, with empowerment comes great responsibility, that requires us to continuously safeguard our customer data. 

Dive in to discover how Nubank teamed up with Authlete to architect a state-of-the-art authorization server tailored for Open Banking.

Open Finance, a revolutionary concept, seeks to redefine how financial institutions share customer data with other institutions to deliver everyday services, prioritizing data ownership for customers.

To ensure seamless communication between diverse players, implementing a standardized language and ruleset was imperative. “Security was the top priority to enable this communication, so we established a set of complex security standards (OAuth 2.0 + OpenID Connect + FAPI + “Brazilian Standard”) to guarantee our customers’ peace of mind”, says Marcelo Piva, our Staff Software Engineer.

Open Finance also brought us the opportunity to reassure a core value of our business—transparency. 

That’s because customers must consent by giving explicit authorization to share their data through Open Finance. So, we have to make sure that:

• Customers can control their financial data.
• The decision to share (or withhold) this data with other institutions rests entirely with them.

Moreover, safeguarding this consent information is vital to ensure that only the rightful customer utilizes their data across different financial institutions without undue exposure to external entities.

Let’s deep dive into the technical aspect of API authentication and authorization. Open Banking is supported by a hierarchy of time-tested standards to mitigate any threat to customer data. These encompass the following:

• OAuth 2.0: The gold standard directing most online authorization.
• OpenID Connect (OIDC):  An identity layer built atop OAuth 2.0.
• FAPI: Security profiles based on OAuth 2.0 originally intended for financial-grade APIs.
• Brazilian Standard: Refined and sometimes narrowed down specification of the above standards to resonate with our ecosystem.

During our exploratory phase, we quickly realized the enormity of the challenge—having to comply with hundreds of security rules combined from multiple sources, including custom ones from Open Finance Brazil.

To best overcome the challenge, we decided to look for an expert partner to provide the best solution that would guarantee the security of our customer data. Our benchmarks were: 

• The best architecture
• Reduction of development time
• Industry-proven credibility

While numerous contenders vied for our attention, many were complicated, outdated, and wouldn’t fit well with our tech stack.

After a period of evaluating different solutions, Authlete emerged as our partner of choice. Their offerings removed the complexity of implementing required security standards. Authlete’s flexible and extensible APIs compliant with the latest standards allowed us to construct bespoke authorization and resource servers. This adaptability was invaluable to Nubank.

Beyond compliance, Authlete significantly shortened our development cycle, enabling Nubank to unveil a fully compliant authorization server in record time, all while preserving our existing infrastructure.

Furthermore, Authlete’s proficiency in the evolving API security in Open Banking ecosystems globally, backed by their active involvement in shaping the OpenID Foundation standards ensured our adherence to the Brazilian standards.

Check more details in the Case Study: Nubank – Authlete

As we navigate the evolving landscape of Open Finance, Nubank’s dedication to customer empowerment and data security remains unwavering. Our collaboration with Authlete stands as a testament to our commitment to offer best-in-class security solutions.

Seamlessly merging innovation, transparency, and customer-centricity, we are not just responding to the demands of Open Banking — we are setting the benchmark. Whether you’re a customer seeking financial freedom or a tech enthusiast keen on our behind-the-scenes processes, rest assured that Nubank is at the forefront of redefining digital banking, always with your security in mind.

Stay tuned to our blog for more insights into the financial revolution we’re shaping!