In the last couple of years, the business world has been shaken by scandals connected with customer data management in a range of sectors. Changes in legislation became inevitable, with the European Union taking the lead by introducing the PSD2 directive. Our long-term client, The ID Co., asked us to help them adapt to the complex legal requirements by integrating with Salt Edge, a third-party open banking solution.
About DirectID by The ID Co.
The ID Co. is a FinTech solutions company with two products under its belt: DirectID and NoMo (developed together with Code & Pepper). This project concerned DirectID, a banking data aggregator which lets customers use their online banking profiles to log in to other applications and platforms. The product offers two key integration points: DirectID Connect and DirectID Data API. The security model is layered, with OAuth-based authentication and strong encryption.
Once PSD2 came into force, The ID Co. faced an urgent issue that could affect the product's ongoing operation: they needed a way to ensure a continuous flow of customer data from European banks. After they chose Salt Edge as the data aggregator, our job was to build an API layer compatible with the existing one built on Yodlee, through which the rest of the DirectID API communicates.
Solutions for Salt Edge
Parts of the Salt Edge API turned out to differ significantly from the Yodlee API, so we had to adapt the Salt Edge integration to some extent to make sure our custom API could talk to both services. The documentation provided by Salt Edge proved to be of vital support.
Working from the source code of the Yodlee integration, our team reverse-engineered it to create an analogous API layer. This included:
- OAuth-based authentication,
- an endpoint returning the providers (e.g. banks) served by Salt Edge,
- an endpoint returning the list of accounts, account-holder information and transaction history.
Service security was our second key challenge in this project. We needed to recreate the whole complex, multi-level authentication structure of Yodlee and adapt it to the specifics of Salt Edge to ensure compatibility. Salt Edge communication adds protection of its own: every request carries a signature in an HTTP header and additional secrets, such as the App-id and its secret, the Customer-secret or the Connection-secret, as described in Salt Edge's security features documentation.
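To make the signed-request scheme concrete, here is an added example written for this page; it is not code from the project, from Code & Pepper or from Salt Edge. The client signs the canonical string `Expires-at|METHOD|full URL|body` with RSA-SHA256 and sends it base64-encoded in the `Signature` header next to `App-id`, `Secret` and `Expires-at`; the receiving side rejects the request if it has expired or if the signature does not verify over the same string. The string layout and header names follow the scheme Salt Edge documents for its API as we understand it, so verify them against the current version; the RSA key, the `App-id`/`Secret` values, the URL and the JSON body are constructed placeholders, and the Customer-secret and Connection-secret headers are left out for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// signingString builds the canonical string that is signed. Layout assumed from the
// Salt Edge API docs: "<Expires-at>|<METHOD>|<full URL incl. query>|<request body>".
func signingString(expiresAt int64, method, url, body string) string {
	return fmt.Sprintf("%d|%s|%s|%s", expiresAt, strings.ToUpper(method), url, body)
}

// SignRequest is the client side: it sets a one-minute expiry, signs the canonical
// string with the client's RSA private key (SHA-256, PKCS#1 v1.5) and adds the headers.
// appID and appSecret are constructed placeholders, not real credentials.
func SignRequest(req *http.Request, body string, key *rsa.PrivateKey, appID, appSecret string, now time.Time) error {
	expiresAt := now.Add(60 * time.Second).Unix()
	digest := sha256.Sum256([]byte(signingString(expiresAt, req.Method, req.URL.String(), body)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	req.Header.Set("App-id", appID)
	req.Header.Set("Secret", appSecret)
	req.Header.Set("Expires-at", strconv.FormatInt(expiresAt, 10))
	req.Header.Set("Signature", base64.StdEncoding.EncodeToString(sig))
	return nil
}

// VerifyRequest is the receiving side: reject expired requests first, then check the
// signature over the same canonical string with the client's public key. Any change to
// the method, URL, body or Expires-at header after signing makes verification fail.
func VerifyRequest(req *http.Request, body string, pub *rsa.PublicKey, now time.Time) error {
	expiresAt, err := strconv.ParseInt(req.Header.Get("Expires-at"), 10, 64)
	if err != nil {
		return errors.New("missing or malformed Expires-at")
	}
	if now.Unix() > expiresAt {
		return errors.New("request expired")
	}
	sig, err := base64.StdEncoding.DecodeString(req.Header.Get("Signature"))
	if err != nil {
		return errors.New("malformed Signature")
	}
	digest := sha256.Sum256([]byte(signingString(expiresAt, req.Method, req.URL.String(), body)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("signature mismatch")
	}
	return nil
}

// DemoResult records the outcome of the three checks exercised by Demo.
type DemoResult struct {
	Valid            bool // untouched signed request verifies
	TamperedRejected bool // body altered after signing is rejected
	ExpiredRejected  bool // request checked after Expires-at is rejected
}

// Demo runs the round trip on a constructed request with a freshly generated key.
func Demo() (DemoResult, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	now := time.Unix(1700000000, 0)
	body := `{"data":{"customer_id":"cust_123"}}` // constructed sample body
	req, err := http.NewRequest("POST", "https://www.saltedge.com/api/v5/connect_sessions/create", strings.NewReader(body))
	if err != nil {
		return DemoResult{}, err
	}
	if err := SignRequest(req, body, key, "app-id-placeholder", "app-secret-placeholder", now); err != nil {
		return DemoResult{}, err
	}
	tampered := strings.Replace(body, "cust_123", "cust_999", 1)
	return DemoResult{
		Valid:            VerifyRequest(req, body, &key.PublicKey, now) == nil,
		TamperedRejected: VerifyRequest(req, tampered, &key.PublicKey, now) != nil,
		ExpiredRejected:  VerifyRequest(req, body, &key.PublicKey, now.Add(2*time.Minute)) != nil,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid=%v tamperedRejected=%v expiredRejected=%v\n", r.Valid, r.TamperedRejected, r.ExpiredRejected)
}
```

The expiry check runs before the signature check so that a replayed request is rejected cheaply even if its signature is still valid, and the body is passed separately from the request so the server verifies exactly the bytes it read rather than a re-serialised copy.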
Multiple layer software architecture
The plan for the Salt Edge integration involved merging it with the previously used solution, Yodlee. That is why we structured the code at project and folder level to reflect the existing structure of the Yodlee service. The final architecture had three layers of code and ran on Microsoft Azure, with Azure SQL Database as the data store.
Unit and integration testing
Quality assurance was a vital part of the project and posed an extra challenge, since The ID Co. requested a particular tool set for it. We used xUnit and FakeItEasy for the unit and integration tests, and the Polly library for resilience features such as `retry`, to make sure they behave correctly.
We value Code & Pepper for its proactive attitude, responsiveness and transparent way of working. It is a reliable and dependable company that we can recommend for other business entities to cooperate with.
James Varga, CEO & Founder at The ID Co.