Shared Responsibility
This document provides guidance regarding the roles and responsibilities of customers and Jack Henry when setting up, monitoring, and maintaining open banking practices. Open banking refers to the practice of providing third-party vendors open access to data from financial institutions using application programming interfaces (APIs).
The following information applies to Identity and Access Management, Usage Monitoring, Third-Party Vendor Due Diligence, and Data Security and Controls.
Open Banking Roles and Responsibilities Matrix
| Digital Toolkit |
jXchange In-House |
jXchange Hosted |
SymXchange | EPS / Ensenta |
Payrailz | |
|---|---|---|---|---|---|---|
| Identity and Access Management |
|
|
|
|
||
| Usage Monitoring |
|
|
||||
| Third-Party Vendor Due Diligence | ||||||
| Data Security and Controls |
|
|
|
Identity and Access Management
Who is responsible for creating, revoking, and performing periodic access reviews of API credentials?
Digital Toolkit: Customers are responsible for revoking and performing periodic access reviews. Jack Henry is responsible for creating credentials for major data aggregators on behalf of customers; however, customers can opt out and directly remove those credentials at any time in the back-office products.
jXchange In-House: Customers are responsible for creating, revoking, and performing periodic access reviews.
jXchange Hosted: Jack Henry is responsible for creating credentials when directly authorized by customers via a support case. Customers are responsible for revoking and performing periodic access reviews.
SymXchange: Customers are responsible for creating, revoking, and performing periodic access reviews through detailed logging available in the core.
EPS/Ensenta: Jack Henry is responsible for creating credentials when directly authorized by customers via a support case. Customers are responsible for revoking and performing periodic access reviews.
Payrailz: Jack Henry is responsible for creating, revoking, and performing periodic access reviews, as directed by the Customer. The customer is responsible for access reviews.
Usage Monitoring
Who is responsible for monitoring API usage for fraud and abuse of the API?
Digital Toolkit: Customers are responsible for monitoring for fraud and abuse through Banno People activity logs or the Jack Henry Data Broker.
jXchange In-House: Customers are responsible for monitoring for fraud and abuse.
jXchange Hosted: Jack Henry is responsible for monitoring for fraud and abuse.
SymXchange: Customers are responsible for monitoring the logs for fraud and abuse through detailed logging in the core.
EPS/Ensenta: Customers are responsible for monitoring for fraud and abuse through back-office mitigation tools.
Payrailz: Jack Henry is responsible for monitoring for fraud and abuse.
Third-Party Vendor Due Diligence
When the entity using the API is a third-party vendor and not Jack Henry or the customer, who is responsible for vendor due diligence?
For any API provided by Jack Henry, customers are responsible for all third-party vendor due diligence. Vendor membership in Jack Henry’s Vendor Integration Program does not alleviate the customer from any due diligence obligations.
Data Security and Controls
Who is responsible for setting and maintaining the controls that limit level of access?
Digital Toolkit: Customers are responsible for setting and maintaining vendor access controls through back-office applications.
jXchange In-House: Customers are responsible for setting and maintaining vendor access controls with Jack Henry’s assistance on request.
jXchange Hosted: Jack Henry is responsible for setting and maintaining vendor access controls based on the set of integrations that the customers request.
SymXchange: Customers are responsible for setting and maintaining vendor access controls.
EPS/Ensenta: Jack Henry is responsible for setting and maintaining vendor access controls based on the set of integrations that the customers request.
Payrailz: Jack Henry is responsible for setting and maintaining vendor access controls based on the set of integrations that the customers request.