[Openid-specs-fapi] European Banking Authority draft Technical Standards

Nat Sakimura nat at sakimura.org
Wed Aug 31 13:14:45 UTC 2016

Thanks Dave,

Very good points. I will add it to the agenda.

Re: ISO 20022, we are in the process of establishing a liaison
relationship with ISO/TC68 who maintains ISO 20022.
(It is my homework to craft a liaison letter to the TC and
its SCs.) My hope is to submit the resulting FAPI spec to
TC68 so that they can adopt it. That's why we are
writing the spec according to ISO Directives Part 2
instead of our usual IETF styles.



On 2016-08-31 21:51, Dave Tonge via Openid-specs-fapi wrote:
> Hi all,
> There has been further movement in the EU in the last couple of weeks
> with regards to the requirement and regulation of financial APIs.
> PSD2 - the second payment services directive comes into force in
> January 2018. Part of its requirements are for common and secure open
> standards of communication between account servicing payment service
> providers (ASPSP), Payment Initiation Services (PIS) providers,
> Account Information Services (AIS) providers, payers, payees and other
> payment service providers.
> The text of PSD2 is light on detail on these open standards, and the
> European Banking Authority (EBA) was tasked with developing the
> Regulatory Technical Standards (RTS). The draft of these standards
> along with a consultation paper have now been released:
> https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2/-/regulatory-activity/consultation-paper
> [1]
> Consultation is open now until the 12 October 2016, after which the
> final standards will be published. From my reading of the paper and
> the draft there are a few points of interest that concern the FAPI WG:
> The EBA has declined to specify what standards must be used.  (Clause
> 68). However they have required that banks use common and open
> standards (Clause 69):
> _"ASPSPs shall ensure that their communication interface uses common
> and open standards which are developed by international or European
> standardisation organisations. In particular, as suggested by several
> respondents to the DP, the draft RTS propose that, when transmitting
> payment and information messages between each other, ASPSPs, AISPs,
> PISPs and PSPs issuing card-based payment"instruments shall use ISO
> 20022 elements, components or approved message definitions, if
> available."_
> The good news is that the EBA has clarified that banks must provide an
> interface beyond their online web portal, i.e. an API. It is also good
> that banks will be required to use common and open standards. However
> the fact that no specific standard will be mandated means that there
> could be a plethora of standards used. I personally am not sure about
> the mention of ISO20022 and would prefer a modern JSON based schema. I
> am interested in other's thoughts about this though?
> The EBA is also recommending that the organisation's communicating
> through these APIs verify each other's identity through certificates
> issued by a qualified trust service provider - a specific type of
> certificate authority that complies with the eIDAS regulation [2]). 
> There is some confusion in the paper around authentication and
> authorisation that also needs to be clarified.
> I suggest that the FAPI WG submits a response to the consultation
> paper. I believe that engagement with the EBA and with relevant EU
> banks is important in establishing the emerging FAPI standard as a
> recommended standard for banks complying with PSD2. 
> Perhaps a short discussion of this can be added to the agenda?
> Dave
> Links:
> ------
> [1]
> https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2/-/regulatory-activity/consultation-paper
> [2] 
> https://ec.europa.eu/digital-single-market/en/trust-services-and-eid
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

More information about the Openid-specs-fapi mailing list