[Openid-specs-fapi] FAPI support for Bookings, Reservations, Etc. ?

Dave Tonge dave.tonge at momentumft.co.uk
Tue Nov 14 13:46:57 UTC 2017

Hi Anders, Tom,

So Anders you are right that the current FAPI profile supports "redirect"
based auth flows.
This can work for e-commerce applications, but as you say is not ideal for
payments made at a POS terminal.

To support this latter type of payment we are developing a FAPI profile for
CIBA - client initiated backchannel authentication:

This approach brings in the concept of a "consumption device" and an
"authentication device". The consumption device may be a POS terminal and
the authentication device could be a user's smartphone. The nice thing
about using CIBA is that many of the APIs defined in OpenBanking should
"just work" - CIBA simply defines a different flow for gaining an access

The basic flow would be as follows:
1. User presents some identifier at POS terminal (this could be via a card,
or phone number, etc.)
2. The user identifier is submitted to a third party (in PSD2 terms, a
payment initiation service provider - PISP)
3. The PISP is already registered as an OAuth client with various banks
4. The PISP sends the user identifier along with data about the proposed
payment to the bank
5. The bank verifies the PISP is a valid client, and then sends a push
notification to the customer's phone
6. The customer is taken through the process of authentication, and
authorization of the payment
7. Once the customer has authorised the payment, an access token is sent to
the PISP
8. The PISP uses this access token to execute the payment

Tom, I understand some of your concerns, however, I believe that the move
towards open APIs in banking, will enhance the security of payments and
give end-users more visibility and control over their accounts. There is
currently a need for strong legislative protection around consumer payments
because they are so insecure and at risk of fraud. The various FAPI
profiles should provide a way for all 3 parties - the bank, the payment
initiation service provider, and the end-user to have confidence and
assurance about any particular transaction.


On 13 November 2017 at 19:44, Tom Jones via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> that is far more of a legal/liability problem than a technical one.
> In the us there are 3 mechanisms, all with separate legal/liability
> results.
> Credit cards are not banking in the sense you mean, but are controlled by
> the FED, reg CC. Consumer liability limited to $50 which is usually not
> worth the time to collect.
> Debit cards apply directly to the user's bank account and so are very
> dangerous. I encourage people to avoid them like the plague.
> ACH payments are bank account to bank account and are more like
> traditional banking drafts.
> Because of the weak protection around ACH payments the release of the
> consumer's bank routing number is very risky.
> I believe that the introduction of a write api that can extract $ from a
> consumer's bank account will result in massive losses that will result in
> long legal tussles to determine who pays the bill.
> I can see no good coming from such a write api against consumer or small
> business bank balances. ..tom
> Peace ..tom
> On Mon, Nov 13, 2017 at 11:20 AM, Anders Rundgren <
> anders.rundgren.net at gmail.com> wrote:
>> On 2017-11-13 19:20, Tom Jones wrote:
>>> I thought i was directly addressing that point. I guess the problem, as
>>> usual, is one of semantics.
>> Yes, I was addressing this from a purely technical level where
>> transferring money from an account to another entity using an
>> on-line bank application is currently performed through [technically]
>> entirely different means compared to using a payment card connected
>> to the same account.
>> The hope is [apparently] that open banking APIs will finally unify
>> the technical side of money transfers, right?
>> Cheers,
>> Anders
>>> Banking originally applied to depository financial institutions (DFI)
>>> only.
>>> The banks were fiduciary holders of funds on the behalf of depositors.
>>> That is the basis for the financial regulations of the first 1/3 of the
>>> 20th century.
>>> Customers issued bank drafts (checks) against their funds, those were
>>> payments to the holder of the draft.
>>> Bank cards allow account holders access to their funds 24x7 at ATMs.
>>> Consumer payments originally applied to credit card accounts which were
>>> approved drafts signed by the holder of the account.
>>> This started to change with the initiation of MOTO - mail order
>>> telephone order - payments.
>>> But the big change occurred when banks learned that they could make more
>>> money from fees than from deposits.
>>> Today i guess i would say that "banking" is anything that the account
>>> holder initiates on his own behalf.
>>> Payments are anything that an FI does against a user account that does
>>> not have an immediate consumer draft as back up.
>>> Clearly the banks want to move us to a brave new world where they do
>>> things to our account and declaim any responsibility if anything goes wrong.
>>> Check some of Ross Anderson's articles if you disagree with that
>>> statement.
>>> It seems to date that all apis approved by the banks are in furtherance
>>> of such a movement.
>>> In particular that means that if an aggregator can "write" to the bank,
>>> it is no longer in the realm of "banking".
>>> Peace ..tom
>>> On Sun, Nov 12, 2017 at 10:27 PM, Anders Rundgren <
>>> anders.rundgren.net at gmail.com> wrote:
>>>     On 2017-11-12 04:14, Tom Jones wrote:
>>>         i am not sure about the eu, but in the us the ach payment method
>>> is not constrained by any dollar limit.
>>>         ANSI X9.59 addressed limits and user consent. AFAICT there is no
>>> protection for users in UK open banking or FAPI.
>>>         It's all banks all the way down.
>>>         Now if we could find a way to make it a claim, then OpenID can
>>> handle it.
>>>     I'm not sure that this is really what I'm asking for, it is rather a
>>> comment/reaction to my somewhat heretic claim that "Banking" and "Consumer
>>> Payments" are quite different and probably do not gain by being dealt by a
>>> generic payment initiation API and associated security model.
>>>     A "visual" of that could be taking a peek at these URL's
>>>     https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-1-0/#usage-examples-merchant
>>>     https://cyberphone.github.io/doc/saturn/saturn-authorization.pdf
>>>     which address the same use case.
>>>     As far as I can tell there is no wallet concept in the FAPI, STET or
>>> OpenBanking schemes, whereas the Saturn architecture does away with the
>>> PISP altogether since it doesn't depend on direct account access (Banking
>>> <<>> Consumer Payments).
>>>         Peace ..tom
>>>     Cheers,
>>>     Anders
>>>         On Fri, Nov 10, 2017 at 10:28 PM, Anders Rundgren via
>>> Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>>>              Dear payment aficionados,
>>>               From what I can deduct, FAPI currently supports a single
>>> payment method ("transfer"):
>>>         https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_005.md?fileviewer=file-view-default
>>>              After going a bit deeper into the matter including a brief
>>> study of the STET PSD2 API
>>> (https://www.stet.eu/en/news/news1/stet-psd2-api-is-now-available.html),
>>> it seems that FAPI and its "cousins" indeed properly address payments
>>> when performed in the context of "Banking", but somewhat less so for
>>> "ordinary" payment operations like performed at a POS terminal or
>>> automated gas station.
>>>              Comments?
>>>              Thanx,
>>>              Anders Rundgren
>>>              _______________________________________________
>>>              Openid-specs-fapi mailing list
>>>              Openid-specs-fapi at lists.openid.net
>>>              http://lists.openid.net/mailman/listinfo/openid-specs-fapi

Dave Tonge
10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

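The eight-step POS flow in Dave's message, as an added example that is not part of the original post or of any FAPI or CIBA implementation: a Python simulation of the bank side in CIBA poll mode, showing that the bank checks the PISP's client credentials before pushing anything to the customer's phone and releases an access token only to the client that started the request and only after the customer approved. The PISP identifier, secret, phone number, payment data and 120-second expiry are constructed assumptions; parameter and error names follow the OpenID CIBA specification.

```python
import secrets
import time
class Bank:   # bank (OpenID provider) side of the CIBA poll-mode flow from the post
    def __init__(self, clients, phones):
        self.clients = clients   # client_id -> client_secret of registered PISPs
        self.phones = phones     # user identifier -> inbox list of the user's phone
        self.pending = {}        # auth_req_id -> state of one backchannel request

    def backchannel_authenticate(self, client_id, client_secret, login_hint, payment):
        # Step 5: refuse before involving the user if the PISP is not a valid client.
        if self.clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        if login_hint not in self.phones:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(32)   # unguessable request handle
        self.pending[auth_req_id] = {"client_id": client_id, "approved": None,
                                     "expires": time.time() + 120}
        self.phones[login_hint].append((auth_req_id, payment))  # push notification
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def decide(self, auth_req_id, approved):
        # Step 6: the customer authenticates on the phone and approves or declines.
        self.pending[auth_req_id]["approved"] = approved

    def token(self, client_id, client_secret, auth_req_id):
        # Step 7: the PISP polls the token endpoint with the CIBA grant; the token
        # goes only to the client that started the request, only after approval.
        if self.clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        req = self.pending.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > req["expires"]:
            return {"error": "expired_token"}
        if req["approved"] is None:
            return {"error": "authorization_pending"}
        if not req["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_flow(approve):
    """Steps 1-7 for a constructed PISP and customer: returns (first poll, final)."""
    phone = []                                   # constructed authentication device
    bank = Bank({"pisp-1": "s3cret"}, {"+441170000000": phone})
    start = bank.backchannel_authenticate("pisp-1", "s3cret", "+441170000000",
                                          {"amount": "12.50", "payee": "Cafe"})
    first = bank.token("pisp-1", "s3cret", start["auth_req_id"])  # before user acts
    auth_req_id, _payment = phone[-1]            # what the push shows the customer
    bank.decide(auth_req_id, approve)
    return first, bank.token("pisp-1", "s3cret", start["auth_req_id"])
```

Step 8 (executing the payment with the token) is outside the simulation; a real bank would also enforce the returned polling `interval` and bind the payment details shown on the phone to the token it issues.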