[Openid-specs-fapi] Final PSD2 Strong Customer Authentication (SCA) Standards

Dave Tonge dave.tonge at momentumft.co.uk
Tue Nov 28 21:19:47 UTC 2017

Thanks Bjorn.

Some of the new articles are pretty horrific from a security point of view:

> Account servicing payment service providers that have put in place a
> dedicated interface shall ensure that this interface does not create
> obstacles to the provision of payment initiation and account information
> services. *Such obstacles, may include*, among others, preventing the use
> by payment service providers referred to in Article 30(1) of the
> credentials issued by account servicing payment service providers to their
> customers, *imposing redirection* to the account servicing payment
> service provider's authentication or other functions, requiring additional
> authorisations and registrations in addition to those provided for in
> Articles 11, 14 and 15 of Directive 2015/2366, or requiring additional
> checks of the consent given by payment service users to providers of
> payment initiation and account information services.

As I understand it, this means:
 - Banks have to allow customers to use the same credentials when accessing
their online banking interface, and when using a third party provider (TPP)
 - Banks cannot force the TPP to redirect customers to the bank for auth
 - Banks cannot force TPPs to register with any directory/registry - this
seems to make it hard for a bank to require a TPP to create an OAuth client

Unfortunately, I don't think this text can be changed now.


On 28 November 2017 at 17:39, Hjelm, Bjorn via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> All
> As some of you may already know, the European Commission (EC) has
> published its final *“supplementing Directive 2015/2366 of the European
> Parliament and of the Council with regard to regulatory technical standards
> for strong customer authentication and common and secure open standards of
> communication”*
> <http://ec.europa.eu/finance/docs/level-2-measures/psd2-rts-2017-7782_en.pdf>
> (to support implementation of PSD2). The official announcement can be found
> in the *EC press release*
> <http://europa.eu/rapid/press-release_IP-17-4928_en.htm> along with a *Fact
> Sheet*
> <http://europa.eu/rapid/press-release_MEMO-17-4961_en.htm?locale=en>.
> BR,
> Bjorn

Dave Tonge
10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120
