[Openid-specs-fapi] Final PSD2 Strong Customer Authentication (SCA) Standards

Tom Jones thomasclinganjones at gmail.com
Tue Nov 28 22:52:00 UTC 2017


yeah - that's pretty much a killer. Banks will find a way to avoid having any
accounts which allow this.
Or they will do what the UK banks did around ATM cards and push the liability
onto the consumer or some other entity.
Consumer depository accounts are no longer the source of funds that banks
used to expect, so additional liability associated with them is not likely
to be accepted.
..tom

Peace ..tom

On Tue, Nov 28, 2017 at 1:19 PM, Dave Tonge via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Thanks Bjorn.
>
> Some of the new articles are pretty horrific from a security point of view:
>
>> Account servicing payment service providers that have put in place a
>> dedicated interface shall ensure that this interface does not create
>> obstacles to the provision of payment initiation and account information
>> services. *Such obstacles, may include*, among others, preventing the
>> use by payment service providers referred to in Article 30(1) of the
>> credentials issued by account servicing payment service providers to their
>> customers, *imposing redirection* to the account servicing payment
>> service provider's authentication or other functions, requiring additional
>> authorisations and registrations in addition to those provided for in
>> Articles 11, 14 and 15 of Directive 2015/2366, or requiring additional
>> checks of the consent given by payment service users to providers of
>> payment initiation and account information services.
>
>
> As I understand it this means:
>  - Banks have to allow customers to use the same credentials when
> accessing their online banking interface, and when using a third party
> provider (TPP)
>  - Banks cannot force the TPP to redirect customers to the bank for auth
>  - Banks cannot force TPPs to register with any directory/registry - this
> seems to make it hard for a bank to require a TPP to create an OAuth client
>
> Unfortunately, I don't think this text can be changed now.
>
> Dave
>
> On 28 November 2017 at 17:39, Hjelm, Bjorn via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> All
>> As some of you may already know, the European Commission (EC) has
>> published its final *“supplementing Directive 2015/2366 of the European
>> Parliament and of the Council with regard to regulatory technical standards
>> for strong customer authentication and common and secure open standards of
>> communication”*
>> <http://ec.europa.eu/finance/docs/level-2-measures/psd2-rts-2017-7782_en.pdf>
>> (to support implementation of PSD2). The official announcement can be found
>> in the *EC press release*
>> <http://europa.eu/rapid/press-release_IP-17-4928_en.htm> along with a *Fact
>> Sheet*
>> <http://europa.eu/rapid/press-release_MEMO-17-4961_en.htm?locale=en>.
>>
>> BR,
>> Bjorn
>>
>>
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>
>>
>
>
> --
> Dave Tonge
> CTO
> 10 Temple Back, Bristol, BS1 6FL
> t: +44 (0)117 280 5120
>