[Openid-specs-fapi] i wish to resign from FAPI

Dave Tonge dave.tonge at momentumft.co.uk
Thu Aug 16 10:59:17 UTC 2018

Hi Tom,

I'm sorry to hear about your wish to 'resign' and note your concerns.
As Ralph said it would be great to try and work through the issues you have
as I can assure you that OpenBanking UK has absolutely no desire to put the
user at risk - indeed safeguarding the user is very important to
OpenBanking UK and there are consumer representatives on the steering
committee who play an active role in championing user's rights and

>From a user protection perspective PSD2 is quite helpful:

 - If a user disputes a payment, the ASPSP (bank) has to refund the user
within 24 hours
 - The ASPSP then needs to investigate and may ask the PSIP for evidence of
 - If the ASPSP is not satisfied it can recover the money from the PISP
(the PISP must have adequate insurance to cover this)
 - If the ASPSP is satisfied with the consent evidence provided by the PISP
AND they are satisfied with how they (the ASPSP) applied "Strong Customer
Authentication" (i.e. 2FA) then they can dispute the users claim and take
the money back from them.

Its worth noting that because of the redirect model that OB uses this is
not that different from if a user disputes a payment made via online
banking. In both cases the bank will have records of how they have applied
authentication, and the text that the user approved when confirming the

In your first email you seem to assume that the user is not involved in
authenticating with the bank and confirming transactions initiated by a
dubious PISP from Malta, but this is not the case. The user will have to
strongly authenticate to their bank AND (in the OB model) confirm the
transaction they are making. If the user is tricked by a dubious PISP they
have full recourse to their bank to get a refund.

>From an AML perspective, ASPSPs have a duty to apply the same checks on a
transaction that a user "initiates" from their online banking platform as
one that a user "initiates" via a PISP.

With regards to some of your comments on the PDF:
 - there is no requirement for a TPP to identify or authenticate a user to
any level of assurance. Indeed for payments in an e-commerce model a TPP
may simply have a record of a user, using a browser, on an IP address who
ordered an item and selected to pay with Bank X (but no nothing else about
the user). If the payment is later disputed the TPP can provide evidence of
the transaction in the same manner that a merchant deals with card charge
backs. I agree with you that this "evidence" would be weak and this is why
the OB model explicitly redirects the user to the bank where strong
authentication can take place AND the user can confirm the amount and
payee. In other PSD2 standards such as the Berlin Group embedded mode this
is a  much greater problem as the ASPSP has no interaction with the user at
 - partial consent - while possible in OAuth 2, this is not allowed by
OpenBanking UK. It is either accept all or deny.

Finally I'd like to stress again that OpenBanking UK is very separate from
the FAPI WG at OIDF. There are multiple standards bodies, industry
initiatives and vendors that are implementing FAPI as a secure profile of
OAuth 2; OpenBanking UK is just one of those.

I hope this helps and thank you for continuing to push us to consider the
protection of the user as we develop these standards.


On Thu, 16 Aug 2018 at 10:32, Tom Jones via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Well, i have spent as much time reviewing and annotating the attached
> document as i am will to do pro bono.
> What I don't see is any reason for the user to trust the flow shown.
> So is the net result a debit against the user's account that is the user's
> liability?
> And does the user have the responsibility to prove that the charge was not
> authorized by them?
> This is not a service that i personally would be willing to use with a US
> bank.
> Here is the site where i record by own thought on user consent:
> http://tcwiki.azurewebsites.net/index.php?title=User_Consent#Full_Title_or_Meme
> i am also working with the Kantara CIS group and Mark Lizar by building an
> OP that uses consent and show some results here:
> tcwiki.azurewebsites.net/index.php?title=Consent_Receipt_Construction
> Peace ..tom
> On Wed, Aug 15, 2018 at 10:56 AM, Ralph Bragg <ralph.bragg at raidiam.com>
> wrote:
>> Hi Tom,
>> I’m personally really interested in the concerns you’ve raised especially
>> when it comes to the OB part.
>> This (below) is the consent guidelines that the OBIE currently have
>> published with an update in train.
>> OB would be really interested in your feedback and comments.
>> Kind regards,
>> https://www.openbanking.org.uk/wp-content/uploads/Consent-Model-Part-1-Implementation-Guide.pdf
>> ------------------------------
>> *From:* 32022724200n behalf of
>> *Sent:* Wednesday, August 15, 2018 16:55
>> *To:* Financial API Working Group List
>> *Cc:* Tom Jones
>> *Subject:* [Openid-specs-fapi] i wish to resign from FAPI
>> Please remove my name from the mailing list and from all future
>> documentation produced by the wg.
>> If you care to know why; i thought i would list my reasons (these just
>> relate to the FAPI part):
>> 1. FAPI is being used by the UK OB & PSD2 folk as proof of security
>> compliance but that only applies to the connection between the ASPSP and
>> TPP, the user is not involved.
>> 2. Since this is the Open ID foundation, i believe it is not part of our
>> work to consider any standard where the user is not identified.
>> 3. We have no input on user consent to the process.
>> I also have concerns about the damage that will be reflected on the
>> OpenID foundation by association with a group that appears to have no
>> interests in the user or the financial and time loss to the user that will
>> (IMHO) result from user unhappiness with the way that their private data
>> and actual assets are put on display without their explicit consent. It
>> seems that the ASPSP has no choice but to accept a payment request
>> initiated by any entity approved by any member state including Malta (with
>> known tolerance for Russian oligarchs) or the channel islands which have
>> been used by UK banks to avoid money laundering regulations. I do
>> understand that they can refuse the request, but that action can be
>> challenged by any TPP, which is certain to wear down their fiduciary duty
>> to their users. The OP in the cases i have seen is not defined, so the
>> threats cannot be fully known.
>> Peace ..tom
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

Dave Tonge
[image: Moneyhub Enterprise]
Moneyhub Financial Technology, 2nd Floor, Whitefriars Business Centre,
Lewins Mead, Bristol, BS1 2NT
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 561538) at fca.org.uk/register.
Moneyhub Financial
Technology is registered in England & Wales, company registration number
06909772 © . Moneyhub Financial Technology Limited 2018. DISCLAIMER: This
email (including any attachments) is subject to copyright, and the
information in it is confidential. Use of this email or of any information
in it other than by the addressee is unauthorised and unlawful. Whilst
reasonable efforts are made to ensure that any attachments are virus-free,
it is the recipient's sole responsibility to scan all attachments for
viruses. All calls and emails to and from this company may be monitored and
recorded for legitimate purposes relating to this company's business. Any
opinions expressed in this email (or in any attachments) are those of the
author and do not necessarily represent the opinions of Momentum Financial
Technology Limited or of any other group company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180816/cee76928/attachment.html>

More information about the Openid-specs-fapi mailing list