[Openid-specs-fapi] i wish to resign from FAPI

Chris Michael Chris.Michael at openbanking.org.uk
Thu Aug 16 11:03:30 UTC 2018

Thanks Dave and Ralph

Tom, I too would like to understand more about your concerns. We are committed to ensuring that the OB standards do exactly as Dave suggests - to protect the end user/customer - and we have been working with OIDF with exactly this goal.

Maybe the four of us can meet/talk to discuss in more details.

When is good for you next week?


Chris Michael

Head of Technology

Open Banking

+44 7767 372277


From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Dave Tonge via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: 16 August 2018 11:59
To: Openid-specs Fapi
Cc: Dave Tonge
Subject: Re: [Openid-specs-fapi] i wish to resign from FAPI

Hi Tom,

I'm sorry to hear about your wish to 'resign' and note your concerns.
As Ralph said it would be great to try and work through the issues you have as I can assure you that OpenBanking UK has absolutely no desire to put the user at risk - indeed safeguarding the user is very important to OpenBanking UK and there are consumer representatives on the steering committee who play an active role in championing user's rights and protections.

>From a user protection perspective PSD2 is quite helpful:

 - If a user disputes a payment, the ASPSP (bank) has to refund the user within 24 hours
 - The ASPSP then needs to investigate and may ask the PSIP for evidence of consent
 - If the ASPSP is not satisfied it can recover the money from the PISP (the PISP must have adequate insurance to cover this)
 - If the ASPSP is satisfied with the consent evidence provided by the PISP AND they are satisfied with how they (the ASPSP) applied "Strong Customer Authentication" (i.e. 2FA) then they can dispute the users claim and take the money back from them.

Its worth noting that because of the redirect model that OB uses this is not that different from if a user disputes a payment made via online banking. In both cases the bank will have records of how they have applied authentication, and the text that the user approved when confirming the transaction.

In your first email you seem to assume that the user is not involved in authenticating with the bank and confirming transactions initiated by a dubious PISP from Malta, but this is not the case. The user will have to strongly authenticate to their bank AND (in the OB model) confirm the transaction they are making. If the user is tricked by a dubious PISP they have full recourse to their bank to get a refund.

>From an AML perspective, ASPSPs have a duty to apply the same checks on a transaction that a user "initiates" from their online banking platform as one that a user "initiates" via a PISP.

With regards to some of your comments on the PDF:
 - there is no requirement for a TPP to identify or authenticate a user to any level of assurance. Indeed for payments in an e-commerce model a TPP may simply have a record of a user, using a browser, on an IP address who ordered an item and selected to pay with Bank X (but no nothing else about the user). If the payment is later disputed the TPP can provide evidence of the transaction in the same manner that a merchant deals with card charge backs. I agree with you that this "evidence" would be weak and this is why the OB model explicitly redirects the user to the bank where strong authentication can take place AND the user can confirm the amount and payee. In other PSD2 standards such as the Berlin Group embedded mode this is a  much greater problem as the ASPSP has no interaction with the user at all.
 - partial consent - while possible in OAuth 2, this is not allowed by OpenBanking UK. It is either accept all or deny.

Finally I'd like to stress again that OpenBanking UK is very separate from the FAPI WG at OIDF. There are multiple standards bodies, industry initiatives and vendors that are implementing FAPI as a secure profile of OAuth 2; OpenBanking UK is just one of those.

I hope this helps and thank you for continuing to push us to consider the protection of the user as we develop these standards.


On Thu, 16 Aug 2018 at 10:32, Tom Jones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> wrote:
Well, i have spent as much time reviewing and annotating the attached document as i am will to do pro bono.
What I don't see is any reason for the user to trust the flow shown.
So is the net result a debit against the user's account that is the user's liability?
And does the user have the responsibility to prove that the charge was not authorized by them?

This is not a service that i personally would be willing to use with a US bank.
Here is the site where i record by own thought on user consent: http://tcwiki.azurewebsites.net/index.php?title=User_Consent#Full_Title_or_Meme
i am also working with the Kantara CIS group and Mark Lizar by building an OP that uses consent and show some results here: tcwiki.azurewebsites.net/index.php?title=Consent_Receipt_Construction<http://tcwiki.azurewebsites.net/index.php?title=Consent_Receipt_Construction>

Peace ..tom

On Wed, Aug 15, 2018 at 10:56 AM, Ralph Bragg <ralph.bragg at raidiam.com<mailto:ralph.bragg at raidiam.com>> wrote:
Hi Tom,

I’m personally really interested in the concerns you’ve raised especially when it comes to the OB part.

This (below) is the consent guidelines that the OBIE currently have published with an update in train.

OB would be really interested in your feedback and comments.

Kind regards,


From: 32022724200n behalf of
Sent: Wednesday, August 15, 2018 16:55
To: Financial API Working Group List
Cc: Tom Jones
Subject: [Openid-specs-fapi] i wish to resign from FAPI

Please remove my name from the mailing list and from all future documentation produced by the wg.

If you care to know why; i thought i would list my reasons (these just relate to the FAPI part):
1. FAPI is being used by the UK OB & PSD2 folk as proof of security compliance but that only applies to the connection between the ASPSP and TPP, the user is not involved.
2. Since this is the Open ID foundation, i believe it is not part of our work to consider any standard where the user is not identified.
3. We have no input on user consent to the process.

I also have concerns about the damage that will be reflected on the OpenID foundation by association with a group that appears to have no interests in the user or the financial and time loss to the user that will (IMHO) result from user unhappiness with the way that their private data and actual assets are put on display without their explicit consent. It seems that the ASPSP has no choice but to accept a payment request initiated by any entity approved by any member state including Malta (with known tolerance for Russian oligarchs) or the channel islands which have been used by UK banks to avoid money laundering regulations. I do understand that they can refuse the request, but that action can be challenged by any TPP, which is certain to wear down their fiduciary duty to their users. The OP in the cases i have seen is not defined, so the threats cannot be fully known.

Peace ..tom

Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>

Dave Tonge
[Moneyhub Enterprise]<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
Moneyhub Financial Technology, 2nd Floor, Whitefriars Business Centre, Lewins Mead, Bristol, BS1 2NT
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 561538) at fca.org.uk/register<http://fca.org.uk/register>. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772 © . Moneyhub Financial Technology Limited 2018. DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Momentum Financial Technology Limited or of any other group company.

Please consider the environment before printing this email.

This email is from Open Banking Limited, Company Number 10440081.  Our registered and postal address is 2 Thomas More Square, London, E1W 1YN.  Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.  

This email and any attachments are confidential and are intended for the above named only.  They may also be legally privileged or covered by other legal rights and rules.  Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal.  If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180816/d78e2b17/attachment-0001.html>

More information about the Openid-specs-fapi mailing list