[Openid-specs-fapi] i wish to resign from FAPI

Anders Rundgren anders.rundgren.net at gmail.com
Fri Aug 17 05:38:53 UTC 2018

I believe some of your concerns are rooted in the Open Banking concept itself.
One of the motivations (particularly in the UK) was breaking the [perceived] bank monopoly on payments.
A problem here is that every transaction (at least over a certain limit) has to be authorized by the user at his/her bank using the bank's specific account selection methods and authentication solution, creating a horrendous user experience.
To cope with that various "shortcuts" have been introduced where long-lived consents are used, effectively mimicking card-on-file payments or pre-paid cards.

I wouldn't worry too much about the above because the currently entirely non-standard merchant- and app-solutions will cause the market to split into two tracks:
- Super providers like Amazon, potentially dwarfing banks
- The Scandinavian model: Banks create a single client solution and share a common PISP in some way.  Due to the latter they can easily (automatically) reject requesting parties that they for some reason don't want to serve.

What will remain useful of FAPI when the dust have settled are services using account information.

It is in this context worth noting that Chrome now is *shipping* with a "PaymentHandler" interface which is supposed to revolutionize Web payments.
This may not be as easy as anticipated as shown by this recent GitHub issue: https://github.com/w3c/payment-request/issues/759


On 2018-08-15 17:55, Tom Jones via Openid-specs-fapi wrote:
> Please remove my name from the mailing list and from all future documentation produced by the wg.
> If you care to know why; i thought i would list my reasons (these just relate to the FAPI part):
> 1. FAPI is being used by the UK OB & PSD2 folk as proof of security compliance but that only applies to the connection between the ASPSP and TPP, the user is not involved.
> 2. Since this is the Open ID foundation, i believe it is not part of our work to consider any standard where the user is not identified.
> 3. We have no input on user consent to the process.
> I also have concerns about the damage that will be reflected on the OpenID foundation by association with a group that appears to have no interests in the user or the financial and time loss to the user that will (IMHO) result from user unhappiness with the way that their private data and actual assets are put on display without their explicit consent. It seems that the ASPSP has no choice but to accept a payment request initiated by any entity approved by any member state including Malta (with known tolerance for Russian oligarchs) or the channel islands which have been used by UK banks to avoid money laundering regulations. I do understand that they can refuse the request, but that action can be challenged by any TPP, which is certain to wear down their fiduciary duty to their users. The OP in the cases i have seen is not defined, so the threats cannot be fully known.
> Peace ..tom
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

More information about the Openid-specs-fapi mailing list