[Openid-specs-fapi] FAPI - The elephant in the room

Anders Rundgren anders.rundgren.net at gmail.com
Fri May 10 16:34:07 UTC 2019

On 2019-05-10 15:57, Dave Tonge wrote:
> I'm not sure I follow your argument.

Dear Dave et al,

Note: the following is only valid for traditional, merchant-initiated, consumer payments.  Payments as a part of financial services (banking) is another story which I have less insight in.

> 1. Mobile works fine with OAuth

 From an outside looking in position it seems that the Open Banking community as a whole has caught the "Hammer Syndrome".

If you take Apple Pay as an example it has virtually nothing in common with OAuth.

Conclusion: there are evidently quite different "Nails" out there.  Although Apple Pay builds on a dated card centric scheme, the core concept (statically provisioned account-specific authorization-keys and associated meta-data) has in no way ran out of gas. These schemes also markedly departs from FIDO since their privacy model is based on encryption rather than domain-bindings.

A showdown is looming on the horizon.

In case the FAPI WG would like to discuss this topic further, we can do that anytime.

I leave it there but feel free communicating with me off-list!


> 2. A PISP is a lightweight technology service provider that allows a merchant to receive payments into their bank account directly from their customers bank accounts.

So does a plain-vanilla web redirect as well.

Big merchants will be their own PISPs, but many small to medium size retailers will use a PISP (or indeed their existing payments platform will become a PSIP, e.g. Ayden: https://www.finextra.com/newsarticle/33411/adyen-launches-open-banking-powered-payment-method
> On Mon, 29 Apr 2019 at 10:40, Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
>     Dear list,
>     I hope you don't get too annoyed by my sometimes slightly "deviating" postings.
>     Anyway, this article
>     https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>     triggered me to once again reiterate what I consider a core problem with the FAPI vision.
>     In my opinion (supported by massive amounts of real-world deployments), payment transaction requests are rendered and authorized on mobile devices which seems to be at odds with the server-centric OAuth way of doing things.
>     It all really boils down to the question: do "Financial Services" and "Consumer Payments" actually benefit from using the same technology?
>     A related question is the value of a Payment Initiation Service.  As far as I can see it is essentially a "firewall" between the merchant and the user's bank.  The need for such a firewall is not evident.
>     I believe this part of Open Banking needs a refresh where the PIS concept is replaced by something else like e-money institutions issuing virtual payment cards.  Performing bank selection in the PIS and (optionally) account selection in the bank seems very fuzzy compared to simply selecting a card in a consistent user interface. That there is no generally accepted "Wallet" out there is of course a snag.
>     thanx,
>     Anders
>     _______________________________________________
>     Openid-specs-fapi mailing list
>     Openid-specs-fapi at lists.openid.net <mailto:Openid-specs-fapi at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> -- 
> Dave Tonge
> Moneyhub Enterprise <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
> Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
> t: +44 (0)117 280 5120
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at fca.org.uk/register <http://fca.org.uk/register>. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772 .
> Moneyhub Financial Technology Limited 2018 ©
> DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.

More information about the Openid-specs-fapi mailing list