[Openid-specs-fapi] How are TTPs vetted under PSD2?

Anders Rundgren anders.rundgren.net at gmail.com
Wed Jul 8 06:32:53 UTC 2020


I have no opinion about the TPP vetting process, but the chain of trust is long, expensive, and potentially error-prone.

In "Saturn" (pardon me for referencing this all the time...), there is a comparable mechanism where the counterpart to an NCA (Merchant Bank) periodically publishes a record, signed by them, for each vetted entity (Merchant).

This eliminates the need for QTSPs and eIDAS certificates, as well as providing richer information. In fact, it eliminates the need for centralized Open Banking TPP registries as well.

Sample: https://mobilepki.org/webpay-payeebank/

Anders



On 2020-07-07 08:36, Ralph Bragg via Openid-specs-fapi wrote:
> Hi Nat,
> 
> It’s one of the areas that is unfortunately not universally defined across Europe. Ultimately each National Competent Authority is responsible for accreditation of the regulatory permissions to be a TPP. The ‘technical’ requirements vary by NCA, which means that you do get some regulatory arbitrage taking place across Europe, with some NCAs applying stricter rules than others. The financial burden to become a regulated AISP/PISP can be quite high; there is a particularly reasonably high capital requirement to become a PISP.
> 
> Ultimately all organisations and their officers can in some cases be held personally to account, especially for negligent handling of personal data. All corporations are subject to the Europe-wide GDPR; however, again depending on how and where a breach happens, where it is reported, and which ICO / Data Protection Department for a country is given jurisdiction to investigate, the impact, fines and censure can vary.
> 
> We did ask at the OBIE what, if any, technical requirements the FCA/NCA or the ICO would like TPPs to obtain in order to become accredited participants, but unfortunately nothing was ultimately adopted. Ideally I’d have liked TPPs to have completed UK Cyber Essentials Plus as a minimum and to have had their software certified as FAPI Relying Party compliant; however, there was no appetite to implement these requirements and, as mentioned, there is a potential competitive hazard that will encourage TPPs to register with whatever country has the lowest or cheapest route to accreditation.
> 
> The OBIE for PSD2 participants cannot apply any more rules or checks than those applied by the issuing NCA. For other authorisations such as Confirmation of Payee or the other Pay.UK overlay services, the ‘NCA’ responsible, in this case Pay.UK, could enforce additional checks or place additional requirements on TPPs before those regulatory roles were granted.
> 
> RB
> 
> *From: *Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
> *Reply to: *Financial API Working Group List <openid-specs-fapi at lists.openid.net>
> *Date: *Tuesday, 7 July 2020 at 06:45
> *To: *Financial API Working Group List <openid-specs-fapi at lists.openid.net>
> *Cc: *Nat Sakimura <nat at digitalideas.tokyo>
> *Subject: *[Openid-specs-fapi] How are TTPs vetted under PSD2?
> 
> Hi
> 
> It is not really a technical spec issue, but just out of curiosity: How does the appropriateness of data handling etc. of the TPPs (i.e., Fintechs) get verified under PSD2? Are there some kind of rules? Who is verifying that the TPP is trustworthy?
> 
> Best,
> 
> Nat Sakimura
> 