[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth

Francis Pouatcha fpo at adorsys.de
Mon Jul 27 00:11:53 UTC 2020

Hello Anders, Torsten,

criticizing PSD2 for not exposing banking APIs to merchants is as naïve
as criticizing it for not exposing banking APIs to mobile phones. I recall
this response again:

If EBA mandates "Open" access to banking APIs, we need the regulator to
provide a corresponding Trust Framework. Therefore PSD2 is not over

I still haven't seen an alternative trust framework for Open Banking out
there that provides the same openness as PSD2 without regulation or
central authority.

The Berlin Group embedded model was a great transitional model, as
OAuth/OpenID FAPI-based models were and are still not done. Most of the
specs are still in draft mode.

It is also naive to have banks implement OAuth when they do not understand
OAuth. Before PSD2:
- many IT-Security Managers of banks in Europe had never heard about
OAuth/JWT before. I conducted tons of workshops.
- many banks have never exposed Open APIs before. Reality...

The embedded model is a consequence of HBCI/FinTS that has been operating
in Europe for the last 15 years, passing user credentials to TPP
(unregulated - weaker trust framework but practical).
The embedded model is also a natural migration from the screen scraping
that is still being practiced on the Banking API market.
The regulator introducing a mandatory second factor helped keep those fraud
cases under control. These decisions were based on data.

The banking community has gathered a lot of data on user-credential-based
fraud in the financial sector for years.

The most natural start for PSD2 in mainland Europe consisted in having an
embedded mode built on top of existing user-credential-based interfaces of
banks (HBCI/FinTS Germany, resp. screen scraping or else) and then give
those banks the time to learn how to deal with OAuth/Redirection/API/API
Gateway/.... This is the reality.

Best regards.

Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG