[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth

Anders Rundgren anders.rundgren.net at gmail.com
Mon Jul 27 05:31:20 UTC 2020

Hello Francis,

Mobile applications directly accessing banks is another thread.

Anyway, I think you touched an issue of mutual concern here.
The FAPI WG produces profile documents based on sets of quite complex standards. It is then up to the market like OBIE to use these profiles for creating systems.

What's missing is open discussion about the needs of the market and how well that fits the current profiles.

That OAuth is an ideal solution for AIS is clear since it maps pretty much one-2-one.
However, PIS is a different beast since it brings in a fourth party (the semi-trusted Merchant), into a scheme that was originally designed for three parties.

I could go on forever about the downsides of this arrangement but since it seems to be for the market to figure out, I'd better finish here.

As a final remark I would like to point out that the underlying architecture for payments is the four corner model (excluding settling). If new developments take this into consideration, it could completely change the playing field [1].


[1] https://cyberphone.github.io/doc/saturn/enhanced-four-corner-model.pdf

On 2020-07-27 02:11, Francis Pouatcha via Openid-specs-fapi wrote:
> Hello Anders, Torsten,
> Criticizing PSD2 for not exposing banking APIs to merchants is as naïve as criticizing it for not exposing banking APIs to mobile phones. I refer to this response again: http://lists.openid.net/pipermail/openid-specs-fapi/2020-July/001976.html
> If EBA mandates "Open" access to banking APIs, we need the regulator to provide a corresponding Trust Framework. Therefore PSD2 is not over-regulated.
> I still haven't seen an alternative trust framework for Open Banking out there that provides the same openness as PSD2 without regulation or a central authority.
> The Berlin Group embedded model was a great transitional model, as OAuth/OpenID FAPI based models were and are still not done. Most of the specs are still in draft mode.
> It is also naive to have banks implement OAuth when they do not understand OAuth. Before PSD2:
> - many IT-Security Managers of banks in Europe had never heard about oAuth/JWT before. I conducted tons of workshops.
> - many banks had never exposed Open APIs before. Reality...
> The embedded model is a consequence of HBCI/FinTS that has been operating in Europe for the last 15 years, passing user credentials to TPP (unregulated - weaker trust framework but practical).
> The embedded model is also a natural migration from the screen scraping that is still being practiced on the Banking API market.
> The regulator introducing a mandatory second factor helped keep those fraud cases under control. These decisions were based on data.
> The banking community has gathered a lot of data on user-credential-based fraud in the financial sector for years.
> The most natural start for PSD2 in mainland Europe consisted of having an embedded mode built on top of the existing user-credential-based interfaces of banks (HBCI/FinTS in Germany, rep. screen scraping or else) and then giving those banks the time to learn how to deal with OAuth/Redirection/API/API Gateway/.... This is the reality.
> Best regards.
> /Francis
> -- 
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/
