[Openid-specs-fapi] European Banking Authority draft Technical Standards

Dave Tonge dave.tonge at momentumft.co.uk
Wed Aug 31 12:51:01 UTC 2016


Hi all,

There has been further movement in the EU in the last couple of weeks with
regards to the requirement and regulation of financial APIs.

PSD2 - the second payment services directive comes into force in January
2018. Part of its requirements are for common and secure open standards of
communication between account servicing payment service providers (ASPSP),
Payment Initiation Services (PIS) providers, Account Information Services
(AIS) providers, payers, payees and other payment service providers.

The text of PSD2 is light on detail on these open standards, and the
European Banking Authority (EBA) was tasked with developing the Regulatory
Technical Standards (RTS). The draft of these standards along with a
consultation paper have now been released:
https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2/-/regulatory-activity/consultation-paper

Consultation is open now until 12 October 2016, after which the final
standards will be published. From my reading of the paper and the draft
there are a few points of interest that concern the FAPI WG:

The EBA has declined to specify what standards must be used (Clause 68).
However they have required that banks use common and open standards (Clause
69):

*"ASPSPs shall ensure that their communication interface uses common and
open standards which are developed by international or European
standardisation organisations. In particular, as suggested by several
respondents to the DP, the draft RTS propose that, when transmitting
payment and information messages between each other, ASPSPs, AISPs, PISPs
and PSPs issuing card-based payment instruments shall use ISO 20022
elements, components or approved message definitions, if available."*

The good news is that the EBA has clarified that banks must provide an
interface beyond their online web portal, i.e. an API. It is also good that
banks will be required to use common and open standards. However the fact
that no specific standard will be mandated means that there could be a
plethora of standards used. I personally am not sure about the mention of
ISO 20022 and would prefer a modern JSON based schema. I am interested in
others' thoughts about this, though.

The EBA is also recommending that the organisations communicating through
these APIs verify each other's identity through certificates issued by
a qualified trust service provider (a specific type of certificate
authority that complies with the eIDAS regulation
<https://ec.europa.eu/digital-single-market/en/trust-services-and-eid>).

There is some confusion in the paper around authentication and
authorisation that also needs to be clarified.

I suggest that the FAPI WG submits a response to the consultation paper. I
believe that engagement with the EBA and with relevant EU banks is
important in establishing the emerging FAPI standard as a recommended
standard for banks complying with PSD2.

Perhaps a short discussion of this can be added to the agenda?

Dave