[Openid-specs-fapi] Update on EBA RTS

Henrik Biering hb at peercraft.com
Thu Oct 12 12:31:44 UTC 2017


Hi Dave,
you are certainly right that the cited clause (b) would not prevent the 
PISP from transmitting and storing the users security credentials. But 
the EU is simultaneously struggling to have banks become eIDAS relying 
parties (and even joint co-IdP's) to easily and securely manage 
customers from all EU countries.

This aspiration may be incompatible with a broad interpretation of 
clause (b):

1. The bank may itself be required to redirect to the appropriate eIDAS 
IDP - or (as is currently the case in Denmark) use an special embedded 
flow secured by an IdP-provided browser extension that prevents the bank 
(RP) from accessing the credentials.

2. According to (at least the DK implementation 
<https://digitaliser.dk/resource/3436586>) of the eIDAS LOA definitions, 
IDP's must require users not to provide their credentials to any third 
parties. Otherwise the IdP status will be "Limited" which is a special 
LOA level below the three common EU LOA levels. Which means that the IdP 
will be be excluded from use in connection with almost all public 
services - and it definitely cannot claim to perform SCA for a bank.

So it seems problematic to open for embedded pass-through flows without 
a careful evaluation of the implications for the use of eIDAS.

/Henrik

Den 12-10-2017 kl. 09:51 skrev Dave Tonge via Openid-specs-fapi:
> HI Nat
>
> Sorry, slight confusion - this information is not from myself but from 
> one of the members of the ERPB PIS group - but I still think this is 
> positive movement as it provides a way for the industry to move beyond 
> screen scraping.
> The conversations are not yet in the public domain, so I don't think I 
> can provide any more details at this point.
>
> Ths issue that concerns me is the line that is being taken about 
> redirect based APIs.
> CIBA is good as it allows "decoupled" flows and doesn't count as 
> redirection, BUT even with decoupled flows many are arguing for 
> "pass-through" or "embedded" flows as well - where the banking 
> credentials are entered into a third party site and then "passed 
> through" to the bank via API.
>
> Unfortunately, the text of PSD2 supports their argument:
>
>     The payment initiation service provider shall:
>     (a) not hold at any time the payer’s funds in connection with the
>     provision of the payment initiation service;
>     (b) ensure that the personalised security credentials of the
>     payment service user are not, with the exception of the user and
>     the issuer of the personalised security credentials, accessible to
>     other parties and that *they are transmitted by the payment
>     initiation service provider through safe and efficient channels*;
>
>
> PSD2 Article 66.3
>
> I think we can make an argument that any method that involves banking 
> credentials being entered on a third party site will severely reduce 
> the "Strong Customer Authentication" methods available for that bank 
> to use.
>
> Dave
>
>
>
>
>
> On 11 October 2017 at 17:59, Nat Sakimura via Openid-specs-fapi 
> <openid-specs-fapi at lists.openid.net 
> <mailto:openid-specs-fapi at lists.openid.net>> wrote:
>
>     Thanks, Dave.
>
>     So, are you saying that ERPB (European) industry group on APIs
>     which you are co-chairing will be vetting the APIs for the
>     compliance? That sounds very positive.
>
>     On the topic of no-redirections, would something like CIBA counts
>     for redirection? IMHO, it does not make sense from the security
>     point of view to have the user put his bearer token aka password
>     into the TPP apps. With CIBA, redirection is not involved but we
>     can still avoid the above problem.
>
>     Best,
>
>     ---
>     Nat Sakimura
>     Research Fellow, Nomura Research Institute
>     Chairman of the Board, OpenID Foundation
>
>     On 2017-10-11 23:21, Dave Tonge via Openid-specs-fapi wrote:
>
>>     Dear FAPI Working Group
>>     As discussed on the call, here is the latest information we have
>>     on the RTS:
>>
>>         1.RTS is in the final stages of approval by EC – expected
>>         early Nov (effective date likely to be Sept 2019). On screen
>>         scraping (known as the fall back option) the draft EC
>>         proposal is that PSP firms will be able to seek a regulatory
>>         exemption, to be granted by the competent authority, to avoid
>>         having to supporting screen scraping at all. To obtain an
>>         exception will require a vetting process based upon at least
>>         the following criteria:
>>
>>         a.The APIs are technically PSD2/RTS compliant
>>
>>         b.They are available 3 months ahead of implementation
>>
>>         c.They have been market tested
>>
>>         d.They adhere to specific performance criteria
>>
>>         The EC also proposes that the ERPB (European) industry group
>>         on APIs, that I established and which I co-chair, could, de
>>         facto, become the industry group to ‘vet’ APIs with support
>>         and active participation by EC (DG FISMA and DG COMP) and
>>         including the national competent authorities (like FCA). This
>>         is a very significant and incredibly positive development as
>>         the EC is effectively saying that they want to ‘bless’
>>         industry to guide them, the regulators,to get this right.
>>
>>         Therefore, the OB PSD2 APIs would conceivably have to go
>>         through this vetting and approval process, which illustrates
>>         the importance of aligning our PSD2 roadmap assumptions based
>>         on the direction set at European level. This will help to
>>         avoid divergence between standards at the national level.
>>
>>         2.There have been some questions recently about the
>>         redirection model for PSU authorisation and whether it is
>>         PSD2 compliant. Directionally, the EC supports the view that
>>         “APIs must support all authentication procedures provided by
>>         the ASPSP to the PSU, but must not require the TPP to have to
>>         use the redirect option”. Strictly speaking, the EC is not
>>         banning redirection, but it does support the view that a TPP
>>         should not have to be forced to use it. Logically
>>         therefore, it cannot be the only option available. The EC
>>         also supports the view that the TPP must be “free from
>>         constraints to innovate the design of the user interface for
>>         the PSU’s consent and authorisation journey for both PIS and
>>         AIS”. Within the ERPB API group we agreed yesterday in
>>         Brussels to go into detail on this topic to define what is
>>         acceptable based on the three methods of redirect,
>>         pass-through and embedded. The objective is to set a ‘bar’ of
>>         acceptability to be blessed by the EC as a one of the
>>         criteria by which to ‘vet’ API standards for conformity with
>>         PSD2/RTS.
>>
>>
>>     -- 
>>     Dave Tonge
>>     CTO
>>     Moneyhub Enterprise
>>     <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
>>     10 Temple Back, Bristol, BS1 6FL
>>     t: +44 (0)117 280 5120
>>
>>     Moneyhub Enterprise is a trading style of Momentum Financial
>>     Technology Limited which is authorised and regulated by the
>>     Financial Conduct Authority ("FCA"). Momentum Financial
>>     Technology is entered on the Financial Services Register (FRN
>>     561538) at fca.org.uk/register <http://fca.org.uk/register>.
>>     Momentum Financial Technology is registered in England & Wales,
>>     company registration number 06909772© . Momentum Financial
>>     Technology Limited 2016. DISCLAIMER: This email (including any
>>     attachments) is subject to copyright, and the information in it
>>     is confidential. Use of this email or of any information in it
>>     other than by the addressee is unauthorised and unlawful. Whilst
>>     reasonable efforts are made to ensure that any attachments are
>>     virus-free, it is the recipient's sole responsibility to scan all
>>     attachments for viruses. All calls and emails to and from this
>>     company may be monitored and recorded for legitimate purposes
>>     relating to this company's business. Any opinions expressed in
>>     this email (or in any attachments) are those of the author and do
>>     not necessarily represent the opinions of Momentum Financial
>>     Technology Limited or of any other group company.
>>
>>     _______________________________________________
>>     Openid-specs-fapi mailing list
>>     Openid-specs-fapi at lists.openid.net
>>     <mailto:Openid-specs-fapi at lists.openid.net>
>>     http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>     <http://lists.openid.net/mailman/listinfo/openid-specs-fapi>
>
>     _______________________________________________
>     Openid-specs-fapi mailing list
>     Openid-specs-fapi at lists.openid.net
>     <mailto:Openid-specs-fapi at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>     <http://lists.openid.net/mailman/listinfo/openid-specs-fapi>
>
>
>
>
> -- 
> Dave Tonge
> CTO
> Moneyhub Enterprise 
> <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
> 10 Temple Back, Bristol, BS1 6FL
> t: +44 (0)117 280 5120
>
> Moneyhub Enterprise is a trading style of Momentum Financial 
> Technology Limited which is authorised and regulated by the Financial 
> Conduct Authority ("FCA"). Momentum Financial Technology is entered on 
> the Financial Services Register (FRN 561538) at fca.org.uk/register 
> <http://fca.org.uk/register>. Momentum Financial Technology is 
> registered in England & Wales, company registration number 06909772© . 
> Momentum Financial Technology Limited 2016. DISCLAIMER: This email 
> (including any attachments) is subject to copyright, and the 
> information in it is confidential. Use of this email or of any 
> information in it other than by the addressee is unauthorised and 
> unlawful. Whilst reasonable efforts are made to ensure that any 
> attachments are virus-free, it is the recipient's sole responsibility 
> to scan all attachments for viruses. All calls and emails to and from 
> this company may be monitored and recorded for legitimate purposes 
> relating to this company's business. Any opinions expressed in this 
> email (or in any attachments) are those of the author and do not 
> necessarily represent the opinions of Momentum Financial Technology 
> Limited or of any other group company.
>
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20171012/62fed9a2/attachment-0001.html>


More information about the Openid-specs-fapi mailing list