[Openid-specs-fapi] VRP. Re: Strong MERCHANT Authentication

Joseph Heenan joseph at authlete.com
Mon Apr 13 16:08:02 UTC 2020



> On 13 Apr 2020, at 15:47, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
> 
> On 2020-04-13 15:52, Joseph Heenan wrote:
>>> On 12 Apr 2020, at 07:21, Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>>> 
>>> How is FAPI going to handle VRP?
>> That’s essentially out of scope - but the alternate question of “How do you do VRP with FAPI” the answer is that you obtain authorization from the user for VRP (exactly the same as you would for a single payment, other than showing a differing consent request to the user), resulting in an access token (and optional refresh token) that allows long term access to a payment API that could be used to transfer money from a particular set of bank accounts.
>> VRP in the UK OpenBanking ecosystem has to solve two problems:
>> 1) the non-technical issue that the banks don’t want to do it (except potentially under a commercial contract)
> 
> That's strange, similar schemes are in heavy use since ages back, albeit using other “APIs”.

All the similar schemes (at least in the UK) I’m aware of similarly require a commercial contract of one form or another - ApplePay & competitors, VISA/Mastercard credit or debit, direct debits, etc.

There’s still an open question in the UK as to whether the CMA will require the largest 9 banks (those subject to the “CMA order”) to provide VRP APIs; they’re definitely due to provide some functionality that allows the “sweeping” use case and my reading is those banks need to provide it on the same basis as their PSD2 APIs.

Joseph


