[Openid-specs-fapi] Open Banking, Open Data Whitepaper - Final comments by **March 14**
Gail Hodges
gail.hodges at oidf.org
Thu Mar 3 20:44:45 UTC 2022
FAPI WG
I am pleased to confirm that the OpenID Foundation submitted comments on the NISTIR 8389 publication on Open Banking, as per their March 3 deadline today. That submission is below, including the draft Open Banking whitepaper.
Many thanks to Dave for his herculean efforts to draft the NIST comments and the whitepaper so swiftly, and ensuring a quality submission to NIST. Also, many thanks to the FAPI WG for your comments in the draft and in the WG calls.
We invite the WG to make any further comments by EOD March 14th so that we can move to “final”, and send it to NIST and publish it for the benefit of the global community.
Please pay special attention to the following:
* OIDF recommendations in the whitepaper, to ensure they reflect the consensus view of the WG
* Our references to market implementations, we want to ensure we are accurate, fair, and balanced – for implementations that selected FAPI and those that have not.
Google Doc Link:
https://docs.google.com/document/d/18i1f-lYd7VgAyw_2vYZChlFcSZwG_yK_epF7wAJkBaw/edit#heading=h.o66ldbq1qca8
Gail
From: Gail Hodges <gail.hodges at oidf.org>
Date: Thursday, March 3, 2022 at 12:30 PM
To: "nistir-8389-comments at nist.gov" <nistir-8389-comments at nist.gov>
Cc: Dave Tonge <dave.tonge at moneyhub.com>, nat_fwd <nat at nat.consulting>, Don Thibeau <don at oidf.org>, Mike Leszcz <mike.leszcz at oidf.org>
Subject: Comments on NISTIR 8389 -- OpenID Foundation
Attn: National Institute of Standards and Technology; Computer Security Division, Information Technology Laboratory
Re: Comments on NISTIR 8389 - Cybersecurity Considerations for Open Banking Technology and Emerging Standards
Dear Sir or Madam,
Thank you for this publication; it is informative, and we hope it will be a useful resource for those seeking to understand Open Banking.
The OpenID Foundation has played a pivotal role in Open Banking security standards, and we welcome your reference to our standards work on FAPI in NISTIR 8389. As a non-profit standards body, we are keen to ensure our standards continue to serve the global community.
We are pleased to share an advance copy of our Open Banking Whitepaper, in draft format, which shares some of our experience globally. We will share the final version of this whitepaper, targeted for publication March 16, 2022.
In addition to the whitepaper we have the following comments on NISTIR 8389:
Lines 586-629 - Australia
The CDR ecosystem originally didn’t include payment and action initiation (line 609). It is being discussed as a future roadmap item now.
The original CDR design included a lot of custom extensions that caused multiple security and interoperability concerns. These are still being remediated by the industry as a part of complete alignment to FAPI1 and transition to FAPI2.
Lines 793-797 - Brazil
It is mandatory for large to mid-sized financial institutions and any institution that will interact with those covered by the Brazilian legal framework.
A trust model and a directory were created such that parties are not required to put in place direct contracts to interact.
A payment initiation protocol was defined such that multiple payment operators are emerging.
Lines 800-805 - Japan
Most banks were strongly advised by the FSA to offer APIs to Fintechs by 2019, and most banks obliged, although the APIs are not standardized. Banks and Fintechs are mandated to enter into individual contractual agreements, which limited scalability in terms of interconnection among them.
For QR code payment, PayPay, which is offered by Z Holdings, is the most prevalent one. As a standardization effort, there is a QR code scheme, JPQR, which standardized some aspects of QR code payment.
Lines 943-946 - API Security
We suggest that you strongly recommend that any Open Banking or Open Finance initiative should adopt an established API security profile. From a security perspective there are many increased risks when an initiative “rolls its own” security profile.
We suggest that, as well as mentioning the UK, reference be made to other jurisdictions like Australia, Brazil, New Zealand, Russia, US/Canada (FDX) and the many private ecosystems that are also using FAPI as their security profile.
We also ask that you remove the space between “Open” and “ID” - it is a single word, “OpenID”. In addition, is it possible to use the abbreviation FAPI after the reference to “Financial Grade API”?
Please can you mention the fact that the FAPI security profiles went through formal security analysis and come with comprehensive conformance tests and certification for both data providers and data recipients. FAPI conformance testing covers a large range of positive and negative test cases and focuses on security and interoperability. The FAPI conformance tests have caught serious security vulnerabilities and interoperability issues in API platform implementations developed by large multinational banks, despite those passing through many rounds of internal and external security testing. Vendors from around the world, and hundreds of data providers and data recipients in the UK, Australia, and Brazil have completed FAPI certification. All certifications are published on the OIDF website: https://openid.net/certification/.
It is strongly recommended by the global open banking community:
* For all participants to complete FAPI conformance testing before joining the ecosystem, and to consider the cadence of recertification.
* All ecosystem API interactions should follow the same security profile.
* Ecosystem to perform regular end-to-end security review of the ecosystem including all participants (data recipients, data providers and the registry).
* Simplify participant interactions and avoid custom standards.
* New ecosystems should consider adopting the FAPI 2 framework (the next iteration of the FAPI specs that builds on the experience of rolling out FAPI 1 in many ecosystems). This will significantly simplify security profile compliance for all participants.
Lines 947 to 951 - SAML
We are not sure whether it is worth mentioning SAML here. It is primarily a single sign-on protocol and is missing many features which are needed for secure implementations of Open Banking.
Lines 959-964 - Privacy and Consent
Privacy is an integral part of any Open Banking initiative, and user consent is one of its most important building blocks. Open Banking and Open Finance are about data sharing that cannot happen without user consent.
To ensure interoperability in the ecosystem, adequate security and satisfaction of privacy regulations, user consent at API and flow level shall be standardized across jurisdictions and based on solid, broadly recognized standards.
OpenID's FAPI not only refers to the privacy framework but also aims to standardize consent requests and consent management. It is designed to support the user experience defined by various jurisdictions. It leverages proven, broadly adopted open standards.
We suggest paying more attention in NISTIR 8389 to user consent. We also suggest recognizing FAPI as the recommended API and flow-level standard for consent-related operations. It will help limit the proliferation of jurisdiction-specific consent operations approaches in the open banking and open finance spaces. We believe that such recommendations will strengthen security, improve interoperability and speed up ecosystem growth.
Line 978
Is it worth mentioning the Financial Data Exchange (FDX) here? It has 208 member organizations and is currently the driving force behind Open Banking in the US, and a key participant in the Open Banking effort in Canada as well.
Last, the OpenID Foundation anticipates making additional recommendations regarding Dynamic Client Registration, the operations of participant registration, and how other technologies like decentralized solutions can complement the FAPI family of standards. Those comments will be included in the final draft of the whitepaper targeted for March 16, 2022.
Many thanks for the opportunity to provide our comments. As per the whitepaper, you are welcome to contact the OpenID Foundation at Director at oidf.org with any follow-up questions, or to talk through our comments.
Dave Tonge
Co-Chair FAPI WG
OpenID Foundation
Attachment: Open Banking OIDF Whitepaper - Draft 1.0 332022.pdf (application/pdf, 199604 bytes)
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20220303/aba63292/attachment-0001.pdf>