[Openid-specs-fapi] Open Banking payments presume a Monopoly
Anders Rundgren
anders.rundgren.net at gmail.com
Fri May 19 07:19:41 UTC 2023
Hi WG,
I know that the Open ID foundation is mainly about security related standards, like the FAPI profiles.
The problem is that OpenID builds on a specific architecture that actually never worked as intended. The original idea was that you should be able to use an identity provider of your choice, like your ISP. Information Cards were an early attempt to make this more realistic. W3C's Credential Management API is a more recent example.
However, it doesn't really matter what you do unless the IdPs federate. Unfortunately (or, IMO, quite logically), the motives for such measures are on the same level as federation between VISA and MasterCard. That is, non-existent. The result is that Login with Google and Facebook have become a de-facto standard.
Now, if you map this to payments (be it using Open Banking/OAuth2 or proprietary systems like EPI), you soon realize that TPPs will never federate, making life difficult for both Merchants and Consumers unless the number of TPPs/PSPs becomes very small. Is this really what the CMA and PSD2 regulators had in mind?
VRP or premium APIs are band-aids to fix problems that bubble up from architectures that do not consider the fact that federation is already at hand. What federation, you may wonder, right? To make payments scalable, banks have established interbanking networks, permitting you to transfer money from one Bank to another Bank. This federation is also known as the four-corner model.
Since Banks are technically challenged, this famous model has neither been put to work (for C2B transactions), nor been subject to research. If you consider yourself a security expert in this domain, I think it could be worthwhile digging a bit around this topic. Don't take my word for it as an "absolute truth" (I'm certainly not infallible), but this one-page document highlights what I see as watershed issues:
https://cyberphone.github.io/doc/payments/payment-authorization-models.pdf
Next week I will go to a conference in Frankfurt. The EU/EC folks who nowadays publicly claim that EPI is the future for payments are also there :) Payments using Open Banking have obviously disappeared from the radar.
Regards,
Anders R