<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"MS ゴシック";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"\@MS ゴシック";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"MS Pゴシック";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
@font-face
{font-family:"Open Sans";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"\@MS Pゴシック";
panose-1:2 11 6 0 7 2 5 8 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0mm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"MS Pゴシック";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.17
{mso-style-type:personal-reply;
font-family:"Arial",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Arial",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:99.25pt 30.0mm 30.0mm 30.0mm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026">
<v:textbox inset="5.85pt,.7pt,5.85pt,.7pt" />
</o:shapedefaults></xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=JA link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><a name="_MailEndCompose"><span lang=EN-US style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>What is on the FAPI specs right now is primarily what was in DDA. Thus, only intra-bank transfer is captured. <o:p></o:p></span></a></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>But the WG envisioned inter-bank transfer as a use case from the beginning. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"MS ゴシック";color:#1F497D'>--<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"MS ゴシック";color:#1F497D'>PLEASE READ :This e-mail is confidential and intended for the<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"MS ゴシック";color:#1F497D'>named recipient only. If you are not an intended recipient,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"MS ゴシック";color:#1F497D'>please notify the sender and delete this e-mail.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0mm 0mm 0mm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0mm 0mm 0mm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Openid-specs-fapi [mailto:openid-specs-fapi-bounces@lists.openid.net] <b>On Behalf Of </b>Tom Jones via Openid-specs-fapi<br><b>Sent:</b> Friday, March 24, 2017 9:53 AM<br><b>To:</b> Dave Tonge <dave.tonge@momentumft.co.uk>; Financial API Working Group List <openid-specs-fapi@lists.openid.net><br><b>Subject:</b> Re: [Openid-specs-fapi] Fine-grained authorization for payments<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><div><p class=MsoNormal><span lang=EN-US>The context of these emails is a bit unclear. The only piece in the spec on the FAPI site is a transfer, which I take to be a intra-bank transfer.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>It is unclear if the above is about a payment object sent to the bank of the "user" making a payment to a bank account of a "recipient,<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>or if it is about a payment object sent to the bank of the 'user' requesting that the bank make a payment to a previously established correspondent of the 'user'<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>In any case the receipt might be only an acknowledgement that a payment will occur on a future date, or it might be a completely async response to money becoming available to the recipient.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>I guess that more context of the problem being solved would be helpful. ..tomj<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On Thu, Mar 23, 2017 at 3:48 PM, Dave Tonge via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>> wrote:<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0mm 0mm 0mm 6.0pt;margin-left:4.8pt;margin-right:0mm'><div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>Hi Tom, Nat<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>Thanks for the replies.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>Tom - as Nat said I fully expect the FI's to run their own checks, I'm just talking about kicking off the process. <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>In Europe with PSD2 we have legislation that bank customers can use PISPs (payment initiation service providers) to initiate payments. <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>Nat, thanks I didn't realise about the request object registration endpoint - it seems an excellent fit. The OIDC spec isn't particularly clear about it though, but <a href="https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-12#section-10.3" target="_blank">https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-12#section-10.3</a> paragraph D explains it fully.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>The 4 suggested endpoints look good, although I would maybe join 3 and 4?<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>I have a couple of follow up questions:<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>1. Would you envisage passing the fine-grained payment details in the claims property of the request object?<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>2. The "commit of intent" API I see as being an auth code flow. Essentially the resource owner is granting access to a very specific resource (a single payment transaction). However if we follow an auth code flow then we would expect to end up with an access token. That token could then be used to commit the intent. Does this make sense to you?<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>Thanks again - I will feed this into the UK Open Banking group.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>I'm also working on the ability to share some of the proposed endpoints form that group with the FAPI WG.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>Thanks<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'>Dave<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-family:"Trebuchet MS",sans-serif'><o:p> </o:p></span></p></div></div><div><div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On 23 March 2017 at 20:57, Nat Sakimura via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>> wrote:<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0mm 0mm 0mm 6.0pt;margin-left:4.8pt;margin-right:0mm'><p class=MsoNormal><span lang=EN-US>Hi<br><br>Just briefly on the point of the outbound access by the banks.<br><br>Banks can provide request object registration endpoint that produces requiest_uri.<br>This should solve the problem. In fact, this was one of the main use case.<br>That's why the spec is saying "The request_uri value MUST be reachable by the Authorization Server, and SHOULD be reachable by the Client." in section 6.2 of the OpenID Connect Core.<br><br>I do not think UMA has anything to do here.<br><br>Also, I should note that any transfer/payment request is only request.<br>After the request is being authorized by the user and committed, banks needs to screen it for AML purposes etc. So, having sufficient funds alone is not a sufficient condition for it to go through. Payment will not be synchronous.<br><br>So, in general, form the API point of view,<br><br>1. Creation of the intent (registering of the request object: request object endpoint)<br>2. Commit of the intent (preferably done on a second channel: authorization endpoint and user questioning)<br>3. Payment status check / callback / notification (status check endpoint)<br>4. Getting Payment result / receipt (payment result endpoint)<br><br>are needed.<br><br>Also, in case of the money transfer, it often is required to have:<br><br>0.1. Destination information verification endpoint<br>0.2. Pre-registered destination account information endpoint<br><br>I have a bit of documentation explaining what NRI as a backend service provider for banks does in Japan, but they are in Japanese...<br><br>Best,<br><br>---<br>Nat Sakimura<br>Chairman, OpenID Foundation<br><br>On 2017-03-24 01:16, Dave Tonge via Openid-specs-fapi wrote:<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0mm 0mm 0mm 6.0pt;margin-left:4.8pt;margin-right:0mm'><p class=MsoNormal><span lang=EN-US>Dear FAPI WG Members<br><br>When it comes to payments, standard OAuth scopes are too<br>coarse-grained to <br>be the sole communication of the "access" to be authorised. The most<br>common scenario<br>for payments via a FAPI API is likely to be one-off payments of a<br>specific amount<br>to a specific payee (and from a specific account at a specific time).<br><br>If the FAPI spec doesn't address the communication of this data, there<br>are likely<br>to be multiple incompatible implementions.<br><br>Proposals that I've come accross include having a "staging" endpoint<br>where the <br>client registers "intent" to perform an action by sending a payload<br>with the <br>specific payment details and receives a "ticket id". This ticket id is<br>then <br>included along with high level scopes in an authorization code flow.<br>The <br>ticket id could be included in the claims parameter: <br><a href="http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter</a><br>[1] <br>or could be part of the request object:<br><a href="http://openid.net/specs/openid-connect-core-1_0.html#JWTRequests" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#JWTRequests</a> [2]<br><br>While it could be preferable to avoid having a separate staging<br>endpoint - and <br>put any extra data in a signed request object, the reality is that the<br>request <br>could be too large. While this could be solved by passing in a<br>"request_uri" <br>that points at a request object, this has issues as many banks<br>currently have <br>strict restrictions on outbound network access. Also it seems that<br>the <br>"request_uri" option would work best when the parameters in the<br>request object <br>are fairly static.<br><br>What do FAPI members think about this problem?<br>Are there existing standards that we could refer, for example it would<br>seem <br>that the UMA spec would help here?<br><a href="https://docs.kantarainitiative.org/uma/rec-uma-core.html" target="_blank">https://docs.kantarainitiative.org/uma/rec-uma-core.html</a> [3]<br><br>Thanks<br><br>Dave<br><br>--<br><br>Dave Tonge<br>CTO<br> [4]<br>10 Temple Back, Bristol, BS1 6FLt: <a href="tel:+44%20117%20280%205120" target="_blank">+44 (0)117 280 5120</a><br><br>Moneyhub Enterprise is a trading style of Momentum Financial<br>Technology Limited which is authorised and regulated by the Financial<br>Conduct Authority ("FCA"). Momentum Financial Technology is entered<br>on the Financial Services Register (FRN 561538) at<br><a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a> [5]. Momentum Financial Technology is registered<br>in England & Wales, company registration<br>number 06909772 © . Momentum Financial Technology Limited<br>2016. DISCLAIMER: This email (including any attachments) is subject<br>to copyright, and the information in it is confidential. Use of this<br>email or of any information in it other than by the addressee is<br>unauthorised and unlawful. Whilst reasonable efforts are made to<br>ensure that any attachments are virus-free, it is the recipient's sole<br>responsibility to scan all attachments for viruses. All calls and<br>emails to and from this company may be monitored and recorded for<br>legitimate purposes relating to this company's business. Any opinions<br>expressed in this email (or in any attachments) are those of the<br>author and do not necessarily represent the opinions of Momentum<br>Financial Technology Limited or of any other group company.<br><br>Links:<br>------<br>[1] <a href="http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter</a><br>[2] <a href="http://openid.net/specs/openid-connect-core-1_0.html#JWTRequests" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#JWTRequests</a><br>[3] <a href="https://docs.kantarainitiative.org/uma/rec-uma-core.html" target="_blank">https://docs.kantarainitiative.org/uma/rec-uma-core.html</a><br>[4]<br><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" target="_blank">http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A</a><br>[5] <a href="http://fca.org.uk/register" target="_blank">http://fca.org.uk/register</a><br><br>_______________________________________________<br>Openid-specs-fapi mailing list<br><a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><o:p></o:p></span></p></blockquote><div><div><p class=MsoNormal><span lang=EN-US>_______________________________________________<br>Openid-specs-fapi mailing list<br><a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><o:p></o:p></span></p></div></div></blockquote></div><p class=MsoNormal><span lang=EN-US><br><br clear=all><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></div></div><p class=MsoNormal><span lang=EN-US>-- <o:p></o:p></span></p><div><div><div><div><div><div><div><div><div><div><div><p class=MsoNormal><b><span lang=EN-US style='font-size:10.5pt;font-family:"Open Sans",serif;color:#00A4B7'>Dave Tonge<o:p></o:p></span></b></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:8.5pt;font-family:"Open Sans",serif;color:#333333'>CTO<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:8.5pt;font-family:"Open Sans",serif;color:#333333'><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" target="_blank"><span style='color:#835EA5;text-decoration:none'><img border=0 width=200 height=50 id="_x0000_i1025" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" alt="Moneyhub Enterprise"></span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:8.5pt;font-family:"Open Sans",serif;color:#00A4B7'>10 Temple Back, Bristol, BS1 6FL</span><span lang=EN-US style='font-size:10.5pt;font-family:"Open Sans",serif;color:#333333'><o:p></o:p></span></p></div><p class=MsoNormal><b><span lang=EN-US style='font-size:8.5pt;font-family:"Open Sans",serif;color:#00A4B7'>t: </span></b><span lang=EN-US style='font-size:8.5pt;font-family:"Open Sans",serif;color:#333333'><a href="tel:+44%20117%20280%205120" target="_blank">+44 (0)117 280 5120</a></span><span lang=EN-US style='font-size:10.5pt;font-family:"Open Sans",serif;color:#333333'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Open Sans",serif;color:#616161'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:8.0pt;font-family:"Open Sans",serif;color:#333333'>Moneyhub Enterprise is a trading style of Momentum Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Momentum Financial Technology is entered on the Financial Services Register (FRN </span><b><span lang=EN-US style='font-size:8.0pt;font-family:"Open Sans",serif;color:#00A4B7'>561538</span></b><span lang=EN-US style='font-size:8.0pt;font-family:"Open Sans",serif;color:#333333'>) at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. Momentum Financial Technology is registered in England & Wales, company registration number </span><b><span lang=EN-US style='font-size:8.0pt;font-family:"Open Sans",serif;color:#00A4B7'>06909772</span></b><span lang=EN-US style='font-size:8.0pt;font-family:"Open Sans",serif;color:#333333'> </span><span lang=EN-US style='font-size:7.5pt;font-family:"Arial",sans-serif;color:#222222'>©</span><span lang=EN-US style='font-size:8.0pt;font-family:"Open Sans",serif;color:#333333'> . Momentum Financial Technology Limited 2016. </span><span lang=EN-US style='font-size:8.0pt;font-family:"Open Sans",serif;color:#888888'>DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Momentum Financial Technology Limited or of any other group company.</span><span lang=EN-US style='font-size:10.5pt;font-family:"Open Sans",serif;color:#333333'><o:p></o:p></span></p></div></div></div></div></div></div></div></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><br>_______________________________________________<br>Openid-specs-fapi mailing list<br><a href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><o:p></o:p></span></p></blockquote></div><p class=MsoNormal><span lang=EN-US><br><br clear=all><br>-- <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>..tom<o:p></o:p></span></p></div></div></div></div></body></html>