<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Thanx Gail,<br>
<br>
I don't have anything to add to the document, but payments through
Open Banking APIs do not address bank and payment instrument
selection, something the regular payment industry has had for
decades.<br>
<br>
Thanx,<br>
Anders<br>
<br>
On 2022-03-03 21:44, Gail Hodges via Openid-specs-fapi wrote:<br>
</div>
<blockquote type="cite"
cite="mid:83BBD180-B160-45E3-9562-20A5544CCA26@oidf.org">
<div class="WordSection1">
<p class="MsoNormal">FAPI WG</p>
<p class="MsoNormal">I am pleased to confirm that the OpenID Foundation submitted
comments on the NISTIR 8389 publication on Open Banking, as per their
March 3 deadline today. That submission is below, including the draft
Open Banking whitepaper.</p>
<p class="MsoNormal">Many thanks to Dave for his herculean efforts to draft the
NIST comments and the whitepaper so swiftly, and for ensuring a quality
submission to NIST. Also, many thanks to the FAPI WG for your comments in
the draft and in the WG calls.</p>
<p class="MsoNormal"><b>We invite the WG to make any further comments by EOD
March 14<sup>th</sup> so that we can move to “final”, and send it to NIST and
publish it for the benefit of the global community.</b></p>
<p class="MsoNormal">Please pay special attention to the following:</p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in">OIDF recommendations in the
whitepaper, to ensure they reflect the consensus view of the WG</li>
<li class="MsoListParagraph" style="margin-left:0in">Our references to market
implementations: we want to ensure we are accurate, fair, and balanced – for
implementations that selected FAPI and those that have not.</li>
</ul>
<p class="MsoNormal"><b>Google Doc Link:</b></p>
<p class="MsoNormal"><b><a class="moz-txt-link-freetext" href="https://docs.google.com/document/d/18i1f-lYd7VgAyw_2vYZChlFcSZwG_yK_epF7wAJkBaw/edit#heading=h.o66ldbq1qca8">https://docs.google.com/document/d/18i1f-lYd7VgAyw_2vYZChlFcSZwG_yK_epF7wAJkBaw/edit#heading=h.o66ldbq1qca8</a></b></p>
<p class="MsoNormal">Gail</p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:0in;line-height:normal"><b>From: </b>Gail
Hodges <a class="moz-txt-link-rfc2396E" href="mailto:gail.hodges@oidf.org">&lt;gail.hodges@oidf.org&gt;</a><br>
<b>Date: </b>Thursday, March 3, 2022 at 12:30 PM<br>
<b>To: </b><a class="moz-txt-link-rfc2396E" href="mailto:nistir-8389-comments@nist.gov">"nistir-8389-comments@nist.gov"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:nistir-8389-comments@nist.gov">&lt;nistir-8389-comments@nist.gov&gt;</a><br>
<b>Cc: </b>Dave Tonge <a class="moz-txt-link-rfc2396E" href="mailto:dave.tonge@moneyhub.com">&lt;dave.tonge@moneyhub.com&gt;</a>,
nat_fwd <a class="moz-txt-link-rfc2396E" href="mailto:nat@nat.consulting">&lt;nat@nat.consulting&gt;</a>, Don Thibeau
<a class="moz-txt-link-rfc2396E" href="mailto:don@oidf.org">&lt;don@oidf.org&gt;</a>, Mike Leszcz
<a class="moz-txt-link-rfc2396E" href="mailto:mike.leszcz@oidf.org">&lt;mike.leszcz@oidf.org&gt;</a><br>
<b>Subject: </b>Comments on NISTIR 8389 -- OpenID Foundation</p>
</div>
<p class="MsoNormal"><span lang="EN">Attn: National Institute of
Standards and Technology; Computer Security Division,
Information Technology Laboratory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:'Open Sans Medium'" lang="EN">Re: Comments on NISTIR 8389 -
Cybersecurity Considerations for Open Banking Technology and
Emerging Standards</span></p>
<p class="MsoNormal"><span lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN">Dear Sir or Madam,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">Thank you for this
publication; it is informative, and we hope it will be a useful
resource for those seeking to understand Open Banking.</span></p>
<p class="MsoNormal"><span lang="EN">The OpenID Foundation has
played a pivotal role in Open Banking security standards,
and we welcome your reference to our standards work on FAPI
in NISTIR 8389. As a non-profit standards body, we are keen
to ensure our standards continue to serve the global
community.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">We are pleased to share an
advance copy of our Open Banking Whitepaper, in draft
format, which shares some of our experience globally. We
will share the final version of this whitepaper, targeted
for publication March 16, 2022. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">In addition to the
whitepaper we have the following comments on NISTIR 8389:<o:p></o:p></span></p>
<h3><a name="_q4aj28s1bx08" moz-do-not-send="true"></a><span
lang="EN">Lines 586-629 - Australia<o:p></o:p></span></h3>
<p class="MsoNormal"><span lang="EN">The CDR ecosystem
originally didn’t include payment and action initiation
(line 609). It is being discussed as a future roadmap item
now.</span></p>
<p class="MsoNormal"><span lang="EN">The original CDR design
included a lot of custom extensions that caused multiple
security and interoperability concerns. These are still
being remediated by the industry as a part of complete
alignment to FAPI1 and transition to FAPI2.<o:p></o:p></span></p>
<h3><a name="_5kk2q3jhb9m3" moz-do-not-send="true"></a><span
lang="EN">Lines 793-797 - Brazil<o:p></o:p></span></h3>
<p class="MsoNormal"><span lang="EN">It is mandatory for large
to mid-sized financial institutions and any institution that
will interact with those covered by the Brazilian legal
framework.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">A trust model and a
directory were created such that parties are not required to
put in place direct contracts to interact.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">A payment initiation
protocol was defined such that multiple payment operators
are emerging.<o:p></o:p></span></p>
<h3><a name="_j40c759x2izs" moz-do-not-send="true"></a><span
lang="EN">Lines 800-805 - Japan<o:p></o:p></span></h3>
<p class="MsoNormal"><span lang="EN">Most banks were strongly
advised by the FSA to offer APIs to Fintechs by 2019, and most
banks obliged, although the APIs are not standardized. Banks and
Fintechs are mandated to enter into individual contractual
agreements, which has limited scalability in terms of
interconnection among them.</span></p>
<p class="MsoNormal"><span lang="EN">For QR code payment, PayPay,
which is offered by Z Holdings, is the most prevalent one. As a
standardization effort, there is a scheme code, JPQR, which
standardized some aspects of QR code payment.</span></p>
<h3><a name="_yomous9s80ng" moz-do-not-send="true"></a><span
lang="EN">Lines 943-946 - API Security<o:p></o:p></span></h3>
<p class="MsoNormal"><span lang="EN">We suggest that you
strongly recommend that any Open Banking or Open Finance
initiative should adopt an established API security profile.
From a security perspective there are many increased risks
when an initiative “rolls its own” security profile. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">We suggest that as well as
mentioning the UK that reference be made to other
jurisdictions like Australia, Brazil, New Zealand, Russia,
US/Canada (FDX) and many private ecosystems who are also
using FAPI as their security profile.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">We also ask that you remove
the space between “Open” and “ID” - it is a single word,
“OpenID”. In addition, is it possible to use the
abbreviation FAPI after the reference to “Financial Grade
API”?</span></p>
<p class="MsoNormal"><span lang="EN">Please can you mention the
fact that FAPI security profiles went through formal
security analysis and come with comprehensive conformance
tests and certification for both data providers and data
recipients. FAPI conformance testing covers a large range of
positive and negative test cases and focuses on security and
interoperability. The FAPI conformance tests have caught
</span><span style="font-family:'Open Sans Medium'"
lang="EN">serious security vulnerabilities and
interoperability issues in API platform implementations</span><span
lang="EN"> developed by large multinational banks, despite
those passing through many rounds of internal and external
security testing. Vendors from around the world, and
hundreds of data providers and data recipients in the UK,
Australia, and Brazil have completed FAPI certification. All
certifications are published on the OIDF website:
<a href="https://openid.net/certification/"
moz-do-not-send="true"><span style="color:#1155CC">https://openid.net/certification/</span></a>.</span></p>
<p class="MsoNormal"><span lang="EN">It is strongly recommended
by the global open banking community:</span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="margin-bottom:0in;mso-list:l0
level1 lfo3"><span lang="EN">For all participants to
complete FAPI conformance testing before joining the
ecosystem, and to consider the cadence of recertification.</span></li>
<li class="MsoNormal" style="margin-bottom:0in;mso-list:l0
level1 lfo3"><span lang="EN">All ecosystem API interactions
should follow the same security profile.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom:0in;mso-list:l0
level1 lfo3"><span lang="EN">Ecosystem to perform regular
end-to-end security review of the ecosystem including all
participants (data recipients, data providers and the
registry).<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom:0in;mso-list:l0
level1 lfo3"><span lang="EN">Simplify participant
interactions and avoid custom standards.<o:p></o:p></span></li>
<li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span
lang="EN">New ecosystems should consider adopting the FAPI
2 framework (the next iteration of the FAPI specs that
builds on the experience of rolling out FAPI 1 in many
ecosystems). This will significantly simplify security
profile compliance for all participants. <o:p></o:p></span></li>
</ul>
<h3><a name="_m68tu8tnj925" moz-do-not-send="true"></a><span
lang="EN">Lines 947 to 951 - SAML<o:p></o:p></span></h3>
<p class="MsoNormal"><span lang="EN">We are not sure whether it
is worth mentioning SAML here. It is primarily a single
sign-on protocol and is missing many features which are
needed for secure implementations of Open Banking.
<o:p></o:p></span></p>
<h3><a name="_jqmkc0c3ksv0" moz-do-not-send="true"></a><span
lang="EN">Lines 959-964 - Privacy and Consent<o:p></o:p></span></h3>
<p class="MsoNormal"><span lang="EN">Privacy is an integral part
of any Open Banking initiative, and user consent is one of
its most important building blocks. Open Banking and Open
Finance are about data sharing that cannot happen without
user consent.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">To ensure interoperability
in the ecosystem, adequate security and satisfaction of
privacy regulations, user consent at API and flow level
shall be standardized across jurisdictions and based on
solid, broadly recognized standards.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">OpenID's FAPI not only
refers to the privacy framework but also aims to standardize
consent requests and consent management. It is designed to
support user experience defined by various jurisdictions. It
leverages proven broadly adopted open standards. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">We suggest paying more
attention in NISTIR 8389 to user consent. We also suggest
recognizing FAPI as the recommended API and flow-level
standard for consent-related operations. It will help limit
the proliferation of jurisdiction-specific consent
operations approaches in the open banking and open finance
spaces. We believe that such recommendations will strengthen
security, improve interoperability and speed up ecosystem
growth.
<o:p></o:p></span></p>
<h3><a name="_gn9w7wyjteib" moz-do-not-send="true"></a><span
lang="EN">Line 978<o:p></o:p></span></h3>
<p class="MsoNormal"><span lang="EN">Is it worth mentioning the
Financial Data Exchange (FDX) here? It has 208 member
organizations and is currently the driving force behind Open
Banking in the US, and a key participant in the Open Banking
effort in Canada as well.</span></p>
<p class="MsoNormal"><span lang="EN">Last, the OpenID Foundation
anticipates making additional recommendations regarding
Dynamic Client Registration, the operations of participant
registration, and how other technologies like decentralized
solutions can complement the FAPI family of standards. Those
comments will be included in the final draft of the
whitepaper targeted for March 16, 2022.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">Many thanks for the
opportunity to provide our comments. As per the whitepaper,
you are welcome to contact the OpenID Foundation at
<a href="mailto:Director@oidf.org" moz-do-not-send="true"><span
style="color:#1155CC">Director@oidf.org</span></a> with
any follow-up question, or to talk through our comments.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN">Dave Tonge <o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal"><span lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;line-height:normal"><span lang="EN">Co-Chair
FAPI WG
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN">OpenID Foundation</span></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Openid-specs-fapi mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="https://lists.openid.net/mailman/listinfo/openid-specs-fapi">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</a>
</pre>
</blockquote>
<br>
</body>
</html>