<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
.MsoPapDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1771465064;
mso-list-type:hybrid;
mso-list-template-ids:373830792 1895229876 67698689 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:20.25pt;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:56.25pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:92.25pt;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:128.25pt;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:164.25pt;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:200.25pt;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:236.25pt;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:272.25pt;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:308.25pt;
text-indent:-9.0pt;}
@list l1
{mso-list-id:2008483437;
mso-list-template-ids:-1115029278;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Nat, Dave, Anoop and FAPI WG<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Below are my updates for the FAPI WG call this week. Note the first three items requiring FAPI WG feedback.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Gail <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level1 lfo1">
<b>FAPI clarifications (3/3 deadline)<o:p></o:p></b></li><ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
“Ask” Triggered by conversation with Open Banking Canada, but an update structured to be for any managing entity.
<o:p></o:p></li></ul>
</ol>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Request for clarifications on FAPI status, Covers spec development, estimated timing to move FAPI 2.0 to final, test development status, security analysis milestones.
<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>ii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]> Support Milestones (generic steps and timing for markets moving to launch with OIDF support, this is intentional skewed towards the faster timelines as the “best case scenario”
like a Brazil Insurance or Saudi Monetary Authority time to market.<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
Commentors<o:p></o:p></li></ul>
</ol>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Invited: WG co-chairs (Nat, Dave Anoop), Joseph, Ralph, Chris, Dima Mike L have access.
<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>ii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>All others: Let me know via email or google doc access request if anyone else can comment before Friday.
<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
<a href="https://docs.google.com/document/d/1tO9Ur21VBWv3hlaRXeSRg8dziOh4oIRfkJPVtA0pgF8/edit">https://docs.google.com/document/d/1tO9Ur21VBWv3hlaRXeSRg8dziOh4oIRfkJPVtA0pgF8/edit</a>
<o:p></o:p></li></ul>
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level1 lfo1">
<b> FAPI recommendation on FAPI 1.0 vs FAPI 1.0+PAR vs FAPI 2.0 (target 3/17)<o:p></o:p></b></li><ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
7 months has passed since the FAPI WG recommendation in July 2022 comparing the FAPI standards and WG recommendations:
<span style="color:black"><a href="https://openid.net/wordpress-content/uploads/2022/08/OIDF_FAPI-Profiles-Comparisons_2022-07-27.pdf"><span style="font-family:"Arial",sans-serif;color:#1155CC">https://openid.net/wordpress-content/uploads/2022/08/OIDF_FAPI-Profiles-Comparisons_2022-07-27.pdf</span></a></span><span style="font-family:"Arial",sans-serif;color:black">.</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
<span style="font-family:"Arial",sans-serif;color:black">Does the Working group believe updated advice is merited now, e.g. stronger encouragement for markets moving to launch in 2H 2023 to start with FAPI 2.0? And our views on migration of FAPI 1.0 markets
to FAPI 2.0? </span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
<span style="font-family:"Arial",sans-serif;color:black">If YES</span><o:p></o:p></li></ul>
</ol>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]><span style="font-family:"Arial",sans-serif;color:black">Any changes recommended to be published in the next 2-3 weeks to be timely.
</span><o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>ii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]><span style="font-family:"Arial",sans-serif;color:black">Who from WG will update this briefing with the new information and WG recommendations?
</span><o:p></o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level1 lfo1">
<b>NIST 8389 New Questions on “Cybersecurity Considerations for Open Banking Technology & Emerging Standards” – Due 3/31<o:p></o:p></b></li><ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
NIST asked entities that commented on 8389 to provide comments on a new set of questions for a clarification section, questions that are very relevant for FAPI WG to comment on…
<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
Mark Haine has been confirmed by Board as Distinguished Engineer to assist on several deliverables including requests for comment. Mark will take first stab on these questions, and confirm alignment with CFPB comments already made. They will then be shared
FAPI WG for feedback via google docs. Mark can also coordinate a subgroup to confirm messages if desired by WG.
<o:p></o:p></li></ul>
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level1 lfo1">
<b>NIST 800-63-4 feedback <o:p></o:p></b></li><ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
Mark Haine will also be coordinating feedback across WGs on 800-63-4<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
Feedback requested from OIDF members by 3/10<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
Those from FAPI WG who are able to help synthesize and draft feedback for cover letter and line item changes to 800-63-4 are welcome to a series of 4 huddle sessions that will be between 3/10 and 3/23 before 3/24 deadline<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
NIST’s NCCoE invited Gail to be on a panel on an “Innovating Identity Proofing Panel” 3/9 130-3pm ET with a structured agenda. Registration link here:
<a href="https://www.nccoe.nist.gov/get-involved/attend-events/innovating-identity-proofing">
https://www.nccoe.nist.gov/get-involved/attend-events/innovating-identity-proofing</a><o:p></o:p></li></ul>
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level1 lfo1">
<b>Other Market updates<o:p></o:p></b></li><ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
Australia<o:p></o:p></li></ul>
</ol>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Pending confirmation of contract signing for WorkPackage 2 by Treasury and University of Stuttgaart so we can kick off that workstream.
<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>ii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Pending feedback from ACCC on certification workstream, and potential collaboration after our initial brief earlier in Feb<o:p></o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
Canada<o:p></o:p></li></ul>
</ol>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Small group checkpoint held at their request 2/27<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>ii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>No decisions on spec selection yet, but it sounds like they are getting close to making decisions. They are also moving at pace towards a rapid market launch.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>iii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Timely support of questions like those above in (1) is important) to support their due process<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>iv.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>They confirmed they had read all of our whitepapers (drafts and finals) and found them to be very valuable documents. This is a great tribute to the lead editors and contributors—your
work is appreciated and seems to be resonating! <o:p></o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:-15.75pt;mso-list:l0 level2 lfo1">
US<o:p></o:p></li></ul>
</ol>
<p class="MsoListParagraph" style="margin-left:92.25pt;text-indent:-92.25pt;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>CFPB “informal” brief and 2-way conversation with FAPI WG representatives confirmed for 3/7 (Gail to be there in person)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From:<span class="apple-converted-space"> </span></span></b><span style="font-size:12.0pt;color:black">"Laplante, Phillip A. (Fed)" <<a href="mailto:phillip.laplante@nist.gov" title="mailto:phillip.laplante@nist.gov"><span style="color:#0563C1">phillip.laplante@nist.gov</span></a>><br>
<b>Date:<span class="apple-converted-space"> </span></b>Monday, February 27, 2023 at 11:46 AM<br>
<b>Cc:<span class="apple-converted-space"> </span></b>"Voas, Jeff (Fed)" <<a href="mailto:jeff.voas@nist.gov" title="mailto:jeff.voas@nist.gov"><span style="color:#0563C1">jeff.voas@nist.gov</span></a>><br>
<b>Subject:<span class="apple-converted-space"> </span></b>Draft NISTIR 8389 Open Banking Revision</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">Dear Respondents to the first DRAFT of NIST 8389:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">Last year you and others commented on (or expressed interest in) the National Institute of Standards and Technology (NIST) report “<b>NISTIR 8389 (Draft) Cybersecurity Considerations for Open Banking Technology and
Emerging Standards</b>” (</span><span style="color:black"><a href="https://csrc.nist.gov/publications/detail/nistir/8389/draft" title="https://csrc.nist.gov/publications/detail/nistir/8389/draft"><span style="font-size:12.0pt;color:#0563C1">https://csrc.nist.gov/publications/detail/nistir/8389/draft</span></a></span><span style="font-size:12.0pt;color:black">).</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">NIST is in the process of revising that document. From some of the responses, it is clear to us that the initial document did not clearly state the document’s intent correctly.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">It is important to note NIST does<span class="apple-converted-space"> </span><b>not<span class="apple-converted-space"> </span></b>involve itself in policy or regulatory issues. NIST offers technical guidance and recommendations,
which are made public through its documents. NIST 8389 was intended to only offer information about cybersecurity and privacy concerns for OB.<span class="apple-converted-space"> </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">Based on the comments received, we are adding a new section to the updated DRAFT NIST 8389. This section will contain responses to the questions below. We feel that feedback from the initial respondents to these questions
is necessary to create the next draft of NISTIR 8389.<span class="apple-converted-space"> </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">The process will proceed as follows. You (or your designee) are invited to respond (via email) to the set of questions below. You may choose to respond to all or some of the questions or not to respond at all. We invite
your participation (or a designee) to respond in writing to these questions. The findings and recommendations will be used to rework the existing version of 8389. Please note that due to the limits on the scope of our NIST roles, the focus of the panel will
be on Cybersecurity and Privacy Considerations<span class="apple-converted-space"> </span><b>only</b><span class="apple-converted-space"> </span>and not on legislation, banking laws, policy, or other non-technical areas, even though we recognize that these
may be intertwined.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">Please indicate if you or your designee would be interested in participating. You will have 30 days (<b>due date is March 31</b>) to respond. Your responses will be compiled with those of the other participants, which
may be included in the next draft of the document. You may also choose to keep your name or that of your organization anonymous.<span class="apple-converted-space"> </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<b><span style="font-size:12.0pt;color:black">Basic Questions</span></b><span style="color:black"><o:p></o:p></span></p>
<ol style="margin-top:0in;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px" start="1" type="1">
<li class="MsoListParagraph" style="color:black;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-size:12.0pt">In terms of cybersecurity and infrastructure, what will it take to get to open banking (OB) in the US, i.e., what is the path?<span class="apple-converted-space"> </span></span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-size:12.0pt">What are the technical obstacles and technical problems that need to be solved?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-size:12.0pt">Are there necessary and sufficient standards to enable practical implementation of OB?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-size:12.0pt">Are there necessary and sufficient security protocols to protect public interest?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-size:12.0pt">What is a realistic timeframe for OB to be rolled out to the public?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-size:12.0pt">Why would consumers trust OB when consumers mistrust Internet transactions?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;mso-line-height-alt:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-size:12.0pt">Is it reasonable for consumers to need to understand APIs to participate in OB?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;line-height:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-family:"Arial",sans-serif;color:#222222;background:white">What are the most likely cyberattacks on consumers that OB enables?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-left:0in;line-height:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-family:"Arial",sans-serif;color:#222222;background:white">What, if any, privacy concerns should consumers consider before trusting OB?</span><o:p></o:p></li><li class="MsoListParagraph" style="color:black;margin-bottom:8.0pt;margin-left:0in;line-height:11.55pt;mso-list:l1 level1 lfo2">
<span style="font-family:"Arial",sans-serif;color:#222222;background:white">Non-US countries seem to be ahead of the US in rolling-out OB? Why?</span><o:p></o:p></li></ol>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:12.0pt;color:black">Thank you again for your interest in and contributions to this work.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Jeff Voas, PhD<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Computer Scientist<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Secure Systems and Applications Group<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Computer Security Division<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Information Technology Lab<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">NIST<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Phillip A. Laplante, CSDP, PE, PhD<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Computer Scientist<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Secure Systems and Applications Group<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Computer Security Division<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">Information Technology Lab<o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black">NIST<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>