Open Banking

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

Open Banking is both a concept and an actual implementation in the UK.

This page addresses both the UK implementation of the EU banking standards and the concept of Open Banking.

Context

A Chris Michael interview[1] described Open Banking Limited, the brand name of the Open Banking Implementation Entity (OBIE), as a private, non-profit company established in 2016 by the UK’s Competition and Markets Authority (CMA) to create standards and implementation guidelines for United Kingdom retail banking. The organization is funded by major UK banks. Open Banking originally was focused on a subset of PSD2namely personal and business accounts in UK currency. Now the group is tackling a broader set that covers all PSD2 requirements for payment providers across Europe and includes credit cards and e-wallets, all currencies, and FX international payments. It sounds more dangerous every day.

“I think the standards will evolve even beyond that, so this is a really interesting space,” Michael said.

Part of that evolution revolves around the fact that while Open Banking is the name of a UK initiative, “open banking” as a concept is spreading globally. In Australia, for example, the Australian Government is pushing forward with Open Banking, recommending adopting the UK’s standards. Japanese banks and financial institutions are registering as payment providers and soon will be required to open their APIs. And here in the United States, Intuit’s Mint now uses OAuth to connect to select banks like Bank of America, Chase Bank, and Capital One with tokens instead of full access with username and password.

“We're also trying to make sure that these standards are true global standards. So we're working with other standards bodies globally, whether it's in Europe or other emerging markets like Australia, to try and make sure that everyone's using the same core standards,” Michael said. “What we're doing now is creating standards and implementation services for not just the CMA order but for the whole of PSD2, and our standard is designed to be one that is a European, if not a global standard, for financial APIs.”

“It's really great to see so many other markets who are adopting open banking and also who are looking to our standards as a kind of gold standard to build on,” he added. “But it's also great to talk to those other markets and talk to the identity professionals who are looking at open banking in those markets because I think there's also quite a lot that we can learn from them as well.” When it comes to standards creation, the open banking arena is changing rapidly. Open Banking originally was focused on a subset of PSD2, namely personal and business accounts in UK currency. Now the group is tackling a broader set that covers all PSD2 requirements for payment providers across Europe and includes credit cards and e-wallets, all currencies, and FX international payments—and the landscape continues to shift.

“I think the standards will evolve even beyond that, so this is a really interesting space,” Michael said.

Part of that evolution revolves around the fact that while Open Banking is the name of a UK initiative, “open banking” as a concept is spreading globally. In Australia, for example, the Australian Government is pushing forward with Open Banking, recommending adopting the UK’s standards. Japanese banks and financial institutions are registering as payment providers and soon will be required to open their APIs. And here in the United States, Intuit’s Mint now uses OAuth to connect to select banks like Bank of America, Chase Bank, and Capital One with tokens instead of username and password. At Ping, we expect that Open Banking’s version 3 standard, released in September, will reflect this growing scope.

“We're also trying to make sure that these standards are true global standards. So we're working with other standards bodies globally, whether it's in Europe or other emerging markets like Australia, to try and make sure that everyone's using the same core standards,” Michael said. “What we're doing now is creating standards and implementation services for not just the CMA order but for the whole of PSD2, and our standard is designed to be one that is a European, if not a global standard, for financial APIs.”

The Open Banking team is working with the OpenID Foundation to create a profile[2] of OpenID Connect and OAuth 2.0 called Financial-grade API, or FAPI.

Problems

The following are listed as problems that will be solved.

  • The major selling point of this effort by the European bureaucrats is for increased competition.
  • The major selling point of this effort by the standards makers is reduction of the risk caused by "screen-scraping" by personal financial consolidation software, which needs user passwords for full access without the new APIs.

There are several areas that will need to be monitored as Open Banking roles out in the EU as exacerbating existing problems in the banking world.

  1. Out right fraud https://www.bloomberg.com/news/features/2018-09-11/why-the-eu-is-furious-with-malta
  2. Money laundering

The standards are not yet fully tested in the real world with real Users. For example:

  • Banks are worried about the bearer tokens introduced with OAuth 2.0.
  • Banks and payment initiators are both trying to entice the user's to download apps which have the vulnerability of a User Experience which allows exploitation by attackers. See page Native App Security.
    • Android play store requires Native Apps to be bound to an Enterprise Web Site URL if they use the branding of that Enterprise, but there is no recognized way to bind these 3 concepts securely.
    • Apple's secretive plans are a source of uncertainty in terms of release of any type of secure binding that will encourage safe Behavior by Users.
    • This thread discusses some of the challenges of native-app to native-app interchanges where the apps are supplied by the payment initiator and the bank. The apps are considered to be user agents AND user clients, but are supplied by two organizations that moving user assets from one to the other in the back-ground. What could possibly go wrong?

Solutions

  • The UK open banking specs are keep on an open source repository.[3]
  • The Berlin Group is looking at an EU wide deployment.

Banking APIs Now in Deployment

Definitions of interest from the UK Open Banking effort. These acronyms are used through-out the already jargon-heavy industry and will cause lots of head scratching. The major issue is whether Trusted Third Party access to the Users account are read-only (for consolidated reporting - aka screen scraping), or read/write (for payment initiation).

Entity Name Type Cat Description Access
Payment Service User (PSU) Real World Entity N/A a natural or legal person making use of a payment service as a payee, payer or both No
Payment Service Provider (PSP) Legal Entity N/A A legal entity (and some natural persons) that provide payment services as defined by PSD2 Article 4(11) Yes
Account Servicing Payment Service Provider (ASPSP) Legal Entity PSP provides and maintain a payment account for a payer as defined by the PSRs and, in the context of the Open Banking Ecosystem are entities that publish Read/Write APIs to permit, with customer consent, payments initiated by third party providers and/or make their customers’ account transaction data available to third party providers via their API end points. the bank or its agent
Third Party Provider / Trusted Third Party (TPP) Legal Entity PSP organisation or natural person that use APIs developed to Standards to access customer’s accounts, in order to provide account information services and/or to initiate payments. Third Party Providers are PISPs or AISPs. see PISP and AISP below
Payment Initiation Service Provider (PISP) Legal Entity TPP provide an online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider. read write
Account Information Service Provider (AISP) Legal Entity TPP provide account information services to consolidated information on one or more payment accounts held by a payment service user with one or more payment service provider(s). read only
Financial Conduct Authority Legal Entity Federation Owner The FCA is the competent authority for the UK No

References

  1. Saira Guthrie, Open Banking and Identity: Chris Michael Talks Current State, Trends and the Future. Ping (2018-09-19) https://www.pingidentity.com/en/company/blog/posts/2018/open-banking-identity-chris-michael-talks-current-state-trends-future.html?
  2. UK Open Banking OIDC Security Profile. https://bitbucket.org/openid/obuk/src/4630771db004da59992fb201641f5c4ff2c881f1/uk-openbanking-security-profile.md?at=master&fileviewer=file-view-default
  3. Open Banking Specs version 1.1.1-rc1 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/28737919/The+Open+Banking+Directory+-+v1.1.1-rc1

External Sites