4.1.   Australia (Ralph)

4.2.   UK Open Banking (Ralph)

• Published ver. 3.1 last week.
• It was approved by steering group and available in OB's confluence site.
• Have authority from Steering group to start thinking about 4.0 API and what parts will be mandatory. In process of gathering info from Interop sources.
• One key feedback from API Evaluation Group is what areas API should be covering and will be taken into consideration for next version.
• Security profile which adopts FAPI R/W profile have been adopted but dates for adoption by banks are not set.
• Should be next few weeks but nothing publicly stated.

4.3.   Berling Group (Torsten)

• Meeting tomorrow and the day after. Torsten will be there.
• For last 1.03 version, Torsten contributed some enhancements to OAuth section based on Dave's security analysis of OB and Berlin group's specs. Added text for security checks recommended for security BCP.
• Berlin group did not add contributions even though it has promised to do so and there have been no proposals for collaboration from Berlin.
• Torsten pointed out problems in SCA model of initiating payment within authorization process, but was ignored.
• Vulnerable to session fixation attacks which was solved in Oauth 1.0a. Solution is to use Access token to trigger payment.
• BG considers Using access token to initiate payment a premium service.
• Not just OAuth flow impacted, but also proprietary redirect based flows and embedded mode.
• Torsten will ask when they will conduct security analysis.
• EBA published guidelines around ASPSP will get exemption from stopping screen scrapping.
• ASPSP can't ask for consent /approval. Can only do authentication.
• Not allowed to replay the request for which account you're giving access to and this is the payment you're initiating.
• Supposed to happen only at TPP side. Will send referenced section to mailing list.
• Makes for easier session fixation attack.
• Financial industry regulating something is good. Puts legal entity under competent authority.
• But not looking for technical solution but legal solution for problem of screen scraping.
• Established regulative umbrella, but increases costs and processes for TPPS.
• UK may do OB mode and PSD2 mode. OB mode has easier onboarding to attract more Fintechs.
• But will still need to be compliant to PSD2 and need to be SCA authorized in home state.
• Some countries are more strict in regulations so will face different burdens. Companies will go to countries with less strict regulations.

7.1.   Discussion on two clients using a same key on MTLS(Joseph)

• Allowing same cert to be used, under reasonable conditions make sense
• Joseph described case where applications really should be treated as different, so shouldn't do it
• If cert of a private key from R/W app is exported to Read-only app, the library relies on R/W app
• If TPP host 2 applications, 1 widely used app and 1 naughty development app. If someone manages to steal an access token from the popular properly secured cient, then he could use in naughty one.

7.2.   Next Call

• The meeting was adjourned at 14:59 UTC.