banking protocol docs

1 files changed, 84 insertions, 0 deletions

diff --git a/libeufin/banking-protocols.rst b/libeufin/banking-protocols.rst
new file mode 100644
index 00000000..91c0f599
--- /dev/null
+++ b/libeufin/banking-protocols.rst
@@ -0,0 +1,84 @@
+Banking Protocols
+#################
+
+This page collects information we have about banking protocols available around
+the world.
+
+
+Open Financial Exchange (OFX) Direct Connect
+============================================
+
+`OFX <https://www.ofx.net/>`__ is widely used in the US.  It defines a completely
+custom protocol (based on HTTP) and data formats (**not** based on ISO20022) for banking.
+
+
+Electronic Banking Internet Communication Standard (EBICS)
+==========================================================
+
+EBICS is used primarily in Germany, France and Switzerland.  Some banks (such as BNPParibas
+with their `Global Ebics <https://cashmanagement.bnpparibas.com/our-solutions/solution/global-ebics> offering`__)
+also allow EBICS access to accounts in other countries.
+
+EBICS is just a transfer layer for communicating with banks.  Banks define what
+messages they support.  In practice, EBICS is very often used to transfer
+ISO20022 messages.
+
+German banks that are part of the German Banking Industry Committee all must offer EBICS access.
+Thus this protocol is a good choice for the German market.
+
+
+FinTS / HBCI
+============
+
+German home-banking standard.  Only some banks allow authentication based on key pairs.
+Due to different interpretation of PSD2, other banks now only allow authentication
+methods that require interaction from the customer (SCA / Strong Customer Authentication).
+
+Payloads these days can be ISO20022 messages.
+
+
+PSD2
+====
+
+PSD2 is not a technical standard, but high-level legal requirements on (amongst other things) APIs
+that banks have to offer.
+
+There are many implementations of PSD2 APIs.  The `Berlin Group <https://www.berlin-group.org/>`__
+provides a framework that somewhat standardizes technical details, but the use of this standard
+is by no means necessary.
+
+Unfortunately, it focuses on *other* parties accessing *your* bank account.  It
+does not give customers access to their own bank account.  Customers can manage
+third party access they give to their bank account in their online banking
+system.  That mechanism is conceptually similar to OAuth2.  In fact, some
+implementations of PSD2 even use OAuth2 directly.
+
+PSD2 requires two main services to be available via an API:
+
+* AIS (Account Information Service).
+* PIS (Payment Initiation Service).
+
+Together, they're often called XS2A ("access to account").
+
+An entity that wants to use AIS has to be registered with the financial
+oversight authority in its country (BAFIN in Germany).  PIS has even stronger
+legal prerequisites.
+
+On a technical level, using PSD2 APIs usually requires having an `EIDAS
+<https://en.wikipedia.org/wiki/EIDAS>`__ certificate.
+
+
+Bank-Proprietary APIs
+=====================
+
+Some banks offer completely custom APIs to access services of the bank.  These often include services
+not available via more standardized APIs, such as account creation.
+
+Often banks frame PSD2 as just another API available in their portfolio of API offerings.
+
+Examples:
+
+* `Deutsche Bank <https://developer.db.com/products>`__
+* `ING Group <https://developer.ing.com/api-marketplace/marketplace>`__
+
+