summaryrefslogtreecommitdiff
path: root/libeufin/banking-protocols.rst
blob: 8a1bc0999cf955ca3f1d3b0597fdcea0ed0bec71 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
Banking Protocols
#################

This page collects information we have about banking protocols available around
the world.


Open Financial Exchange (OFX) Direct Connect
============================================

`OFX <https://www.ofx.net/>`__ is widely used in the US.  It defines a completely
custom protocol (based on HTTP) and data formats (**not** based on ISO20022) for banking.


Electronic Banking Internet Communication Standard (EBICS)
==========================================================

EBICS is used primarily in Germany, France and Switzerland.  Some banks (such as BNPParibas
with their `Global Ebics <https://cashmanagement.bnpparibas.com/our-solutions/solution/global-ebics>`__)
also allow EBICS access to accounts in other countries.

EBICS is just a transfer layer for communicating with banks.  Banks define what
messages they support.  In practice, EBICS is very often used to transfer
ISO20022 messages.

German banks that are part of the German Banking Industry Committee all must offer EBICS access.
Thus this protocol is a good choice for the German market.


FinTS / HBCI
============

German home-banking standard.  FinTS is the successor of the Home Banking
Computer Interface (HBCI), but older versions of FinTS are often still called
HBCI.

The current version, FinTS 4.0, is not widely supported by banks yet.  Starting with FinTS,
XML is used as a data format.  Previous versions used a custom text/binary format.

Only some banks allow authentication based on key pairs.
Due to different interpretation of PSD2, other banks now only allow authentication
methods that require interaction from the customer (SCA / Strong Customer Authentication).

Payloads these days can be ISO20022 messages.

Examples:
 * `GLS <https://www.gls.de/geschaefts-firmenkunden/zahlungsverkehr/onlinebankingverfahren-und-programme/daten-zum-onlinebanking/>`__


PSD2
====

PSD2 is not a technical standard, but high-level legal requirements on (amongst other things) APIs
that banks have to offer.

There are many implementations of PSD2 APIs.  The `Berlin Group <https://www.berlin-group.org/>`__
provides a framework that somewhat standardizes technical details, but the use of this standard
is by no means necessary.

Unfortunately, it focuses on *other* parties accessing *your* bank account.  It
does not give customers access to their own bank account.  Customers can manage
third party access they give to their bank account in their online banking
system.  That mechanism is conceptually similar to OAuth2.  In fact, some
implementations of PSD2 even use OAuth2 directly.

PSD2 APIs usually use JSON as a data format.  Often the schema and terminology is "inspired" by ISO20022
messages, but no actual ISO20022 XML message formats are used.

PSD2 requires two main services to be available via an API:

* AIS (Account Information Service).
* PIS (Payment Initiation Service).

Together, they're often called XS2A ("access to account").

An entity that wants to use AIS has to be registered with the financial
oversight authority in its country (BAFIN in Germany).  PIS has even stronger
legal prerequisites.

On a technical level, using PSD2 APIs usually requires having an `EIDAS <https://en.wikipedia.org/wiki/EIDAS>`__ certificate.

Examples (bank offerings):
 * `Sparkasse <https://xs2a.sparkassen-hub.com/home>`__ (Berlin Group based)
 * `Deutsche Bank <https://developer.db.com/products/psd2>`__

Examples (standards):
 * `STET PSD2 API <https://www.stet.eu/en/psd2/>`__
 * `Berlin Group NextGenPSD2 <https://www.berlin-group.org/nextgenpsd2-downloads>`__



Bank-Proprietary APIs
=====================

Some banks offer completely custom APIs to access services of the bank.  These often include services
not available via more standardized APIs, such as account creation.

Often banks frame PSD2 as just another API available in their portfolio of API offerings.

Examples:

* `Deutsche Bank <https://developer.db.com/products>`__
* `ING Group <https://developer.ing.com/api-marketplace/marketplace>`__
* `Revolut <https://revolut-engineering.github.io/api-docs/business-api/>`__
* `PayPal <https://developer.paypal.com/classic-home/>`__


Open Bank Project
=================

The `Open Bank Project <https://www.openbankproject.com/>`__ provides a free software implementation of
banking middleware that supports various APIs, including PSD2-compatible APIs (based on Berlin Group).

API Docs: `<https://github.com/OpenBankProject/OBP-API/wiki/Open-Bank-Project-Architecture>`__


UK Open Banking
===============

Open Banking is the (quite confusing!) name of a UK-based open banking initiative.

What's nice about Open Banking is that their APIs are really close to ISO 20022, unlike many
similar HTTP+JSON APIs.

`<https://openbanking.atlassian.net/wiki/spaces/DZ/pages/16385802/Specifications>`__