commit 8c94d1268d3523663941813e53e939d6e43fb010
parent 1d396d031a03e12501bb9b06b642366c7fbe4313
Author: Florian Dold <florian.dold@gmail.com>
Date: Tue, 9 Jun 2020 13:56:08 +0530
banking protocol docs
Diffstat:
2 files changed, 85 insertions(+), 0 deletions(-)
diff --git a/libeufin/banking-protocols.rst b/libeufin/banking-protocols.rst
@@ -0,0 +1,84 @@
+Banking Protocols
+#################
+
+This page collects information we have about banking protocols available around
+the world.
+
+
+Open Financial Exchange (OFX) Direct Connect
+============================================
+
+`OFX <https://www.ofx.net/>`__ is widely used in the US. It defines a completely
+custom protocol (based on HTTP) and data formats (**not** based on ISO20022) for banking.
+
+
+Electronic Banking Internet Communication Standard (EBICS)
+==========================================================
+
+EBICS is used primarily in Germany, France and Switzerland. Some banks (such as BNPParibas
+with their `Global Ebics <https://cashmanagement.bnpparibas.com/our-solutions/solution/global-ebics> offering`__)
+also allow EBICS access to accounts in other countries.
+
+EBICS is just a transfer layer for communicating with banks. Banks define what
+messages they support. In practice, EBICS is very often used to transfer
+ISO20022 messages.
+
+German banks that are part of the German Banking Industry Committee all must offer EBICS access.
+Thus this protocol is a good choice for the German market.
+
+
+FinTS / HBCI
+============
+
+German home-banking standard. Only some banks allow authentication based on key pairs.
+Due to different interpretation of PSD2, other banks now only allow authentication
+methods that require interaction from the customer (SCA / Strong Customer Authentication).
+
+Payloads these days can be ISO20022 messages.
+
+
+PSD2
+====
+
+PSD2 is not a technical standard, but high-level legal requirements on (amongst other things) APIs
+that banks have to offer.
+
+There are many implementations of PSD2 APIs. The `Berlin Group <https://www.berlin-group.org/>`__
+provides a framework that somewhat standardizes technical details, but the use of this standard
+is by no means necessary.
+
+Unfortunately, it focuses on *other* parties accessing *your* bank account. It
+does not give customers access to their own bank account. Customers can manage
+third party access they give to their bank account in their online banking
+system. That mechanism is conceptually similar to OAuth2. In fact, some
+implementations of PSD2 even use OAuth2 directly.
+
+PSD2 requires two main services to be available via an API:
+
+* AIS (Account Information Service).
+* PIS (Payment Initiation Service).
+
+Together, they're often called XS2A ("access to account").
+
+An entity that wants to use AIS has to be registered with the financial
+oversight authority in its country (BAFIN in Germany). PIS has even stronger
+legal prerequisites.
+
+On a technical level, using PSD2 APIs usually requires having an `EIDAS
+<https://en.wikipedia.org/wiki/EIDAS>`__ certificate.
+
+
+Bank-Proprietary APIs
+=====================
+
+Some banks offer completely custom APIs to access services of the bank. These often include services
+not available via more standardized APIs, such as account creation.
+
+Often banks frame PSD2 as just another API available in their portfolio of API offerings.
+
+Examples:
+
+* `Deutsche Bank <https://developer.db.com/products>`__
+* `ING Group <https://developer.ing.com/api-marketplace/marketplace>`__
+
+
diff --git a/libeufin/index.rst b/libeufin/index.rst
@@ -13,3 +13,4 @@ LibEuFin is a project providing free software tooling for European FinTech.
ebics
sepa
iso20022
+ banking-protocols
