November 18, 2020
Mr Andrew Stevens
Chairman, Consumer Data Standards Australia
Mr Paul Franklin
Executive General Manager, Consumer Data Right, Australian Competition and Consumer Commission
Ms Kate O’Rourke
Principal Advisor, The Treasury, Australia
Mr Daniel McAuliffe
Project Lead, Consumer Data Right, The Treasury, Australia
RE: OpenID Foundation Follow-up to ACDS on CDS
Dear Mr Stevens, Mr Franklin, Ms O’Rourke, and Mr McAuliffe,
This communication follows the letter I sent on August 13, 2019, as Chair of the OpenID Foundation’s Financial-grade API (FAPI) Working Group. In my prior communication, I noted the Foundation performed an analysis of the Australian Consumer Data Standards (ACDS) that highlighted some deviations from the OpenID Connect and Financial-grade API (FAPI) standards. Now that the majority of deviations have been removed, CDR Data Holders and Data Recipients are able to demonstrate their technical conformance with the FAPI standards. This increases the reliability of systems leveraging these standards, the repeatability in successive systems and trust among all stakeholders in the ecosystem.
The ACDS’s adoption of FAPI enables the members of your community to leverage the OpenID Foundation certification program. It is a mature model in use today, at scale, via the Open Banking Implementation Entity from UK regulators, for identity providers (Data Holders) and relying parties (Data Recipients) to self-certify their OpenID Connect and FAPI deployments. The tests are available to all, today, at no cost, at any time. The test suite can be run by participants themselves locally on their infrastructure or by using the OIDF’s hosted service. At a time of their choosing, participants’ test results are checked by the OIDF for a modest fee, and they are added to a publicly available list of organizations that have demonstrated conformance to the FAPI standard. This greatly assists participants of all types, large and small, to achieve ACDS compliance and interoperate globally.
The Foundation recently updated the FAPI conformance suite to ensure that servers following the CDR standards comply with the underlying FAPI specifications. A number of Australian organizations have tested these tests against their CDR environments. The interoperability and security issues found in the deployments of Data Holders and Data Recipients were then able to be fixed well before they caused concerns.
The success of testing the tests allows the Foundation to launch a FAPI compliance service for CDR data holders. This new service also optionally covers the new pushed authorization spec that CDR plans to start introducing in November 2020. This is timely and important given the CDR’s is a new protocol without the benefit of existing test suites and few vendor implementations.
The purpose of this communication is to gauge the interest of the Australian Competition and Consumer Commission (ACCC), and relevant internal parties, in supporting the OIDF’s launch of a FAPI technical conformance service for CDR participants. Your support would help expand its value to Accredited Data Recipients, and influence evolving the service in the future. We welcome ACCC’s involvement in the FAPI Working Group at any time. Any feedback on the FAPI CDR compliance service is welcome, especially prior to launch.
The Foundation’s considerable investment in its certification program ensures trusted implementations of open standards. The return is measured in positive impacts on interoperability and security. The UK’s use of the Foundation’s test suites has resulted in reduced engineering costs for all parties and facilitated market entry for new participants. This becomes particularly important as CDR is expanded to more entities. It highlights the importance that standards like FAPI evolve within their working groups.
OIDF’s certification program has proven its value to UK OpenBanking. It has revealed and assisted in resolving a significant number of interoperability and security problems in production systems in the nine largest UK banks while reducing integration costs for all. The certification and FAPI teams continue to work to ensure the tests reflect the intent of the specification authors and the needs of users.
We have run a series of joint workshops with the OpenBanking Implementation Entity in the UK and the Financial Data Exchange in the US to increase understanding of the standards and the benefits of the certification tools. We hope we could run similar workshops with the assistance of the appropriate Australian entities.
Please consider engaging with the OpenID Foundation on the launch of the CDR testing service. Your involvement benefits the community at large by alignment with ACCC and ACDS goals. We would be happy to arrange a call to answer any questions you might have. Thank you for your consideration.
Chair, OpenID Foundation
Co-Chair FAPI Working Group