New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft API Definition for the PISP / third party API #70
Comments
Before reviewing, have there been any discussions regarding the suggestion about GSMA MM API in #60? |
Thanks for the quick response @ehenrka . No they're not included in the initial draft, but have a follow-up meeting on this and I'll raise that there.. |
Thanks @sam - perhaps the label should be |
Sure @lewisdaly - updated |
Please find some initial comments below. General comments
Specific comments
Kind regards, |
Thanks for your prompt comments, Henrik. First, a number of your comments seem to me to relate to best practice in relation to APIs in general. As I said in the reorganisation proposal, I think that there should be a best practices document maintained by the CCB, and I've therefore started one based on your comments and aligned the PISP API document with them. Let me know what you think. Second, the use of the term "DFSP". This is, in my view generally in use in the Mojaloop community today and has largely replaced "FSP". Accordingly, I would like to continue to use "DFSP" in this document, simply because I think it is the term most likely to be understood by users. I'd be happy to add it to the glossary; which, again, I would expect to continue to be maintained by the central CCB. Since the Service Name entries in the Open API Specification for FSP Interoperability refer to entries in the Generic Transaction Patterns document, and we are not at present proposing a PISP version of this document, I have removed them from the PISP API definition. Think I changed all the references to the Open API Specification for FSP Interoperability. I have replaced the regex for URI with that given in RFC 3986. I take a different view from you about the imposition of maximum limits. Briefly, it is as follows. A Mojaloop scheme is a community of known participants regulated by rules, and the messages that pass between them are, as you say, protected by security measures. If those measures are not adequate to protect the community from outside attack, then my feeling is that the sooner the system knows about it the better. If, on the other hand, toxic messages are being created and sent by participants, then, again, the system should identify the problem and work with the participant responsible to take appropriate action. However, I will raise this as an issue with the PISP team and canvass their opinion on how they would like to proceed. I will also raise the issue of the information that it is proper for the PISP to expect the payer DFSP to include when it asks the PISP to confirm the transfer. Our expectation was that this should be equivalent to the terms of the transfer, and that it would therefore definitely need to include, for instance, information about the costs that the customer was expected to pay. In the end, though, it will not be the DFSPs who decide which information is to be included and which excluded, but the scheme via the scheme rules. We will not, in my view, be doing the API a service if we exclude from it information which schemes subsequently want to include; but if we allow the inclusion of information which they subsequently decide to exclude, no harm is done that I can see. In any case, I will raise the issue and let you know what we decide. |
Thanks @mjbrichards, From what I can see in the PISP Specification document, you have not enabled changes to be tracked? May I ask you to either answer directly on my comments so that I know which ones you have addressed, or at least use track changes in the document, so that I don't have to review the entire document again to find out where you might have changed anything? This would save a lot of time for me, and for others who might have read the first version or my comments so that they are also aware of what has changed. Based on a quick read now it seems like some of my comments are ignored, and it would be good to know why. I'm sure there are a number misunderstandings in my comments (one of the misunderstandings is mentioned below) as I have not been involved in this specification development, and that some objects are shared, while others are not shared with the FSPIOP API. There are also questions that are left unanswered. I will read and review your start of the API Best Practices document, let me get back to you with comments regarding that. Regarding the term DFSP, it is already in the glossary as an alternative term for FSP.
This issue seems to be mostly because the quote object was not defined in the earlier version. My assumption was that this was to be based on the existing quote object in FSPIOP API provided on the information in that section (my emphasis added on Payee DFSP: The Quote object is used to collect the information on the terms of a transfer which a Payee DFSP returns as part of the positive response to a quotation. This information is forwarded to the PISP by the Payer DFSP so that the PISP’s customer can make an informed consent to the transfer, ...), as the quote object was not defined in the previous version. In the new update, the quote object is now more of an end user quote. The end user fees in the user's FSP definitely need to be shared to the PISP, as this information is required by the end user to be able to confirm. Also regarding the quote, just looking at the quote part now again:
Please let me know why you think that a PISP should ever know about the birth dates of the Payer and Payee? I would just like to understand any use case for the PISP where this information could be valuable? In the FSP Interoperability API, the information is there to support sanction screening. But for PISPs I do not understand the purpose of the data, hence I would like to know why it can even be shared.
There is certainly harm done if someone would spread personal information to a PISP which should not need to know the information. Our FSPs that follows GDPR have the obligation to protect any data of consumers so that only necessary private data is shared. If I was an account holder in any of the FSPs that does not try to follow GDPR, I would still like them to keep my private data private. Kind regards, |
Hi Henrik, thank you for your comments, and please accept my apologies for not having turned on Track Changes when updating the specification. I have produced a further revision of the specification, together with a document responding to each of the points you raised in your original response, and I attach them here. On the other points you raise:
Now to your last paragraph. My view is as follows, at the risk of repeating myself. Decisions about what data items are required or forbidden to be included in messages are the responsibility of the operators of the scheme. The switch provides functionality which enables these decisions to be enforced. In any case, extension lists allow any sort of information about entities in the system to be passed; but at the cost of damaging the general application of the technology providers' solutions, as we have already discussed. This effectively by-passes the sort of control over content which I think you propose as a function of the API. Now, in relation to your specific points. First, it is in my view the responsibility of the scheme, not the API, to decide whether or not a PISP needs to, or can, be party to specific items of information. If yes, then it will allow or mandate the content; if no, it will forbid it. All of this will, of course, be aligned with the regulatory regime in force in the jurisdiction(s) in which the scheme operates; if that were not true, it would not be permitted to operate at all. Second, if you personally did not agree with the sharing of private data in accordance with the regulatory regimes in force in the jurisdiction under which your DFSP operated, you would be entirely at liberty not to participate; but, in my opinion, it would be unreasonable to expect an API to enforce regulations that a regulator did not. Yours, |
Thanks Michael and Henrik for your rigorous discussion. I've done another review myself, which you can find here: |
Thanks @mjbrichards,
At least many of our FSPs has the requirement that the customer should be able to see how much of the amount that they pay is tax. I can't say if it is a regulatory requirement, or if just our FSPs want to be open with how much is tax vs fee. If you want agents to be able to use PISP, then you need to share the commission that they have earned as well.
I'm not talking about the amount that the Payee would receive. As a Payer, you can choose that the amount of the transaction is either a Send amount or a Receive amount. This controls if fees for the Payer should be added on top of the amount, or withdrawn from the amount (please see Section 5.1 in API Definition for FSPIOP). As far as I understand, the use case that you are trying to solve for now is P2P? For a merchant payment, you would always use a Receive amount as the merchant should receive a specific amount. For a P2P, the use of Send vs Receive differs between our deployments. Thank you for providing two examples where you think the birth dates are important for the PISP. Please note that I'm not against that private data can be shared to the PISP. What I'm against is that it seems like the data is shared without any control from the user. I'm sure that there are other types of private data that the PISP might be interested in, why I think there should be a generic support for asking consent about sharing private data in a standardized way. Please see for example OpenID Connect, where a service can specify a number of claims that represent different kinds of personal data that can be requested from the user. Can you please explain to me how I as an FSP would know when the PISP would need the birth dates based on the existing design? Otherwise it seems like the FSP would now always need to share the birth dates, as the PISP might need them for some use case. This would allow the PISP to collect a lot of data about both parties, even though only one of them is a customer of the PISP (either Payer or Payee). In my mind, as you already have a way of asking for consent as part of the API, the PISP should also ask for consent to get the birth date from the user. It probably already has a consent from the PISP's consumer from the sign up of the customer for the service, but probably not from the other consumer (Payee or Payer depending on use case). I think that we are doing the schemes and implementers of the API a service if these topics are discussed as part of the API design, as privacy issues are in general a hot topic, instead of just allowing the data to be sent without any more thought. Having a standardized way of asking for consent to share the data would also allow other types of private data to be shared other than just birth date. I will read and review the updated documents. Kind regards, |
Adding to Henrik’s well-stated cautions on user consent... we have a work stream underway, that Godfrey is leading, to map the interface and Mojaloop platform to GDPR. The work is intended much as Henrik suggests as directional and not specific to any particular implementation.
I agree that we do implementtt we s a service by thinking about informed consent when the interface or platforms are sharing private information.
OpenID is a good reference.
Some of the requirements will emerge from transaction domains outside of payments. The example Michael gives of proving majority age will differ not just by locale but also depending on what product or service is the object of the transaction. Liquor, tobacco, entrance to a club, each can have local rules that are not aligned.
This makes the merchant or PISP a handler of transaction-specific private data. The DFSPs will not be responsible for collecting that consent but may need a way to convey it in the transaction data.
…-- Miller
On Nov 15, 2020, at 11:58 PM, Henrik Karlsson <notifications@github.com> wrote:
Thanks @mjbrichards,
You are correct: the current specification does not break down the fees into their components. As far as I recall, the L1P only requires that customers are informed about the overall cost of a transaction. I'm not against more detail personally, but we saw no need for it.
At least many of our FSPs has the requirement that the customer should be able to see how much of the amount that they pay is tax. I can't say if it is a regulatory requirement, or if just our FSPs want to be open with how much is tax vs fee. If you want agents to be able to use PISP, then you need to share the commission that they have earned as well.
The receive amount is returned by the payee DFSP as part of the quote response. The send amount is contained in the Transaction object, though this may be modified by the Payer DFSP if it intends to deduct further fees from the customer.
I'm not talking about the amount that the Payee would receive. As a Payer, you can choose that the amount of the transaction is either a Send amount or a Receive amount. This controls if fees for the Payer should be added on top of the amount, or withdrawn from the amount (please see Section 5.1 in API Definition for FSPIOP). As far as I understand, the use case that you are trying to solve for now is P2P? For a merchant payment, you would always use a Receive amount as the merchant should receive a specific amount. For a P2P, the use of Send vs Receive differs between our deployments.
Thank you for providing two examples where you think the birth dates are important for the PISP. Please note that I'm not against that private data can be shared to the PISP. What I'm against is that it seems like the data is shared without any control from the user. I'm sure that there are other types of private data that the PISP might be interested in, why I think there should be a generic support for asking consent about sharing private data in a standardized way. Please see for example OpenID Connect, where a service can specify a number of claims that represent different kinds of personal data that can be requested from the user.
Can you please explain to me how I as an FSP would know when the PISP would need the birth dates based on the existing design? Otherwise it seems like the FSP would now always need to share the birth dates, as the PISP might need them for some use case. This would allow the PISP to collect a lot of data about both parties, even though only one of them is a customer of the PISP (either Payer or Payee).
In my mind, as you already have a way of asking for consent as part of the API, the PISP should also ask for consent to get the birth date from the user. It probably already has a consent from the PISP's consumer from the sign up of the customer for the service, but probably not from the other consumer (Payee or Payer depending on use case).
I think that we are doing the schemes and implementers of the API a service if these topics are discussed as part of the API design, as privacy issues are in general a hot topic, instead of just allowing the data to be sent without any more thought. Having a standardized way of asking for consent to share the data would also allow other types of private data to be shared other than just birth date.
I will read and review the updated documents.
Kind regards,
Henrik
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
This is a new version of the PISP API specification (1.3) which I hope takes account of the latest state of our discussions on the account linking process. Any comments would be most welcome. Two particular points:
Otherwise, I have tried to stick to the sequence diagrams, with what success I shall leave you to judge. |
This makes sense. DELETE is idempotent, in the RESTful universe and so is a better choice for collection pruning. POST is not necessarily idempotent and so an assumption can’t be made about the ordering of requests. And DELETE of a consent from the consents collection would not seem to need any additional body data. POST is primarily used when body data must be submitted to provide the new state of the object. But given that we are removing the object, there is no new object state (other than oblivion).
Alignment to the FSPIOP API idioms is a bonus.
— Miller
On Feb 9, 2021, at 7:39 AM, mjbrichards <notifications@github.com> wrote:
This is a new version of the PISP API specification (1.3) which I hope takes account of the latest state of our discussions on the account linking process. Any comments would be most welcome. Two particular points:
I have replaced the proposed unlinking syntax (POST /consents//revoke) with a syntax more closely aligned with the existing FSPIOP API: DELETE /consents/. This is the syntax currently used to make changes to oracles in the ALS, and I therefore thought it more suitable here. However, I am aware that the proposed syntax is better aligned with the Google syntax recommendations for custom methods (https://google.aip.dev/136 <https://google.aip.dev/136>). Perhaps we should discuss.
It occurred to me in thinking about unlinking that our statement of the consent does not at present include definition of the two parties (the PISP and the DFSP) between whom the consent is agreed. It occurred to me that a central register for all consents would really reuqire this, and I have therefore included them in the data body for the POST /consents call. Let me know your thoughts.
Otherwise, I have tried to stick to the sequence diagrams, with what success I shall leave you to judge.
Draft PISP Specification Changes.docx <https://github.com/mojaloop/mojaloop-specification/files/5952359/Draft.PISP.Specification.Changes.docx>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#70 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB6OJ6DDU4VIAWQ7WO57XOLS6FJLXANCNFSM4TKKGAQA>.
|
|
A new version (1.4) of the PISP specification, based on discussions with @lewisdaly, JJ and @eoln. This now represents our agreed view. |
Thanks @MichaelJBRichards |
@MichaelJBRichards -> for property |
I have made the changes suggested by @eoln, together with changes consequent on a detailed review of the sequence diagrams and changes to the data model for the PUT /thirdPartyRequests/authorizations endpoint described in Section 3.1.6.2.1, following a discussion on this point. |
Commenting just on the POST /thirdpartyRequests/authorizations for now:
|
@MichaelJBRichards what do you think? I think the only case where the PISP would want the For the |
These changes are now summarized in this PR: #90 Please comment inline there where it makes sense. |
I've just updated the openapi spec documents for this change request in PR #90, so it's ready for another review. |
Thanks to Michael for an initial draft for the PISP/ third party API [doc file attached to this issue] -
Draft PISP Specification Changes.docx
This also encompasses issue: #68
The text was updated successfully, but these errors were encountered: