Ping Identity senior technical architect and OpenID board member Sarah Squire explained that Open Banking UK takes advantage of OpenID, and that open banking was one of the concepts that made OpenID desirable.
Learnings from the UK experience include:
• Establish a central (non-profit) authority to maintain a list of all valid members of the scheme and their certificates. This aids scalability and provides a single touchpoint for banks and their customers.
• Start interoperability testing sooner rather than later. There are various ways that attackers can try to manipulate the system, and it is important to know that every party's software handles these situations correctly. It also helps those developing customer-facing software to know that all of the banks' systems adhere exactly to the protocol.
• Don't allow apps to store banking credentials. When apps need access to bank data, they should redirect the user to the bank where they can give their consent and then return to the app. Storing credentials "is something we are still trying to quash", Squire said. Banks don't want users to reveal their credentials, and it might be appropriate for a government to mandate that it doesn't happen.