Decision Proposal 090 - Banking Maintenance Iteration 1

[CDR-API-Stream]

This decision captures the outcome of Banking Maintenance Iteration 1. Consultation on these items was conducted on the standards maintenance repository.

This decision will cover the following items:

• Inclusion of PAR in Transaction History standards-maintenance#4
• Account may have multiple deposit rates or lending rates standards-maintenance#21
• Payee name is not always known standards-maintenance#25
• Inclusion of Card Art standards-maintenance#3
• Update to Content-Type standards-maintenance#27
• standard requires customer's cookies for logging in to data recipient to be provided to data holder standards-maintenance#28
• Remove x-cds-subject header standards-maintenance#33
• Error in description of amount in BankingScheduledPaymentSet standards-maintenance#26
• Adoption of CORS as per FAPI standard standards-maintenance#6
• Relationship between BPAY fields and transactions is many to one. standards-maintenance#24
• Remnant vectors of trust references in security profile standards-maintenance#23
• International payees can have a BSB and account number. standards-maintenance#22
• Allowance for multiple term deposit values in a single account standards-maintenance#9
• Tiered fees in Product Reference data standards-maintenance#10
• Using Duration standard for lastWeekDay in Scheduled Payments standards-maintenance#5
• refresh_token_expires_at claim standards-maintenance#29

The final decision document has been reviewed and approved by the Data Standards Chair. It is attached below:
Decision 090 - Banking Maintenance Iteration 1.pdf

[perlboy]

Adoption of CORS as per FAPI standard

I repeat again that the FAPI Standard DOES NOT mandate CORS. It is an optional requirement at the discretion of the Holder/OP. This subject should be reworded to highlight that the CDS has made a deliberate decision to convert a MAY to a MUST.

Specifically quoting from the only part of the FAPI spec that mentions CORS in 6.2.1. Protected resources provisions item 13:

should support the use of Cross Origin Resource Sharing (CORS) [CORS] and or other methods as appropriate to enable JavaScript clients to access the endpoint if it decides to provide access to JavaScript clients.
NOTE: Providing access to JavaScript clients has other security implications. Before supporting those clients [RFC6819] should be consulted.

In addition, the CDS proposes this change for NON Protected resources only which is a further divergence from the clauses referred to in the FAPI specification.

A more suitable subject would be Introduction of CORS to Unauthenticated Endpoints coupled with a note that the FAPI spec provides allowances but this is a profile specific modification being adopted by the DSB.

Further, a note should be made that the Independent InfoSec Review conducted specifically stated the threat assessment was based on CORS headers being absent and consequently "has no negative security impact, but may need to be specified in future if browser-side access is required, at which point cross-domain security attacks can emerge".

[perlboy]

Further feedback with respect to the v1.1.0 release in tickets on standards-maintenance:

• Adopt CI/CD and leverage existing git tags for Standards documentation publishing standards-maintenance#56
• V1.1.0: Get Account Balance operationId Renamed standards-maintenance#60
• V1.1.0: Data Structure Version Naming standards-maintenance#61
• Multiple Credit Card Account & Loan Support standards-maintenance#62
• V1.1.0: CX Guidelines Renamed File standards-maintenance#63
• Support URI Encoded Images in Payloads standards-maintenance#64
• V1.1.0: RateString bounding standards-maintenance#65
• V1.1.0: lastWeekDay change is a new version standards-maintenance#66
• V1.1.0: Normative Reference Change Fixes standards-maintenance#68