The Financial Services Markup Language 1.5 is the latest version of the language developed to implement echecks and other secure financial documents. FSML defines a method to structure documents into blocks of tagged content. Unlike HTML, which uses tags to inform processors about how to display content, FSML uses tags to inform processors about how to use the document content in financial applications.
The FSML content blocks in an FSML document can be cryptographically sealed and signed in any combination needed by business applications. Document processors may also remove blocks without invalidating the signatures on the remaining blocks. They may combine signed documents and then sign blocks contained in the combined documents. Signatures are themselves structured as FSML blocks, as are the X.509 certificates needed by downstream processors to verify the signatures. Thus signatures and certificates become part of the FSML document, so they can be verified and counter-signed by later signers. “Generic FSML” consists of the document structure, block structure, and the methods of creating and verifying general-purpose signatures. This part of FSML 1.5 can be used and extended to create a variety of documents, suitable for processing by multiple parties, with the ability to authenticate the origin and integrity of each piece of the document at any point along the way.
FSML 1.5 further defines specific block types, content tags, and content for creating payment authorizations, such as echecks. Notably, it defines the tags and content of the block, which contains items such as date, amount, pay to the order of, memo, and so on that would be handwritten on the face of a paper check. It also defines the tags and content of the block, which contains items such as the account number, bank routing and transit number, and other information and restrictions which would be pre-printed on the face of a paper check. The bank’s Certificate Authority cryptographically signs the block, along with the account holder’s X.509 certificate, so that no one can alter the block.
Like HTML and other pioneering specifications such as OFX (Open Financial Exchange), FSML is based on the SGML (Standard General Markup Language). Even though FSML uses only simple SGML features, FSML does not conform to XML (Extensible Markup Language), a later and smaller version of SGML. The most obvious difference is that XML requires that every start tag have a balancing end tag, while FSML omits end tags from leaf elements for the sake of brevity.
FSML has been kept simple because financial applications may need the extra security of secure hardware. eCheck uses the most common and inexpensive secure hardware, the smart card, to contain the signer’s keys, to sign and endorse the echecks, and to provide automatic check numbering and registration. The eCheck project has demonstrated that the simplicity of FSML makes it compatible with the memory, processing, and interface speed limitations of smart cards.
FSML tags and contents are implemented using 7-bit ASCII text. Rules for limiting line lengths, inserting and removing line ends, and processing spaces at the beginning and ends of lines are defined. As a result, the plain text FSML document is compatible with transmission via most email systems. However, SGML character entities can be used to express the full Unicode character set for items such as names.
FSML depends on the authentication, integrity and non-repudiation properties of cryptographic hash algorithms and cryptographic signature algorithms to secure the financial system against fraud. It does not rely on encryption, because encryption is insufficient to prevent fraud. Encryption only secures a document while it is transferred from one holder to another. Once the document is decrypted and stored by a holder, it can be stolen from storage by hackers or deliberately compromised by a faithless holder. On the other hand, FSML is compatible with encryption, and the FSML 1.5 Specification contains an Appendix E defining the encrypted email used in the US Treasury eCheck Market Trial. It is expected that S/MIME and HTTP-SSL will also be used for confidential transport of echecks and other FSML documents.
FSML 1.5 is a mature specification that is based on the experience of several companies who developed software and hardware for eCheck payers, payees, banks, and certificate authorities. These systems have been in operation for more than a year. FSML 1.5 is the basis for moving these systems and associated operations from trial to standard production.