
Big Banks Lock Horns with Personal-Finance Web Portals - andore_jr
http://on.wsj.com/1iDRXGf
======
Someone1234
This is the major difference between the US and EU. In the EU this isn't the
"bank's customer data" this is the "customer's data." The customer actually
has a legal right to see what data is held about them by the bank, and the
bank has a legal obligation to make sure that data is accurate and up to date.

~~~
snuxoll
The dumb part is banks are more than willing to support Quicken's Express Web
Connect, which literally stores your username/password on Intuit's servers,
logs into your online banking portal and downloads the .qfx files you would
get if you did it by hand. This is the same company that owns Mint, and it's
literally doing the same thing!

Oh well, until banks decide to stop allowing users to manually save .qfx files
the worst they can do is make life inconvenient.

~~~
avemg
As a (reluctant) Quicken user, I was not aware that Express Web Connect
credentials are stored on Quicken servers. Do you have anything to back that
assertion up?

~~~
breischl
From Quicken's security guide (emphasis added):

When using Express Web connect to automate Web connect downloads from your
financial institution's Web site, _your user name and password_ are encrypted
and, depending on your financial institution's procedures, _will be stored on
our firewall-protected servers_ or in your Quicken software. Your financial
information is transmitted using secure socket layer technology and is
encrypted, so it is unreadable during transmission. It is then _stored on our
firewall-protected servers_ and is securely transmitted directly to your
desktop computer when you initiate One Step Update. Your information is
confidential and is not used for anything other than providing and maintaining
the One Step Update service.

[http://quicken.intuit.com/support/help/account-transaction-i...](http://quicken.intuit.com/support/help/account-transaction-issues/how-quicken-protects-financial-information/GEN82538.html?priorityCode=1327800000)

~~~
toomuchtodo
Yes. They store your credentials at rest in a data store, and the creds are
decrypted on demand when API requests are made.

------
shawkinaw
I used Mint for a long time, but eventually decided I didn't like them having
all my bank login information, including security questions. So I switched to
a setup where I download OFX data directly from my banks using a Python script
[1], and use Ledger [2] to track spending, balances, etc.

A big bonus of this approach is that I have complete control over the data, so
if an import gets screwed up somehow I can fix it manually. Mint's "black box"
approach is good when everything works flawlessly, but you're stuck doing
weird hacks if anything goes wrong or you want to do something it wasn't
designed for.

Ledger, incidentally, is from the same one who is now maintaining Emacs, if
I'm not mistaken.

[1]
[http://captin411.github.io/ofxclient/](http://captin411.github.io/ofxclient/)
[2] [http://www.ledger-cli.org](http://www.ledger-cli.org)

~~~
sanderjd
I have a very similar setup, except using YNAB[0]. I never felt like I really
_used_ Mint, besides just going and looking at my balances and (infrequently)
thinking, "huh, looks like I'm over-budget again". With this setup, I feel
like I'm taking matters into my own hands, which has had a noticeable impact
on my spending and planning discipline.

Thanks for the link to your project, looks really useful!

[0]: [https://www.youneedabudget.com/](https://www.youneedabudget.com/)

~~~
comrh
YNAB recommends the manual entry of purchases to better understand the
relationship between the things you buy and your money. This has helped me be
much less impulsive and more aware of the large money sinks in my life
(lunch!). Whatever setup works for you to help you budget though, it is great
software.

~~~
sanderjd
Yep! I did that for a while, and still do it quite often for purchases while
I'm out and about at Target, grocery stores, restaurants, bars, and coffee
shops. But for me, importing dumps from my banks and going through each
transaction to "accept" them is plenty enough for that mental jolt. The tedium
of entering names, categories, and prices might be a bit more powerful, but
just _seeing_ every transaction is (for me) a 99% achievement of the same
goal.

------
davidu
If the banks cared they would provide either a token-based API like OAuth or, at
the very least, a read-only password for users to give these sites that aren't
fully credentialed.

Customers will always want to extract their data.

~~~
amsb
It's amazing that we can grant revocable, read-only and audited access to our
social accounts, but not our bank accounts. Even though the largest
aggregators operate under some level of federal supervision (via FFIEC and the
OCC), there is an obviously better way. TxPush
([http://txpush.org](http://txpush.org)) looks like an initiative in this
direction. There will likely be an ongoing need for aggregators to maintain
access to laggard financial institutions and possibly to buffer load on the
bank servers as consumers use more and more financially connected apps.

~~~
jackgavigan
_> It's amazing that we can grant revocable, read-only and audited access to
our social accounts, but not our bank accounts._

The UK is moving in this direction. The ODI/Fingleton report into Data Sharing
and Open Data for Banks[1] recommended creating an open banking API standard
and suggested using OAuth, using Twitter as an example (see p24 of the
report). Work has begun on defining the roadmap towards creating an API
standard[2].

1: [https://www.gov.uk/government/publications/data-sharing-and-...](https://www.gov.uk/government/publications/data-sharing-and-open-data-for-banks)

2: [http://theodi.org/news/open-banking-working-group-uk-experts...](http://theodi.org/news/open-banking-working-group-uk-experts-impact-consumers-regulators-industry)

------
7952
Banks are in a strange kind of transition. For years they acted like a retail
operation that treated finance as a consumer product. But actually their
purpose in the modern world is as infrastructure, more similar to electricity
or water. In that sense there is some similarity to cable companies who are
fighting to avoid becoming just a dumb pipe.

~~~
laotzu
Blockbuster thought they were too big to fail too

~~~
debacle
Blockbuster didn't have legislative scaffolding and bureaucracy throughout the
entire world on its side.

~~~
laotzu
The bigger they are the harder they fall

~~~
nickpsecurity
2008 proved you wrong for the ones that had what the parent referred to.
Confessing to crimes and crashing the economy resulted in a $1 trillion bailout, no audits,
some fines, and criminal immunity. Doesn't happen every day in industry.

~~~
laotzu
Agreed but it is just postponing the inevitable. The bailout and bankruptcies
made their closed-source hierarchical paper system even more highly
centralized, while the superior electric medium is doing the exact opposite in
becoming more decentralized, distributed, and open source.

[http://www.frontporchrepublic.com/wp-content/uploads/2011/09...](http://www.frontporchrepublic.com/wp-content/uploads/2011/09/big-bank-theory-chart-large.jpg)

~~~
nickpsecurity
Their schemes have been working most of the time since creation of the Fed
with usable currency and international uptake.

Using Bitcoin for its intended purpose is like gambling. Similarly for other,
popular P2P. So, safe choice is better implementations of centralized model
until _stable_ alternatives exist in P2P space.

Note: Nice graphic but the best thing is looking at boards for interlock. Like
Project Censored did in their nice Theory of Everything for global elites:

[http://www.projectcensored.org/the-global-1-exposing-the-tra...](http://www.projectcensored.org/the-global-1-exposing-the-transnational-ruling-class/)

Now you know who they are. We've been able to figure the stuff out. Why still
these problems? Cuz few give a shit or do anything. If that remains, we're
screwed in the long term. ;)

------
cdnsteve
I agree with the banks in part. Giving your online account credentials to
access your banking information is complete madness. It's a giant security
risk that neither company would likely cover if someone got a hold of your
login details. This is the reason I purposely never signed up for Mint.

On the second half of the argument: banks need to address the fact that users'
needs are changing and they want access to their own data, which they own, not
the bank. A bank could create an API service with API keys specifically for
these types of aggregate services to use. This could be done at first for just
read-only access, whereby the API does not allow you to transfer funds, etc.
It would be a secure interface to access your data from trusted third
parties or your own apps.

A secure standard API would be beneficial to customers, to third-party
services, and to the banks that offer them. Freeing information instead of
hoarding it, when it doesn't belong to them in the first place.

Credit unions could have a major advantage here if they would start using
modern tech.

~~~
KirinDave
> I agree with the banks in part. Giving your online account credentials to
> access your banking information is complete madness. It's a giant security
> risk that neither company would likely cover if someone got a hold of your
> login details. This is the reason I purposely never signed up for Mint.

As someone who collects these daily, I'd rather not collect them. The lengths
I have to go to to ensure that they're not a major risk for our product?
Significant. It's not a hard problem to solve, but the question is: "do banks
want to solve it?" There's not much incentive for big banks to DECREASE
account stickiness, and a lot of us waiting for great aggregation tools to
totally dis-intermediate the big banks from their customers 8 ways till
Tuesday.

But to be honest, financial data is all sort of like this. For example, once
someone has your ACH routing and account numbers, the only thing that really
stops them from building a fraud factory is the fact that it's difficult to
get permission to interact with the ACH network. You need to handle those with
at least as much care as bank login info.

And then, there was the MASSIVE fraud spree that everyone who didn't implement
yellow path validation for ApplePay opened up. I personally had well over 80k
stolen from my account in less than 1 day via that outrageous fraud loop.
Thanks, Apple Stores and Chase, for pretending that someone else's fingerprint
constitutes my biometric permission.

On the subject of Chase, everyone in the industry was completely shut down
without warning at the worst possible time by Chase. We're all pretty spicy
about how it was handled.

~~~
ska
In my experience (just as a client) Chase is very happy to act unilaterally
and without communication. On the other hand, as an ex-client I have the
option of just never dealing with them again.

------
xirdstl
This seems like it would backfire. I suspect many people are more loyal to
mint.com than to their banks.

~~~
jacquesm
Switching banks isn't easy, unfortunately. Note how banks have very
successfully managed to create systems that do not have bank account number
portability built in, they even engineered them in such a way that any future
desire to implement such portability will meet with very substantial technical
roadblocks.

~~~
Spooky23
Why not? I've ditched banks a few times. Checking is a commodity product these
days... it's not like a banking relationship matters anymore.

In olden times, it might have been a pain. Now most automatic payments hit a
credit card, so you aggregate the account changes at that level.

Last time I flipped to get a 1/4 point off my mortgage. I think I had to
redirect my utility account and change a few online payment portals for AMEX,
etc. Took about 30 minutes, and saved me about $20k over the life of the
mortgage.

~~~
JoshTriplett
> Why not? I've ditched banks a few times. Checking is a commodity product
> these days... it's not like a banking relationship matters anymore.

Depends on what position you're in, and how you've previously organized your
finances. If you still write checks, you have to leave the old account open
with enough funds and wait for all of those to clear. If you have things
pointing at your bank debit/credit card, you need to change those and wait for
any outstanding charges to clear. If you have direct deposit of a paycheck,
you'd need to change that. And any services hooked up to your bank account via
the usual "tell us the number of pennies we just transferred in and back out
of your account" need re-hooking.

~~~
toomuchtodo
* Write checks only when necessary. I usually use USPS money orders instead.

* Always have recurring payments on a credit card, which you pay off monthly.

Bill payments and connected accounts should be minor.

~~~
JoshTriplett
Sure, but those are the kinds of steps you take once you've realized you want
to limit how much gets tied to your bank account. Similarly, once you go
through the pain _once_ of switching email addresses away from an ISP email
address, you might move to a provider-independent address. But in both cases,
you might not know that the first time.

~~~
toomuchtodo
Yep, I agree. It's really an education issue more than anything.

------
BankNote
Banks are ruled by iron fist, old school systems that effectively get a long
line of innovation only when needed. Think Cobol, 2000 year issues. Millions
were spent on the infrastructure eons ago, and the idea of innovation goes
exactly against what they stand up for - stingy, Scrooge type ideals. I don't
blame them, but tech eventually moves around ideas like this. Think again of
the automotive industry, and why don't we have 1 billion new ideas extended to
the most vast product producing machine in the country ... unions, old school
profit engines (pardon the pun), and the sticky idea that innovation will
disrupt it. Tesla is basically the ONLY car dealer to shake the crust off,
because it's THAT much better of a tech innovator. Not without the fight from
big-auto though. It's just how these machines work, however because banking
online and new startup FDIC innovation driven banks work WAY BETTER than these
dinosaurs. Lucky for me, my bank doesn't even have branches ... so I get my
dough back from the ATMs I use, within reason mind you. Online services are
STELLAR, because of the reinvestment into tech vs. traditional banks. Ah, I
hope they ALL die to be honest.

------
guelo
They should be required to provide a secure token-based API. The fact that
Mint has to store your bank password in plain text is asking for trouble.

~~~
balls187
Why does Mint have to store your bank password in plain text?

~~~
breischl
They don't have to store it in plain text, but they do need to store it with
reversible encryption (as opposed to hashing) so that they can use it to login
to the bank's website.

~~~
balls187
Right, that's my point. There is no technical requirement to be stored as
plain-text.

Though I would imagine that encryption, by definition, is two-way (encrypt,
decrypt).

As an aside, do merchant account API services provide a secure-token service
to store credit card information? That is, I enter in my VISA credit-card,
click "save" and Amazon.com gets a unique token back that identifies this
credit card. When I later go to purchase an item, Amazon uses this token with
VISA to charge my card? IIRC, that is how Stripe works, but I wonder if
each credit card manufacturer now supports this, as part of PCI compliance.
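The token-based, read-only access model that davidu, guelo and this exchange ask for, sketched as an added Python example that is not code from the original thread, from Mint, Stripe or any bank: a hypothetical bank-side `BankTokenService` issues an HMAC-signed token carrying the account, a scope list and an expiry, so the aggregator keeps only that token in place of the customer's password; a transfer attempted with a read-only token is refused, the customer can revoke the token without changing a password, and every decision is written to an audit log. The token format, scope names and signing scheme are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example of a bank-side token service (hypothetical, not any
# real bank's API): the aggregator stores only a scoped token, never a password.
READ_ACTIONS = {"balance", "transactions"}


class BankTokenService:
    def __init__(self):
        self._signing_key = secrets.token_bytes(32)  # never leaves the bank
        self._revoked = set()      # token ids the customer has cut off
        self.audit_log = []        # (account, action, outcome) per request

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._signing_key, payload, hashlib.sha256).hexdigest()

    def issue(self, account: str, scopes, ttl_seconds: int = 3600) -> str:
        """Issue a token limited to the given scopes ('read' and/or 'transfer')."""
        claims = {"acct": account, "scopes": sorted(scopes),
                  "jti": secrets.token_hex(8), "exp": int(time.time()) + ttl_seconds}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def _verify(self, token: str) -> dict:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
        if not hmac.compare_digest(self._sign(payload), sig):
            raise PermissionError("bad signature")
        claims = json.loads(payload)
        if claims["exp"] < time.time():
            raise PermissionError("expired")
        if claims["jti"] in self._revoked:
            raise PermissionError("revoked")
        return claims

    def revoke(self, token: str) -> None:
        # Cuts off one aggregator without the customer changing any password.
        self._revoked.add(self._verify(token)["jti"])

    def request(self, token: str, action: str) -> str:
        """Return 'ok' or 'denied:<reason>'; every decision is audited."""
        try:
            claims = self._verify(token)
        except PermissionError as err:
            self.audit_log.append((None, action, f"denied:{err}"))
            return f"denied:{err}"
        needed = "read" if action in READ_ACTIONS else "transfer"
        outcome = "ok" if needed in claims["scopes"] else "denied:scope"
        self.audit_log.append((claims["acct"], action, outcome))
        return outcome
```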

------
baldeagle
Check out [https://plaid.com/](https://plaid.com/) and [https://github.kdc.capitalone.com/hhu373/plaid-django-app/tr...](https://github.kdc.capitalone.com/hhu373/plaid-django-app/tree/master/plaidpython)

I'm working on setting up my own 'mint' for the purpose of working with my
expenses, and this is the service I'm looking into using.

------
JustSomeNobody
I must be a bit odd. I prefer to manually enter all my transactions in my
journal. I don't want it automated. Any time I've automated it, I have become
complacent. I feel, in order to properly manage my finances, there must be
some pain. Don't get me wrong, I use SW. I just don't use SW that is
automated.

~~~
mwg986
I think you're right and that there should be some pain. My version of this is
taking a full list of transactions and tagging them individually from
electronic exports. This way any expense isn't reconciled until it's tagged.
This can be done mostly automatically but some are unrecognized/unique
expenses. The unrecognized are the ones that probably matter the most in terms
of managing my finances, dining out, random items from Amazon, etc. I have to
review and recognize everything which makes me monitor the most important
aspects where I might have spent my money poorly.

------
jedberg
This brings up a really important question. Are your banking transactions
yours or the bank's? I know in Europe the law says that you own your
transactions, but I'm not sure if the US has clarity either way.

------
1024core
The banks care for their customers? Really??

Are these the same banks that used to charge "overdraft" fees of $35+ for a
$1.50 overdraft? Where was the concern for customers then??

~~~
logn
These are different departments. The people concerned about Mint come from
Risk, Fraud, Security, and IT. They don't decide overdraft fees.

------
dwaltrip
I'm leaving SF to travel around the US for 6-12 months, which means I need to
switch off the local credit union that I'm currently using. I may as well
choose something that will work for the indefinite future, including wherever
I land next (it will be in the US).

Any recommendations? I'd prefer an organization that was less culpable for the
financial crisis.

~~~
balls187
Why do you have to switch off the local credit union?

~~~
vinceguidry
The cards generally don't work overseas.

~~~
balls187
The OP wrote "leaving SF to travel around the US."

I read "SF" to mean San Francisco.

Also, I usually have better luck overseas with my credit union visa card than
I do with my credit card (since I know the PIN for my checkcard).

------
cpwright
My bank's web portal actually provides a good aggregator service for the
checking/savings/investment/loan accounts I have both there and elsewhere. I
find it very convenient when I do my monthly "what is the state of my
finances" spreadsheet.

