
Bank of America Cut Off Finance Sites from Its Data - petethomas
http://www.nasdaq.com/article/bank-of-america-cut-off-finance-sites-from-its-data-20151109-01585
======
ecobiker
The US banking system has not adapted to the modern world at all. Anyone who
has worked with ACH will tell you how bad it is from a payment processing
point of view - for those who don't know - you only receive negative ack,
i.e., when a transfer failed and it's nowhere close to being instantaneous.
It's common elsewhere to have a "read" password and a "write" password.
Basically, you'll be prompted with additional security measures when you are
doing a transfer. Also, the details I give out to somebody to receive money are
the same details someone needs to take money out from my account. What the US
banks have is a "digital" cheque processing system and not a digital banking
system.

It's antiquated.

~~~
toomuchtodo
Gusto did a great blog post series about this, I highly recommend taking the
time:

[http://engineering.gusto.com/how-ach-works-a-developer-perspective-part-1/](http://engineering.gusto.com/how-ach-works-a-developer-perspective-part-1/)

------
guelo
Banks have been purposefully limiting customers' view of electronic data for
years, first by eliminating running balances about 10 years ago and then by
limiting online data to 90 days. They do this because confused customers are
more likely to pay fees such as overdraft fees, which is where retail banks
make most of their money.

Mint complied with the banks' demand to not display running balances but they
do display data going back indefinitely in time.

What Mint has shown the banks is how valuable the data is to advertisers. The
data is so valuable that Intuit is shutting down their popular $50/year semi-
subscription Quicken software in favor of advertising to people via Mint.

In an ideal world a government regulator would step in and ensure data access
and privacy. But we do not live in a very ideal world.

~~~
Hermel
> In an ideal world a government regulator would step in and ensure data
> access and privacy.

No, in an ideal world there would be much more competition between banks,
forcing them to offer better services in order to keep their customers.

~~~
pavel_lishin
Given that I think everyone here wants banks to give us better data access and
privacy, why is the more-competition ideal world better than the government-
regulation ideal world in this specific regard?

------
krschultz
This leads to an opening for either a challenger to Mint that has better
relationships with the banks, a bank with a better UI than the existing banks,
or a bank that explicitly supports Mint.

The existing banks burying their heads in the sand when there is obvious
consumer demand makes the area much more ripe for a new entrant. I'm not sure
how it will play out, but I would consider switching banks in order to have a
better UI on my money. Supporting something like Mint or Personal Capital is
basically a requirement for me to put my money in your bank.

Note that I'm not even particularly happy with Mint, I just can't imagine not
having some form of aggregation of my financial life. I probably check it at
least 1-2x a week and have been for 5+ years, it's a critical piece of
software for me.

------
lotyrin
I don't use the aggregators because I want to, and they don't use my passwords
and screen scrape because they want to. I just can't have being aware of my
finances take all fucking day.

I wish there was a standard and secure format and protocol for collecting
balances and transactions built into the FDIC or NCUA rules or something.

~~~
Someone1234
For a secure protocol just use HTTPS. Secure formats don't really exist for
data interconnects, since you'd have to send across enough information to
decrypt it, and now we're in the "security through obscurity" territory.

It might sound horrifying but JSON or CSV over HTTPS is the most likely to
work and the least work for financial institutions to implement (thus giving
them less ammo to fight it on cost grounds).

Services interconnecting is largely a solved problem in general. Banks might
have needed better security historically, but these days these services are
all fairly secure, so there isn't much bar raising that needed. Heck Apple Pay
is basically this system.

------
mountaineer
Remember when Simple was going to offer an API and provide a path forward for
this problem [1][2]? Never happened [3], speaks to challenges of financial
data still I guess.

[1] [http://www.programmableweb.com/news/banksimple-banking-service-api-and-all/2010/09/07](http://www.programmableweb.com/news/banksimple-banking-service-api-and-all/2010/09/07)

[2] [https://groups.google.com/forum/#!forum/simple-api](https://groups.google.com/forum/#!forum/simple-api)

[3] [https://www.simple.com/api](https://www.simple.com/api)

------
cyanbane
(Mins involved over 6 months logging into 8 different banking websites/apps) >
(Mins for me to just move my money to a bank that supports aggregators)

The banks' ship has sailed on the presentation front. They need to concentrate
on strong read APIs and novel ways for authentication.

------
jayzalowitz
Fuck it, I am going to build an open source project with the sole goal of
automating access to all of these sites with selenium or something.

Get ready for war (in the nice, data science-y way).

~~~
antsar
That's what these "finance sites" already do. That's why you have to enter
your bank username and password to use them - they just scrape the website.

Incidentally, I have never used one, because that requirement is completely
insane.

~~~
ajkjk
Why is that insane? It's inelegant, but it's not functionally different than
having an API and a system for registering API keys. Either you trust the
aggregator or you don't; if you don't you shouldn't give them access to your
data either way. If they do something they shouldn't with your data, they'll
be ruined if it becomes public.

(Of course there's a huge gray area of things they could do that you wouldn't
like, but that wouldn't ruin them. But there's a clear difference between
questionable things, like selling your data to advertisers, and completely
not-ok things, like stealing your money.)

~~~
snowwrestler
> Why is that insane? It's inelegant, but it's not functionally different than
> having an API and a system for registering API keys.

Because there is such thing as a read-only API. But logging into the banking
site as a customer permits the aggregator to take actions as the customer,
like wire transfers--which are not reversible, and not typically covered by
fraud protection.

Sure, I might trust Mint not to do that, but what if Mint gets hacked? By
definition, Mint can access my bank creds in plain text, since it must paste
them into my bank's website. That is worse security than even my own bank's
website, which undoubtedly stores only the hash of my password.

My bank is not going to indemnify me for fraud caused by Mint's security
problems. Bank agreements usually say "don't share your account creds," so if
you do, and then lose your money, the bank is not likely to make you whole.

------
danw3
> Banks said they are within their rights to block or slow customers' access
> to their own financial data.

I find this mindset incredibly disturbing.

------
tzier
Reminiscent of taxi companies vs ridesharing companies. Trying to fight/shut
down these services vs working with them (or even developing your own
competing solutions) didn't end well for taxis.

------
imgabe
Wait a minute. From _ITS_ data? From Bank of America's data? I think they mean
from the _customer's_ data. Data that the customer specifically authorized
these services to access.

~~~
rdudek
The way it works here in the US is that data belongs to the bank and not the
customer.

------
wildlogic
My credit union has an article on their FAQ on how to connect to mint :)

------
redbeard0x0a
There are solutions out there that the banks could use to allow their
customers to have programmatic access to their transactions (i.e. an API).
OAuth 1.x and 2.0 both have ways to provide access to your data without you
having to turn your password over to an aggregator (i.e. Mint). Banks have no
incentive to evolve; the barrier to entry is so large (regulatory barriers)
that there are no startup banks who could truly show the world what is
possible.

------
Spoom
Couldn't banks and aggregators just implement OAuth, so the aggregator gets
just the level of access they need, and you never have to give them your
password?
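snowwrestler's point that a read-only API differs from handing over a login, and the OAuth suggestions from redbeard0x0a and Spoom, describe the same design: the bank issues the aggregator a token carrying only the scopes the customer consented to, so the aggregator never holds the password and a compromised aggregator cannot move money. The sketch below is an added illustration, not code from this thread, from Mint, or from any bank's API. The HMAC-signed token format, the signing key, the `transactions:read` and `transfers:write` scope names, the customer ids and the ledger are all constructed for the demo; a production system would use a standards-based OAuth 2.0 authorization server rather than a hand-rolled token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real authorization server keeps its key in an HSM or
# secrets store and would more likely sign with an asymmetric key.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed sample ledger standing in for the bank's core system.
LEDGER = {
    "cust-1": [
        {"date": "2015-11-09", "amount": -4.25, "desc": "coffee"},
        {"date": "2015-11-08", "amount": 1500.00, "desc": "payroll"},
    ]
}


class ScopeError(PermissionError):
    """Raised when a token is missing, invalid, expired, or lacks a scope."""


def _b64encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(customer_id, scopes, ttl_seconds=3600, now=None):
    """Mint a bearer token bound to one customer and an explicit scope list.

    The customer's password never appears here: the bank's authorization
    server issues the token after the customer logs in and consents.
    """
    now = int(time.time()) if now is None else now
    payload = {"sub": customer_id, "scope": sorted(set(scopes)), "exp": now + ttl_seconds}
    body = _b64encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64encode(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, now=None):
    """Return the payload if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    try:
        # Constant-time comparison so signature checks don't leak timing.
        if not hmac.compare_digest(_b64decode(sig), expected):
            return None
        payload = json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def require_scope(token, scope, now=None):
    """Verify the token and insist on one scope; the API layer calls this per endpoint."""
    payload = verify_token(token, now)
    if payload is None:
        raise ScopeError("invalid or expired token")
    if scope not in payload.get("scope", []):
        raise ScopeError("token lacks scope " + scope)
    return payload


def list_transactions(token, now=None):
    """Read-only endpoint: what an aggregator actually needs."""
    payload = require_scope(token, "transactions:read", now)
    return list(LEDGER.get(payload["sub"], []))


def initiate_transfer(token, amount, to_account, now=None):
    """Money-moving endpoint: requires a scope a read-only token never has."""
    payload = require_scope(token, "transfers:write", now)
    return {"from": payload["sub"], "to": to_account, "amount": amount, "status": "accepted"}


def demo(now=1447027200):
    """Walk through the aggregator case and return a summary of the outcomes."""
    aggregator_token = issue_token("cust-1", ["transactions:read"], now=now)
    summary = {"transactions": len(list_transactions(aggregator_token, now=now))}
    try:
        initiate_transfer(aggregator_token, 500.0, "acct-other", now=now)
        summary["transfer_blocked"] = False
    except ScopeError:
        summary["transfer_blocked"] = True
    # Tampering with the signed body (e.g. to add a scope) breaks the signature.
    body, sig = aggregator_token.split(".")
    tampered = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + sig
    summary["tampered_rejected"] = verify_token(tampered, now=now) is None
    # A leaked token stops working once its lifetime passes, unlike a password.
    summary["expired_rejected"] = verify_token(aggregator_token, now=now + 7200) is None
    return summary
```

The design choice worth noting is that scope enforcement sits at each endpoint rather than at login: the aggregator's token is accepted by `list_transactions` and rejected by `initiate_transfer`, so even a full compromise of the aggregator yields read access only, and the token's expiry bounds how long that access lasts. Compare this with the screen-scraping model the thread describes, where the only credential that can be handed over is the customer's password, which grants every action the customer can take.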

------
xirdstl
Is this just for bank accounts (checking / savings)? I have a credit card
account with BoA, and Mint isn't having any problems accessing it.

------
maxxxxx
The crazy thing is that this problem has been solved a long time ago. MS Money
had the ability to download from different banks and then you had all the data
on your hard disk. Worked like a charm, but as it seems to be the trend these
days with things that worked well, MS abandoned it.

Mint is so primitive in comparison.

------
Someone1234
We're on Wells Fargo who are also doing this.

Does anyone have an alternative banking solution? We aren't eligible for USAA.
I'd love to keep local free ATM withdrawals, and I have no idea how depositing
cash works for online only financial services.

~~~
Jtsummers
EDIT: This is all wrong: _I think USAA checking and other financial services
are open to most people now, not just military and relatives of current
members. Insurance and perhaps retirement accounts, I think, are all that are
still restricted._

This either used to be true and it's switched back, or they were discussing it
and decided not to implement it. Sorry for the mistake.

Also, yeah, as my sibling reply says, you can't deposit cash easily. I think
you can technically mail it, but I would never do that. I used to get paid
rent by a roommate in cash, it was a few hundred a month. I'd just pay for my
meals and groceries with it instead of depositing it.

~~~
Someone1234
When you try and open a USAA Checking account, they ask you for your military
affiliation, if you say none they say:

> Sorry, we can't open this account for you.

> USAA Bank products are only available to military members, veterans who have
> honorably served and their eligible family members.

People keep saying USAA opened up the door to everyone, but their website says
nothing like that.

~~~
Jtsummers
Yeah, I tried to make a new account and saw the same message, that's why I
edited it. A Google search revealed a Reddit post from 2013 of people
discussing it. Apparently that's when they closed it to non-military
affiliated folks.

~~~
Someone1234
Oh sorry, I read your edit backwards.

~~~
Jtsummers
No worries. I haven't been the best communicator this week.

------
uptown
Chase has been doing this as well.

[http://www.wsj.com/articles/big-banks-lock-horns-with-personal-finance-web-portals-1446683450](http://www.wsj.com/articles/big-banks-lock-horns-with-personal-finance-web-portals-1446683450)

------
mikerichards
I'm with BoA and have a mint account. This happened months ago. I pretty much
knew what was going on, but didn't pursue the matter. I was always a little
leery about letting mint into my account anyway.

------
mattgoyer
Can someone recommend a bank with accounts for small businesses that is
unlikely to do this in the future? I'm on BofA now and refuse to hand
reconcile transactions in 2015!

------
chris_wot
They'll never disclose what the security issue is, I assume?

~~~
xirdstl
I suspect they mean that handing out your password is a security issue. It's
not like these sites are new, though, so I don't trust that "security" is the
main motivator.

------
redditmigrant
I stopped using mint a while ago since there was no way to get it to work with
my bank's two-factor authentication. A read-only password would make things a
lot easier.

------
uts
Why don't banks implement read-only passwords?

~~~
mmebane
USAA does, but it's not implemented as simply as app passwords. There are two
major issues with aggregators: 1) authentication and 2) data access mechanism.
A read-only app password would solve #1, but aggregators commonly implement #2
by screen-scraping, which is the bane of everyone's existence. I wouldn't be
surprised if half of the reason BoA cut off aggregator access was because most
of the aggregators were screen-scraping, and BoA got tired of the support
calls whenever they made a site change and people's accounts stopped syncing.

Last I heard (um, a couple of years ago), USAA's solution was a proper API,
but Mint was still screen-scraping. I have no idea if that's because Mint is
lazy or USAA's API is too limited for what they want, but my money would be on
the former.

------
driverdan
The solution is to stop using institutions like BoA and Chase that actively
fight against your interests. Let your money talk.

------
Jtsummers
BoA used to have its own aggregator, have they removed it?

