
How banks are getting around open banking and PSD2 - ghosh
http://thefinanser.com/2017/02/banks-getting-around-open-banking-psd2.html/
======
javiercr
Because of this we created Bankscrap[1], a Ruby gem to access multiple banks.
We basically find the APIs that the banks are using for their mobile apps and
expose them through a common Ruby library with a unified data model.

Each bank has an open source adapter (this is different to Teller) and we
encourage the community to help us build more adapters. So far we have
adapters for 4 major banks in Spain, and 3 more are a work in progress.

Whether PSD2 is going to happen or not, we believe public APIs for banks will
happen (even if banks don't like it).

IMHO banks are not scared because of security concerns: they all have APIs in
production already, they are just not documented. Their main concern is
basically how APIs used by third party services could affect their businesses.

[1]
[https://github.com/bankscrap/bankscrap](https://github.com/bankscrap/bankscrap)

~~~
farnulfo
Some time ago I found weboob (Web Outside Of Browser), which has a CLI for
French banks:
[http://weboob.org/applications/boobank](http://weboob.org/applications/boobank)

~~~
jgust
That is an unfortunate domain name, unless it's meant to be purposefully
amusing.

~~~
m_t
It seems to be a very recurring discussion in the comments on each LinuxFR
release post.

You can add that some modules have the same kind of name (BNporc which would
translate to BNswine for BNP Paribas[0]). Or some applications: QHandjoob[1],
QFlatBoob[2] or QHavedate[3] where the icon is a stickman with an erect penis
getting ready to have sex doggy style[4].

They used to have a Nazi swastika on the Caisse d'Épargne module logo[5]. At
least they changed that one.

Really, how anyone could use that professionally is beyond me.

[0]
[http://weboob.org/modules#mod_bnporc](http://weboob.org/modules#mod_bnporc)
[1]
[http://weboob.org/applications/qhandjoob](http://weboob.org/applications/qhandjoob)
[2]
[http://weboob.org/applications/qflatboob](http://weboob.org/applications/qflatboob)
[3]
[http://weboob.org/applications/qhavedate](http://weboob.org/applications/qhavedate)
[4]
[http://weboob.org/media/images/applications/qhavedate.png](http://weboob.org/media/images/applications/qhavedate.png)
[5]
[https://symlink.me/projects/weboob/repository/changes/module...](https://symlink.me/projects/weboob/repository/changes/modules/caissedepargne/favicon.png?rev=fa3b0ee1)

------
raesene6
I used to work in banking security and I can understand the bank's concerns.
If they allow a 3rd party access to customer data and that customer data is
subsequently leaked and used for fraud, who's liable?

If a law could codify an acceptable answer to that problem, I think a lot of
the security/regulatory problems could go away. Banks might still try to stop
the process for competitive reasons, but they might not be able to lean on the
crutch of "security" to do so.

In the UK this problem isn't new: there were aggregator services 15 years ago
that screen-scraped banking data to provide customers with a consolidated view
of their finances, and they required customers to provide their credentials
for them to do that. Banks understandably weren't too pleased about the idea
of 3rd parties having those credentials.

~~~
tyfon
In Norway it is quite clear who is liable, the 3rd party. Anyone that holds
personal data needs to acquire a license to do so from Datatilsynet (data
protection authority) and they can only use it for the purpose
specified/granted in the license.

Most of the banks here just provide downloadable csv/excel files after logging
in with BankID (national electronic ID thing,
[https://www.bankid.no/en/company/](https://www.bankid.no/en/company/)).

If you upload that file to a 3rd party, the 3rd party still needs a license
etc to keep/process it and is liable.

~~~
lucaspiller
I'd argue the same would be true in the UK too - under the Data Protection
Act, any company who holds personal information is required to register with a
government authority [0], and the act makes it fairly clear what
responsibilities and actions need to be taken regarding the handling of data.

[https://ico.org.uk/for-organisations/register/](https://ico.org.uk/for-organisations/register/)

~~~
grabeh
It's a little bit more nuanced than that. The Act places an obligation on data
controllers to register and to comply with the various obligations under the
Act. This excludes data processors (with controllers then making sure they
place relevant obligations on controllers contractually). Potentially a
service provider might argue they're a data processor although if they're
taking decisions over how the data is used they could easily fall within the
data controller category. Under current law, it's the data controller who
would be liable for any loss of data (although they would normally look to
cover off liability contractually with the processor).

In any event, liability really depends on who is taking the decisions over the
use of the data. If the third party just takes a feed of the data from the
bank then takes various decisions over its use, they could well be a data
controller. If on the other hand a bank contracts with a third party to
provide an account aggregation service to its customers and they are passing
data for this very specific purpose then the service provider could well just
be a processor.

The above is also going to change with the new General Data Protection
Regulation coming into force next year...

------
vegabook
It seems to me that many of the banks' concerns are legit.

I personally am not particularly keen on yet another API being made available
to a bunch of rapacious VC-funded startups that facilitates my intimately
personal financial info being spread around. Personally I bank with metro bank
in the UK, they're new, competitive, and frankly pretty darn good, all for
free. Do I need even more "financial services" thrown at me when there are
apparently zillions of bricks and mortar operators already offering me
everything from credit cards, subprime, insurance, car finance, re-mortgaging,
yada yada yada yada ad infinitum?

I would argue that in this case, the banks' and my interests are somewhat
aligned. They're protecting my privacy! How many profit seeking entities on
the internet can say that?

I get it that fintech would dearly love to get its hands on people's money,
but is there actual demand from said people for even more financial services?
Or does this post simply amount to self-interested regulatory lobbying for a
zero sum transfer of economic rents to the fintech space. Because you just
know that if these APIs come about, fintech will find all sorts of dubiously
"persuasive" ways to get people to allow access, possibly against their own
interests.

~~~
dharma1
You should be able to own your financial data, and access it in various ways.

Incumbent banks have been incredibly bad at creating modern digital user
experiences. To analyse my spending, I have to login to my online bank with a
fob and various passwords, download statements in .csv format (month by month,
no batch download) and plot them in excel. It's not great.

I am really looking forward to more open banking APIs. Monzo have one, a
couple of others, but very few.

I have been working on a side project for the kind of banking experience I
would want [1] - but it won't be possible without banks opening up APIs.

[1] [http://bixtr.com](http://bixtr.com)

~~~
lhnz
You should take a look at Teller [[http://teller.io](http://teller.io)].

~~~
dharma1
Looks good - but it's just a mailing list? Also not sure I want to give r/w
access to my transactions to someone I don't trust.

~~~
sjtgraham
Teller founder here. Bixtr looks cool. Would love to grab a cup of tea. sg at
teller . io

------
jasiek
FYI, Teller [[https://teller.io/](https://teller.io/)] in the UK, does what
every developer would dream of.

~~~
vosper
It doesn't seem to be publicly available, and they only seem to have posted
one (undated) blog entry ever. So... does it really work?

~~~
sjtgraham
Hi founder here,

Teller does work, but only a very small number of users have production access
at the moment. We've been very cautious about broadening access in case banks
responded aggressively, and generally speaking they haven't. A lot of work has
been put into making the service reliable when it essentially sits on private
APIs the banks prefer no one but them uses.

Teller will eventually support every bank but the banks we support currently
are:

- Barclays
- Natwest
- Nationwide
- Santander
- RBS
- Ulster Bank
- Isle of Man Bank

Re the single blog post. We only blog when we have something to talk about
that could potentially get to #1 on HN (as our only post did). We prefer to
stay focused on building the product, but stay tuned for more posts soon. :)

~~~
chaz6
I don't know if you saw that Natwest have set up openapi.netwest.com, and I
wonder if it is related?

------
freekh
Just throwing this in here: [https://github.com/OpenBankProject/OBP-API](https://github.com/OpenBankProject/OBP-API)

~~~
ichaib
Thanks for the shout out! Open Bank Project is an open source API solution for
banks. We have a catalogue of 130 standard pre-built banking APIs & 6000
developers worldwide using our interfaces. Also, PSD2 is the hook. There are
many more APIs banks can open up which are outside the scope of PSD2. In any
case, Open Banking is definitely a global trend now; there are similar
regulation efforts in the making in Australia, Singapore & South Korea. Feel
free to ask if you have any question on this topic.

~~~
jasiek
This is cool. Are there any banks at the moment that expose data using these
interfaces?

~~~
ichaib
Not publicly available yet. We are working on it.

------
stefs
security isn't the only problem. banks do not want the users to be fully
informed. if you overdraw your account, they make more money.

personally, i'd love to write my own open source clients you can verify and
compile yourself that provide better information and heuristics - but that'd
hurt the banks.

there are several kinds of users: those who make the bank money (the
uninformed that do not care much) and those who are actually interested in
their statements. the latter are loss leaders. for consumer banks, the latter
seem to be in the majority.

an app that informs you with the best intention (warning: if you continue your
spending for the rest of the month like you did this week, you'll pay a lot
extra!) would shift the balance even more.

------
sly010
> Application Programming Interfaces (APIs) with a tokenized or alternative
> authentication method [...] can be inconsistent among financial institutions

That sounds like a made up argument. How is structured data less consistent
than the scraping that is currently happening? A more realistic argument is
that banking systems are old and outdated, the cost of upgrade is enormous, and
no bank wants to be first.

Worse, some banks actually have standard APIs (e.g. OFX) that are used by
commercial accounting software (e.g. Mint, Quicken), but the banks (e.g.
Chase) charge a monthly fee to enable it.

------
Bombthecat
Since I'm doing API gateways.

I can tell banks plan or want to offer PSD2 services.

Either by a third party or offering them on their own.

What you might get though is a terrible ugly interface to the inner part of the
bank.

I also just read the newest version of the PSD2 proposal. There is (sadly or
luckily) still no plan for further specification of what a bank needs to offer
or how.

But all in all PSD2 won't change the world of payment. It will still be easier
to just use PayPal :)

------
sharemywin
I would like to see account numbers be portable like phone numbers are now.

~~~
dforrestwilson1
How would that work? Your money doesn't just sit in your account. The banks
use it to fund loans. Loans that they make money on. That's the premise of the
whole finance system...

~~~
PanMan
You are already allowed to leave your bank, and go to a different bank. The
'only' thing this would change is you would be able to take your account
number with you. BTW, European banks have explicitly not enabled this with
IBAN, as the bank's name is now part of the account number.

~~~
EmielMols
In The Netherlands almost all banks support a "forwarding service" when
switching banks: direct debits to the old account will be forwarded for at
least a year to the new bank (account).

You can bet the banks didn't think of this themselves, but it was probably
forced on them by a consumer protection law. It is, coincidentally, something
most Dutch people don't know exists.

------
jdeibele
I've been frustrated for some time that there's not a generic "look but not
touch" function available to 3rd party programs.

I'm a lot less concerned about a 3rd party leaking info about my assets than I
am about them being able to do things with them.

So far, every program or website that wants access to info also gets full
rights to sell, buy, transfer, etc.

~~~
iffycan
I feel the same way. I made
[http://www.simplefin.org](http://www.simplefin.org)
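As an added example (not code from the thread, SimpleFIN, or any project named above), here is the kind of "look but not touch" scoping the parent comment asks for, written as a deny-by-default authorization check in Ruby. Every name in it (the scope strings, endpoint table, `issue_token`, `authorize`, `read_only?`) is hypothetical; the point is that a token handed to a third party can carry only read scopes, so money-moving endpoints are refused even if the token leaks.

```ruby
# Added example: least-privilege scopes separating read-only access from
# money-moving actions. All scope names and endpoints are invented for
# illustration and are not any bank's or aggregator's real API.
require 'set'

READ_SCOPES  = Set['accounts:read', 'transactions:read'].freeze
WRITE_SCOPES = Set['payments:create', 'transfers:create'].freeze

# Scope required by each endpoint. Anything not listed is denied outright.
ENDPOINT_SCOPES = {
  'GET /accounts'     => 'accounts:read',
  'GET /transactions' => 'transactions:read',
  'POST /transfers'   => 'transfers:create',
  'POST /payments'    => 'payments:create'
}.freeze

Token = Struct.new(:id, :scopes, :expires_at)

# Issue a token carrying exactly the requested scopes; unknown scopes are
# rejected at issuance rather than silently ignored. `now` is injectable so
# the behaviour can be checked without depending on the wall clock.
def issue_token(id, scopes, ttl_seconds, now: Time.now)
  scope_set = Set.new(scopes)
  unknown = scope_set - (READ_SCOPES | WRITE_SCOPES)
  raise ArgumentError, "unknown scopes: #{unknown.to_a.inspect}" unless unknown.empty?
  Token.new(id, scope_set, now + ttl_seconds)
end

# Deny-by-default decision for one request. Returns [allowed, reason] so a
# caller can log why a request was refused (expiry, unknown route, scope).
def authorize(token, method, path, now: Time.now)
  return [false, 'token expired'] if token.expires_at <= now
  required = ENDPOINT_SCOPES["#{method} #{path}"]
  return [false, 'unknown endpoint'] if required.nil?
  return [false, "missing scope #{required}"] unless token.scopes.include?(required)
  [true, 'ok']
end

# True when the token can only read: no scope that moves money.
def read_only?(token)
  (token.scopes & WRITE_SCOPES).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a read-only token for an aggregator, valid one hour.
  t0 = Time.at(0)
  aggregator = issue_token('agg-1', ['accounts:read', 'transactions:read'], 3600, now: t0)
  puts "read-only: #{read_only?(aggregator)}"
  puts "GET /transactions -> #{authorize(aggregator, 'GET', '/transactions', now: t0 + 10).inspect}"
  puts "POST /transfers   -> #{authorize(aggregator, 'POST', '/transfers', now: t0 + 10).inspect}"
  puts "after expiry      -> #{authorize(aggregator, 'GET', '/accounts', now: t0 + 4000).inspect}"
end
```

The design choice worth noting is that the check keys on the endpoint table rather than on a "write" flag inside the token: a leaked read-only token cannot be upgraded by the client, and an endpoint nobody registered a scope for is refused instead of defaulting to open.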

------
vegabook
the author's "about" pages are a cringe-inducing hubris-fest, and that's being
charitable.

[https://chrisskinner.global/#about-us](https://chrisskinner.global/#about-us)

~~~
bitJericho
Haven't had a laugh that good in a long time.

------
NKCSS
I created an app that would poll my transaction data from my bank's website
and then send push messages to my phone if any new transaction came in. I
loved it. While doing groceries, having not left the line and packing up my
goods, I'd get a push message of the transaction. This gave me a real feel for
what happened on my bank account.

When notifo stopped (a free API to send push messages without having to write
your own native app), I didn't re-implement it, but from time to time I
wished I had; maybe something I should look into again.

~~~
Humdeee
Are you sure it's not already a feature your bank supports by now? All the
major banks I know of (at least here in Canada) have supported this for a while
and it can easily be set up within a few clicks. I have SMS for transactions
over $20.00 or whatever threshold I want, and it's very nice getting an SMS
seconds after paying or auto-withdrawals from my accounts.

~~~
NKCSS
My bank can set SMS-alerts based on custom rules, but they charge €0.50 or
something per SMS.

~~~
csydas
It's not universal. My U.S. banks don't do this and only have email
notifications, with a minimum threshold of $10 for some reason. My work
account where I live abroad notifies me of every transaction and all attempts
at logins on my online account. The pay terminal info is sent with the amount
and current balance to my phone.

------
djrogers
This kind of thing would definitely guide my decision as to what bank I keep
my money at. If my bank killed digit for example, I'd switch in a heartbeat.

I think big banks will learn pretty quickly that they are commodities, and
they will need to compete on more than inertia alone.

------
iffycan
And for this reason, there's the SimpleFIN spec and SimpleFIN Bridge[1]. Until
banks implement the APIs themselves the SimpleFIN Bridge will _bridge_ that
gap.

[1] [https://bridge.simplefin.org](https://bridge.simplefin.org)

------
jsudhams
Yodlee Supports almost all the banks in the world,

[https://www.yodlee.com/](https://www.yodlee.com/)

~~~
javiercr
Yodlee used to be the provider for Mint [1]. I assume they use some
combination of authorized + non-authorized web scraping.

It looks like something that makes sense for big companies. The pricing [2] is
a bit weird:

> Developers will find the Envestnet | Yodlee Aggregation API – our new and
> improved RESTful API architecture – easy to use, which will speed up
> integration and simplify data access. It will also enable developers to sign
> up on the developer portal for a $250 monthly fee and get immediate access
> to a testing and production environment.

So $250/mo just to sign up... no idea what the pricing per API call is.

[1]
[http://money.cnn.com/2010/12/02/pf/mint_leaves_yodlee/](http://money.cnn.com/2010/12/02/pf/mint_leaves_yodlee/)

[2] [https://www.yodlee.com/blog/envestnet-yodlee-offers-new-quic...](https://www.yodlee.com/blog/envestnet-yodlee-offers-new-quickstart-service-support-package-developers-formerly-using-intuits-financial-data-apis-cad/)

