
Wells Fargo's Bid to Vanquish Screen Scraping - octavien7
http://www.americanbanker.com/news/bank-technology/wells-fargos-bid-to-vanquish-screen-scraping-1081367-1.html
======
curun1r
This is good to hear, but also rings a bit hollow given the industry's history
with trying to keep data locked up. There are very simple things the industry
could have done long ago to make their users more secure and they've done none
of it. For instance, banks could have let users create read-only credentials
to give to aggregators greatly reducing the potential for fraud. They could've
created application-specific passwords, similar to what Google has done, that
would allow more intelligent application of MFA and such...every time I log
into Mint, I get a text message from Vanguard telling me that an unrecognized
device is attempting to log in, requiring me to fix the account in Mint.
Instead, they've basically adopted a "let's make it as difficult to scrape as
possible" mentality which has contributed to the insecure and buggy situation
we have today.

APIs are good, as are OAuth-style permissions requests where users get to at
least know what data a service is asking for. But they shouldn't be used as a
way to kill off screen scraping. They should be a better option that allows
screen scraping to die off normally. The aggregation industry that scrapes
hates it even more than the banks do. It costs them a ton of manpower to keep
it working and each integration needs to be done as a one-off. If the banks
provide a better solution, it will get used. Better yet, if they can come up
with a single standard API that will work with most/all banks, that would be
even better. But if the banks also take measures to prevent scraping, it is
going to cause problems and not be a good thing for account holders.
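
The read-only, application-specific credentials described in this comment, as an added illustration that is not part of the original thread and not any bank's real implementation: a bank-side service mints a token bound to one application with an explicit scope list, the API checks the scope on every call, and the user can revoke that one token without changing the master password. The token format, scope names, and the `issue_app_token`/`authorize`/`revoke` functions are constructed for this example.

```python
"""Constructed example: application-specific, scope-limited credentials
for aggregators. Not Wells Fargo's or any bank's code; all names are assumed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical bank-side signing key (would live in an HSM or KMS in practice).
SIGNING_KEY = secrets.token_bytes(32)

READ_SCOPES = {"read:balances", "read:transactions"}
WRITE_SCOPES = {"write:transfers"}

# Token ids the user has revoked (e.g. "disconnect Mint"); the password is untouched.
REVOKED = set()


def _sign(payload_b64: str) -> str:
    return hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


def issue_app_token(user_id: str, app_name: str, scopes: set, ttl_seconds: int = 86400) -> str:
    """Mint a credential bound to one application with an explicit scope list.

    The user hands this to the aggregator instead of the master password, so the
    aggregator can never do more than the listed scopes allow. The MFA challenge
    happens once, here at issuance, rather than on every aggregator login.
    """
    unknown = scopes - READ_SCOPES - WRITE_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    payload = {
        "sub": user_id,
        "app": app_name,
        "scopes": sorted(scopes),
        "exp": int(time.time()) + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so this single token can be revoked
    }
    # urlsafe base64 never contains '.', so the separator below is unambiguous.
    payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return f"{payload_b64}.{_sign(payload_b64)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the payload if signature, expiry and revocation checks pass, else None."""
    try:
        payload_b64, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return None  # tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    if payload["exp"] < time.time() or payload["jti"] in REVOKED:
        return None
    return payload


def authorize(token: str, required_scope: str) -> bool:
    """The scope check the bank API would run on every request."""
    payload = verify_token(token)
    return payload is not None and required_scope in payload["scopes"]


def revoke(token: str) -> None:
    """User-initiated disconnect of one application."""
    payload = verify_token(token)
    if payload:
        REVOKED.add(payload["jti"])


def demo() -> dict:
    """Walk through the aggregator use case and return the outcomes."""
    aggregator_token = issue_app_token("alice", "mint", {"read:transactions", "read:balances"})
    results = {
        "aggregator_can_read": authorize(aggregator_token, "read:transactions"),
        "aggregator_can_transfer": authorize(aggregator_token, "write:transfers"),
    }
    # Flip one character of the signature: the API must reject it.
    head, sig = aggregator_token.rsplit(".", 1)
    forged = head + "." + ("0" if sig[0] != "0" else "1") + sig[1:]
    results["forged_accepted"] = authorize(forged, "read:transactions")
    # User disconnects the aggregator; only that token dies.
    revoke(aggregator_token)
    results["revoked_accepted"] = authorize(aggregator_token, "read:transactions")
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the aggregator holds a credential whose blast radius is bounded by its scopes and lifetime, so a leak at the aggregator cannot move money, and the user's remedy is revoking one token rather than rotating the password every service depends on.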

~~~
tln
Wells Fargo allows me to create Read Only credentials! They should get credit
for this feature. I wish all my financial accounts had this.

~~~
semi-extrinsic
I was going to ask, why do you need to give third parties read access to your
account? I've never done so in my life, and can't see the use case.

Then I see further down: it's for the FUBAR tax return system in the US.

Here's a solution for you: fix your damned tax return system first (and watch
Intuit go out of business in the process). Then you've solved many big
problems, not just a small one.

~~~
mryan
> I was going to ask, why do you need to give third parties read access to
> your account?

Tax is not the only reason. How about data analysis services for your personal
finances? e.g. mint.com.

~~~
semi-extrinsic
TIL this is a thing third parties do in the US.

Round here (Norway), your bank already does this analysis part. When I log
into my bank's app or webpage, I get an instant overview of how much I spent
last month on the mortgage, food, gas, insurance, clothes etc. And I can
define custom categories, as well as change how the system sorts transactions
into different categories.

The budgets for the next 12 months my wife and I keep in a shared Google Docs
spreadsheet. Planning requires thought, so I'm skeptical that you can automate
a budget and then have people follow it (unless it's a very lenient budget).

~~~
toomanybeersies
It's a separation of concerns thing. Sure, you can use your bank for analysis,
but there's better options out there. Banks are for storing money, not
financial analysis.

~~~
lisper
> Banks are for storing money

Actually, banks are for aggregating capital. There is no institution in the
Western financial system where you can just store money. The best you can do
is put physical cash in a safe deposit box.

~~~
scott00
Putting physical US cash in a safe deposit box is actually illegal in the US.

~~~
dragonwriter
AFAICT, it actually isn't in the general case (it may be when done with
certain intent or effect), but most US banks now have a blanket prohibition on
foreign or US currency in the agreement they require when you rent a safe
deposit box.

------
spangry
A more informative title for the article probably would have been "Wells Fargo
to publish API". It's about damn time too. Government, take note.

~~~
jbob2000
Wells Fargo to publish API _for private use for Xero customers_

It's not an API that anyone can hook into, just Xero.

~~~
sheepleherd
The article says they plan to go beyond Xero; Xero is just... first.

------
sjtgraham
Retail banking is a classic case of diametrically opposed incentives. Banks
rely on the opacity of their products, apathy and the fear that the majority
of people have of simply opening their bank statement, to inflict punitive
charges on their customers. You want to keep your money, banks want to take it
away from you.

Banks also depend on cast-iron control of the channel to cross-sell other
products and services. The thing about 1st party bank APIs is they completely
undermine all of this and that is why they haven't happened.

The end-of-days scenario for retail banking is a 3rd party coming along to
build a superior banking experience atop of their APIs. The 3rd party starting
from a market share of 0 has no choice but to align their incentives with the
user in order to grow. This will manifest in apps that proactively warn users
before their account incurs charges, notifies users when they do, and present
products and services that compete with the banks but are better value for the
user. A 3rd party will de facto end up owning the most important banking
channel and this will ultimately devastate the bank's revenues. All of this is
terrible for the bank but great for the user.

When you decompose things into underlying incentives it becomes clear why
things have or have not happened and will or will not happen.

There are various initiatives to compel banks to provide open APIs, e.g. PSDII
in Europe. However considering the aforementioned incentives it seems obvious
that banks will not act in good faith and will find any excuse (vague
hand-waving to security, fraud, etc) to subvert the UX of the API such that any
service built on top of it is awful to use. A concrete example of this is the
gestating RBS API, they require a 2FA SMS code before moving money over £30.
This is something they do not do and will never do in their own private APIs
that power their own mobile apps because users will not stand for it, but they
can do this with a public API that has no users to speak of very easily.

Considering the current incentives 1st-party banking APIs (at least the ones
we would wish to see) will not happen. The only way that can change that is
through market forces, i.e. one bank has to provide the APIs that cause
material customer churn at other banks. Given this it's clear screen-scraping
is going nowhere anytime soon; in fact it will evolve, by directly hooking in
to the private APIs that power the banks' own APIs for more robust, and fully
transactional APIs, i.e. payments and transfers.

Disclaimer: I have started a company that does this -
[https://teller.io/](https://teller.io/)

~~~
audleman
This is a brilliant answer! Responses like this are exactly why I come to
Hacker News comments when I really want to understand an issue.

Follow up questions:

1. Why is Wells Fargo doing this if it poses such a threat to their
penalty-based-fees revenue stream?

2. Are there services currently doing the type of account alerting using
screen scraping tech? If not, why not?

~~~
sjtgraham
1. What Wells Fargo is providing is a limited feed, to a single customer
(Xero), that services SME customers and not consumers. Wells Fargo has chosen
not to make the API open access at this point too. I do not see that this
currently conflicts with their business model.

2. Not that I am aware of. I expect that is because the largest provider of
screen-scraping feeds is prohibitively expensive (requires large up-front fees
and minimum commitments).

------
javiercr
There is one thing that often goes unnoticed: most banks already have APIs;
they're public (accessible by anyone) but not documented. I'm talking
about the APIs that provide data to their official mobile apps (is there any
bank without a mobile app in 2016?).

For this very reason we've created Bankscrap, a Ruby gem to unlock those
undocumented APIs. The main difference with the services behind apps like Mint
is that:

A) We do not use screen scraping.

B) It's all open source! Check it out:

[https://github.com/bankscrap/bankscrap](https://github.com/bankscrap/bankscrap)

~~~
ianpurton
Turns out Wells Fargo already has an API then.
[https://www.wellsfargo.com/mobile/apps/](https://www.wellsfargo.com/mobile/apps/)

------
renownedmedia
What took these assholes so long?

We've been typing usernames and passwords for our very important _banking_
accounts into third parties like Mint (instead of using OAuth) for several
years now.

------
klinskyc
Thought that the article was going to go in a totally different direction
before reading it. Instead of solely trying to block screenscrapers, Wells
Fargo is actually providing a better alternative. If only everything worked
that way.

------
mschuster91
Oh, how much do I like the German HBCI standard... nice to see that at least
some non-German players decide to follow the API trend.

However, it is disappointing that this is just a single bank and not a group
of banks developing this - and especially, that a battle-tested standard was
not adopted.

edit: in Germany, actually, there's for commercial use the DTA standard
([https://de.wikipedia.org/wiki/Datentr%C3%A4geraustauschverfa...](https://de.wikipedia.org/wiki/Datentr%C3%A4geraustauschverfahren))
since 1976 (!), which has been replaced only recently by SEPA/ISO20022.
Meanwhile, US banks decide to follow xkcd #927
([https://xkcd.com/927/](https://xkcd.com/927/))...

------
smockman36
Do most banks not have an API? If you use software (e.g. something from
Intuit) that accesses your banking info, is it likely screen-scraping?

~~~
spangry
Correct. Most banks are running back end infrastructure from the 80s with lots
of manual or semi-manual processes (e.g. overnight interbank batch
reconciliation, at least in Australia). From an outsider's perspective, it
appears that retail bank management is completely technically illiterate.

Which unfortunately also makes them the perfect marks for being sold
inappropriate tech solutions (see: blockchain mania).

~~~
shaftway
From an insider's perspective, yes. They are completely technically
illiterate. Banks. Exchanges. Brokers. The whole financial services industry.

~~~
spangry
Oh yeah, don't get me started on exchanges. I'm astounded at how bad their
technical processes are. The ASX (Australian Stock Exchange) has something
like a 3 day time to settlement. And I'm told it's one of the more 'modern'
exchanges (I guess the other ones are still using stock tickers and abacuses).

~~~
meric
Unfortunately 2 days now. I appreciate the time to settlement because I could
buy my shares and pay 2 days later. Sometimes it takes time to get funds from
other accounts, and I wanted to buy (or sell) today, for example, when the
quarterly just came out.

------
hannasm
Forget about existing banking interchange formats, which (from personal
experience) Wells Fargo either doesn't support (OFX) or implements poorly (QFX);
they should definitely define a new API and be a leading stakeholder.

~~~
kornork
Can someone who knows explain why Wells Fargo is inventing a new API rather
than using OFX? Is OFX deficient?

~~~
Spivak
OFX isn't great and a PITA to implement, but it's ubiquitous thanks to Quicken.

Banks move at speeds that make most glaciers jealous and Intuit has some
financial incentives to keep the spec complicated so it's really no surprise
we've been stuck with it so long.

A new open standard would have been nice, but I wouldn't hold my breath on
other banks implementing it, so I can't really blame WF for going it alone
here.

------
RexM
While reading this article, I remembered an article posted to HN about the
introduction of TAuth from teller.io that might be relevant to this
discussion.

[https://news.ycombinator.com/item?id=11636847](https://news.ycombinator.com/item?id=11636847)

------
byoogle
Perhaps Wells Fargo should finish implementing their website first. They’re
missing basic services like letting you make a wire transfer online. Our
company is in the middle of switching banks because dealing with them is such
a hassle.

~~~
genieyclo
For businesses, Wells Fargo offers wire transfer online as part of CEO:
[https://www.wellsfargo.com/com/ceo/](https://www.wellsfargo.com/com/ceo/)

~~~
ianhawes
The process for getting approved as a startup to even use CEO was convoluted,
required multiple sign-offs for no reason, and we were denied twice. It took
emailing someone's boss off of LinkedIn to actually get in. And the best part
is that CEO Portal is terribad. The RSA tokens they send you will often go
"out-of-sync" and you're SOL until they FedEx you a new one. The features list
is great but the struggle with actually using the tool makes it painful.

FWIW, we switched to Bank of America and can't complain. I can send wire
transfers online without issue.

------
twblalock
It would be nice if an industry standard developed around Oauth for financial
data. It would be far easier for data aggregators to use, and far safer for
customers as well.

~~~
drglitch
One huge reason there's a war going on over this is that aggregate
transactional (not even itemized receipt) data is a goldmine of near-real-time
consumer behavior analytics. Hedge funds love this data and companies like
Yodlee (and a couple of startups) are stomping over one another to sell it. A
couple of startups were on HN recently.

~~~
twblalock
Judging by some recent statements by Jamie Dimon and others, the banks would
much rather provide this information via secure APIs than allow screen
scraping to continue.

