
UK's Open Banking to Launch on 13 January - nns
https://www.openbanking.org.uk/about-us/news/uks-open-banking-launch-13-january-2018/
======
zAy0LfpBZLC8mAC
WTF? What is open about a system that only very few organisations can use?
Imagine in the paper world, now you not only can ask the bank how much money
you have, you can also authorize other companies to look at your account
statements for you ... but no one got the idea that maybe you, the account
holder, should be able to get a copy of the account statements?

It seems we are still at the "reading and writing is for monks" stage of
digital technology? God forbid the laypeople themselves use pen and paper!

~~~
Vinnl
Are you sure you can't? Besides the paper statements, I can download my
transaction data in a variety of formats including CSV from every bank I've
used in the Netherlands.

~~~
vidarh
The problem is that for a lot of banks there is no easy way to _automate_ that
process. I think 90 percent of use cases would be addressed simply by
providing a way of giving automated read only access to statements.

~~~
zoltaan
Instead giving access to EVERYTHING seems a little overdrive then....

------
jstanley
> Open Banking is a term that describes a secure set of technologies and
> standards that allow customers to give _companies_ other than their bank or
> building society permission to securely access their accounts.

Does it have to be another company or will I be able to write my own software
that has access to my bank account?

~~~
ErrantX
You have to be a company. You also have to be regulated as an AISP or PISP
(Account Information/Payment Initiation Service Provider).

So there are some hurdles.

~~~
insomniacity
That is disappointing. I wonder if anyone is doing the legal analysis on what
it would take to be a 'passthrough provider', who would simply wrap it up in
an easier API with a simple TOS.

~~~
chirau
Teller.io is doing this. You might want to look into what licenses they needed
to get.

~~~
OJFord
No it isn't, at least, not yet - it asks for all the user login information
including passwords and security numbers required for a normal login.

Edit: And unfortunately, it doesn't seem even to have any intention of using
it:
[https://twitter.com/stevegraham/status/951163378424217600](https://twitter.com/stevegraham/status/951163378424217600)

~~~
ErrantX
Teller is interesting; I have some reservations (mostly around the attitude
they portray, which is a bit unprofessional) but they have a good vision.

The downside is they are encouraging you to share passwords, as you say, which
isn't driving the right customer behaviour.

More critically; in about 18 months the PSD2 Secure Customer Authentication
guidance comes into force and this sort of approach (sharing credentials,
which everyone basically refers to as "screen scraping" in its various forms)
will be disfavoured, to the extent that banks might have to go to great
lengths to try and stop it. Teller might have to go forward fighting continual
reverse engineering battles.

~~~
OJFord
It's already against the typical bank's terms of service for a user to provide
them.

Not to mention a silly thing to do. But the average user seems to just blindly
trust these things - tools like 'You Need a Budget' ask for the same.

~~~
sjtgraham
Founder here. This is incorrect. It is no longer against the terms of service
of any European bank as of today thanks to PSD2.

~~~
Silhouette
It can no longer be against the terms of service of financial service
providers to prohibit sharing the credentials used to access your accounts on
their systems?

~~~
sjtgraham
Yes, every UK bank had to write to their customers updating their terms
allowing such activity at the end of last year.

~~~
Silhouette
I have accounts with several banks and other financial services, and I have
received various updates to terms in connection with PSD2 over the past few
months. However, I don't recall any of them saying it was now OK to share
things like passwords or PINs.

Are we talking at cross-purposes here? Encouraging non-experts to share
security credentials that give unrestricted access to their accounts with
third parties is so obviously dangerous that I find it hard to believe that
(a) the financial providers are now required by law to do it, and (b) not a
single one of the updates I received from mine drew attention to this in any
way that I noticed and recall now.

Surely the entire point of the new access paths under PSD2 is that the
financial providers _don't_ have to endorse the dangerous practice, and can
instead provide an alternative way to achieve similar results but with much
better control and regulation to protect all involved?

~~~
kpil
What the existing screen scraper companies have done, is to make sure the PSD2
directive will allow screen scraping as a fallback method if they are not
satisfied with the bank APIs.

That's because the directive is actually a competitive disadvantage for them
since they've invested a lot in the screen scraping.

The interpretation is not trivial though. The authentication details in
particular are not very clear right now.

------
teh
I think this is the UK's implementation of EU PSD2 directive (e.g. [1]) so may
not survive brexit. Looking forward to what'll come out of it though!

[1] [https://www.tsys.com/news-innovation/whats-new/Articles-and-...](https://www.tsys.com/news-innovation/whats-new/Articles-and-Blogs/nGenuity-Journal/how-europes-psd2-regulation-could-spark-a-banking-revolution.html)

~~~
ErrantX
It should survive; the EU Banking Authority is based in London (it will move
post Brexit) and the UK treasury were major influencers on this legislation.

Worth saying also; Open Banking actually came out of the UK competition
marketing authority - it's just become tied up with PSD2 (as it's one way to
achieve compliance with that legislation)

------
hacker_9
Wow, the UK is really embracing technology. You can do so much electronically
through the Gov.uk website already, and you can even access your NHS medical
record via a phone app. Being able to consume banking data via an API will no
doubt open up a suite of more useful apps, that can help with managing budgets
and planning for the future etc.

~~~
lozenge
There's no such thing as an NHS medical record, every hospital/care centre
keeps its own records. What app are you referring to?

~~~
hacker_9
This: [https://www.nhs.uk/NHSEngland/online-services/Pages/gp-servi...](https://www.nhs.uk/NHSEngland/online-services/Pages/gp-services-choice-1.aspx)

And yes there isn't a single database, but if you transfer to a different GP
they will transfer your records from your old GP, and this app then lets you
view them too.

~~~
pbhjpbhj
The records amalgamation was one of those £10s-of-billions software projects
that failed to produce any output [other than great profits and some nice
bonuses, I'd warrant] wasn't it?

~~~
hacker_9
That is in the past, it was a single project from 5 years ago, and I think the
companies involved were investigated by the FSA. Nowadays NHS is pushing
software initiatives more and more, see here:
[https://www.england.nhs.uk/digitaltechnology/info-revolution...](https://www.england.nhs.uk/digitaltechnology/info-revolution/open-source/)

------
tjoff
Why would anyone ever want to let a 3rd party company manage their bank
account? I barely trust my bank to do that...

I'm afraid that some companies will try to force it upon customers as well.
Starting with: "If you allow us to manage your purchase it will get even
faster (oh and we get access to all of your financial info), and you also get
a useless gadget!"

~~~
blowski
People said the same about ATMs. They were wrong.

~~~
tjoff
How are ATMs remotely similar?

~~~
xxpor
You give 3rd party ATMs permission to withdraw money every time you use
them. If they wanted to, they could store the data on the stripe of the card
and your PIN, and steal all of your money.

~~~
tjoff
That's not worse than doing any purchase at all.

If anything ATMs are the safest and best option available, well, aside from
malicious hardware modifications done to them.

Having access to my bank account with all the history is another thing
entirely.

~~~
xxpor
I guess our threat models are different. I'm not worried about transaction
history as much as being able to drain the account.

~~~
tjoff
Even so, ATMs are much safer than trusting the store clerk _and_ whatever
device they use to read your card.

I know some magnetic stripe readers actually imitate a keyboard and just
"write" the card info. So if you gave focus to notepad.exe instead all the
card info would be dumped in cleartext. "Oh, seems it didn't register, could
you swipe your card again?"

------
sleavey
"Open Banking is a term that describes a secure set of technologies and
standards that allow customers to give companies other than their bank or
building society permission to securely access their accounts."

I can't tell if this is super-useful for the end consumer, or just another way
for e.g. Google to mine your data in return for some superficial benefits.

~~~
zoltaan
The descriptions are so vague, the high ranking beneficiaries of the system
are stating so little so long over and over (sounds like using the same
bullshit generator with the same parameters) that there must be very very
little and uncertain benefits for the users. If they, the insiders of the
system, are unable to explain it in plain and simple facts then it must have
very little about clients. What I hear? More parties could access (including
manipulation!?) your account. More potential source of errors and problems -
and possibly malicious actions. If something goes wrong it will be more
complex to figure out where the problem was. Tracking who can do what is an
added complexity to managing bank matters. All above means lower security.
There is a potential that if more work on the same money they will charge more
- assuming not doing it for charity but for fee. There must be hell of a heck
benefits, increased efficiency to balance that, eventually leaving more at the
clients on the disadvantage of the money industry.... doesn't seem a realistic
scenario from a money industry initiative. I see better ways to improve
banking, especially UK banking - compared to Scandinavia it is in the stone
age -, but not through opening up banking secrets to a lot of parties. To me
it goes in the other direction. Let me be wrong eventually.

------
andy_ppp
From what I understand the molasses IT departments in these banks will be
delivering very little that actually works on Jan 13th but we will see...

~~~
Havoc
Yeah. My impression of HSBC U.K.’s share trading platform was distinctly 1990
era.

~~~
contingencies
In general I loathe HSBC globally. However, FWIW their HSBC UK higher end XML
based credit card gateway was the bees knees in about 2009. Best I've seen in
my career. Awesome individual fraud rule reporting, total control. We probably
had the ass-kicking total package though as I was developing a pan-European
solution for a major handset manufacturer.

------
alexchamberlain
I've read through their website a few times. Whilst it's easy to find the
specs and a list of banks participating - you can even find some example code
on GitHub - it's incredibly hard to find out what you actually have to do to
be able to access the APIs. I appreciate that banking data is sensitive, but I
think the onboarding process could be made a lot clearer.

~~~
Nursie
First you need to be accredited by the FCA, either as a third party provider
or as a banking institute.

Not 100% sure what comes next.

------
xvilka
UK government is certainly on a good path of improving technological side of
it. Along with more and more OpenData initiatives and migrating to FOSS (e.g.
LibreOffice) it leads the efforts of many countries.

------
sungam
Anyone know if the plan is to provide an API to the consumer for management of
personal finances?

~~~
ErrantX
Not right now; at first you'll have to rely on PFM tools built by companies
rather than directly.

There is a chance GDPR will give you as an individual more flexibility but it
won't be mandated.

~~~
insomniacity
That is disappointing. I wonder if anyone is doing the legal analysis on what
it would take to be a 'passthrough provider', who would simply wrap it up in
an easier API with a simple TOS.

------
based2
[https://www.paymentsforum.uk/sites/default/files/documents/B...](https://www.paymentsforum.uk/sites/default/files/documents/Background%20Document%20No.%202%20-%20The%20Open%20Banking%20Standard%20-%20Full%20Report.pdf)

[https://github.com/OpenBankingUK](https://github.com/OpenBankingUK)

[https://openbanking.atlassian.net/wiki/spaces/DZ/overview](https://openbanking.atlassian.net/wiki/spaces/DZ/overview)

------
LeonM
I'm really excited by this (and PSD-2), as a banking API is the last piece of
the puzzle to create fully automated businesses.

~~~
simonswords82
If you use a modern SaaS account app like Xero you can already access banking
records, no? What does this give us that you don't already have to fully
automate your business?

------
pagutierrezn
Sorry, but I can't see the benefit of it. Can anyone show a useful scenario...
for the bank account owner?

~~~
golangnews
It would let you see the balance of all your accounts in one place, share data
with your accountant or IFA, or apply for a mortgage without those tedious
forms as well as photocopies of bank statements, offer proof of income easily,
use apps that offer a marketplace for mortgages, savings or other financial
services, use apps like xero, mint or Emma with any bank account easily, etc.

It’s an API for your bank, and like stripe being an API for payments, I think
it’ll shake up the market a bit. It should make a lot of things easier than
before, and force large banks to allow customers to control their data more
via authorised apps. It’ll take a while to have any impact though.

------
sgroppino
I wonder if insurance companies or lenders will start forcing you to give up
access to your main bank account in return for lower premium or rates...

~~~
Silhouette
If they did, statutory regulation to prevent it would surely follow rapidly,
and all they'd do is antagonize people and by extension the government and
financial regulators. Doesn't seem like a worthwhile risk for them.

------
seanwilson
Is there any API in the UK that lets you get the balance of your current
account?

~~~
jasiek
You should check out teller.io - they let you have "an API to your bank
account"

------
Singletoned
I haven't seen a Marquee/Ticker on a website for quite a few years.

The "Background to Open Banking" page made the fans start running on my
(fairly good) laptop.

If this is a sign of the technology behind it, it's not a good sign.

