> What is truly scary is that the banks and financial institutions have not implemented OAuth. Currently, financial data is provided to third party apps via aggregators, like Plaid and Yodlee.

Hi. I was the CTO of Level Money, that ultimately had a meta-aggregation platform on top of all the major aggregators. We were acquired by Capital One. Disclosures: complete.

Can I just put out there: every major FI has talked about OAuth2. We all know about OAuth2. It's entirely within our technical capabilities to make an API and then allow OAuth2 access. We could even make said access public. The "can they" is answered: yes we could. Yes, we have prototypes.

And yes, there are non-technical obstacles. Pardon me while I Nod Dance & Amble.

But there is a larger question about the aggregation problem. Banks are rightly concerned that if they do open these up, they'll be consumed wholesale by the major tech companies. You could imagine a world where Google partners with your bank to make a pretty amazing experience, but in the process it's almost certain that Google would have a significant upper hand. Most banks (even C1360, which I and many other people are working constantly on modernizing) simply aren't ready to work with giants like Microsoft, Google or Facebook as equals. That, sadly, will take years as these organizations realize they have to do this.

We're all in sort of a slow motion race towards this goal. Slow motion compared to the outside world (as I am all too keenly aware), that is. Internally, the process by which we do this is hugely complicated by US law and regulation. There is this wonderful thing where "regulatory capture" backfires and then you're imprisoned. For everything that a bank charter enables, it closes off another 2-3 things that never mattered until things started being judged by their slickness in a mobile app context.

As for disconnecting from aggregators, let me tell you as an insider what you can do. Change your password. No really, change your bank password. EVERY major aggregator has a flow that requires they respect this at a technical level. If that fails, it's on your bank and you should shout at them VERY loudly.

But before you do, make sure you are ready to prove yourself as a banker. What will happen with most aggregators is that they'll have to decide, "is this person actually gone or is this stupid web scraper just having a bit of a problem?" They'll try and log in again, at least once in most cases. If you have hooked up multiple services (or the same service multiple times), these will trigger account lockouts just like any failed web login would.
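As an added illustration (not the commenter's code or any aggregator's real implementation), the following Python model contrasts the two access paths the comment describes: a scraping aggregator that holds the customer's actual password and retries once on failure, versus an OAuth2-style grant the bank can revoke on its own. The bank, the lockout threshold of three failed logins, the retry count and the account names are all constructed assumptions; the point it shows is that rotating the password cuts off every scraper but burns failed-login attempts (two linked services are enough to trip the lockout here), while revoking a grant touches the failure counter not at all.

```python
"""Toy model of credential-based aggregation versus revocable OAuth2-style
grants. Everything here (threshold, retry count, names) is constructed for
illustration and is not any bank's or aggregator's real behaviour."""

from dataclasses import dataclass, field
import secrets

LOCKOUT_THRESHOLD = 3  # constructed: failed logins before the account locks


@dataclass
class Account:
    password: str
    failed_logins: int = 0
    locked: bool = False
    grants: dict = field(default_factory=dict)  # token -> client name


class Bank:
    """Minimal bank with password login, lockout, and revocable grants."""

    def __init__(self):
        self.accounts = {}

    def open_account(self, user, password):
        self.accounts[user] = Account(password=password)

    def login(self, user, password):
        acct = self.accounts[user]
        if acct.locked:
            return False  # a locked account rejects even the right password
        if secrets.compare_digest(acct.password, password):
            acct.failed_logins = 0
            return True
        acct.failed_logins += 1
        if acct.failed_logins >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False

    def change_password(self, user, old, new):
        if not self.login(user, old):
            raise PermissionError("old password rejected")
        self.accounts[user].password = new

    # OAuth2-style delegated access: the third party never sees the password.
    def grant(self, user, client):
        token = secrets.token_hex(16)
        self.accounts[user].grants[token] = client
        return token

    def revoke(self, user, token):
        self.accounts[user].grants.pop(token, None)

    def fetch_with_token(self, user, token):
        # Token checks never touch the login failure counter.
        return token in self.accounts[user].grants


class ScrapingAggregator:
    """Holds the real password and, as the comment describes, retries once
    on a failed login before concluding the customer has disconnected."""

    def __init__(self, bank, user, password):
        self.bank, self.user, self.password = bank, user, password
        self.connected = True

    def sync(self):
        for _attempt in range(2):  # initial try plus one retry
            if self.bank.login(self.user, self.password):
                return True
        self.connected = False
        return False


def scrape_then_rotate(links=2):
    """Customer links `links` scraping services with one password, then
    rotates it. Returns (failed_logins, locked, any_still_connected)."""
    bank = Bank()
    bank.open_account("alice", "hunter2-old")  # constructed sample account
    aggs = [ScrapingAggregator(bank, "alice", "hunter2-old") for _ in range(links)]
    assert all(a.sync() for a in aggs)  # all connected before the change
    bank.change_password("alice", "hunter2-old", "hunter2-new")
    for a in aggs:
        a.sync()  # each scraper fails, retries once, then gives up
    acct = bank.accounts["alice"]
    return acct.failed_logins, acct.locked, any(a.connected for a in aggs)


def oauth_then_revoke():
    """Same customer using a revocable grant instead. Returns
    (fetch_before_revoke, fetch_after_revoke, failed_logins, locked)."""
    bank = Bank()
    bank.open_account("alice", "hunter2")
    token = bank.grant("alice", "budget-app")
    before = bank.fetch_with_token("alice", token)
    bank.revoke("alice", token)
    after = bank.fetch_with_token("alice", token)
    acct = bank.accounts["alice"]
    return before, after, acct.failed_logins, acct.locked


if __name__ == "__main__":
    print("one scraper after password change: ", scrape_then_rotate(1))
    print("two scrapers after password change:", scrape_then_rotate(2))
    print("oauth grant after revocation:      ", oauth_then_revoke())
```

With a single linked scraper the rotation produces two failed logins and no lockout; with two scrapers sharing the same stored password the third failure locks the account, which is exactly the side effect the comment warns about. The grant path ends with the token useless and the failure counter still at zero.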