Ask HN: Is there any US bank with a sandbox or API?
82 points by kparjaszewski on Aug 25, 2016 | 59 comments
I'd like to test integration with various bank systems, is there any API/Sandbox for Citi, HSBC, JP Morgan Chase or any other American Bank - similar to PayPal's Sandbox?



Capital One provides this toy API: http://api.reimaginebanking.com

If you want to create an app or startup that does anything involving banking, look elsewhere. The chances you will get approval from banks and regulators are zero. To have a halfway decent shot, you would need years, significant industry connections, expensive lawyers on retainer in New York and Washington, and the ability to prove you have cash on hand in the high 7 figures.

Here's a good example of what I'm talking about: https://medium.com/@oscargodson/thatll-do-pig-that-ll-do-899...


> The chances you will get approval from banks and regulators are zero. To have a halfway decent shot, you would need years, significant industry connections, expensive lawyers on retainer in New York and Washington, and the ability to prove you have cash on hand in the high 7 figures.

Full disclosure, I work for Capital One now. So... C1 has stated publicly it's interested in this space and some of its prominent employees are in prominent public technical groups trying to make it happen. The liability and fraud stories are really unimaginably complicated.

For people looking to make a product today, I've decided to add a quick primer:

Finicity, FinancialServices, and Plaid are all financial aggregators that you can use in combination with novel (read: quasi-legal) mechanisms to provide financial services within the confines of the beleaguered law.

In general a financial product's engineering cycle looks like this:

1. Find a data aggregator you can partner with and give most of your profits to.
2. Work very hard on experience driven products.
3. Find a good lawyer who can help you produce a novel interpretation of the law that works with a specific financial product.
4. Still have limited success because fintech products have linear adoption curves (even Mint).

Examples in this space of novel mechanisms that use existing payment services, data aggregation products and very clever lawyers: Acorns, Digit, Tally.

I was one of the founders and the founding engineer of Level, and worked on Simple. My general observation is that most of the challenge is around data quality and aggregation on the technical side of things.

A lot of the challenge of making these apps work is balancing your fraud risk with your customer experience. Customers are apathetic and inclined to ignore the space, fraudsters are diabolically clever and very engaged.


Heartily agree with "give most of your profits to".

Even though Plaid comes up a lot in these conversations, I haven't found their pricing any better or more startup friendly than any other provider (Finicity, Yodlee etc).

Better marketing yes. Better api? Meh.

Anyway, I see the current set of financial data aggregators being fine for market validation for some type of applications, but they are too expensive to allow for wide-spread innovation.


Plaid has callback support and good latency. While I appreciate and have worked with Intuit for a long time, it's difficult not to say Plaid has the edge in modern API design.

The current aggregators are optimized for big businesses and venture backed startups. I used them to sell a startup to Capital One, and I named other people doing the same.

You just need to think very long and very hard about your business model.


Heyo! Charley from Plaid here, feel free to message me directly at charley@plaid.com, we want to make sure our pricing is startup friendly :)


Has Plaid changed their pricing model significantly over the past year?

The way Plaid structures (structured?) their pricing is much friendlier than Yodlee in that there are no monthly minimums, setup costs, or term commitments. Simple volume based pricing is generally much more startup friendly, at least in the initial stages.


They have a $500/mo minimum, last I asked (a few months ago.)


Totally agree. Would have upvoted this twice if possible.


Yeah, basically banks don't want a public api because security concerns.

So people get around it by logging into the user's bank and scraping. Which is much less secure than just providing a secure api to begin with...

All good intentions have consequences.


Which is what mint.com does, right? That service was terrifying; storing all those usernames and passwords. I'm very surprised there haven't been more security break-ins with that site.


David K Michaels, VP Engineering, Mint.com: For passwords to Mint itself, we compute a secure hash of the user's chosen password and store only the hash (the hash is also salted - see http://en.wikipedia.org/wiki/Sal... ). Hashing is a one-way function and cannot be reversed. It is not possible to ever see or recover the password itself. When the user tries to login, we compute the hash of the password they are attempting to use and compare it to the hashed value on record. (This is a standard technique which every site should use).

For banking credentials, we generally must use reversible encryption for which we have special procedures and secure hardware kept in our secure and guarded datacenter. The decryption keys never leave the hardware device (which is built to destroy the key material if the tamper protection is attacked). This device will only decrypt after it is activated by a quorum of other keys, each of which is stored on a smartcard and also encrypted by a password known to only one person. Furthermore the device requires a time-limited cryptographically-signed permission token for each decryption. The system (which I designed and patented) also has facilities for secure remote auditing of each decryption.

https://www.quora.com/How-do-mint-com-and-similar-websites-a...
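The quoted answer describes two distinct mechanisms: a salted one-way hash for Mint's own logins, and a hardware device that holds the key for reversibly-encrypted bank credentials and only decrypts after a quorum of custodians activates it, with a time-limited signed permission token per decryption and an audit record of each one. The following is an added illustration of both, written for this thread; it is not Mint's code and is not derived from the patents linked below. It assumes only the Python standard library: PBKDF2 stands in for whatever hash Mint used, the "device" is an ordinary object whose data key is never returned, the custodian quorum is modelled as k-of-n secret values checked by hash (not real secret sharing), the cipher is a SHA-256 keystream XOR standing in for the HSM's real cipher, and "remote auditing" is an in-memory log.

```python
import hashlib
import hmac
import secrets
import time

# --- Part 1: salted one-way hashing for the site's own login passwords ---

def hash_password(password: str, iterations: int = 200_000) -> str:
    """Store 'salt$iterations$digest'; the salt is random per user so equal
    passwords do not produce equal records and rainbow tables do not apply."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# --- Part 2: a model of the gated decryption device for bank credentials ---

class DecryptionDevice:
    """Hypothetical stand-in for the tamper-resistant hardware described above.
    The data key is created inside and never exported; decrypt() refuses until a
    quorum of custodian shares has activated the device, requires a fresh signed
    time-limited token per call, and appends an audit entry for every decryption."""

    def __init__(self, custodian_share_hashes, quorum, token_signing_key):
        self._data_key = secrets.token_bytes(32)        # never leaves this object
        self._share_hashes = set(custodian_share_hashes) # sha256 of each smartcard secret
        self._quorum = quorum
        self._token_key = token_signing_key              # shared with the authorising service
        self._active = False
        self._used_tokens = set()
        self.audit_log = []

    def activate(self, presented_shares) -> bool:
        valid = {hashlib.sha256(s).hexdigest() for s in presented_shares} & self._share_hashes
        self._active = len(valid) >= self._quorum
        return self._active

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + self._keystream_xor(nonce, plaintext)

    def decrypt(self, ciphertext: bytes, token: bytes, now=None) -> bytes:
        now = time.time() if now is None else now
        if not self._active:
            raise PermissionError("device not activated by quorum")
        purpose = self._check_token(token, now)
        plaintext = self._keystream_xor(ciphertext[:16], ciphertext[16:])
        self.audit_log.append({"at": now, "purpose": purpose})  # remote audit record
        return plaintext

    def _check_token(self, token: bytes, now: float) -> str:
        try:
            body, sig = token.rsplit(b".", 1)
            purpose, expires = body.split(b"|")
        except ValueError:
            raise PermissionError("malformed token")
        expected = hmac.new(self._token_key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad token signature")
        if now > float(expires):
            raise PermissionError("token expired")
        if token in self._used_tokens:
            raise PermissionError("token replayed")
        self._used_tokens.add(token)
        return purpose.decode()

    def _keystream_xor(self, nonce: bytes, data: bytes) -> bytes:
        # Toy keystream SHA256(key || nonce || block counter); a real device would
        # use an authenticated cipher such as AES-GCM. Same function encrypts and decrypts.
        out = bytearray()
        for offset in range(0, len(data), 32):
            block = hashlib.sha256(self._data_key + nonce + offset.to_bytes(4, "big")).digest()
            out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
        return bytes(out)

def issue_token(signing_key: bytes, purpose: str, ttl_seconds: float, now=None) -> bytes:
    """Issued by a separate authorising service, never by the device itself."""
    now = time.time() if now is None else now
    body = f"{purpose}|{now + ttl_seconds}".encode()
    sig = hmac.new(signing_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def try_decrypt(device, ciphertext, token, now):
    """Return ('ok', plaintext) or ('refused', reason) so callers can log refusals too."""
    try:
        return "ok", device.decrypt(ciphertext, token, now=now)
    except PermissionError as exc:
        return "refused", str(exc)
```

The point the model makes concrete: even with the data key compromised at rest, nothing decrypts without both a quorum of custodians present and a signed, single-use, short-lived token, and every successful decryption leaves an entry that an auditor outside the datacenter can reconcile against issued tokens.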


If anyone is curious exactly how the system he describes works, here's a list of Mint's patents.

http://www.justanswer.com/intellectual-property-law/8u21f-pa...


To my knowledge, that is what Mint is doing.

I'm curious how they handle two factor authentication?


In Project Posada, my open source Mint alternative project, we handle it with an app on the user's phone that receives texts and, using regex, grabs the code of relevant sms messages then pushes the code back to the scraper, which then inputs the code and continues on.


I'm working on Teller (https://teller.io), which is a universal banking API. We don't support any US banks yet (but we certainly plan to), but we will be publishing a sandbox API in the near future along with the GA release of our production APIs.

In the US I recommend you check out Plaid (https://plaid.com), although I believe they offer read only APIs.

There is also the Open Bank Project (https://openbankproject.com) which is also intended as a universal API but I don't believe has any production integrations, although they do have sandbox APIs.

Email address in profile if anyone wants to chat more about this topic.


Thanks for sharing the open bank project. I'd never heard of it. I'm actually working on something similar to you.

It's called POSADA (personal open source automated digital assistant). It's an open source digital assistant. The primary use cases are financial (paying bills, transferring money, etc). It will be open source and user hosted. People host their assistant on pre-loaded, plug and play Raspberry Pi 3s. Hopefully there will be a community of developers that will share integrations (ie, scraping scripts). So if I want my assistant to work with my local bank, I build an integration and now anyone else that has the same bank can connect to it.

POSADA's logic will be programmable as well. So you can customize when it alerts you, requests confirmation, or automatically transfers money from one account to another to pay a bill.

One of the use cases I'm most excited about is the ability of POSADA to make donations to organizations and charities you care about. So rather than setting up an auto-pay thing with a 3rd party, you tell POSADA how much you want to give, how frequently, and can even adjust the amount based on an assessment of your current financial position. The user would be in total control and I hope that will encourage more people to financially support media outlets, open source projects, and other worthy causes on a regular, sustaining basis.

I've got a mobile app prototype that handles two factor authentication and will eventually grow to become the front end of the assistant. I'm currently leveraging the built in speech-to-text capabilities of Android phones to allow the user to communicate with their assistant via voice.


This is great! I too am working behind the scenes (nothing on Github yet) on a set of scrapers that pull in data from various financial institutions (my bank, a credit union, a CC account, etc.) along with a 'manager' application that receives results from these scrapers and displays the data to me. That's step 1. Next I'd like to fully automate the paying of my bills and setting up arbitrary actions based on certain conditions. For instance, send money to some investment account when the primary checking scraper sees a new ACH deposit from my employer, etc.

Have you opened this up anywhere yet? I'm interested in using some of your ideas and/or contributing to them. :)


I just created a repo. Please follow it, as I will have the code I'm working on up there very soon. I would very much welcome any contributions you may have!

https://github.com/ShamariFeaster/posada

We are basically on the same page. POSADA's logic interface has a concept of a plan which is composed of plan actions.

Users will be able to build plans that get executed every day. For example, you could tell POSADA to check your bank account daily and make sure any outstanding checks or withdrawals are adequately funded. If not, your plan could tell POSADA to try transferring from your savings or alerting you on mobile if it is unable to fund the withdrawal.



I just noticed you're the creator of bankbotsbank. We essentially have the same idea. We should collaborate.

I'm currently using protractor (webdriver) for my crawler but I would be open to switching to nightmare to be compatible with you as long as I am able to get that stack running on a pi.


I learned about Nightmare, which apparently runs headless chromium. This is exactly what I needed. Thanks.


If you get around to the connecting to charity part, you may find our (Kiva's) API interesting, https://build.kiva.org/


How about Denmark? :-)


Nope, up until earlier this year I worked in the 'innovation lab' of a top 3 US bank, that was supposedly leading in the banking API space (one of the current hottest payment companies uses our backend/wholesale services) and we only offer APIs to big customers and not the public, let alone a sandbox environment. My impression with all the regulatory and compliance issues is that it will take a long time (if ever) before banks release such tools publicly. By that time hopefully someone will figure out a better system to bypass them altogether...

EDIT: Yes, there are aggregators who have agreements with banks, but I believe the OP asked for directly accessing a bank's API, which I believe is not possible with the exception of some beta programs here and there that give access to some non trivial bank data.


Barclays, Citi, or JPM? :) Oh sorry, you were probably under a take-your-firstborn-NDA.

Either way, the internal incubators at leading banks - at least in NYC - are actually very promising. As parent said, almost every bank has agreements/internal APIs, but they are VERY VERY careful with who gets access. Primary issue, aside from privacy/compliance/PII is that transactional data can be mined so heavily for purchasing patterns and thus predicting revenue for publicly traded companies. In fact, there are a couple of startups trying to do exactly this that popped up recently.



You're going to have to scrape. I'm working on an open source competitor to Mint. I call it POSADA (personal open source automated digital assistant). People run their own scrapers (plug and play, dockerized Raspberry Pis) so they don't have to trust their credentials and personal data to a 3rd party.

I envision a repository of integrations (ie, scripts for certain sites) so as people create integrations, you share them with the community. There's also a mobile app that allows users to get updates from the assistant, makes requests to it, or give confirmation before the assistant takes action.


Wow, I had this very same idea recently, but I'm glad someone is already working on it! One of the other problems with Mint is that despite their claims to the contrary, it's not exactly actively maintained. Do you have a git link?


I don't have the code up here yet, but I created a repo. Please follow it and I will have some code up very soon. I really hope once it gets going you'll be a contributor!

https://github.com/ShamariFeaster/posada


What about Open Financial Exchange (see my previous comment below)?


Thanks for sharing this, I'd never heard of it. I looked into it and found some useful info on the GNUCash wiki https://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Settin...


In Germany I do not know any bank that does not support FinTS [0] when using online banking with your account. I would consider that a documented API for external use.

However, you asked for American banks and I haven't seen options to get a sandboxed variant, albeit I am sure these exist. Another option would be to open accounts at some banks....

[0] https://en.wikipedia.org/wiki/FinTS


While I would expect we will see every bank releasing APIs sooner or later (http://www.theregister.co.uk/2016/02/10/consumer_trust_centr... shows the UK heading this way already), you may find it easier to work through an aggregator (plaid, yodlee, quovo, etc) initially for consumer-facing experiences.

Other commenters point out that some US banks have shared some early APIs, but most are not for public consumption and are limited to "partners". I suspect we'll see some restrictions on API access for a while still while regulators and banks get comfortable with an API approach.

Citi has had a Mobile Challenge for a few years with some API test access (http://www.citimobilechallenge.com/), and the Open Bank Project has a sandbox (https://openbankproject.com/) for their version of banking APIs.

But for now, unless you want to leverage aggregators, I think you'll need to just keep reaching out to the banks to be included as a "partner" and try to get early access, or wait til they open broadly, and I wouldn't expect to see that til the next few years for most large banks.


Isn't that what Plaid [0] provides?

I know in the UK the only production banking API is Teller [1].

[0] https://www.plaid.com/

[1] https://teller.io/


We are a young unfounded company and work with most of the major US investment banks and the answer is there is no sandbox or API that they will share with you. Our experience is that the banks won't waste their time on anything that feels beta, so you have to invest in having a solution built out and people using it (a catch 22). The exception to this rule however is that banks work for their clients (this pertains to investment banks, not retail) and they will use a new tool in the context of an engagement when asked by the issuer, investor or firm they are representing. Not sure what you're planning to build, but go to their customers first (issuers or large investors) who are much more agile. Once you're in the system you can navigate through the onboarding. Happy to share our experiences further if you want to discuss - reach out directly.


A lot of banks support the Open Financial Exchange format http://www.ofx.net/

Here's a list: https://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Settin...

Note that some banks (I think Bank of America is one) turn off this access by default on your account to prevent people being tricked into providing access but a quick call to them will get it enabled on your account.
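For anyone wiring up OFX Direct Connect as suggested above, the awkward part is that OFX 1.x responses are SGML-style: leaf elements carry their value after the tag with no closing tag, while aggregates open and close explicitly. The parser below is an added example for this thread, not code from ofx.net, GNUCash or any bank; the statement response it parses is constructed and labelled as such, and it assumes an OFX 1.02 response with a single bank statement (the BANKMSGSRSV1 / STMTTRNRS / STMTRS / BANKTRANLIST nesting shown). It uses Decimal for amounts and dedupes on FITID, which is the bank's stable per-transaction id and the right key when consecutive downloads overlap.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed OFX 1.02 statement response for illustration; not from any real bank.
SAMPLE_OFX = """OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:NONE

<OFX>
<SIGNONMSGSRSV1>
<SONRS>
<STATUS>
<CODE>0
<SEVERITY>INFO
</STATUS>
<DTSERVER>20160825120000
<LANGUAGE>ENG
</SONRS>
</SIGNONMSGSRSV1>
<BANKMSGSRSV1>
<STMTTRNRS>
<TRNUID>1001
<STATUS>
<CODE>0
<SEVERITY>INFO
</STATUS>
<STMTRS>
<CURDEF>USD
<BANKACCTFROM>
<BANKID>000000000
<ACCTID>123456789
<ACCTTYPE>CHECKING
</BANKACCTFROM>
<BANKTRANLIST>
<DTSTART>20160801
<DTEND>20160825
<STMTTRN>
<TRNTYPE>DEBIT
<DTPOSTED>20160803120000
<TRNAMT>-42.17
<FITID>20160803001
<NAME>COFFEE SHOP
</STMTTRN>
<STMTTRN>
<TRNTYPE>CREDIT
<DTPOSTED>20160815120000
<TRNAMT>1500.00
<FITID>20160815001
<NAME>EMPLOYER PAYROLL
<MEMO>ACH DEPOSIT
</STMTTRN>
</BANKTRANLIST>
<LEDGERBAL>
<BALAMT>2100.55
<DTASOF>20160825120000
</LEDGERBAL>
</STMTRS>
</STMTTRNRS>
</BANKMSGSRSV1>
</OFX>
"""

TAG_RE = re.compile(r"<(/?)([A-Za-z0-9.]+)>([^<]*)")

def parse_ofx(text: str):
    """Return (headers, tree). Repeated aggregates such as STMTTRN become lists."""
    body_start = text.find("<OFX>")
    if body_start < 0:
        raise ValueError("no <OFX> body found")
    headers = {}
    for line in text[:body_start].splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    body = text[body_start:]
    closers = {name for is_close, name, _ in TAG_RE.findall(body) if is_close}
    root, stack = {}, [("", {})]
    stack[0] = ("", root)
    for is_close, name, value in TAG_RE.findall(body):
        value = value.strip()
        if is_close:
            # Pop only a matching aggregate; some servers also close leaf tags, ignore those.
            if stack[-1][0] == name and len(stack) > 1:
                stack.pop()
        elif value or name not in closers:
            _attach(stack[-1][1], name, value)      # leaf (possibly empty)
        else:
            node = {}
            _attach(stack[-1][1], name, node)       # aggregate: has a close tag, no value
            stack.append((name, node))
    return headers, root

def _attach(parent, name, value):
    if name not in parent:
        parent[name] = value
    elif isinstance(parent[name], list):
        parent[name].append(value)
    else:
        parent[name] = [parent[name], value]

def parse_ofx_date(raw: str) -> datetime:
    """OFX dates are YYYYMMDD or YYYYMMDDHHMMSS, optionally followed by '.XXX[-5:EST]'."""
    digits = raw.split("[")[0].split(".")[0]
    return datetime.strptime(digits, "%Y%m%d%H%M%S" if len(digits) == 14 else "%Y%m%d")

def statement(tree):
    return tree["OFX"]["BANKMSGSRSV1"]["STMTTRNRS"]["STMTRS"]

def transactions(tree):
    raw = statement(tree).get("BANKTRANLIST", {}).get("STMTTRN", [])
    if isinstance(raw, dict):
        raw = [raw]
    return [{"fitid": t["FITID"], "type": t["TRNTYPE"],
             "posted": parse_ofx_date(t["DTPOSTED"]),
             "amount": Decimal(t["TRNAMT"]),        # never float for money
             "name": t.get("NAME", ""), "memo": t.get("MEMO", "")} for t in raw]

def ledger_balance(tree) -> Decimal:
    return Decimal(statement(tree)["LEDGERBAL"]["BALAMT"])

def merge_by_fitid(known: dict, fresh) -> int:
    """Downloads overlap; dedupe on FITID, not on date+amount. Returns rows added."""
    added = 0
    for t in fresh:
        if t["fitid"] not in known:
            known[t["fitid"]] = t
            added += 1
    return added
```

The closers pre-scan is what lets the same parser accept both strict SGML output and the servers that emit `</NAME>`-style closes on leaves: a tag with a value is always a leaf, a tag without a value is an aggregate only if a matching close tag exists somewhere in the body.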


This is a marvelous thread! - I'll read it more carefully, but from a glance it looks like most of the functional links are the right ones... I'll speak more to the theory.

I've recommended that every Bank I've done work for (which is quite a few) consider an external facing API to enable Lead User Behavior (see Von Hippel et al from MIT and MIT Press) and the concept has never gotten good air, for a variety of reasons which, no doubt, make sense to their reference business models. Much of that can be explained by the theories of Disruptive Innovation (see Clay Christensen, et al, Harvard Business Press).

While I can't speak on this front, I think it's also acknowledged by anyone with a fully functioning brain stem that the various screen scraping solutions are sketchy for all concerned. There are some stable providers (Plaid seems pretty shiny and exciting. Fiserv and Yodlee have been around, and I'd only say that one of them seems to have more clout than the other).

I think you'll see some exciting possibilities in the not too distant future, but I'd have trouble seeing a major Bank opening their doors to the public for all the reasons mentioned here. If the theories of disruptive innovation hold water, I'd say that once robust services become available that allow smart developers to apply modern thought to services, the disintermediation will be annoying to the big Banks if it strips away their best customers, which it's not likely to.

The problem (from the theory side) is a) there's not much money in providing a service, there's money in selling accounts, and that's where it's really hard for a small player to gain entry and b) in a battle where the incumbent is motivated to fight, that incumbent will likely win, and I personally don't want to fight with an incumbent who makes 5BB a quarter.


100% agree, but there are some exciting banks out there doing innovative things (e.g. BBVA, Santander, US Bank, Fidor, Silicon Valley Bank). The future of Open Banking is coming... It's just not here yet and I wouldn't hold your breath.

In the meantime...

Work at Dwolla. What we and others, like Plaid, have done is take these partnerships, resources, compliance requirements, etc. and smash them into endpoints, creating [hopefully] something you're looking for. Our White Label and co-branded APIs (https://developers.dwolla.com/). A quick list:

Create Bank Transfers - Yes
Know Your Customer Verification - Yes
Sandbox - Yes
Bank account verification - Yes
Webhooks - Yes
OAuth - Yes (Co-branded only)
Create Customer Records - Yes (White Label only)

Reach out to Spencer@Dwolla.com if you think we can help too. (While we don't work directly with Plaid, we can be complementary).


In practice, everyone uses products by companies like Yodlee, they barely work and have a ton of production bugs and they're expensive but they sort of get the job done and they "work" almost everywhere.


I'm playing with https://github.com/euforic/banking.js right now, looks promising, sounds like other ppl have used it to connect via OFX to their respective banks (I use chase which requires a $10 per month fee to access)


Look into FinTech Sandbox (Boston) - they are backed by Devonshire/FMR (aka Fidelity) and provide an incubator-like program for anything fintech-related. It's probably the best place to start if you want to do anything in the banking space and don't have high millions raised already for connectivity alone.


Not necessarily a big bank but Visa also has a developer site with several APIs that include Payments, Data and Analytics, and Fraud. Their website can be found at https://developer.visa.com/


Banks suck at APIs (even if one exists). If you are trying to move money between bank accounts, you can checkout https://checkbook.io, they have a white label, token based API to create bank transactions.


What about Geltbox Money? It doesn't use any third party aggregation site (the user can aggregate his own data without exposing private data to any third parties / web site). It is a new way of aggregating data privately.


US Bank just opened up their read-only API for a hackathon this weekend: https://usbinnovationsd.eap.soa.com/#!welcome


Depending on your use case, https://plaid.com may be able to help. Used by Stripe, Venmo, etc. and supports more than 15,000 banks.


Their pricing isn't really prototype/startup friendly though.


This was the business model for Standard Treasury before they got acquired by Silicon Valley Bank. If you want details, you should talk with Dan Kimerling, one of the founders.


Dwolla provides a sandbox and they can connect to banks. So, there is a layer between your app and the bank, but it may give you the functionality you are seeking.


Have you tried Yodlee? They serve as the API for many banks.



Most banks support NACHA files over SFTP. But you will need a contract and stuff.



What do you want to do? Pull transaction data or something else?


BBVA has public APIs in the US and Spain - https://www.bbvaapimarket.com/ More APIs are coming too.


Silicon Valley Bank (svb.com)



Check out https://developer.capitalone.com for three APIs that Capital One has published. There are also open source reference applications at https://github.com/capitalone/

(By way of full disclosure, I work in Capital One's Open Source Office.)


Open source office? cool! (I am a happy customer)



