It seems we are still at the "reading and writing is for monks" stage of digital technology? God forbid the laypeople themselves use pen and paper!
For the vast majority of people that's meaningless - so to be able to share that data with companies offering new and interesting services (AIS sign up is reasonably lightweight, certainly within trivial reach of any startup) is a big step forward.
I think we should be encouraging!
(Or in other words; you're thinking of the limitations on the micro level and missing the benefits at the macro)
FWIW GDPR is more interesting legislation for what you're after - you will have the ability to get access to your own data. Unfortunately that legislation didn't push hard enough to promote the idea of digital access - we should level our criticism most harshly there to try and effect change :)
Erm ... WTF?! I'm not sure how to explain this as it just seems so obvious, but ... you can, like, use software that other people write on your own computer!? There is no need to have any clue whatsoever of software development nor to share your data with any third party in order to profit from open APIs.
People can use Thunderbird to read and write email without any need to be able to write software because there are open POP3, IMAP, and SMTP specs and you can have POP3, IMAP, and SMTP credentials for your email provider ... how is that meaningless to the vast majority of people?!
> I think we should be encouraging!
Encouraging of what? More centralization of data processing? Less control for the consumer?
> FWIW GDPR is more interesting legislation for what you're after
Not at all. That is about data protection, not about machine readable interfaces. First of all, being able to access my data does not in any way allow me to initiate transactions, which is a critical part of banking functionality. But also, being able to access data does not at all mean being able to process it using a computer. I can have access to all the data companies store about me now, and most of them will simply send a letter with a printout to fulfill their legal obligations.
As to the desktop app business; well sure but my hope is we build to this sort of thing. No harm in starting somewhere!
Which is precisely why it is bad?!
> GDPR is business to consumer and we should critique it to press for digital solutions that are meaningful for consumers.
No, GDPR simply does not have anything to do with this. GDPR is about human rights, not about technological development. Machine readable access might still be a worthwhile goal in that area, but extending data protection to encompass the right to submit transactions to your bank via a machine readable standardized interface certainly would be a stretch.
> As to the desktop app business; well sure but my hope is we build to this sort of thing. No harm in starting somewhere!
But are we starting anywhere? Say I want to write free banking software for people who care about their privacy ... are we even the slightest bit closer to being able to do that? Or isn't this rather a step in the opposite direction in that it further cements the idea of having monks do all the reading and writing for you?
Sounds like your issue boils down to whether this is done with SaaS vs local app
Though, mind you that "local app" is not the only way to run software. I could also install software on my home server to, I dunno, send me XMPP messages for incoming transactions, dunno whether you would call that a "local app"?
I look after a system that has loads of PII, as a mix of traditional SQL databases and RDF with a bunch of RESTful service layers keeping it all in neat boxes so it's not a sprawling unmanageable mess.
Now, if you ask for Subject Access after our verification team is happy that you're who you say you are I can and will extract the data that's clearly about you from those sources, tart it up and reformat it, and shove that into a PDF you can have.
What I can't realistically do, even if they tried to legislate for it, is make say the RDF data structures somehow understandable to the lay person who thinks "graph" means "chart" and "a triple" is when you win three things in a row.
OpenBanking works because ultimately the banks are pretty interchangeable when it comes to ordinary personal accounts. Money comes in or out, there's some short half-arsed text saying why, an amount, it's a very regular structure. But imagine trying to build a single "digital access" that works for your Reddit posts, health records, grocery purchases, subscription to Playboy, and MetroCard account... what on Earth would the UX be for that?
Google gives us an idea what the best we could hope for is - if you sign in and say you want all your data, Google will ZIP it all up for you. But it's not a coherent system, it's just like somebody's old PC backup, a bunch of unrelated files in different formats in a ZIP file.
I'm sorry - as a consumer, I'm going to want the most stringent checks before giving a third party direct read/write access to my bank account. The biggest criticism people have of the scheme so far is that it 'sounds like a security nightmare' and who is liable if I give someone access and they do Bad Things.
Is your criticism really that it is insufficiently open in that certification is stringent?
No, my criticism is that it is an interface for third parties only that locks out the first party!?
And what happens if their computer is hacked, the credentials stolen and the accounts emptied?
It's not hard for me to imagine developers saying, "hey, we all know computers get hacked, it is the bank's job to know when it's really me versus when someone stole my API keys. What a shitty bank. I'm expecting all my money back"
How is that any different with web interfaces? Or are you saying that people should just generally not be able to use their own computers for banking purposes?
Credentials for web interfaces are stored in our heads.
People are still able to use their own computers - via the web interface, which is under the full control of the banks.
Then ... create an API without "API keys"?!
> Credentials for web interfaces are stored in our heads.
So ... store the credentials for the API in your head then?!
> People are still able to use their own computers - via the web interface, which is under the full control of the banks.
Erm ... no, it's not? The bank sends me IP packets, what happens with those IP packets is completely under my control (or under the control of anyone who happens to have compromised my computer, for that matter). I select what web browser I use. I could write my own web browser. Or modify an existing one. Or run it under a debugger. Or just not use a browser at all. What my computer does with the IP packets my bank sends me is completely out of the bank's control.
Obviously, I want a fully machine-readable API to all of my bank's functionality. Which also "downloading transaction data as CSV" does not fit at all if I have to manually log in and download the data. Also, CSV lists of transactions usually are useless for synchronization as they usually don't provide any mechanism to reliably deduplicate transactions and to check for completeness.
According to my bank's website, I can get account statements up to 10 years back, except for closed accounts.
At least an API. If that's what customers really want, at least now there is a chance somebody will provide it.
> why should I have to employ a monk looking through my bank statements to be able to get access to them? Sure that can be a basis for an idiotic hack
Because the banks themselves are completely uninterested in providing API access to you and somebody with a legal team has to shoulder the liability for providing it.
But I don't want "an API"? I want a non-proprietary API! I wouldn't bother with locking myself into some proprietary startup crap of questionable reliability, then I can just as well scrape the web interface of my bank, that's also a proprietary API of sorts, and I at least don't have to pay yet another party and risk them abusing or leaking my data and myself being unable to figure out who is responsible for failures in the service.
> Because the banks themselves are completely uninterested in providing API access to you and somebody with a legal team has to shoulder the liability for providing it.
... which is exactly why they should be legally obligated to, instead of some idiotic "you have to allow third parties to access your customers' data" laws?!
Does it have to be another company or will I be able to write my own software that has access to my bank account?
So there are some hurdles.
(edit; in addition the PSD2 legislation, and specifically the technical guidance, does touch on concepts like 4th party, relaying parties and technical partners - so the expectation of the regulator is that this will emerge)
* your bank is an "ASPSP"
* the second party is you
* the company (third party) is the AISP
"For businesses that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers have no capital requirements and need to meet fewer conditions than authorised firms. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs have to hold professional indemnity insurance (PII). The EBA has developed Guidelines on PII."
Correct? This doesn't specifically rule out being a relay, but I guess there is more detail/restrictions in another document.
See also: https://www.out-law.com/en/articles/2017/june/fca-urged-to-a...
Edit: And unfortunately, it doesn't seem even to have any intention of using it: https://twitter.com/stevegraham/status/951163378424217600
The downside is they are encouraging you to share passwords, as you say, which isn't driving the right customer behaviour.
More critically; in about 18 months the PSD2 Secure Customer Authentication guidance comes into force and this sort of approach (sharing credentials, which everyone basically refers to as "screen scraping" in its various forms) will be disfavoured, to the extent that banks might have to go to great lengths to try and stop it. Teller might have to go forward fighting continual reverse engineering battles.
In particular I'm concerned that Teller will have a massive target painted on its back, because it has those full login details - they could become systemically important to the UK banking system, and then perhaps the regulator should step in!
Not to mention a silly thing to do. But the average user seems to just blindly trust these things - tools like 'You Need a Budget' ask for the same.
Are we talking at cross-purposes here? Encouraging non-experts to share security credentials that give unrestricted access to their accounts with third parties is so obviously dangerous that I find it hard to believe that (a) the financial providers are now required by law to do it, and (b) not a single one of the updates I received from mine drew attention to this in any way that I noticed and recall now.
Surely the entire point of the new access paths under PSD2 is that the financial providers don't have to endorse the dangerous practice, and can instead provide an alternative way to achieve similar results but with much better control and regulation to protect all involved?
That's because the directive is actually a competitive disadvantage for them since they've invested a lot in the screen scraping.
The interpretation is not trivial though. The authentication details in particular are not very clear right now.
However, I will be hunting down the full version of the T&Cs for my account to see what they say now!
That's extremely disappointing...
That's putting it mildly.
"get your API key, paste here", etc
Repeat for savings, insurance, whatever.
"A lot of people didn’t take us seriously, ignored us, bet on #OpenBanking instead. Look where we are now. We OWN the best access to the banking infra & everyone else is out in the cold, totally fucked. When everyone thinks you’re right, you’re wrong. https://open.spotify.com/track/0whZQj81yqAv9yJEyNZcnR?si=TGr... "
Anyone fancy building their business on top of this attitude?
Our technology is the best in the market but it’s entirely your prerogative to not build on it. We will be building products on it ourselves going forward anyway and that’s what I think the future of our company is.
Worth saying also; Open Banking actually came out of the UK competition marketing authority - it's just become tied up with PSD2 (as it's one way to achieve compliance with that legislation)
And yes there isn't a single database, but if you transfer to a different GP they will transfer your records from your old GP, and this app then lets you view them too.
There are still a lot of details siloed in individual organisations, though.
They did not have much choice. The deadline is before Brexit.
I'm afraid that some companies will try to force it upon customers as well. Starting with: "If you allow us to manage your purchase it will get even faster (oh and we get access to all of your financial info), and you also get a useless gadget!"
Obviously, I didn't follow through with that, because that's a terrible sign of how Fidelity treats security and when it comes to entrusting large sums of money with an investment firm, I'd prefer one that's demonstrated a better security policy all around.
Anyway, this article was hilariously scant of technical details, but if the API they're creating allows different privileges to be associated with each API user, it's possible that I could use it to provide a company like Fidelity read-only access to only the information they need to verify that I am the account owner, and nothing more.
Illegal things are illegal. It's a risk vs. convenience calculation people make, as with banks themselves.
If anything ATMs are the safest and best option available, well, aside from malicious hardware modifications done to them.
Having access to my bank account with all the history is another thing entirely.
I know some magnetic stripe readers actually imitate a keyboard and just "write" the card info. So if you gave focus to notepad.exe instead all the card info would be dumped in cleartext. "Oh, seems it didn't register, could you swipe your card again?"
I can't tell if this is super-useful for the end consumer, or just another way for e.g. Google to mine your data in return for some superficial benefits.
Not 100% sure what comes next.
There is a chance GDPR will give you as an individual more flexibility but it won't be mandated.
It’s an API for your bank, and like Stripe being an API for payments, I think it’ll shake up the market a bit. It should make a lot of things easier than before, and force large banks to allow customers to control their data more via authorised apps. It’ll take a while to have any impact though.
The "Background to Open Banking" page made the fans start running on my (fairly good) laptop.
If this is a sign of the technology behind it, it's not a good sign.