
> Open Banking is a term that describes a secure set of technologies and standards that allow customers to give companies other than their bank or building society permission to securely access their accounts.

Does it have to be another company or will I be able to write my own software that has access to my bank account?

You have to be a company. You also have to be regulated as an AISP or PISP (Account Information/Payment Initiation Service Provider).

So there are some hurdles.

That is disappointing. I wonder if anyone is doing the legal analysis on what it would take to be a 'passthrough provider', who would simply wrap it up in an easier API with a simple TOS.

There are a bunch of companies doing exactly this, usually with some value-added service on top (e.g. categorisation).

I think that will come. It will take a bit of time for comfort to set in (both with the consumer and the banks) but I definitely see this as the first step.

(Edit: in addition, the PSD2 legislation, and specifically the technical guidance, does touch on concepts like 4th party, relaying parties and technical partners - so the expectation of the regulator is that this will emerge.)

I'm struggling with the enterprise-y terminology. It sounds like:

  * your bank is an "ASPSP"
  * the second party is you
  * the company (third party) is the AISP

So each individual company that needs to access your information is an AISP (or PISP for initiating payments)? Your accountant might be an AISP and your water company a PISP? And FCA requirements are (https://www.fca.org.uk/firms/new-regulated-payment-services-...):

"For businesses that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers have no capital requirements and need to meet fewer conditions than authorised firms. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs have to hold professional indemnity insurance (PII). The EBA has developed Guidelines on PII (link is external)."

Correct? This doesn't specifically rule out being a relay, but I guess there is more detail/restrictions in another document.

See also: https://www.out-law.com/en/articles/2017/june/fca-urged-to-a...

Yes that is an accurate summary.

Teller.io is doing this. You might want to look into what licenses they needed to get.

No it isn't, at least, not yet - it asks for all the user login information including passwords and security numbers required for a normal login.

Edit: And unfortunately, it doesn't seem even to have any intention of using it: https://twitter.com/stevegraham/status/951163378424217600

Teller is interesting; I have some reservations (mostly around the attitude they portray, which is a bit unprofessional) but they have a good vision.

The downside is they are encouraging you to share passwords, as you say, which isn't driving the right customer behaviour.

More critically, in about 18 months the PSD2 Secure Customer Authentication guidance comes into force and this sort of approach (sharing credentials, which everyone basically refers to as "screen scraping" in its various forms) will be disfavoured, to the extent that banks might have to go to great lengths to try and stop it. Teller might have to go forward fighting continual reverse engineering battles.

I think we've independently arrived at exactly the same point with our reservations.

In particular I'm concerned that Teller will have a massive target painted on its back, because it has those full login details - they could become systemically important to the UK banking system, and then perhaps the regulator should step in!

It's already against the typical bank's terms of service for a user to provide them.

Not to mention a silly thing to do. But the average user seems to just blindly trust these things - tools like 'You Need a Budget' ask for the same.

Founder here. This is incorrect. It is no longer against the terms of service of any European bank as of today thanks to PSD2.

It can no longer be against the terms of service of financial service providers to prohibit sharing the credentials used to access your accounts on their systems?

Yes, every UK bank had to write to their customers updating their terms allowing such activity end of last year.

I have accounts with several banks and other financial services, and I have received various updates to terms in connection with PSD2 over the past few months. However, I don't recall any of them saying it was now OK to share things like passwords or PINs.

Are we talking at cross-purposes here? Encouraging non-experts to share security credentials that give unrestricted access to their accounts with third parties is so obviously dangerous that I find it hard to believe that (a) the financial providers are now required by law to do it, and (b) not a single one of the updates I received from mine drew attention to this in any way that I noticed and recall now.

Surely the entire point of the new access paths under PSD2 is that the financial providers don't have to endorse the dangerous practice, and can instead provide an alternative way to achieve similar results but with much better control and regulation to protect all involved?

What the existing screen scraper companies have done is to make sure the PSD2 directive will allow screen scraping as a fallback method if they are not satisfied with the bank APIs.

That's because the directive is actually a competitive disadvantage for them since they've invested a lot in the screen scraping.

The interpretation is not trivial though. The authentication details in particular are not very clear right now.

Most likely it took the form of 'Section 7.5.2 is deleted', and you or I wouldn't have noticed.

However, I will be hunting down the full version of the T&Cs for my account to see what they say now!

Really? So that suggests enrolment in an 'Open Banking' app requires the same?

That's extremely disappointing...

> a bit unprofessional

That's putting it mildly.

We actually don’t do this where we have an option to, i.e. with Barclays and Nationwide. Regardless, users giving credentials to 3rd parties is not against the terms of any bank in the EU and it’s contrary to EU law for them to make it so. Banks are also on the hook for liability in the first instance and must immediately make good any customer loss, although they can pursue the 3rd party.

Teller isn't part of the PSD2/Open Banking world. They've reverse engineered all the banks' private APIs for their mobile apps, in part because they believe the banks will hobble and cripple the Open Banking APIs because it's in competition with their business model.

It's not disappointing if you ever want consumers to actually trust the system. Even I'm not convinced about opting in yet.

My understanding is companies who meet stringent requirements and can afford to take out insurance policies should they be liable for any loss/misuse of data.

I don't get why they can't give individuals an API key for access to only their own accounts.

Presumably as dubious third parties would use it as a way round the control framework:

"get your API key, paste here", etc

Why would I ever fucking want to do that "give companies other than their bank or building society permission to securely access their accounts."

Want a better mortgage rate or a bigger loan? Let us look at the data, we may be able to give you one.

Repeat for savings, insurance, whatever.

Yeh right, you know those comparison sites are all pay to play; TANSTAAFL, as Bob Heinlein noted.

I said nothing about comparison sites, this could be other banks or financial service companies.

Take a look at teller.io. I personally have some reservations, but you might like it.

Teller.io is not using the 'Open Banking' API - it asks for all the user login information including passwords and security numbers required for a normal login.

Edit: And unfortunately, it doesn't seem even to have any intention of using it: https://twitter.com/stevegraham/status/951163378424217600

Good grief:

"A lot of people didn’t take us seriously, ignored us, bet on #OpenBanking instead. Look where we are now. We OWN the best access to the banking infra & everyone is else is out in the cold, totally fucked. When everyone thinks you’re right, you’re wrong. https://open.spotify.com/track/0whZQj81yqAv9yJEyNZcnR?si=TGr... "

Anyone fancy building their business on top of this attitude?

Never judge a man until you’ve walked a mile in his shoes. We’ve had a very difficult couple of years with some banks going to some lengths to inflict as much damage as they can on our business. It didn’t work. However, now they have failed to deliver something required by law I let my emotions get the better of me. It was a very cathartic moment.

Our technology is the best in the market but it’s entirely your prerogative to not build on it. We will be building products on it ourselves going forward anyway and that’s what I think the future of our company is.

Change to a bank that lets you do it - for example, Mondo/Monzo has an API.
