Does it have to be another company or will I be able to write my own software that has access to my bank account?
So there are some hurdles.
(edit; in addition the PSD2 legislation, and specifically the technical guidance, does touch on concepts like 4th party, relaying parties and technical partners - so the expectation of the regulator is that this will emerge)
* your bank is an "ASPSP"
* the second party is you
* the company (third party) is the AISP
"For businesses that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers have no capital requirements and need to meet fewer conditions than authorised firms. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs have to hold professional indemnity insurance (PII). The EBA has developed Guidelines on PII (link is external)."
Correct? This doesn't specifically rule out being a relay, but I guess there is more detail/restrictions in another document.
See also: https://www.out-law.com/en/articles/2017/june/fca-urged-to-a...
Edit: And unfortunately, it doesn't seem even to have any intention of using it: https://twitter.com/stevegraham/status/951163378424217600
The downside is they are encouraging you to share passwords, as you say, which isn't driving the right customer behaviour.
More critically; in about 18 months the PSD2 Secure Customer Authentication guidance comes into force and this sort of approach (sharing credentials, which everyone basically refers to as "screen scraping" in its various forms) will be disfavoured, to the extent that banks might have to go to great lengths to try and stop it. Teller might have to go forward fighting continual reverse engineering battles.
In particular I'm concerned that Teller will have a massive target painted on its back, because it has those full login details - they could become systemically important to the UK banking system, and then perhaps the regulator should step in!
Not to mention a silly thing to do. But the average user seems to just blindly trust these things - tools like 'You Need a Budget' ask for the same.
Are we talking at cross-purposes here? Encouraging non-experts to share security credentials that give unrestricted access to their accounts with third parties is so obviously dangerous that I find it hard to believe that (a) the financial providers are now required by law to do it, and (b) not a single one of the updates I received from mine drew attention to this in any way that I noticed and recall now.
Surely the entire point of the new access paths under PSD2 is that the financial providers don't have to endorse the dangerous practice, and can instead provide an alternative way to achieve similar results but with much better control and regulation to protect all involved?
That's because the directive is actually a competitive disadvantage for them since they've invested a lot in the screen scraping.
The interpretation is not trivial though. The authentication details in particular are not very clear right now.
However, I will be hunting down the full version of the T&Cs for my account to see what they say now!
That's extremely disappointing...
That's putting it mildly.
"get your API key, paste here", etc
Repeat for savings, insurance, whatever.
"A lot of people didn’t take us seriously, ignored us, bet on #OpenBanking instead. Look where we are now. We OWN the best access to the banking infra & everyone else is out in the cold, totally fucked. When everyone thinks you’re right, you’re wrong. https://open.spotify.com/track/0whZQj81yqAv9yJEyNZcnR?si=TGr... "
Anyone fancy building their business on top of this attitude?
Our technology is the best in the market but it’s entirely your prerogative to not build on it. We will be building products on it ourselves going forward anyway and that’s what I think the future of our company is.