Hacker News new | past | comments | ask | show | jobs | submit login

Both Bank of America and Wells Fargo do technically have APIs, though they're limited in scope to corporate accounts for treasury purposes. I've applied for access to both and both declined to even a sandbox account.

Think what you want about the EU, but sometimes they have good initiatives.


This is a sham. You need to go through lots of audits & other administrative BS in order to be declared an "AISP" even if you don't actually process banking data yourself and it never leaves the user's device.

Imagine PCI-DSS compliance but without the exception that you don't have to be PCI-compliant yourself if you don't touch card data and pass it directly to a PCI-compliant payment processor.

It might look dreary to you from a distance, but for us on the ground, it is working. My bank is already offering to show any other banks’ statements along my accounts.

It's only working for large, existing players, is his point. For me wanting to build automatic syncing to my budget tools, I'm still out of luck. They don't even let you access your own data.

That’s kind of expected, isn’t it? An integration you make could be potentially used/abused by others and must be thoroughly vetted. For personal use my bank offers daily CSV downloads.

> For personal use my bank offers daily CSV downloads.

Can you automate this? This is my point. Manual CSV exports are not a solution. Open Banking was supposed to solve this but it's a complete sham that is only there to make them look like they're doing something and benefit the existing incumbents.

Why is it a sham? TPPs (who are either AISPs and/or PISPs) process banking information for customers of participating banks. A TPP will typically provide some kind of service like a unified view of customer finances, and as part of that they're processing customer banking info.

It would be an unusual TPP where the data never left the customer's device. Usually there'll be a web service/web app provided by the TPP and the communications will be between the customer and the TPP and then the TPP and the bank (a.k.a ASPSP)

Whilst it's not perfect, it's a hell of a lot better, from a security perspective, than 3rd parties getting full banking creds for customers.

> It would be an unusual TPP where the data never left the customer's device.

Why? The scenario you mention (providing an unified view of a person's multiple accounts & credit cards) can perfectly be done on the device itself and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet, I can't actually launch it "by the rules" because I need to become an AISP even though I never come in contact with actual banking data.

> 3rd parties getting full banking creds for customers.

This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.

Purely on a customer device would be extremely difficult as the OAuth keys for obtaining the consent would need to be stored on the device, which isn't a solution that scales past one user, from a security standpoint.

The problem of customer choice is that customers are very badly informed about the relative security of services, so there's a market for lemons. If the bank has no liability, that's possibly fine (although it could be argued the bank has some responsibility to advise the customer), but if the bank has any liability for issues resulting, then they get a say in the outcome.

Why wouldn't it be good from a security standpoint? How do social media clients do it then? As far as I know they do oAuth too and so hold the consumer key & consumer secrets inside the binary.

Leakage of the consumer secret/consumer key alone doesn't compromise security as you still need the access token and refresh token which are per-user.

Truelayer (although a smaller company) is the equivalent of Plaid in EU.

You generally need to have good relationships with banks for them to allow you to use their APIs.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact