Hacker News
The quiet battle raging around open banking (sifted.eu)
120 points by rmesters on Aug 2, 2021 | 56 comments



I didn't understand that article. Maybe I don't have enough context.

"share their bank data with other parties"

What? Who wants to share their what now with whom? Why would they do that?

"Fintechs like Plaid, TrueLayer and Tink have founded their businesses on providing access to regulated banking data for a fee.."

What data? Aggregated? Individual banking? What regulated data? What regulations?

"Under current banking regulation, raw data must be provided for free to consumers via an official application programming interface (or API). As a result, the apps pick up the cost on behalf of their users."

What? My bank doesn't offer an API. I have no idea what that last sentence even means. What cost?

It really seems like the article assumes a lot of background knowledge. Anybody have an ELI5 link?


All banks in the EU must offer a data and payments API. The APIs are standardised and must allow third party service providers - which themselves must be regulated - to be able to build services using these APIs. With a user's authorisation, said service provider can view transaction data or initiate a payment, for example. The specific regulation is called "payment services directive 2".


This is exactly what I miss about PSD2: a small company still can't just use an API to do its banking, checking what money comes in and optionally (semi) automating payments. You still need to lobby your country's ministry of finance to get a licence. Great for all the hot customer payments startups but useless for a company that just wants to do IBAN and cut out the middle man.


This is exactly why I hate the name "Open" Banking.


Truly we need two tiers of API access, one which will only work with bank accounts we link to our API developer profile, which is easier to get access to, and another that is meant to handle third party bank data which requires ministry compliance and may need to wait longer for.


You can get that via banks directly, in whatever proprietary format, if they wish to provide it.

e.g. Monzo in the UK (&US?) offers a personal-use-only 'beta' API (it predated 'open' banking requirement, and they continue to say it's a developer API in beta, don't share access keys yet but one day, but basically it seems to be vapourware at this point). PSD2's 'open' banking is.. I don't know, it's something, but it's not what anybody here wants, or imagines it is from the name if they've not previously heard of it.

It might as well be a standardised Industry COBOL Interchange Specification, a copy is yours for just £25k today! Or join the 2022 edition working group for a mere £250k, and help define next year's mandatory update.


Since you mention COBOL, a lot of work is being done in COBOL to export JSON feeds exactly for this. Since the late 2000s and 2010s back-end core banking space (in larger banks) was largely about moving from disparate code to a common trunk, this, at least for friends 'lucky' enough to be connected to this, seems to be implemented as a general solution so should XTZ country decide to do their own regulatory implementation of Open Banking/PSD2 a lot of the ground work will have been done.


What's to stop people from building an integration that requires the API keys from the self-serve access flow? e.g. in the US people are OK with giving their password to Plaid?


> in the US people are OK with giving their password to Plaid?

They absolutely shouldn't be.

There are/were services like that here too, but what trust (or usefulness to be honest) they had will/has erode/d as a consequence.

Also you don't have to be a literal bank, the better (/with enough of an EU/UK focus) services like that will just offer the proper authentication method instead, now (since 2016 I think?) that it's available.


Cofounder of Nordigen here. We built a completely free API to allow small companies check what money comes in, no additional license needed (it's done on the back of our AISP licence). We're connected to more than 1,000 banks in Europe. Here's the link: https://nordigen.com/en/products/account-information/


Indeed, why should it require an intermediary at all? Even individuals should be able to access their banks' APIs directly from their own devices.


> What? Who wants to share their what now with whom? Why would they do that?

Accounting or budgeting services for example.

> What data? Aggregated? Individual banking?

TrueLayer & Plaid are gateways that translate bank's individual APIs into a single common one, and their clients pay them for the privilege (typically a monthly fee per active account connected).

> What regulated data? What regulations?

There are EU regulations that force each bank to provide an API to any AISP (account information services provider) or PISP (payment initiation service provider). The (A|P)ISP can request the end-user's consent (typically via OAuth) to access this data.

> My bank doesn't offer an API.

This is why I dislike the name Open Banking. It's not actually open. You have to either go through tons of regulatory BS to become an AISP or go through a gatekeeper like TrueLayer or their competitors (which will happily "lend" you their AISP licence). Fortunately, there are modern banks such as Monzo or Starling which allow the end-user to use the API to access their own account, but technically this has nothing to do with Open Banking (even though it's often the same API).


I work around this sector. Big banks sell data to data brokers the same as telcos do. It's unlike Facebook selling your data because the people buying it aren't trying to target you specifically. They are looking for market trends. You are usually aggregated around your demographic. Essentially, the banks are selling the spending behaviors of demographic X. This type of anonymous data is important to businesses like Nike and Coke because it informs their advertising messages.


I also know that there are several companies trying to build alternative credit risk models in markets like India and Colombia, where many people do not have a credit history so the usual credit scoring models do not really work. In this case the data is certainly being used to target, or rather score you specifically.


I can't find it rn, but I think Chase sells individualized data to brokers which can then be linked to online tracking ids. Google has a program for this; it links physical and digital and they use it to verify the effectiveness of their online ad campaigns.


> Big banks sell data to data brokers the same as telcos do.

Do they pay me for making money from me?


indirectly, by providing you with 'free' services.


Or low cost, as they are forced to do by the legislation anyway.


That is incredibly disturbing.


If this is actually true (because it has nothing to do with Open Banking), how does this comply with the GDPR?


It complies because it's aggregated, no individual's data is involved.


Facebook doesn't sell your data.

https://www.facebook.com/help/152637448140583/


Facebook sells access to you. It's like those safe driving apps. They don't sell your data. But they sell access to conclusions drawn from your data. That's their entire business.


That's some high quality 1984 level newspeak you got there.


> What? Who wants to share their what now with whom? Why would they do that?

Barclays will send banking data directly to FreeAgent[1] which allows you to categorize the transactions and upload receipts. FreeAgent uses this information to calculate how much VAT and Corporation tax I owe to the government. Couldn't be simpler.

[1] https://support.freeagent.com/hc/en-gb/articles/360006470520...


If memory serves it's an EU directive meant to decouple handling of money from access to banking information by forcing banks to provide APIs that third parties can use on a bank customer's behalf. So you can grant an app permission to see a live view of your account balance, for example. Not sure what applications the lawmakers have in mind. Credit rating seems like an obvious application. It would maybe make it easier to circumvent credit cards for money transfer, maybe? I suspect there's a lot of hand-wavy "startups will figure something out"


> Not sure what applications the lawmakers have in mind.

Accounting and budgeting services are the most common examples.


Not answering your question but, I ran into Plaid recently as Tesla wants you to use it to pay for your car. I said "GTFO" and got a cashier's check

As others have pointed out, Plaid is a service that lets people interface with your bank via one API, the Plaid API; Plaid deals with all the various banks. And Plaid mines your account advertising (as it says in their TOS/Privacy policy) and shares that info with whoever they want.

I also found out (and this is old info) that ANYONE can take money from your bank account without your permission. There might be repercussions for them later or maybe the bank has to trust them but I found this out because I signed up for Apple Pay and Apple Pay wants me to pay my bill via ACH.

https://en.wikipedia.org/wiki/Automated_clearing_house

What happened is I gave Apple my info (routing number and account number) and without the bank confirming with me that Apple had permission to take some money, Apple sucked money out of my bank account.

That's crazy to me. Those 2 numbers are on every check I've ever written.

I get that someone can charge money to me with my Credit Card info but AFAIK if it's fraud I'm only out max $50. Plus, it's not my money, it's the CCard company's money since it's effectively a loan and the fraud is their problem, not mine.

I'm sure someone with more knowledge can tell me why the ACH system is safe but I find it super scary ATM.


> Plaid mines your account advertising (as it says in their TOS/Privacy policy) and shares that info with whoever they want.

FWIW I think this is a slight misinterpretation of our privacy policy. The section on advertising basically just refers to our usage of cookies for advertising and analytics. Plaid does not share personal information without your explicit consent: https://plaid.com/how-we-handle-data/


No. You are correct. The US payment system is hopelessly insecure. Anyone who has your numbers can pull money from your account with no further authentication. Knuth had to stop writing checks for his bug bounties because of this.

https://www-cs-faculty.stanford.edu/~knuth/news08.html


Similarly, the PSD2 directive in Europe transformed the bank accounts into credit cards. With limited insurance.


This article does not make a lot of sense.

As you can see it is sponsored by Nordigen, and they try to say that open banking has some ugly and bad aspects in everything that is not the particular points of their marketing offer.



Open banking isn't what it sounds like...

You would imagine that with open banking I could write my own code to pay my bills, send out birthday gifts, or pay my employees...

I imagine I could enable a trusted third party to automatically switch my bank account from one that earns 0.1% interest to one that earns 1% interest... Or to detect that I was double billed for amazon prime and auto refund one. Or maybe it would let me create temporary bank accounts for a payment (so that I can't be overbilled).

Yet it turns out that it's not really more than a CSV dump of your statement. It's read only, and has barely any more data than the PDF files available from the bank. Pretty much all you can do with it is draw pretty graphs that anyone could draw in Excel in 5 minutes. Oh, and some evil companies demand to have access to your bank statement via open banking to check if you are 'worthy' of a job/loan/school.


There are two stages of regulatory licencing. One is the 'read only' as you state. The other allows transaction rules you have set up (or authorised) to be transacted on your behalf, and carries another layer of licence.


This article is almost incoherent. I'm really surprised to see it rank here. It's useful neither to folks who know about open banking (because they would learn nothing new), nor to people new to open banking (because it doesn't explain even the basics of how it's meant to work).

Open banking is meant to allow any third party to get your financial information if you agree, just like any app can implement social auth with Google/Twitter/GitHub.

But (pasting a comment I wrote here 2 years ago):

"By using Plaid or an Open Banking service from another party (e.g. Experian) you'll pay fees to get information you can get for free if you integrate directly with the banks.

Even though the open banking APIs are uniform, any company wishing to use them still has to register with each and every bank, and test the integration works with each one. Until you've done it once, it's hard to know whether it will be easy (you write the code once, and it works flawlessly for all banks) or you have edge cases (e.g. some banks have funny timeout issues). So if you're a developer on a deadline, you will likely prefer to use a single API."


I wish I could give my banks/FIs a token which allows the bank/FI to just drop my data (like transactions) into my Google Drive in some machine-readable format like CSV. Then I could use an offline tool of my choosing to analyze the data. Why can't it be this simple?


Use a modern bank like Monzo or Starling and they'll allow you to access their API directly without having either an AISP license or using a gatekeeper like TrueLayer.


I've had a good experience with Monzo (never used Starling, though IIRC there's some history between the two). I'd recommend signing up to the waiting list if you haven't already.


For people in the US: Monzo has a waitlist and Starling doesn’t seem available (yet)


The entire PSD2 directive laying the groundwork for open banking is a disaster, IMHO. It seeks to do the right things but then completely ignores identity and authorization as a problem. It kinda matters, which organizations you authorize to access your financial data and how do they know it’s you. All that given the eIDAS directive is in place laying at least groundwork for EU-wide identities.

It has a glass ceiling to it: the more popular it gets, the more fraud there is going to be, the less popular it is.


Open Finance is quite possible without giving your user name and password, by using a similar approach to the Open Banking API. Which platforms require you to give your credentials?


Plaid is the big one. They use app-specific passwords or other auth methods where available, but most of the integrations they offer are built on elaborate screen scraping because the banks they're pulling from don't offer any kind of APIs in the first place.


I yearn for better personal financial software with things like purchase queues, a simple “should I buy this?” UI, and a way to quickly calculate the downstream effects of financial decisions. Open banking, or at least clean, timely bank data, is a prerequisite to anything like that, but it’s been elusive for solo devs in the US. The UK and EU are far ahead in that regard.


The #1 financial integration feature missing from ~all banks ~everywhere for most users is secure transaction notifications. Granted, this is significantly complicated by cancellation, deferred settlement, bank fees as an externally accounted figure, debit states and failed transactions with rollbacks or associated credits. But just a dumb integration would be enough for many uses and would allow firing a substantial number of accountants. It's not too tongue in cheek to suggest that the whole hosted-accounting world is largely playing off this one feature + pretty graphs.

Thoughts on future settlement protocols: https://raw.githubusercontent.com/globalcitizen/ifex-protoco...


Quite surprised to see a sponsored post make the front page of hn.

I'm planning to utilize the UK version to aggregate my transactions via a read only interface. That seems relatively safe & think I can wrangle the half a dozen accounts with python into some sort of coherent view.

Someone hacked together a bash version of it already:

https://gitlab.com/emorrp1/accounts


The missing bit is IAM. User to create access keys, each key with a policy that allows specific actions. Much like AWS IAM works


The Financial Data Exchange (FDX) working group is pushing for this. They have a data spec and UX guides that encourage this exact thing. A user creates an access token for a specific app and that access token can grant certain abilities to certain bank accounts. It's also adopted by the top US banks (live in production).
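As an added illustration of the scoped-key model the two comments above describe (per-app keys with a policy naming the accounts and actions they may touch, read-only versus payment initiation), a constructed Python sketch; it is not code from FDX, any bank, or the commenters, and the account ids, action names and expiry values are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Actions split the way the thread describes the two licence tiers:
# account information (read-only) versus payment initiation.
AIS_ACTIONS = frozenset({"accounts:read", "transactions:read"})
PIS_ACTIONS = frozenset({"payments:initiate"})
ALL_ACTIONS = AIS_ACTIONS | PIS_ACTIONS


@dataclass(frozen=True)
class Policy:
    accounts: frozenset   # account ids this key may touch (constructed ids)
    actions: frozenset    # subset of ALL_ACTIONS
    expires_at: float     # epoch seconds; every key expires


@dataclass
class KeyStore:
    """Stores only hashes of issued keys, so a leaked table does not leak keys."""
    policies: dict = field(default_factory=dict)

    @staticmethod
    def _fingerprint(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, policy: Policy) -> str:
        if not policy.actions <= ALL_ACTIONS:
            raise ValueError("unknown action in policy")
        key = secrets.token_urlsafe(32)
        self.policies[self._fingerprint(key)] = policy
        return key

    def revoke_key(self, key: str) -> None:
        self.policies.pop(self._fingerprint(key), None)

    def authorize(self, key: str, action: str, account: str,
                  now: Optional[float] = None) -> tuple:
        """Deny by default; return (allowed, reason) so denials can be logged."""
        now = time.time() if now is None else now
        policy = self.policies.get(self._fingerprint(key))
        if policy is None:
            return False, "unknown or revoked key"
        if now >= policy.expires_at:
            return False, "key expired"
        if action not in policy.actions:
            return False, f"action {action} not granted"
        if account not in policy.accounts:
            return False, f"account {account} not in key scope"
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: a budgeting app holds a read-only key for one account."""
    store = KeyStore()
    key = store.issue_key(Policy(frozenset({"acct-current"}), AIS_ACTIONS, 2_000_000_000))
    t = 1_700_000_000
    return {
        "read_own": store.authorize(key, "transactions:read", "acct-current", now=t)[0],
        "pay_own": store.authorize(key, "payments:initiate", "acct-current", now=t)[0],
        "read_other": store.authorize(key, "transactions:read", "acct-savings", now=t)[0],
        "read_expired": store.authorize(key, "transactions:read", "acct-current", now=2_100_000_000)[0],
    }
```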


I see no point in open banking for me as a customer. The supposed benefits are timid compared to the huge privacy implications. I pass


I use a budget app called YNAB (You Need A Budget). It's great, but if I want to connect it to my bank account so I don't forget to add a transaction, I need to literally give my bank account number and password to Plaid, a 3rd party service that logs into my online banking portal as me in order to screen-scrape my transaction data, because my bank does not offer an API. Do you not see a problem with this? Not only is it a terrible idea from a security stand-point, but it's also super brittle and error-prone, because whenever the bank updates its website it breaks the screenscraper.


Gah I was looking into this sort of stuff. I'm sticking to Excel and manual reconciliation like I've been doing for 20 years now. Thanks for the heads up.


You don't need to connect your bank account to YNAB. It works fine without it; you just need to manually enter every transaction, which you should do anyway. Linking to your bank account is just to catch mistakes and to auto-add scheduled transactions.

I would never go back to budgeting in Excel. Way too tedious.


They're helpful if you use portfolio aggregation tools like Personal Capital or Mint. Tracking your overall portfolio balance when you have many different types of investment accounts with different banks is difficult to do by hand.

Without open banking APIs, these tools have to collect your authentication information and impersonate you on your banks' websites to collect your account balance information.


Which privacy implications?


The attack surface is larger if there are also third parties with access to your account data.

Attackers will breach the weakest link. Right now there is only one link: your bank's website.


That is unfortunately not true. There are a great many additional surface areas, such as that time they linked TurboTax to their account, or the time they signed up for budgeting software - and gave it their bank credentials, etc.

Most of these being done through screen scraping and by storing users' bank credentials in some random third party's database. Which is a huge and tempting target.

It’s gotten somewhat better in some cases now as they are at least using SSO type setups, so it’s a trackable and expirable token instead of raw credentials at least some of the time - but yikes.



