It's about time. When I learned that applications like YNAB (You Need A Budget) use services like Plaid to connect to my bank account, and that these services literally take my username and password and impersonate me to get my banking data, I was a little sketched out. I use YNAB every day, and having it connected to my bank account is incredibly useful, but if something goes wrong and Plaid loses my money somehow, is there any recourse?
Hopefully individuals will be able to use the Open Banking APIs to access their own data directly, but it looks like accreditation will be required, so probably not.
Plaid is only one security breach away from being utterly destroyed. And they will take out the financial lives of all their customers with them.
It’s utterly irresponsible and I have no idea how Plaid hasn’t been shut down. You have no recourse if they are breached. The TOS of your online banking probably says that if you disclose your username and password to any third party then you have no liability protections.
To be fair, YNAB is rather explicit about how it connects to your accounts and also actively recommends against doing so in favor of manually entering your transactions. My experience with connecting the two is that I still need to manually validate every transaction because on occasion Plaid is either slow or just misses entries entirely.
Also in the case of YNAB, Plaid is not posting transactions on your accounts. It's a screen scraping service transferring account data.
FWIW I use Schwab for banking and I was able to connect YNAB to Schwab without entering my password. It looks like Schwab supports read-only API access, and Plaid takes advantage of that to avoid needing your credentials.
As an added plus, you can keep 2FA enabled. Schwab does 2FA through an app so it's a touch above SMS-based 2FA (although only a single app is supported, Symantec VIP Access, rather than generic support for apps like Google Authenticator).
I also hate Plaid's model where you provide Plaid your credentials, and I've never entered my credentials into Plaid.
In the UK, which has implemented open banking already, you can use services like https://syncforynab.com/ (no affiliation, just a happy customer) to link your accounts to YNAB. Some challenger banks like Monzo and Starling allow you to set up webhooks for transactions so they're immediately available in YNAB through Sync for YNAB rather than having to use x-hourly syncs via open banking companies that are officially blessed by the big banks.
I haven't read the entire report yet, but it seems like a step in the right direction (even given some of the caveats folks have pointed out). I work at Plaid and a big focus area for us is to move as much traffic to APIs as possible, with a target of 75% of traffic to be committed to APIs by EOY, and we’re hopeful that we’ll be close to a fully API based industry in the next few years. IMO anything that makes API-based connectivity and open finance standards more widespread is a win for both fintech developers and anyone with a bank account.
I think the future is that banks/bank apps will do the budgeting stuff themselves. Most bank apps will now break down your monthly spending by categories. My bank app shows me my weekly and monthly spend compared to previous periods, how much I spent in each category, how much I spent at each business, how much I have spent this month so far compared to the same time last month, etc.
Hi! I work at Plaid and wanted to share that the Consumer Financial Protection Bureau addressed the fact that a financial institution cannot waive liability responsibilities in a recent Compliance Aid. FAQ 4 says that institutions cannot rely on an agreement with the consumer that waives the liability protections under Regulation E if a consumer has shared their account information with a third party because those are protections provided under the Electronic Funds Transfer Act.
Dunno how Turbotax does things under the hood in the US, but when it prompts me for the username and password of my broker to import my info, it certainly makes me very queasy.
This is basically the main reason why I built uFincs (https://ufincs.com/) without any sort of bank integration. As a Canadian myself, the privacy implications of letting a third party like Plaid take my bank password to get my data were, indeed, rather sketchy. I've been looking forward to the day that open banking gets pushed here, so this is definitely good news that uFincs (and every other personal finance app) might eventually get some secure bank integrations.
Although, knowing how these things usually go, I'm sure the "2023" target is a little optimistic...
I've worked for a heavy customer of Plaid, and I've experienced the good and bad side of said entities and architectures, and the propaganda used by both sides. Banks say "impersonate", Plaid says something else. I think a reasonable viewpoint could say that you are authorizing Plaid to act on your behalf. Would a bank punish a rich person for having their accountant/finance manager know their credentials and use them in their duties? Would a bank publicly punish someone for storing their bank password in a password manager? How about an online password manager?
This put me off this type of banking app the first time I tried to register an account with them ten years ago, and I haven't touched them since.
I suppose EU users have an easier time with the PSD2 directive mandating interoperability between banking actors, but I'm unsure how many have found a way around properly implementing it.
> YNAB (You Need A Budget) use services like Plaid to...take my username and password and impersonate me to get my banking data
WHAT. THE. F.
I'm a longtime, happy YNAB user. I had no idea this was going on until just now. I always just assumed there were secure APIs used to import my data. YNAB's Capital One "integration" stopped working a few years ago (possibly because they cracked down on screen scraping?) and I was upset with Capital One. Perhaps Capital One took steps to prevent insecure access/screen scraping?
As a developer living in a country that has fully implemented "Open Banking", here's a quick setting of expectations for Canadian developers so they don't get too excited as I did when this was first being introduced.
Open Banking is not, in fact, open in almost any sense of the word. It is standardised and the standards are freely available ("open"), but other than that, you still need to have an official "blessing" to actually access a production API endpoint (even for your own account), you need a legal entity that has some highly specific and entirely meaningless certificates that are hard (and potentially expensive) to get and even after all of that, you'll still need to negotiate access with each bank individually.
What I imagined when I first heard of "Open Banking" was a public OAuth2 endpoint where I can grant my custom script access to just my bank balance and transaction history (possibly with a change webhook) and have it update my finance tracking database.
The "open" part is only relevant to the banks, since they don't have to pay royalties for the standard implementing the APIs. For the rest of us, it might as well be SS7.
If you're based in Europe or UK, Nordigen has a completely free API to do exactly what you described (I'm one of the cofounders).
We're connected to 1,500 EU/UK banks and you can connect your bank account to your script/app without any license, certificates or any fees. We don't charge for accessing banking data, we only charge for complementary data enrichment services like transaction categorisation.
As a Canadian who has been waiting for the hypothetical ideal situation you describe since Mint and YNAB launched in Canada, that is disappointing to hear. Perhaps there will be a startup that can jump through the hoops and then provide some sort of programmability / webhook access to end users.
> What I imagined when I first heard of "Open Banking" was a public OAuth2 endpoint where I can grant my custom script access to just my bank balance and transaction history (possibly with a change webhook) and have it update my finance tracking database.
Banks are dealing in financial stuff. They probably do not want to deal with people having problems understanding OAuth2, APIs, sandboxes and such. That is an entirely different business.
“Open” in this case means open standards and access for accredited entities.
Because if you grant access to just anyone, then you’ve created an instant fraudster’s paradise.
The legal requirements in the UK (which you may be talking about, unsure) are not meaningless, they are there to ensure that known parties and known good practice are in use. Open Banking the company is working on ways to help small businesses gain accreditation and may already be able to offer assistance, and while accreditation is not free, it’s only a few £k, hardly enough to break the bank.
As a non-accredited actor, if you have a limited company you can register as a technical service provider for free and develop your product against the sandbox environment.
Oh and you don’t have to negotiate access with each bank either. The whole point is to pre-vet and establish trust ahead of time.
That’s as open as anyone with half a brain should want it to be, given what we know about people’s ability to protect their own finances.
"Users have complained that after connecting their bank accounts, Plaid stores their credentials and uses them to collect 5 years’ of transactional data and continues to track users’ data in future. Users further claim that the data-gathering scheme is not incidental to Plaid’s business model and is, in fact, its “very purpose.”"
Wow, I just assumed Plaid was part of some kind of interbank consortium. I can’t believe a service that big can be based on that model. It’s interesting how HF trading can be so cutting edge while consumer banking is 15-20 years behind.
It’s interesting to me how quickly I’ve soured on the concept of open banking, which on paper sounds fantastic and originally I was very much in favour of. And which I’ve used personally to make it easier to extract my own data for my own use.
However more often than not now I’m seeing it used for really invasive applications. Such as when I rented my most recent apartment and they asked to use open banking to verify our finances, which as far as I know would have given them access to every single transaction going back a decade or so. The agent was confused as to why I wouldn’t go ahead with it and ultimately let us opt out, but I do worry that at some point I won’t have much choice but to accept.
I’ve also seen credit scoring companies that suggest you’ll get a better credit score if you use open banking to hand over your transactions. I have no need to use that but I suspect others who are desperate to increase their chances of getting a mortgage, etc, won’t have much of a choice.
I feel the same. The convenience will likely outweigh the security concerns in the not too distant future.
What I would like is some middle step - that instead of allowing open access to accounts, I get to choose how the data is summarised and presented. e.g. just show total income and outgoings, fortnightly, over the last 6 months. Things like that.
Yes, I could export the transactions, do some Excel hand waving and make a report, then make a PDF and send it, then they would do data entry into their system summarising what they read. But automating that data sharing step would be fantastic.
I am in the process of applying for a home loan at the moment, and the amount of documentation is significant. If I were able to automate 80% of it in a fairly anonymised data way, that would be really useful.
> Such as when I rented my most recent apartment and they asked to use open banking to verify our finances
There was a Launch HN recently that did just this, but for people like Uber drivers wanting to borrow money to buy their own car. They handed over their Uber credentials, and the service scraped their Uber history to determine whether they were a good risk or not.
I'm not usually into slippery slope arguments but what your landlord asked of you is just that little bit worse than their service (worse as they have access to your bank account, not just your payroll data).
I think the moral of the story is that as a provider (Uber, a bank), you should be proactive about providing read-only access to data, removing the need for screen scraping and providing better security to your drivers/customers.
This sounds so futuristic which is awesome but at the same time banks like Tangerine, which otherwise I have nothing but praise for, don't even allow me to use a password more secure than a 4-6 digit numeric passcode. Obviously no 2FA. Sorry, that has little to do with the submission, I just had to vent about banks.
I don't know why OAuth tokens aren't the default solution to this. BoA recently added this as an option and it's way more straightforward than giving my login credentials to Personal Capital or, god forbid, Intuit.
edit: Of course it helps if the 3rd parties implement it as well. I revoked access to Intuit but Personal Capital only lets me use my userID and password.
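The contrast this comment and several others draw, a password handed to an aggregator versus a scoped token the customer can revoke, as an added toy model in Python. This is not code from the thread, from any bank, or from Plaid, YNAB, Intuit or Personal Capital; the bank, the customer, the password and the scope names are all constructed for illustration.

```python
import secrets
import time


class ToyBank:

    def __init__(self):
        # Constructed sample customer; none of this is real data.
        self.passwords = {"alice": "constructed-password"}
        self.ledger = {"alice": {"balance": 1200.00, "transactions": [
            ("2021-06-01", -42.10, "grocer"), ("2021-06-03", 2500.00, "payroll")]}}
        self.tokens = {}  # token -> grant record

    # Model 1: the customer hands over username and password. That session *is*
    # the customer, so it can do anything; only a password change cuts it off.
    def login(self, user, password):
        if not secrets.compare_digest(self.passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        return {"user": user, "scopes": {"*"}}

    # Model 2: a token limited to named scopes. It expires by itself and can be
    # revoked for one third party without touching the password or other grants.
    def grant(self, user, scopes, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "scopes": set(scopes),
                              "expires": time.time() + ttl_seconds, "revoked": False}
        return token

    def revoke(self, token):
        self.tokens[token]["revoked"] = True

    def session_from_token(self, token):
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or time.time() >= rec["expires"]:
            raise PermissionError("token unknown, expired or revoked")
        return {"user": rec["user"], "scopes": rec["scopes"]}

    # Resource server: each operation names the scope it needs; "*" passes all.
    def _require(self, session, scope):
        if "*" not in session["scopes"] and scope not in session["scopes"]:
            raise PermissionError(f"scope {scope!r} not granted")

    def read_balance(self, session):
        self._require(session, "balance:read")
        return self.ledger[session["user"]]["balance"]

    def read_transactions(self, session):
        self._require(session, "transactions:read")
        return list(self.ledger[session["user"]]["transactions"])

    def transfer(self, session, amount):
        self._require(session, "payments:write")
        self.ledger[session["user"]]["balance"] -= amount
        return self.ledger[session["user"]]["balance"]


def _allowed(fn, *args):
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def compare_models():
    """What a third party can do under each model, before and after revocation."""
    bank = ToyBank()
    scraper = bank.login("alice", "constructed-password")
    token = bank.grant("alice", ["balance:read", "transactions:read"])
    app = bank.session_from_token(token)
    outcome = {
        "scraper_can_read": _allowed(bank.read_transactions, scraper),
        "scraper_can_transfer": _allowed(bank.transfer, scraper, 100.0),
        "app_can_read": _allowed(bank.read_transactions, app),
        "app_can_transfer": _allowed(bank.transfer, app, 100.0),
    }
    bank.revoke(token)  # the customer removes the app in the bank's UI
    outcome["app_after_revoke"] = _allowed(bank.session_from_token, token)
    return outcome
```

Running `compare_models()` shows the scraper session both reading and moving money while the scoped token can only read, and that revoking the token cuts the app off without any password change.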
I have some issues with the wording in this article (I work at Plaid and I don't think everything it says about us is accurate) but the report is a good thing. Right now we really are dependent on screen scraping at many banks and we'd much rather use API-based connections to power our services, but so many banks just don't provide APIs. I'm optimistic for an open banking future in Canada and who knows, maybe even the US some day...
The EU has been moving in this direction with PSD2 and it’s been pretty good. Downside is there’s no de facto standard for APIs and each bank's development skills vary widely.
Given the tech savvy HN user base I'm surprised at all the "I'm surprised these 3rd party services are just impersonating me".
I'd love it if there were APIs to access my banking data directly, but failing that I rely on the meager "txn download via csv" my Canadian banks offer (at least).
This is a problem discussed here as well. Generally big banks are advocating getting rid of screen scraping and moving to API but most fintechs are smaller and they don't want to change and there is little appetite from Govt. to force them.
The Spectre Salt Edge API does the same. I thought I could use this in Firefly III to automatically pull my banking data, until I found out they are screen scraping. This is a no go. Unfortunately, the official FinTS APIs available by most banks are incredibly flawed, too. Firstly, a lot of information is not available. Secondly, there is no way to have a "read-only" API key/connection. Why is that? I have no idea. There is an Open Banking project in Europe, but it is far from being ready.
To everyone in this thread complaining that this is just Canada being Canada and trying to snuff out the upstarts... what the fuck are you going on about?
I'm a US citizen and I want this screen scraping / credential sharing / whatever you want to call it to die in a fire already. Forcing banks to implement any sort of API access seems both preferable to the dumpster fire we have today, as well as more inviting to upstarts, because right now the only way to be an upstart is to literally ask your customers to violate their bank's terms of service.
frosted-flakes | 4 years ago
Here's the full text of the report: https://www.canada.ca/en/department-finance/programs/consult...
williamscales | 4 years ago
jamespullar | 4 years ago
KerrickStaley | 4 years ago
frereubu | 4 years ago
phoenixy1 | 4 years ago
adrr | 4 years ago
SilverRed | 4 years ago
phoenixy1 | 4 years ago
Source: https://www.consumerfinance.gov/compliance/compliance-resour...
shados | 4 years ago
devinsit | 4 years ago
perl4ever | 4 years ago
Wait, you mean you don't read and understand every word of every legal agreement you accede to??
Ok, well, as a responsible consumer, have you considered keeping a lawyer on retainer?
jrootabega | 4 years ago
barbarbar | 4 years ago
marvin | 4 years ago
xibalba | 4 years ago
franga2000 | 4 years ago
rmesters | 4 years ago
https://nordigen.com/
byeokim | 4 years ago
> It is standardised and the standards are freely available
Same.
> you still need to have an official "blessing" to actually access a production API endpoint (even for your own account)
Same.
> you need a legal entity that has some highly specific and entirely meaningless certificates that are hard (and potentially expensive) to get
Same though not entirely meaningless.
> you'll still need to negotiate access with each bank individually.
Not same.
ghostpepper | 4 years ago
RileyJames | 4 years ago
Gys | 4 years ago
Nursie | 4 years ago
jt2190 | 4 years ago
manishsharan | 4 years ago
From this source https://www.lexology.com/library/detail.aspx?g=8f56092c-ab40...
user3939382 | 4 years ago
neom | 4 years ago
vesinisa | 4 years ago
phoenixy1 | 4 years ago
[full disclosure: I work at Plaid]
kaolinite | 4 years ago
phil-martin | 4 years ago
beachy | 4 years ago
barbazoo | 4 years ago
llbeansandrice | 4 years ago
phoenixy1 | 4 years ago
gigatexal | 4 years ago
canada_dry | 4 years ago
diogotozzi | 4 years ago
https://www.bcb.gov.br/en/financialstability/open_banking
jonny_eh | 4 years ago
softveda | 4 years ago
Helmut10001 | 4 years ago
celticninja | 4 years ago
https://www.openbanking.org.uk/what-is-open-banking/
bacan | 4 years ago
lostgame | 4 years ago
I work for a major bank relevant to this story, and I've honestly not heard anything about it internally.
themantra514 | 4 years ago
oliyoung | 4 years ago
ohazi | 4 years ago