Hacker News new | past | comments | ask | show | jobs | submit login
UK's Open Banking to Launch on 13 January (openbanking.org.uk)
127 points by nns on Jan 13, 2018 | hide | past | favorite | 107 comments



WTF? What is open about a system that only very few organisations can use? Imagine in the paper world, now you not only can ask the bank how much money you have, you can also authorize other companies to look at your account statements for you ... but noone got the idea that maybe you, the account holder, should be able to get a copy of the account statements?

It seems we are still at the "reading and writing is for monks" stage of digital technology? God forbid the laypeople themselves use pen and paper!


Its a fair criticism in part; but you are a technologist and so want unfiltered access to play with that data.

For the vast majority of people that's meaningless - so to be able to share that data with companies offering new and interesting services (AIS sign up is reasonably lightweight, certainly within trivial reach of any startup) is a big step forward.

I think we should be encouraging!

(Or in other words; your thinking of the limitations on the micro level and missing the benefits at the macro)

FWIW GDPR is more interesting legislation for what your after - you will have the ability to get access to your own data. Unfortunately that legislation didn't push hard enough to promote the idea of digital access - we should level our criticism most harshly there to try and effect change :)


> For the vast majority of people that's meaningless

Erm ... WTF?! I'm not sure how explain this as it just seems so obvious, but ... you can, like, use software that other people write on your own computer!? There is no need to have any clue whatsoever of software development nor to share your data with any third party in order to profit from open APIs.

People can use Thunderbird to read and write email without any need to be able to write software because there are open POP3, IMAP, and SMTP specs and you can have POP3, IMAP, and SMTP credentials for your email provider ... how is that meaningless to the vast majority of people?!

> I think we should be encouraging!

Encouraging of what? More centralization of data processing? Less control for the consumer?

> FWIW GDPR is more interesting legislation for what your after

Not at all. That is about data protection, not about machine readable interfaces. First of all, being able to access my data does not in any way allow me to initiate transactions, which is a ciritical part of banking functionality. But also, being able to access data does not at all mean being able to process it using a computer. I can have access to all the data companies store about me now, and most of them will simply send a letter with a printout to fulfill their legal obligations.


Thats what I mean; PSD2 has always been about B2B. GDPR is business to consumer and we should critique it to press for digital solutions that are meaningful for consumers.

As to the desktop app business; well sure but my hope is we build to this sort of thing. No harm is starting somewhere!


> Thats what I mean; PSD2 has always been about B2B.

Which is precisely why it is bad?!

> GDPR is business to consumer and we should critique it to press for digital solutions that are meaningful for consumers.

No, GDPR simply does not have anything to do with this. GDPR is about human rights, not about technological development. Machine readable access might still be a worthwhile goal in that area, but extending data protection to encompass the right to submit transactions to your bank via a machine readable standardized interface certainly would be a stretch.

> As to the desktop app business; well sure but my hope is we build to this sort of thing. No harm is starting somewhere!

But are we starting anywhere? Say I want to write free banking software for people who care about their privacy ... are we even the slightest bit closer to being able to do that? Or isn't this rather a step in the opposite direction in that it further cements the idea of having monks do all the reading and writing for your?


> you can, like, use software that other people write on your own computer

Sounds like your issue boils down to whether this is done with SaaS vs local app


Sort of? So?

Though, mind you that "local app" is not the only way to run software. I could also install software on my home server to, I dunno, send me XMPP messages for incoming transactions, dunno whether you would call that a "local app"?


The objection to software you manage is the same as the objection to software you write - that you won't have the checks, balances, and liabilities of registered suppliers and this would create uninsurable risk that the banking ecosystem can't be expected to bear.


So, web banking does not exist?


Digital access to your data isn't likely to work out generally unless you're happy with "Here's a PDF sent to your email address" in which case, sure, that's going to happen.

I look after a system that has loads of PII, as a mix of traditional SQL databases and RDF with a bunch of RESTful service layers keeping it all in neat boxes so it's not a sprawling unmanageable mess.

Now, if you ask for Subject Access after our verification team is happy that you're who you say you are I can and will extract the data that's clearly about you from those sources, tart it up and reformat it, and shove that into a PDF you can have.

What I can't realistically do, even if they tried to legislate for it, is make say the RDF data structures somehow understandable to the lay person who thinks "graph" means "chart" and "a triple" is when you win three things in a row.

OpenBanking works because ultimately the banks are pretty interchangeable when it comes to ordinary personal accounts. Money comes in or out, there's some short half-arsed text saying why, an amount, it's a very regular structure. But imagine trying to build a single "digital access" that works for your Reddit posts, health records, grocery purchases, subscription to Playboy, and MetroCard account... what on Earth would the UX be for that?

Google gives us an idea what the best we could hope for is - if you sign in and say you want all your data, Google will ZIP it all up for you. But it's not a coherent system, it's just like somebody's old PC backup, a bunch of unrelated files in different formats in a ZIP file.


Just because plebs can't understand triples doesnt mean they should have the right to seem (and potentially show them to someone who does). It might even get people to learn or write software to make sense of whatever data structure. In any case it shouldn't be up to the data borrower.


> What is open about a system that only very few organisations can use

I'm sorry - as a consumer, I'm going to want the most stringent checks before giving a third party direct read/write access to my bank account. The biggest criticism people have of the scheme so far is that it 'sounds like a security nightmare' and who is liable if I give someone access and they do Bad Things.

Is your criticism really that it is insufficiently open in that certification is stringent?


?!

No, my criticism is that it is an interface for third parties only that locks out the first party!?


If you want to download your own data you can do so, to an extent, through the midata format which was launched in 2011. It lets you download the last 12 months transactions from your current accounts in a file.

https://www.gov.uk/government/news/the-midata-vision-of-cons... https://www.hsbc.co.uk/1/2/midata-faqs https://www.santander.co.uk/uk/current-accounts/midata


Having to manually press a download button is not a machine readable interface. Also, this does not allow me to submit transactions.


How many people do you think will be able to secure their access?

And what happens if their computer is hacked, the credentials stolen and the accounts emptied?

It's not hard for me to imagine developers saying, "hey, we all know computers get hacked, it is the bank's job to know when its really me versus when someone stole my API keys. What a shitty bank. I'm expecting all my money back"


WTF?

How is that any different with web interfaces? Or are you saying that people should just generally not be able to use their own computers for banking purposes?


API keys are stored on the computer (even accidentally pushed to github, etc)

Credentials for web interfaces are stored in our heads.

People are still able to use their own computers - via the web interface, which is under the full control of the banks.


> API keys are stored on the computer (even accidentally pushed to github, etc)

Then ... create an API without "API keys"?!

> Credentials for web interfaces are stored in our heads.

So ... store the credentials for the API in your head then?!

> People are still able to use their own computers - via the web interface, which is under the full control of the banks.

Erm ... no, it's not? The bank sends me IP packets, what happens with those IP packets is completely under my control (or under the control of anyone who happens to have compromised my computer, for that matter). I select what web browser I use. I could write my own web browser. Or modify an existing one. Or run it under a debugger. Or just not use a browser at all. What my computer does with the IP packets my bank sends me is completely out of the bank's control.


It's a tool specifically designed to allow the first party to open access to a third party. It doesn't lock anyone out of anything.


Are you sure you can't? Besides the paper statements, I can download my transaction data in a variety of formats including CSV from every bank I've use in the Netherlands.


The problem is that for a lot of banks there is no easy way to automate that process. I think 90 percent of use cases would be addressed simply by providing a way of giving automated read only access to statements.


Instead giving access to EVERYTHING seems a little overdrive then....


Well, that was just an example for the sake of an analogy?

Obviously, I want a fully machine-readable API to all of my bank's functionality. Which also "downloading transaction data as CSV" does not fit at all if I have to manually log in and download the data. Also, CSV lists of transactions usually are useless for synchronization as they usually don't provide any mechanism to reliably deduplicate transactions and to check for completeness.


Does the history go back more than a year or two?


I would expect they are, if only for legal reasons.

According to my bank's website, I can get account statements up to 10 years back, except for closed accounts.


If you wanted to run a startup that ran APIs which bank customers could use this bill would presumably make that possible.


Which is supposed to solve the problem how? Now I as a customer am dependent on the proprietary API of some startup? Or do you expect startups to compete on a standardized API? And why should I have to employ a monk looking through my bank statements to be able to get access to them? Sure that can be a basis for an idiotic hack, but how does that make it a sensible approach?


>Or do you expect startups to compete on a standardized API?

At least an API. If that's what customers really want, at least now there is chance somebody will provide it.

>why should I have to employ a monk looking through my bank statements to be able to get access to them? Sure that can be a basis for an idiotic hack

Because the banks themselves are completely uninterested in providing API access to you and somebody with a legal team has to shoulder the liability for providing it.


> At least an API. If that's what customers really want, at least now there is chance somebody will provide it.

But I don't want "an API"? I want a non-proprietary API! I wouldn't bother with locking myself into some proprietary startup crap of questionably reliability, then I can just as well scrape the web interface of my bank, that's also a proprietary API of sorts, and I at least don't have to pay yet another party and risk them abusing or leaking my data and myself being unable to figure out who is responsible for failures in the service.

> Because the banks themselves are completely uninterested in providing API access to you and somebody with a legal team has to shoulder the liability for providing it.

... which is exactly why they should be legally obligated to, instead of some idiotic "you have to allow third parties to access your customers' data" laws?!


> Open Banking is a term that describes a secure set of technologies and standards that allow customers to give companies other than their bank or building society permission to securely access their accounts.

Does it have to be another company or will I be able to write my own software that has access to my bank account?


You have to be a company. You also have to be regulated as an AISP or PISP (Account Information/Payment Initiation Service Provider).

So there are some hurdles.


That is disappointing. I wonder if anyone is doing the legal analysis on what it would take to be a 'passthrough provider', who would simply wrap it up in an easier API with a simple TOS.


There are a bunch of companies doing exactly this, usually with some value-added service on top (e.g. categorisation).


I think that will come. It will take a bit of time for comfort to set in (both with the consumer and the banks) but I definitely see this as the first step.

(edit; in addition the psd2 legislatiob, and specifically the technical guidance, does touch on concepts like 4th party, relaying parties and technical partners - so the exoectation of the regulator is that this will emerge)


I'm struggling with the enterprise-y terminology. It sounds like:

  * your bank is an "ASPSP"
  * the second party is you
  * the company (third party) is the AISP
So each individual company that needs to access your information is an AISP (or PISP for initiating payments)? Your accountant might be an AISP and your water company a PISP? And FCA requirements are (https://www.fca.org.uk/firms/new-regulated-payment-services-...):

"For businesses that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers have no capital requirements and need to meet fewer conditions than authorised firms. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs have to hold professional indemnity insurance (PII). The EBA has developed Guidelines on PII (link is external)."

Correct? This doesn't specifically rule out being a relay, but I guess there is more detail/restrictions in another document.

See also: https://www.out-law.com/en/articles/2017/june/fca-urged-to-a...


Yes that is an accurate summary.


Teller.io is doing this. You might want to look into what licenses they needed to get.


No it isn't, at least, not yet - it asks for all the user login information including passwords and security numbers required for a normal login.

Edit: And unfortunately, it doesn't seem even to have any intention of using it: https://twitter.com/stevegraham/status/951163378424217600


Teller is interesting; I have some reservations (mostly around the attitude they portray, which is a bit unprofessional) but they have a good vision.

The downside is they are encouraging you to share passwords, as you say, which isn't driving the right customer behaviour.

More critically; in about 18 months the PSD2 Secure Customer Authentication guidance comes into force and this sort of approach (sharing credentials, which everyone basically refers to as "screen scraping" in its various forms) will be dis-favourer, to the extent that banks might have to go to great lengths to try and stop it. Teller might have to go forward fighting continual reverse engineering battles.


I think we've independently arrived at exactly the same point with our reservations.

In particular I'm concerned that Teller will have a massive target painted on it's back, because it has those full login details - they could become systemically important to the UK banking system, and then perhaps the regulator should step in!


It's already against the typical bank's terms of service for a user to provide them.

Not to mention a silly thing to do. But the average user seems just blindly trusts these things - tools like 'You Need a Budget' ask for the same.


Founder here. This is incorrect. It is no longer against the terms of service of any European bank as of today thanks to PSD2.


It can no longer be against the terms of service of financial service providers to prohibit sharing the credentials used to access your accounts on their systems?


Yes, every UK bank had to write to their customers updating their terms allowing such activity end of last year.


I have accounts with several banks and other financial services, and I have received various updates to terms in connection with PSD2 over the past few months. However, I don't recall any of them saying it was now OK to share things like passwords or PINs.

Are we talking at cross-purposes here? Encouraging non-experts to share security credentials that give unrestricted access to their accounts with third parties is so obviously dangerous that I find it hard to believe that (a) the financial providers are now required by law to do it, and (b) not a single one of the updates I received from mine drew attention to this in any way that I noticed and recall now.

Surely the entire point of the new access paths under PSD2 is that the financial providers don't have to endorse the dangerous practice, and can instead provide an alternative way to achieve similar results but with much better control and regulation to protect all involved?


What the existing screen scraper companies have done, is to make sure the psd2 directive will allow screen scraping as a fallback method if they are not satisfied with the bank API:s.

That's because the directive is actually a competitive disadvantage for them since they've invested a lot in the screen scraping.

The interpretation is not trivial though. The authentication details in particular are not very clear right now.


Most likely it took the form of 'Section 7.5.2 is deleted', and you or I wouldn't have noticed.

However, I will be hunting down the full version of the T&Cs for my account to see what they say now!


Really? So that suggests enrolment in an 'Open Banking' app requires the same?

That's extremely disappointing...


> a bit unprofessional

That's putting it mildly.


We actually don’t do this where we we have an option to, i.e. with Barclays and Nationwide. Regardless, users giving credentials to 3rd parties is not against the terms of any bank in the EU and it’s contrary to EU law for them to make it so. Banks are also on the hook for liability in the first instance and must immediately make good any customer loss, although they can pursue the 3rd party.


Teller isn't part of the PSD2/Open Banking world. They've reversed engineered all the bank's private APIs for their mobile apps, in part because they believe the banks will hobble and cripple the Open Banking APIs because it's in competition with their business model.


IT's not disapointing if you ever want consumers to actually trust the system. Even I'm not convinced about opting in yet.


My understanding is companies, who meet stringent requirements and can afford to take out insurance policies should they be liable for any loss/misuse of data.


I don't get why they can't give individuals and API key for access to only their own accounts.


presumably as dubious third parties would use it a way round the control framework

"get your API key, paste here", etc


Why would I ever fucking want to do that "give companies other than their bank or building society permission to securely access their accounts."


Want a better mortgage rate or a bigger loan? Let us look at the data, we may be able to give you one.

Repeat for savings, insurance, whatever.


Yeh right you know those comparison sites are all pay to play TANSTAAFL as Bob Heinlein noted.


I said nothing about comparison sites,this could be other banks or financial service companies.


Take a look at teller.io. I personally have some reservations, but you might like it.


Teller.io is not using the 'Open Banking' API - it asks for all the user login information including passwords and security numbers required for a normal login.

Edit: And unfortunately, it doesn't seem even to have any intention of using it: https://twitter.com/stevegraham/status/951163378424217600


Good grief:

"A lot of people didn’t take us seriously, ignored us, bet on #OpenBanking instead. Look where we are now. We OWN the best access to the banking infra & everyone is else is out in the cold, totally fucked. When everyone thinks you’re right, you’re wrong. https://open.spotify.com/track/0whZQj81yqAv9yJEyNZcnR?si=TGr... "

Anyone fancy building their business on top of this attitude?


Never judge a man until you’ve walked a mile in his shoes. We’ve had a very difficult couple of years with some banks going to some lengths to inflict as much damage as they can on our business. It didn’t work. However, now they have failed to deliver something required by law I let my emotions get the better of me. It was a very cathartic moment.

Our technology is the best in the market but it’s entirely your prerogative to not build on it. We will be building products on it ourselves going forward anyway and that’s what I think the future of our company is.


Change to a bank that lets you do it - for example, Mondo/Monzo has an API.


I think this is the UK's implementation of EU PSD2 directive (e.g. [1]) so may not survive brexit. Looking forward to what'll come out of it though!

[1] https://www.tsys.com/news-innovation/whats-new/Articles-and-...


It should survive; the EU Banking Authority is based in London (it will move post Brexit) and the UK treasury were major influencers on this legislation.

Worth saying also; Open Banking actually came out of the UK competition marketing authority - its just become tied up with PSD2 (as its one way to achieve compliance with that legislation)


Haha. And my initial thought was ‘you see this is the type of thing the UK could leverage on arguing for UK thriving without eu’


Wow, the UK is really embracing technology. You can do so much electronically though the Gov.uk website already, and you can even access your NHS medical record via a phone app. Being able to consume banking data via an API will no doubt open up a suite of more useful apps, that can help with managing budgets and planning for the future etc.


There's no such thing as an NHS medical record, every hospital/care centre keeps its own records. What app are you referring to?


This: https://www.nhs.uk/NHSEngland/online-services/Pages/gp-servi...

And yes there isn't a single database, but if you transfer to a different GP they will transfer your records from your old GP, and this app then let's you view them too.


The records amalgamation was one of those £10s-of-billions software project that failed to produce any output [other than great profits and some nice bonuses, I'd warrant] wasn't it?


That is in the past, it was a single project from 5 years ago, and I think the companies involved were investigated by the FSA. Nowadays NHS is pushing software initiatives more and more, see here: https://www.england.nhs.uk/digitaltechnology/info-revolution...


There's a thing called a summary care record which is in a central database: https://digital.nhs.uk/summary-care-records

There are still a lot of details siloed in individual organisations, though.


Yeh right then why cant Bedford send test results to Lister (Stevenage) 40 miles away at one point I was supposed to spend an entire day (by ambulance) going to Stevenage for 10 mins to have some bloods done then go back 3 days later for my outpatient clinic :-)


> Wow, the UK is really embracing technology

They did not have much choice. The deadline is before brexit.


This is an EU initiative, not UK.


Why would anyone ever want to let a 3rd party company manage their bank account? I barely trust my bank yo do that...

I'm afraid that some companies will try to force it upon customers as well. Starting with: "If you allow us to manage your purchase it will get even faster (oh and we get access to all of your financial info), and you also get a useless gadget!"


I once tried to open a personal investing account with Fidelity. When it came time to fund it, they wanted me to give them the username and password for my bank account so that they could log in on my behalf and verify that the account was owned by me.

Obviously, I didn't follow through with that, because that's a terrible sign of how Fidelity treats security and when it comes to entrusting large sums of money with an investment firm, I'd prefer one that's demonstrated a better security policy all around.

Anyway, this article was hilariously scant of technical details, but if the API they're creating allows different privileges to be associated with each API user, it's possible that I could use it to provide a company like Fidelty read-only access to only the information they need to verify that I am the account owner, and nothing more.


A bank is a third party company which manages your money.

Illegal things are illegal. It's a risk vs. convenience calculation people make, as with banks themselves.


People said the said the same about ATMs. They were wrong.


How is ATMs remotely similar?


You give a 3rd party ATMs permission to withdraw money every time you use them. If they wanted to, they could store the data on the stripe of the card and your pin, and steal all of your money.


That's not worse than doing any purchase at all.

If anything ATMs are the safest and best option available, well, aside from malicious hardware modifications done to them.

Having access to my bank account with all the history is another thing entirely.


I guess our threat models are different. I'm not worried about transaction history as much as being able to drain the account.


Even so, ATMs are much safer than trusting the store clerk and whatever device they use to read your card.

I know some magnetic stripe readers actually imitates a keyboard and just "write" the card info. So if you gave focus to notepad.exe instead all the card info would be dumped in cleartext. "Oh, seems it didn't register, could you swipe your card again?"


“Open Banking is a term that describes a secure set of technologies and standards that allow customers to give companies other than their bank or building society permission to securely access their accounts."

I can't tell if this is super-useful for the end consumer, or just another way for e.g. Google to mine your data in return for some superficial benefits.


The descriptions are so vague, the high ranking beneficiaries of the system are stating so little so long over and over (sounds like using the same bullshit generator with the same parameters) that there must be very very little and uncertain benefits for the users. If they, the insiders of the system, are unable to explain it in plain and simple facts then it must have very little about clients. What I hear? More parties could access (including manipulation!?) your account. More potential source of errors and problems - and possibly malicious actions. If something goes wrong it will be more complex to figure out where the problem was. Tracking who can do what is an added complexity to managing bank matters. All above means lower security. There is a potential that if more work on the same money they will charge more - assuming not doing it for charity but for fee. There must be hell of a heck benefits, increased efficiency to balance that, eventually leaving more at the clients on the disadvantage of he money industry.... doesn't seem a realistic scenario from a money industry initiative. I see better ways to improve banking, especially UK banking - compared to Scandinavia it is in the stone age -, but not through opening up banking secrets to a lot of parties. To me it goes in the other direction. Let me be wrong eventually.


From what I understand the molasses IT departments in these banks will be delivering very little that actually works on Jan 13th but we will see...


Yeah. My impression of HSBC U.K.’s share trading platform was distinctly 1990 era.


In general I loathe HSBC globally. However, FWIW their HSBC UK higher end XML based credit card gateway was the bees knees in about 2009. Best I've seen in my career. Awesome individual fraud rule reporting, total control. We probably had the ass-kicking total package though as I was developing a pan-European solution for a major handset manufacturer.


I've read through their website a few times. Whilst it's easy to find the specs and a list of banks participating - you can even find some example code on GitHub - it's incredibly hard to find out what you actually have to do to be able to access the APIs. I appreciate that banking data is sensitive, but I think the on boarding process could be made a lot clearer.


First you need to be accredited by the FCA, either as a third party provider or as a banking institute.

Not 100% sure what comes next.


UK government is certainly on a good path of improving technological side of it. Along with more and more OpenData initiatives and migrating to FOSS (e.g. LibreOffice) it leads the efforts of many countries.


Anyone know if the plan is to provide an API to the consumer for management of personal finances?


Not right now; at first you'll have to rely on PFM tools built by companies rather than directly.

There is a chance GDPR will give you as an individual more flexibility but it wont be mandated.


That is disappointing. I wonder if anyone is doing the legal analysis on what it would take to be a 'passthrough provider', who would simply wrap it up in an easier API with a simple TOS.



I'm really excited by this (and PSD-2), as a banking API is the last piece of the puzzle to create fully automated businesses.


If you use a modern SaaS account app like Xero you can already access banking records no? What does this give us that you don't already have to fully automate your business?


Sorry, but I can't see the benefit of it. Can anyone show a useful scenario... for the bank account owner?


It would let you see the balance of all your accounts in one place, share data with your accountant or IFA, or apply for a mortgage without those tedious forms as well as photocopies of bank statements, offer proof of income easily, use apps that offer a marketplace for mortgages, savings or other financial services, use apps like xero, mint or Emma with any bank account easily, etc.

It’s an API for your bank, and like stripe being an API for payments, I think it’ll shake up the market a bit. It should make a lot of things easier than before, and force large banks to allow customers to control their data more via authorised apps. It’ll take a while to have any impact though.


I wonder if insurance companies or lenders with start forcing you to give up access to your main bank account in return for lower premium or rates...


If they did, statutory regulation to prevent it would surely follow rapidly, and all they'd do is antagonize people and by extension the government and financial regulators. Doesn't seem like a worthwhile risk for them.


Is there any API in the UK that lets you get the balance of your current account?


You should check out teller.io - they let you have "an API to your bank account"


I haven't seen a Marquee/Ticker on a website for quite a few years.

The "Background to Open Banking" page made the fans start running on my (fairly good) laptop.

If this is a sign of the technology behind it, it's not a good sign.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: