That is disappointing. I wonder if anyone is doing the legal analysis on what it would take to be a 'passthrough provider', who would simply wrap it up in an easier API with a simple TOS.
I think that will come. It will take a bit of time for comfort to set in (both with the consumer and the banks) but I definitely see this as the first step.
(edit: in addition the PSD2 legislation, and specifically the technical guidance, does touch on concepts like 4th party, relaying parties and technical partners - so the expectation of the regulator is that this will emerge)
I'm struggling with the enterprise-y terminology. It sounds like:
* your bank is an "ASPSP"
* the second party is you
* the company (third party) is the AISP
So each individual company that needs to access your information is an AISP (or PISP for initiating payments)? Your accountant might be an AISP and your water company a PISP? And FCA requirements are (https://www.fca.org.uk/firms/new-regulated-payment-services-...):
"For businesses that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers have no capital requirements and need to meet fewer conditions than authorised firms. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs have to hold professional indemnity insurance (PII). The EBA has developed Guidelines on PII (link is external)."
Correct? This doesn't specifically rule out being a relay, but I guess there is more detail/restrictions in another document.
Teller is interesting; I have some reservations (mostly around the attitude they portray, which is a bit unprofessional) but they have a good vision.
The downside is they are encouraging you to share passwords, as you say, which isn't driving the right customer behaviour.
More critically, in about 18 months the PSD2 Secure Customer Authentication guidance comes into force and this sort of approach (sharing credentials, which everyone basically refers to as "screen scraping" in its various forms) will be disfavoured, to the extent that banks might have to go to great lengths to try and stop it. Teller might have to go forward fighting continual reverse engineering battles.
I think we've independently arrived at exactly the same point with our reservations.
In particular I'm concerned that Teller will have a massive target painted on its back, because it has those full login details - they could become systemically important to the UK banking system, and then perhaps the regulator should step in!
It can no longer be against the terms of service of financial service providers to prohibit sharing the credentials used to access your accounts on their systems?
I have accounts with several banks and other financial services, and I have received various updates to terms in connection with PSD2 over the past few months. However, I don't recall any of them saying it was now OK to share things like passwords or PINs.
Are we talking at cross-purposes here? Encouraging non-experts to share security credentials that give unrestricted access to their accounts with third parties is so obviously dangerous that I find it hard to believe that (a) the financial providers are now required by law to do it, and (b) not a single one of the updates I received from mine drew attention to this in any way that I noticed and recall now.
Surely the entire point of the new access paths under PSD2 is that the financial providers don't have to endorse the dangerous practice, and can instead provide an alternative way to achieve similar results but with much better control and regulation to protect all involved?
What the existing screen scraper companies have done is to make sure the PSD2 directive will allow screen scraping as a fallback method if they are not satisfied with the bank APIs.
That's because the directive is actually a competitive disadvantage for them since they've invested a lot in the screen scraping.
The interpretation is not trivial though. The authentication details in particular are not very clear right now.
We actually don't do this where we have an option to, i.e. with Barclays and Nationwide. Regardless, users giving credentials to 3rd parties is not against the terms of any bank in the EU and it's contrary to EU law for them to make it so. Banks are also on the hook for liability in the first instance and must immediately make good any customer loss, although they can pursue the 3rd party.
Teller isn't part of the PSD2/Open Banking world. They've reverse engineered all the banks' private APIs for their mobile apps, in part because they believe the banks will hobble and cripple the Open Banking APIs because it's in competition with their business model.