Please stop using multiple accounts to promote your stuff on HN. It's against the rules and we ban accounts and sites that do it. Also, HN users notice obvious cases like https://news.ycombinator.com/item?id=27843204 and will flame you if you keep it up.
I'd really like to have a read-only API that is accessible for personal projects to be able to retrieve my own transaction history. Sadly with PSD2 that is (afaik) impossible, or at least pretty close to impossible.
Things like this (nordigen) might "solve" the problem by replacing it with a bigger one: now nordigen (or someone else) has access to all this transaction data and is going to leak it somewhere.
I get why banks are so conservative and bureaucratic, and all this PSD2 security stuff is required. I want my financial data to be secured. But I also want to be able to access it with my own software. Guess I cannot have both, in which case I prefer the first.
I don't think nordigen is a solution (for me) and quite frankly, I find the concept somewhat scary.
It is really terrible that such a service is actually necessary...
PSD2 was a chance to create a standard api for everyone including customers. I still cannot understand how they managed to f it up by limiting access to "trusted companies"
I work at a bank and it's quite simple really. The systems we use at my workplace are so antiquated and wonky that even giving people read access would be a monumental effort. To put it plainly, modernizing these systems takes effort similar in order of magnitude to landing on the moon. Not for any technical reason, but due to the mountains of manual processes and general cruft built up around them. The EU is not deaf to these concerns, and therefore the laws end up falling short for no other reason than that they want someone to actually be able to follow them.
We are talking about things like "make a request at the wrong time and the system will be broken for the next 24 hours, and you are not allowed to speak to the people who know why".
People (myself included until a few years ago) buy into this "banks need to be secure and move slowly to maintain that" but really most of it is due to mismanagement. The "move slowly" is a rationalization.
Oh, I totally agree (started my career in a company that still used VSE/ESA and CICS and sometimes dream about ASRAs).
However, they had to implement modern api-stuff with PSD2 and then they made it strictly b2b-only :-(
Oh I think it's a mix of both. But I do not have your insight ofc, so just guessing.
I think banks should move slowly and pay extra attention to security. Examples like N26 show that not doing so can cause significant issues.
But it's also a great excuse to justify your vintage cruft.
My bank fio.cz provides its own user REST API, so that before you create an API access key, you can select which accounts it applies to and if it's read-only access or not. I don't understand why there aren't more banks doing something like this. Btw the bank also offers PSD2, but I haven't looked into that so far, and I'm not sure if it's actually directly useful for a client. https://www.fio.cz/bank-services/internetbanking-api
I think some banks do offer restricted keys that only allow you to access your own accounts - I think Starling in the UK does this; Monzo used to too, but I'm not sure if that's the Open Banking API, or just another API.
Starling[1] and Monzo[2] have their own APIs accessible to end users which are not Open Banking[3]. Monzo has a separate set of OB APIs and AFAIK Starling doesn't have an OB API as only the big, high-street UK banks (HSBC, Barclays, RBS, Santander, Bank of Ireland, Allied Irish Bank, Danske, Lloyds, Nationwide) were forced to implement the OB spec.
Take a look at https://woob.tech. In a nutshell, it is a bunch of open source python modules which allow you to scrape websites as a unified API (i.e. "bank", "classified ads", "recipes", etc.)
They mostly cover European (especially French, since the original author is French) banks. But they have some US ones.
> now nordigen (or someone else) has access to all this transaction data and is going to leak it somewhere.
You must of course be able to trust the 3rd party, Nordigen in this case. But I don't think their operational license even allows storing your financial data - only proxying requests between you and the bank. So only your bank is even allowed to store your financial data.
But of course you need to be able to trust that Nordigen indeed does not store and abuse your financial data -- just like you need to be able to trust your bank! Bear in mind though that Nordigen is supervised by the same financial regulation authority as your own bank, and if they were caught doing anything shady they would face very serious consequences - not to even speak of staining their reputation, which would be ruinous for a small startup.
tl;dr: Banking is ultimately about trust, and nothing is ever perfect.
You are right, trust is the most important thing here.
But nordigen does not want my money for their service. Instead they want to sell what looks like APIs for ML over your transaction data. So they at least have a good incentive to use my data for training their model.
ofc, I don't know what they do with it, they may be cool ethical ppl just doing a cool thing and my mistrust might be totally misplaced.
But I have to trust another entity that proxies my connections. Another link in the chain.
And I don't really want to hit on nordigen here, as I said, I don't know them, I have not read that whole website and haven't looked in the details.
For me it's more about the general problem. I find it sad that a service like this seems necessary.
Under PSD2 banks are required to give access to the "open" APIs only to audited partners (Third Party Payment Service Provider, TPP). They may give wider access, but most are somehow paranoid about the entire matter.
What PSD2 did is make that Nordigen service possible; also I can see my history from one bank in another. Results (possibilities) greatly vary from bank to bank, but in general at least I can download my data from one place.
I get your complaint, but it's a step forward at least.
I have the same desire as OP to access my own data. I want to build a tool to track my assets. Maybe it's worth building this as open source. Would that be considered "open finance"?
The access to my bank’s PSD2 API is only possible for authorized companies. I assume other banks require the same. They do not want to deal with individuals.
I know. As a dev, I don't like it, but I understand the bank's attitude. That's why individuals will need an intermediary, such as Nordigen (or Tink, Plaid, Truelayer, Ponto).
There was a Show HN a few weeks ago [1] about a script that used Nordigen.
This is from Nordigen's information handling section in TOS, just so people understand what's going to happen with their financial data (I also recommend reading full TOS).
> 2.3. As the Services also allow User to upload Information and/or obtain Account Information and personal data therein, User further acknowledges and agrees that by uploading or entering any Information for the Services and by using the Services, User grants Nordigen permission to make anonymized data based on personal and non-personal data collected from User or through User's use of the Services, and combine such anonymized data with that of other Users in order to make anonymized aggregate data. Nordigen may use the anonymized data and anonymized aggregate data for various business purposes and legitimate interests of Nordigen, including but not limited to improving the Services, developing and improving other Nordigen products and services, and distributing or licensing such data to third parties with whom Nordigen has a business relationship.
A very impressive list! Having worked in the sector I can only begin to imagine the monumentality of this integration task.
I however see that some banks are still missing. How do you deal with those? After all, PSD2 is supposed to give access to all EU banks. Have you encountered any resistance where e.g. banks refuse to open the APIs - the APIs are broken, non-standard, non-existent, or such?
I'm weirded out by PSD2. I see the utility, but there are only so many interested parties able to wield this tool. Its expressed goals are to "improve the security of payment transactions, enhance consumer protection, foster innovation and increase competition on the market".
But looking at open banking APIs all I see are "insight" features for risk assessment and data mining. If I want to make a payment, disclosing that the amount is covered via a boolean would suffice, instead all accounts, transaction history and balances are transferred with some payment initiators. Ready to be scored by a model. It reminds me of private messengers asking for permission to upload all contacts: surely this is not necessary most of the time, but you want to get on with your day and click yourself through TOS dialogues. I need bank account level privacy settings to not accidentally disclose the past 400 days of my financial history.
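Two comments in this thread describe what least-privilege access to bank data could look like: the fio.cz comment above (an API key bound to chosen accounts and optionally read-only) and the point just made here (a payment initiator only needs a yes/no "funds cover this amount" answer, not 400 days of history). The following is an added example, not code from fio.cz, Nordigen or any bank: a toy in-memory bank API that enforces both ideas. The account ids, balances, transactions and scope names are constructed for the demo; keys are stored only as SHA-256 digests so a leaked key table does not leak usable keys.

```python
"""
Least-privilege access to bank data: account-scoped keys and a minimal
funds-confirmation endpoint.  Added example with constructed demo data;
this is not the API of fio.cz, Nordigen, or any real bank.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scope:
    accounts: frozenset        # account ids this key may touch at all
    read_transactions: bool    # may read balance and full history
    confirm_funds: bool        # may ask "does the balance cover X?" (bool only)
    initiate_payments: bool    # write access: may move money


@dataclass
class Account:
    balance: int               # minor units (e.g. cents); constructed values
    transactions: list = field(default_factory=list)


class PermissionDenied(Exception):
    """Raised when a key is unknown or its scope does not cover the request."""


class BankAPI:
    def __init__(self, accounts):
        self._accounts = accounts
        self._keys = {}        # sha256(key) -> Scope; raw keys are never stored

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, scope):
        """Mint a random key bound to the given scope and return it once."""
        key = secrets.token_urlsafe(32)
        self._keys[self._digest(key)] = scope
        return key

    def _authorize(self, key, account_id, permission):
        scope = self._keys.get(self._digest(key))
        # Same error for unknown key, wrong account and missing permission,
        # so a caller cannot probe which accounts exist.
        if scope is None or account_id not in scope.accounts \
                or not getattr(scope, permission):
            raise PermissionDenied(f"{permission} on {account_id!r} not allowed")
        return self._accounts[account_id]

    def get_transactions(self, key, account_id):
        """Full read: balance plus history. Needs read_transactions."""
        acct = self._authorize(key, account_id, "read_transactions")
        return {"balance": acct.balance, "transactions": list(acct.transactions)}

    def confirm_funds(self, key, account_id, amount):
        """Data-minimised check: returns only whether the balance covers amount."""
        acct = self._authorize(key, account_id, "confirm_funds")
        return acct.balance >= amount

    def initiate_payment(self, key, account_id, amount, beneficiary):
        """Write: debit the account. Needs initiate_payments and sufficient funds."""
        acct = self._authorize(key, account_id, "initiate_payments")
        if amount <= 0 or acct.balance < amount:
            return False
        acct.balance -= amount
        acct.transactions.append(("payment", -amount, beneficiary))
        return True


def denied(fn, *args):
    """True if calling fn(*args) is refused by the scope check."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False


def build_demo_bank():
    """Constructed accounts and three keys with different scopes (demo data)."""
    accounts = {
        "ACCT-MAIN": Account(125_000, [("2021-07-01", -4_200, "groceries"),
                                       ("2021-07-03", 150_000, "salary")]),
        "ACCT-SAVINGS": Account(900_000, [("2021-07-02", 50_000, "transfer in")]),
    }
    api = BankAPI(accounts)
    keys = {
        # personal budgeting tool: read ACCT-MAIN only, can never pay
        "budget_tool": api.issue_key(Scope(frozenset({"ACCT-MAIN"}), True, True, False)),
        # merchant checkout: may only ask whether ACCT-MAIN covers an amount
        "merchant": api.issue_key(Scope(frozenset({"ACCT-MAIN"}), False, True, False)),
        # the owner's own payment script: full rights on ACCT-MAIN
        "payer": api.issue_key(Scope(frozenset({"ACCT-MAIN"}), True, True, True)),
    }
    return api, keys


if __name__ == "__main__":
    api, keys = build_demo_bank()
    print("merchant covers 100000:", api.confirm_funds(keys["merchant"], "ACCT-MAIN", 100_000))
    print("merchant may read history:", not denied(api.get_transactions, keys["merchant"], "ACCT-MAIN"))
    print("budget tool may read savings:", not denied(api.get_transactions, keys["budget_tool"], "ACCT-SAVINGS"))
    print("payer paid rent:", api.initiate_payment(keys["payer"], "ACCT-MAIN", 25_000, "rent"))
```

The point of the split between `confirm_funds` and `get_transactions` is that the merchant-style key learns one bit per query and nothing about the account's history, while the budgeting key can read but never move money and cannot see the savings account it was not issued for. A real bank would add rate limiting on the boolean endpoint (repeated queries can otherwise bisect the balance) and an audit log of which key was used for what.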
Mildly interesting: I wanted to see how their newsletter signup flow worked, but on inputting my email and clicking "sign up" I get a jquery $.ajax error. I wonder if they monitor their signups at all (and how long it's been broken).
The rules are at https://news.ycombinator.com/newsguidelines.html and https://news.ycombinator.com/newsfaq.html.
--
For readers: of many past submissions promoting this startup, these look to be the major threads:
Show HN: Connect your bank account to Google Sheets - https://news.ycombinator.com/item?id=27769266 - July 2021 (76 comments)
Nordigen: Free banking data and premium insights - https://news.ycombinator.com/item?id=26375962 - March 2021 (39 comments)