Open Banking is a big buzzword at the moment. It is good to distinguish different aspects of it:
2) Regulation. What you heard as "PSD2" is essentially a directive by the European Commission and EBA demanding that banks open up access to account data and payment initiation. It neither defines by what means this access should be provided nor when it should be available - each European country's central bank can decide on its own.
3) Technical Specification. Examples are the OpenBanking UK specification or The Berlin Group - would be groups of banks or local regulators trying to define common standards. Think of an interface definition that describes both APIs as well as journeys/workflows.
3) Compliance. In the EU some of the banks (mostly large ones) are now required to be PSD2 compliant, which means they would need to expose their APIs through the standards described above. In the US, where there is no such requirement - the only way to access the bank account is to emulate a browser.
4) Third-Party Providers or Aggregators (Plaid, Teller, Tink, SaltEdge, Bud...) - would essentially provide access to the accounts of multiple banks via APIs. If you look at Plaid in the US - their codebase is probably 50%+ screenscraping/user emulation scripts in order to retrieve your accounts from e.g. Bank of America. For the EU fin-techs it's a bit better, but it still depends on the country (remember Berlin Group vs UK OpenBanking?).
> would be groups of banks or local regulators trying to define common standards
Why 'would be' just out of interest?
AFAICT Open Banking is an organisation that has been given a mandate by the UK government, through the competition and marketing authority, and is funded by the nine largest retail banks. In the UK it is the de facto standard, and compliance of the CMA 9 is mandatory.
While there is so far no consistent standard across the EU, at least within the UK this one is set and pretty much non-negotiable.
(Disclaimer - I have consulted with Open Banking and continue to do so, but of course I do not speak on their behalf)
-- edit --
I'm particularly interested in this -
> Third-Party Providers or Aggregators (Plaid, Teller, Tink, SaltEdge, Bud...) - would essentially provide access to the accounts of multiple banks via APIs.
As AFAICT this would be explicitly disallowed unless all the users of said APIs are themselves accredited. You can't just get accredited for PSD2/OB API use, then expose that information to non-accredited entities. If this is what Plaid are doing then I wouldn't expect their accreditation to last all that long.
The scenario is typically the following. After the EU Commission approves the directive, each country has to transform it into national law and define the authority/approach/timelines. In the case of the UK, it's indeed the way you've described.
> As AFAICT this would be explicitly disallowed unless all the users of said APIs are themselves accredited.
In the UK, Plaid would indeed have to follow the OpenBanking regulation and provide access according to the consent of the account owner. In the US they are just storing your password and using it according to their privacy policy.
I'm not sure they would be allowed to provide access to another party at all, if the other party wasn't accredited, regardless of consent.
I'm sure they've looked into this with their lawyers, but acting as an escape route for banking data to non-approved entities is not likely to be smiled upon.
They are allowed to provide access but with a few stipulations:
Firstly, the consumer must be aware that they are sharing their data via Plaid (i.e. Plaid can't hide behind the scenes).
Secondly, there are certain exceptions for needing to be regulated by the FCA - particularly if you don't show any data back to the user.
In practice, it makes sense to be regulated by the FCA regardless because asking to share bank information/transactions with Plaid can turn users off and you're limited with what you can do with that data without being regulated/authorised.
I find that surprising, given the lengths OB go to to ensure that only registered, accredited entities can participate in using their APIs. I'm not saying you're wrong, just that I find it surprising.
(Source, I consult with OB and have a hand in their PKI, I don't speak for them and I'm not part of or informed well about anything to do with the regulatory environment)
"In the US, where there is no such requirement - the only way to access the bank account is to emulate a browser."
Not entirely correct. In the US, JPMorganChase, Intuit, and others have adopted the OFX standard (consortium-based, which provides #2) as a more secure, controlled API alternative to browser emulation.
Like any other entrenched monopolist, Plaid shouldn't want OFX to make it easier for new entrants to enter. Building something to interact with OFX is easier than building a scraper.
There's legitimately no alternative, "secure" way to access someone's banking data other than by asking for a username/password and then 'impersonating' them / asking for 2FA codes etc etc. As a commenter on the issue says, there is no oauth-esque mechanism implemented by banks.
I think plaid is the lesser evil when compared to rolling all of that on your own for N different banking institutions.
If I were Plaid, I would use things like open banking if it's available, because it costs less to implement and maintain than the current HTML scraping norm we have now.
I'm guessing plaid uses oauth & open banking when available, and falls back to scraping when it's not.
What percentage of the world's banks are covered? Or perhaps what percentage of the world's population banks in those covered institutions? Or perhaps what percentage of the total banked wealth (terminology?) is held in covered institutions?
It depends on the audience. Many businesses don't want to restrict themselves exclusively to the subset of UK banks that follow that initiative. And government intervention is hardly a pragmatic solution (how many companies can afford to lobby every government in which they'd like to do business?).
>> There's legitimately no alternative, "secure" way to access someone's banking data other than by asking for a username/password
Not so true under Open Banking and other systems. Open Banking uses OAUTH2 style stuff, and a variety of certificate schemes (Open Banking's own, and EU ETSI qualified certificates) to allow participants to be delegated various forms of access and roles, in a much more granular way.
>> As a commenter on the issue says, there is no oauth-esque mechanism implemented by banks.
There is in the UK, and PSD2 solutions are rolling out all across the EU. Australia is also getting in on the action.
I generally feel that way too, but the US banking system just isn't built for it. It's hard to get too mad at Plaid for spoofing when my checking account's ID number is the only password required for authorizing electronic transfers.
It looks OK if you have your browser set to the default 16px font size. If not, that page might not look good at all, because unfortunately it uses a fixed line-height but keeps the browser-configured font-size.
I found that sans-serif body face to be quite difficult to read; the letters seem too 'fat' or the kerning is slightly too wide, I cannot decide which.
A lot of people in England have long pleaded with the SNP to stand in English seats rather than just Scotland, because of their other views, so it would not be so strange to see one of the other "regional" parties decide to try to increase their influence by standing throughout the UK.
From what I gather, green policies and opposition to austerity are higher up on the Plaid agenda than Welsh independence right now, so the objective of your hypothetical expansion would pretty much be to duplicate the green party.
I'm en-gb native and I pronounce both of those pretty close to "played" though in the case of the political party it's quite near to "plied" too, think "played" but in a Brum accent.
"Plad" [i.e. tartan-y cloth] is the USA pronunciation to me; which I assume is what you mean in your second sentence?
It's from the Gaelic word "plaide" which rhymes approximately with "badger" in most English accents, and means blanket. "plad" is the preferred pronunciation of the English loan word. English spelling is a mess, so mistakes are understandable.
"Plaid" in "Plaid Cymru" is pronounced like "plied" in English.
Normal people can't just hit their bank for an API key; it's designed for regulated third-party services and banks to have a common API to talk to each other that has to comply with the spec (I think, at least this is my understanding of it anyway).
note: I'm aware some of the challenger banks here (Starling etc) have a developer API, but that's their own offering
Open Banking means you can access your own bank's API; however, if you have a lot of customers and you need to access lots of different APIs from different banks, then you use an intermediary 3rd party, e.g. TrueLayer, and you use their API to access the open banking API of the customer's bank.
It could provide a useful shared API for all the countries it covers. I also think there's a non-trivial certification process which would be onerous for a small startup.
Presuming you are from Plaid - can you tell me what your position is on what I think I'm seeing - OpenBanking APIs opened up to non-accredited organisations using yourselves as a gateway - and whether that's in keeping with your accreditation?
I.e. the APIs available in the UK are designed to open data up to competition, but only within the limits of those orgs that are FCA accredited for PSD2 roles of various sorts. Are you allowed to let others piggyback on those?
Plaid has registered as an AISP ('Account Information Service Provider'), which means that they can register for and use the Open Banking APIs provided by UK banks.
These APIs use an authorisation flow similar to what you see when you 'Login with Google' or 'Login with Facebook'. At some point in that flow, you are redirected to your bank's web site to allow access, and to select the account(s) for which you are allowing access. At this point, you are on your bank's web site, you can check the URL to make sure you're not being phished.
On the face of it, it seems like any company that's building on top of bank transaction data should just register as an AISP themselves, as the integration with Open Banking APIs doesn't look that complicated. But Plaid is one of a number of third parties that insert themselves in between.
In general these services suggest some combination of (i) easier integration, i.e. less development and maintenance, (ii) additional intelligence on top of the raw data, e.g. categorisation of transactions, (iii) no need for maintenance.
There's one obvious con: the AISP's logo has to be shown in the authorisation flow. So, even if your users know you, they might not be willing to share their information with 'Plaid' or whichever third party AISP you've chosen.
I don't know how real the development/maintenance/integration issues are. I could imagine that registering with 30+ banks and testing your code against all of them might be a hassle. But if their API backends all behave in the same way, then maybe you just need configuration parameters for the endpoint and token(s). If their backends have slightly different behaviour, though, then perhaps you need to branch your code based on the bank.
One thing that's encouraging about Plaid entering this space: their free tier appears to support up to 100 bank accounts for free. This should be enough for anyone who wants to set up their own self-hosted Mint equivalent. And, if all the accounts are in the UK, then you're giving Plaid just read-only access to your accounts, which is much less of an issue than providing your login credentials to them or another party.
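The redirect-based authorisation flow described in this comment, as an added example that is not part of the original thread nor any bank's or Plaid's code: a client-side check that the authorisation URL really points at the bank's own server over HTTPS, and that the callback is bound to the browser session by the OAuth2 `state` value. The bank hostname, the registered redirect URI and the sample authorisation code are constructed.

```python
# Added example (not from the thread): validating the redirect-based
# authorisation flow a UK Open Banking / OAuth2-style client goes through.
import secrets
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: the bank authorisation server(s) the client expects
# to send the user to. A real client would take this from the bank's
# discovery document or directory entry, never from the incoming request.
BANK_AUTH_HOSTS = {"auth.examplebank.test"}
# Constructed: the redirect_uri this client registered with the bank.
REGISTERED_REDIRECT_URI = "https://app.example.test/callback"

def new_state() -> str:
    """Unguessable per-request value that ties the callback to this session."""
    return secrets.token_urlsafe(32)

def check_authorization_url(url: str, expected_state: str) -> bool:
    """True only if the URL the user is about to be redirected to is the
    bank's own authorisation server over HTTPS with the expected parameters.
    This is the programmatic form of 'check the URL before you log in'."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in BANK_AUTH_HOSTS:
        return False            # look-alike or HTTP host: refuse to send the user there
    if u.username or u.password:
        return False            # "https://bank@other.test/" style userinfo tricks
    q = parse_qs(u.query)
    if q.get("response_type") != ["code"]:
        return False
    if q.get("redirect_uri") != [REGISTERED_REDIRECT_URI]:
        return False            # the code would be delivered to a different endpoint
    return q.get("state") == [expected_state]

def check_callback(url: str, expected_state: str) -> Optional[str]:
    """Validate the bank's redirect back to the client. Returns the
    authorisation code, or None if the callback must be rejected."""
    u = urlparse(url)
    if f"{u.scheme}://{u.hostname}{u.path}" != REGISTERED_REDIRECT_URI:
        return None
    q = parse_qs(u.query)
    if "error" in q or not q.get("code"):
        return None             # user declined at the bank, or no code present
    # A state mismatch means this session did not start the flow (CSRF /
    # code injection); constant-time compare so timing leaks nothing.
    got = q.get("state", [""])[0].encode()
    if not secrets.compare_digest(got, expected_state.encode()):
        return None
    return q["code"][0]
```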
Teller is a system which relies on screen scraping and taking your passwords (AFAICT, though the comment below says they use the mobile APIs, it's much the same regardless).
In the UK this is no longer necessary, and FCA accredited organisations (or qualified organisations from across the EU) can gain access to bank APIs which allow much easier, programmatic access with much more granular access and far fewer security implications.
IIRC teller have also been subject to blocking and possible lawsuits from various banks for their scraping activities and are not well liked in the industry.
(--edit-- I am rate limited here so cannot respond below, just to say that if OB APIs are not performant, that'll likely be down to the participating banks. I would expect them to improve over time.
I'm not trying to say teller is illegal - I doubt very much that it would have survived this long if it were illegal - simply that the security model is not so great and the banks don't like it and continue to try to block it. 'Stevie' would probably do well to get himself accredited before the banks find a way to keep him out permanently.)
>In the UK this is no longer necessary and FCA accredited organisations (Or qualified organisations from across the EU) can gain access to Bank APIs which allow much easier, programmatic access with much more granular access and far fewer security implications.
I don't have a horse in this race, but in my experience the Open Banking APIs are: