Open banking works by giving consumers the option to share their banking data with other firms. The most common use is granting access to budgeting or money management apps and companies, so that a customer can pool different bank accounts and credit cards into one place.
Ah yes, finally what we’ve been missing in our financial system! 🤭
I get that this doesnt matter for a lot of people, but i specifically chose my bank because it had close ties with Plaid (API aggregator) - the closest we currently have to open banking. To me, it just seems so fundamentally simple to be able to offer a way to export your own transaction information to whoever you agree to share it with. Boggles my mind that we dont have this already.
In Canada, the thing that makes people hesitate when giving financial data to an app is where liability sits when sharing your account details. Right now, because i’m sharing my credentials with Plaid some banks would refuse to reimburse you if you were subsequently hacked - regardless of the leak source. When open banking legislation comes into effect, this liability will be shifted to the data brokers (plaid), and potentially also the thrid party applications that do things with your financial data.
That was my thinking 10 years ago. Today I wouldn’t want anything but heavily regulated banks to touch my financial information. Even if some third party is carrying the responsibility for fraud. Having worked at both small and large tech companies as well as one of the big five, I have very little faith in some random tech limited liability to be able to pay up if something bad happens. That’s not to say I’m super confident in the banks either, just that they have way more money, are pressed hard to do infosec and have government backing if and when shit hits the fan. It’s possible that the gov’t would require some hefty bags of money and liability guarantees from the third parties to allow them to participate in the new system which would could make things better. Now that I think about it, I bet the big five have made sure the conditions are as onerous as possible in order to reduce any actual competition as much as possible. :D
I have very little faith in some random tech limited liability to be able to pay up if something bad happens. That’s not to say I’m super confident in the banks either, just that they have way more money, are pressed hard to do infosec and have government backing if and when shit hits the fan.
Agreed, peering behind the veil of any organization will probably result in a loss of confidence. And to be fair, I do have concerns about this ultimately being 100% private and secure, but I’m mindful that perfection shouldnt be the enemy of progress. I have confidence that there is a relatively safe way to implement this. We’re not the first in the world to do it, and thankfully we can look to other jurisdictions to see where the risks are.
Now that I think about it, I bet the big five have probably made sure the conditions are as onerous as possible in order to reduce any actual competition as much as possible. :D
They’ll undoubtedly speak with banks when the legislation passes and regulations are being drafted, and a part of me hopes that the big dinosaur institutions we have realize deep down that they need to enter the modern world.
Banks are competition in the sense that they have competing interests, but not in the sense that are offering a comparable product. If my bank was actually interested in building an app that would help me wrangle and take control of my spending habits, they would have already built it with a couple devs like all these other apps popping up.
Can’t wait to be “agreeing” to share my bank statements under duress going forward. Everyone who thinks your money is theirs, and that you’re just an inconvenient transfer medium, is going to be on this train.
Companies capitalizing on convenience is not new. If you want to go to the ultimate end of the spectrum where you don’t need to give up any info to a third party, open source applications have you covered. Firefly iii, Actual Budget to name two with existing bank integrations.
It comes down to your personal risk tolerance and appetite. If you have no tolerance, don’t take the risk and stick with your convictions instead of grumbling that you had to give your bank statements to download a scammy Tetris app.
I think the point was that we don’t want to provide the intimate minute details of our private spending to everyone who asks, lest we risk judgement by the same fools who lob the “well if you have nothing to hide” fallacy.
I worry that either externally or internally you’ve set up a false dichotomy here.
A faster way for the elderly to export their financial data to scammers! A new attack surface for data mining shit-fuckers! A faster way to calculate the spending limits of a “customer!”
On one hand, I’m excited for the possibility of a completely self-hosted and local Mint alternative. On the other hand, this bit is concerning:
One of the biggest areas of growth is in credit assessments. Under open banking, lenders could directly access an individual’s banking data, so they can look beyond credit scores. Consumers can also use it to build their credit scores, for example by proving reliable rent payments.
If this comes to fruition, it’ll likely become mandatory for everyone to provide this data when applying for loans of any kind or to rent some place. Hopefully, they’ll have something set up so that you can share specific transactions instead of having to share everything.
Yeah. Not opening the Banking Kimono will bring looks of distrust.
The most common use is granting access to budgeting or money management apps and companies, so that a customer can pool different bank accounts and credit cards into one place.
I’m confused dude, we can already do this?
I’ve known some guys that are working for one of those “Financial data brokers” like the one Mint uses.
I thought that there was something fancy to actually link your bank account and whatever budgeting app you want to use, like some Oauth or API token…
In reality, you basically give your (plaintext) credentials to this entity which then uses them to open a session with your bank and parse the webpage. If there was some MFA used it forwarded the request back to you and if there was some robot check blocking the connection, they would have employees take control of the session and do the physical clicking on the webpage…
Not saying that all Fin data brokers work like that, but I can confirm that’s the way one of the major ones did work internally 4-5 years back .
That was my impression too. Banks don’t have such APIs and it seems like they’re regulated not to. Terrible, insecure smoke and mirrors. This is why I never gave my credentials to any such company. If I have them my credentials, then they would be me.
The regulation is the IIROC Dealer Member Rule (DMR) 3200 A. 1.(b) (i) which prohibits IIROC registrants (brokerages) from allowing their clients to use their own automated order systems to generate orders. So just clarifying that its not illegal because it’s unsafe, just that they dont want us to give an app our credentials that does algorithmic trading on our behalf. Their reasons, i dont know.
The problem is Plaid et al are forced to scrape webpages because banks dont offer an alternative. Banks currently hold the user liable for sharing their password if theres a breach, but this new open banking legislation will shift that liability to plaid/third parties.
Still definitely works like that. It’s a massive security issue.
Can’t imagine I’d take advantage of it. I’m still waiting on a postal savings system in Canada.
I can export information from all financial institutions and import it to GNUCash. But I don’t need to because I actually use it for double entry bookkeeping and add all the transactions myself. This lets me catch when a financial institution messes up in one of the myriad of ways they tend to do.
The last thing I want is other entities being able to pretend they’re me legally.