Canada calls screen scraping ‘unsecure,’ sets Open Banking target for 2023

It&#x27;s about time. When I learned that applications like YNAB (You Need A Budget) use services like Plaid to connect to my bank account, and that these services literally take my username and password and <i>impersonate me</i> to get my banking data, I was a little sketched out. I use YNAB every day, and having it connected to my bank account is incredibly useful, but if something goes wrong and Plaid loses my money somehow, is there any recourse?<p>Hopefully individuals will be able to use the Open Banking APIs to access their own data directly, but it looks like accreditation will be required, so probably not.<p>Here&#x27;s the full text of the report: <a href="https:&#x2F;&#x2F;www.canada.ca&#x2F;en&#x2F;department-finance&#x2F;programs&#x2F;consultations&#x2F;2021&#x2F;final-report-advisory-committee-open-banking.html" rel="nofollow">https:&#x2F;&#x2F;www.canada.ca&#x2F;en&#x2F;department-finance&#x2F;programs&#x2F;consult...</a>

As a developer living in a country that has fully implemented &quot;Open Banking&quot;, here&#x27;s a quick setting of expectations for Canadian developers so they don&#x27;t get too excited as I did when this was first being introduced.<p>Open Banking is not, in fact, open in almost any sense of the world. It is standardised and the standards are freely available (&quot;open&quot;), but other than that, you still need to have an official &quot;blessing&quot; to actually access a production API endpoint (even for your own account), you need a legal entity that has some highly specific and entirely meaningless certificates that are hard (and potentially expensive) to get and even after all of that, you&#x27;ll still need to negotiate access with each bank individually.<p>What I imagined when I first heard of &quot;Open Banking&quot; was a public OAuth2 endpoint where I can grant my custom script access to just my bank balance and transaction history (possibly with a change webhook) and have it update my finance tracking database.<p>The &quot;open&quot; part is only relevant to the banks, since they don&#x27;t have to pay royalties for the standard implementing the APIs. For the rest of us, it might as well be SS7.

This may be driven by TD&#x27;s suit against Plaid<p>From this source <a href="https:&#x2F;&#x2F;www.lexology.com&#x2F;library&#x2F;detail.aspx?g=8f56092c-ab40-4ed0-80c6-20a452fcd55d" rel="nofollow">https:&#x2F;&#x2F;www.lexology.com&#x2F;library&#x2F;detail.aspx?g=8f56092c-ab40...</a><p><i>&quot;Users have complained that after connecting their bank accounts, Plaid stores their credentials and uses them to collect 5 years’ of transactional data and continues to track users’ data in future. Users further claim that the data-gathering scheme is not incidental to Plaid’s business model and is, in fact, its “very purpose.”</i>

It’s interesting to me how quickly I’ve soured on the concept of open banking, which on paper sounds fantastic and originally I was very much in favour of. And which I’ve used personally to make it easier to extract my own data for my own use.<p>However more often than not now I’m seeing it used for really invasive applications. Such as when I rented my most recent apartment and they asked to use open banking to verify our finances, which as far as I know would have given them access to every single transaction going back a decade or so. The agent was confused as to why I wouldn’t go ahead with it and ultimately let us opt out, but I do worry that at some point I won’t have much choice but to accept.<p>I’ve also seen credit scoring companies that suggest you’ll get a better credit score if you use open banking to hand over your transactions. I have no need to use that but I suspect others who are desperate to increase their chances of getting a mortgage, etc, won’t have much of a choice.

This sounds so futuristic which is awesome but at the same time banks like Tangerine, which otherwise I have nothing but praise for, don&#x27;t even allow be to use a password more secure than a 4-6 digit numeric passcode. Obviously no 2FA. Sorry, that has little to do with the submission, I just had to vent about banks.

I don&#x27;t know why OAuth tokens aren&#x27;t the default solution to this. BoA recently added this as an option and it&#x27;s way more straight forward than giving my login credentials to Personal Capital or, god forbid, Intuit.<p>edit: Of course it helps if the 3rd parties implement it as well. I revoked access to Intuit but Personal Capital only lets me use my userID and password.

I have some issues with the wording in this article (I work at Plaid and I don&#x27;t think everything it says about us is accurate) but the report is a good thing. Right now we really are dependent on screen scraping at many banks and we&#x27;d much rather use API-based connections to power our services, but so many banks just don&#x27;t provide APIs. I&#x27;m optimistic for an open banking future in Canada and who knows, maybe even the US some day...

The EU has been moving in this direction with PSD2 and it’s been pretty good. Downside is there’s no defacto standard for APIs and each bank&#x27;s development skills vary widely.

Given the tech savvy HN user base I&#x27;m surprised at all the &quot;<i>I&#x27;m surprised these 3rd party services are just impersonating me</i>&quot;.<p>I&#x27;d love it if there were API&#x27;s to access my banking data directly, but failing that I rely on the meager &quot;txn download via csv&quot; my Canadian banks offer (at least).

Brazil started Open Banking at 2019<p><a href="https:&#x2F;&#x2F;www.bcb.gov.br&#x2F;en&#x2F;financialstability&#x2F;open_banking" rel="nofollow">https:&#x2F;&#x2F;www.bcb.gov.br&#x2F;en&#x2F;financialstability&#x2F;open_banking</a>

What&#x27;s open banking? What&#x27;s the context?

Australia is building Open Banking (and generically Consumer Data Standards) APIs on GitHub. <a href="https:&#x2F;&#x2F;github.com&#x2F;ConsumerDataStandardsAustralia&#x2F;standards" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ConsumerDataStandardsAustralia&#x2F;standards</a><p>This is a problem discussed here as well. Generally big banks are advocating getting rid of screen scraping and moving to API but most fintechs are smaller and they don&#x27;t want to change and there is little appetite from Govt. to force them.

The Spectre Salt Edge API does the same. I thought I could use this in Firefly III to automcatically pull my banking data, until I found out they are screen scraping. This is a no go. Unfortunately, the official FinTS APIs available by most banks are incredibly flawed, too. Firstly, a lot of information is not available. Secondly, there is no way to have a &quot;read-only&quot; API key&#x2F;connection. Why is that? I have no idea. There is an Open Banking project in Europe, but it it is far from being ready.

The UK mandated this, possibly the EU also, but it works very well.<p><a href="https:&#x2F;&#x2F;www.openbanking.org.uk&#x2F;what-is-open-banking&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.openbanking.org.uk&#x2F;what-is-open-banking&#x2F;</a>

So glad to see this happening. Screen scraping is unsecure and imo a per account APIkey based solution with a read-only access is the way ahead.

As a developer in Canadian Banking, I wonder how this will affect us.<p>I work for a major bank relevant to this story, and I&#x27;ve honestly not heard anything about it internally.

I built a shopping app with a headless browser 10 years ago. Fun project until any part of a vendor site changed :\

2023? Australia&#x27;s might be finished by then

To everyone in this thread complaining that this is just Canada being Canada and trying to snuff out the upstarts... what the fuck are you going on about?<p>I&#x27;m a US citizen and I want this screen scraping &#x2F; credential sharing &#x2F; whatever you want to call it to die in a fire already. Forcing banks to implement <i>any</i> sort of API access seems both preferable to the dumpster fire we have today, as well as <i>more inviting to upstarts</i>, because right now the only way to be an upstart is to literally ask your customers to violate their bank&#x27;s terms of service.

Nice. Looking forward to 2023.

For those outside of Canada: The Canadian banking industry is <i>highly</i> centralized. This looks like a way to keep more nimble upstarts from actually getting started.<p>(Not directly related, but Revolut recently retreated from the Canadian market, for example.)

I&#x27;m guessing from this that Canada&#x27;s banks are upset about getting their grass cut and are looking to regulate new entrants out of business. That&#x27;s usually what a &quot;made in Canada&quot; solution means.