lxndryng - a blog by a millennial with a job in IT

The Need for Banking APIs

May 01, 2017

I've misspent a bank holiday weekend trying to make it a little easier for myself to manage my money without having to turn to a plethora of different devices for different pieces of information to do so. The workflow that I have at present involves a mobile phone, a keyfob and between three and five passwords stored in a variety of password managers: clearly, this setup is not something that I particularly ever want to deal with when I just want to quickly check up on my investments or handle the "oh, I've just been paid, I should do my monthly financial tasks" inevitability at the end of each month. I've developed automation for Hargreaves Lansdown, but the security policies of the other organisations I perform financial transactions with don't permit me to take control of my financial affairs in an automated way.

The UK context for opening up banking data

People have been making noise about the lack of APIs in banking, with Payments UK establishing the Open Banking Implementation Entity to develop a set of standards that would be agreeable to banks operating in the UK.

This entity hasn't published meeting notes since October 2016, so who knows what's happening in that space now - given that it was an initiative involving the only people whose IT moves slower than that of government, probably nowhere.

This does seem to be a little bit of a deaf, dumb and blind approach though: projecting massively onto the rest of the population, I don't necessarily need something fancy in this space. The majority of banks provide exports to comma-separated values, Quicken and Microsoft Money formats, which I can then readily interrogate for any information. The issue is that I usually would have to navigate an online bank account interface that hasn't been updated since HTML tables were considered gauche, and I'd have to handle the authentication step of using a multi-factor authentication token, something that can't readily be abstracted away from the concrete implementation of each bank's token generator.

In terms of what is 'real' in this space at present, the API offerings are generally limited to a branch locator, an ATM locator and a product search API (as implemented by RBS and HSBC's banking brands). I appreciate the opening up of this data, but I can already obtain this location data from the Google Maps API and I don't really want to (as an end-user) automate my product selection, given how creative with the truth banks can be about what is truly offered. There seems to be such a gulf between what customers really need, as opposed to what the minimum points of contention between the banks could be. Of course, this is just the cost of trying to get the elephants of the financial sector to move away from the oases they've always known.

So why not do it manually?

I don't want to.

I guess that is the crux of it: I could manually go into the portals of each of my financial service providers and fetch a CSV file, put it somewhere and process it in any way I choose. But I don't want to. I don't want to be beholden to what financial service providers feel I should be able to do with my financial data. Of course, that's always the cost of doing business with anyone, but that would never stop me from being sore about it.

The spectre of multi-factor authentication and corporate inertia

Large corporates aren't the smartest when it comes to security in their customer-facing applications, and I think it would be naive to assert that large financial institutions would be immune to either 1) outright stupidity, as in the linked examples, or 2) groupthink that serves to permeate the entirety of a profession within an organisation.

In the context of multi-factor authentication used by banks, (2) is far more likely to be an issue in providing a good, automatable and secure API service to customers. The typical enterprise "these are the processes we have, they are immutable" inertia and subsequent ennui would be likely to set in: our current service is 'secure', so why would we do anything else? I've seen this time and again throughout my career and it seems to be something that no large corporate is immune to.

The hope that we have to have here is that someone explains how the likes of Amazon's IAM, OAuth or any number of other token-based authentication methods work. I've never had any more faith in a mobile app-based multi-factor authentication token generator than in even the most simple of JSON Web Token generators, so hopefully others could come around to a similar realisation.
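To make the comparison above concrete, here is an added example (my own code, not from the original post or any bank): an RFC 4226/6238 HOTP/TOTP generator of the kind a mobile MFA app runs, beside an HS256 JSON Web Token signer and verifier. Both reduce to an HMAC over a shared secret and some data (a time counter in one case, the encoded claims in the other); the TOTP secret is the RFC 4226 test key, and the JWT key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the same HOTP, with the counter taken from Unix time // step."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(secret: bytes, claims: dict) -> str:
    """HS256 JWT: HMAC-SHA256 over base64url(header) '.' base64url(claims)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_verify(secret: bytes, token: str):
    """Return the claims if the HS256 signature verifies (constant-time compare), else None."""
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm server-side; the token must not choose how it is verified.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
```

Run against the RFC 4226 secret `12345678901234567890`, `hotp(secret, 0)` yields the published vector `755224`, and the JWT verifier rejects a wrong key, an altered payload and an `alg: none` header alike.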

Is there hope for the future?

As far as I can see, my hopes are all pretty much in one basket, and it's not one I'm comfortable with: I'm not one to pin my hopes for change on a so-called 'disruptive' startup; and I'm certainly not one to hope for 'market forces' to pressure the larger players to compete with relatively niche service offerings. That said, Monzo recently being given a banking license, combined with the commitment to their APIs and integration platform that they've demonstrated throughout Beta, does give me some hope. If nothing else, it is a differentiator which may shape the choices I make over who I bank with.

On the investments front, not even Nutmeg appear to want to do anything in terms of exposing APIs to customers, so I may just have to make do with my own wranglings in that space.