
So you need to be vetted and approved before being allowed access to some of people's most private and secure data.

Why is this a problem exactly?



My problem is that it does not even allow access to your own account. Nobody has a problem with access to others' accounts being regulated. I just want to do whatever I want with my own account.


If you are allowed to access your data, then you can grant that access to third parties (pass along the API token). I happen to think that is great, but we live in a time where the idea of my sharing my Facebook account with an app is considered a problem, because it has a list of my friends.

My financial history contains a lot of metadata about third parties.

This is exactly the intersection between this overly strict interpretation of privacy and my right to share my side of the data with third parties.


At the moment you can already grant third parties access to your data - you can pass along your online banking credentials and they will scrape the web UI (there is an entire industry built on that - companies like TrueLayer will take any bank’s credentials and some cash and give you JSON in exchange, scraping the online banking UI behind the scenes).

Stupid people will be stupid and will find a way to shoot themselves in the foot; doesn’t mean I should be prevented from accessing my own data.


You are not and were never prevented from accessing your own data. You keep repeating that while also mentioning you have options to access it.

You may not like the options you have to access that data because you have different needs than most other people. But insisting you're not allowed feels like more than just exaggeration.

Open banking means it's not 100% proprietary and exclusive to each bank; it doesn't mean they have to open all doors and say "do what you want, I'm not even here". Regulation is there for a reason, especially when dealing with such sensitive topics. You get access but you have to meet some conditions, and the bar will be set according to the sensitivity: confidential personal data and actual money? It's going to be pretty high.

People are more than happy to blame regulators when they fail to put measures in place to protect people from major issues but will complain nonetheless if the regulation is there.


I am prevented from accessing my own data. A lot of banks' online banking is absolutely awful and doesn't go back more than 3 months' worth of transactions.

Thankfully none of this bullshit actually applies to me (I use Monzo Bank which does have an API) but I feel the pain for everyone else.

> it doesn't mean they have to open all doors and say "do what you want, I'm not even here"

So hold on, does this mean we now need regulation on how we can use cash? Because at the moment, stupid people can withdraw all their cash and throw it away, and nobody is there to prevent them from doing so.

How about we let people be responsible for their own data, and let them do whatever they want with it?


> online banking is absolutely awful and doesn't go back more than 3 months

It doesn't mean you can't request it directly with the bank. It is more cumbersome but they have to be able to provide that data as far back as the country's laws require them to keep it.

It's just that usually data older than 12-24 months is archived and I can guarantee you no API no matter how open it is will allow you to get the data directly from the archive. That's not what the system is meant to do. You'll still get 1-3 years but using a generic app instead of a proprietary one. And you just moved the goalposts.

> So hold on, does this means we now need regulation on how we can use cash?

Moving your own cash has always been your business. But touching someone else's cash or account has always been regulated, yes. Some companies manage to exploit some gaps in that regulation and give you something, but that's not because they should, it's because they can :).

Let me give you an example: you can treat your illness as you please. But if you want to treat other people's illnesses you need a medical degree. A pretty high bar. Unfair, right? :)

> How about we let people be responsible for their own data, and let them do whatever they want with it?

You're basically advocating for the removal of most regulation anywhere. I'm not sure you understand the implications. Which makes me think you'd be the first one to complain that nobody put rules in place so you don't get bitten, just as soon as "being responsible" bites you back.


My Monzo API allows me to go back to when I opened the account (back then it was just a prepaid card) in 2016. Somehow they are able to get the data directly from this "archive" which frankly shouldn't exist - Facebook is able to look up stuff from 10 years ago instantly - don't tell me a bank can't do the same.

> But touch someone else's cash or account has always been regulated, yes

My argument here is about my own account. I'm even happy to send a letter stating that I am not an idiot and assume all responsibility just to get a personal access token.

> You're basically advocating for the removal of most regulation anywhere

I'm not advocating for no regulations everywhere - some stuff absolutely does need to be regulated, like massive tracking across the web. However when the user is in control and is knowingly handing over the key to their account, I'm happy for there to be no regulations. Same way nobody is preventing you from handing over your house keys to someone.


> Because at the moment, stupid people can withdraw all their cash and throw it away, and nobody is there to prevent them from doing so.

This is not actually a real world problem though. If it were it would likely be addressed.

Why do so many people think only in theoretical extremes?


I don’t see account access being abused either. People could already be giving out their credentials, but somehow it’s not happening, so I don’t see the argument against personal access tokens.


> People could already be giving out their credentials, but somehow it’s not happening,

It is, people often get scammed into giving access to their accounts. Having more locked-down APIs is a way to move off from this.


They are not using APIs to begin with. I'm not sure what else is there to lock down.

Maybe we should just let idiots be idiots, and natural selection (or in this case, financial selection?) do its thing and the problem will go away eventually?


> They are not using APIs to begin with. I'm not sure what else is there to lock down.

It's a bit like getting your app from the app store, or system repository, rather than downloading a random exe from the internet. Apple's walled garden comes in for a lot of criticism, but it does stop a lot of crap getting through. Getting your PSD2 enabled, regulated app from a curated list rather than any random piece of crapware is the same sort of idea.

> Maybe we should just let idiots be idiots...

Eh, if that was going to work it would have done by now. They'll only become a burden on the state.


> My problem is that it does not even allow access to your own account.

Here, use our application to aggregate data about your financial history, just give it access to your data and it'll give you all sorts of useful stats.

Do not look behind the curtain, we're definitely not snaffling your data and giving it to anyone we feel like...

--edit-- The number of people who would be competent to write their own API-using software is pretty tiny as a proportion of the population. If you allow people access to their own account data via an API then they will seek out software to help them access it. The regulations are about who can produce and distribute such software.


> If you allow people access to their own account data via an API then they will seek out software to help them access it

Is that a bad thing? How about we let people do whatever they want with their data?

Not to mention the lack of APIs doesn’t stop this - there is an entire industry built on top of scraping banks’ web UIs. Companies like TrueLayer will happily take online banking credentials and provide you with an API, scraping the bank’s UI behind the scenes. A lot of financial aggregator apps have been using it for ages now.


> Is that a bad thing?

Of course not. But it makes sense to ensure that the vendors of these products are FCA approved.

> How about we let people do whatever they want with their data?

For the same reason we can't have quite a lot of other nice things - scammers and shysters will take advantage.

> there is an entire industry built on top of scraping bank’s web UIs.

There is, and now you can have a choice - a well functioning, secure ecosystem with oversight, or giving your login credentials to some third party to abuse as they see fit.


> For the same reason we can't have quite a lot of other nice things - scammers and shysters will take advantage.

In that case, let's get rid of cash, cards, and frankly everything, because otherwise scammers will take advantage.


Allowing anyone to use any software to access their banking data would allow them unprecedented abilities to automate, and attack.

I'm sorry if you don't feel that's adequate. Perhaps you should have a conversation with one of the many people that object to OpenBanking because it's far too permissive and they don't want the possibility of any third party getting their banking data, ever, oversight or not.


> Allowing anyone to use any software to access their banking data would allow them unprecedented abilities to automate, and attack.

In certain countries (Germany, etc) there are actually open protocols (FinTS/HBCI, etc) that banks conform to and allow any software to gain access to the accounts provided the proper credentials are supplied, and it doesn't look like the world has melted down.


AFAICT FinTS wasn't ever massively widely supported and has never been fully implemented, there seems to be little information about it at all.

What info I can find appears in discussions related to PSD2, and one presumes there are reasons the EU didn't pick up that model but issued what it did.

One of the projects using these protocols seems to be openbankproject.com, but they have their apps go through approvals as well, using OAuth flows in a similar way to OpenBanking in the UK.

Eh. I don't really see how, even from your perspective, you can be against PSD and Open Banking - it forces all banks in the EU to open up more than the vast majority do now.


To be fair, I am not against open banking - it’s definitely a step in the right direction. But I just want people to know that it’s not a silver bullet and it’s got many shortcomings. It’s definitely not the solution to the lack of bank’s APIs, and more needs to be done.


Do you think it's appropriate that an app doing something as trivial as calculating how much you spend on Starbucks each month is now a regulated activity? I don't.


If that app has access to all my other transaction history, maybe a little, yes.

