- cross-posted to:
- personalfinancecanada
- cross-posted to:
- personalfinancecanada
Open banking works by giving consumers the option to share their banking data with other firms. The most common use is granting access to budgeting or money management apps and companies, so that a customer can pool different bank accounts and credit cards into one place.
Ah yes, finally what we’ve been missing in our financial system! 🤭
I’ve known some guys that are working for one of those “Financial data brokers” like the one Mint uses.
I thought that there was something fancy to actually link your bank account and whatever budgeting app you want to use, like some Oauth or API token…
In reality, you basically give your (plaintext) credentials to this entity which then uses them to open a session with your bank and parse the webpage. If there was some MFA used it forwarded the request back to you and if there was some robot check blocking the connection, they would have employees take control of the session and do the physical clicking on the webpage…
Not saying that all Fin data brokers work like that, but I can confirm that’s the way one of the major ones did work internally 4-5 years back .
That was my impression too. Banks don’t have such APIs and it seems like they’re regulated not to. Terrible, insecure smoke and mirrors. This is why I never gave my credentials to any such company. If I have them my credentials, then they would be me.
The regulation is the IIROC Dealer Member Rule (DMR) 3200 A. 1.(b) (i) which prohibits IIROC registrants (brokerages) from allowing their clients to use their own automated order systems to generate orders. So just clarifying that its not illegal because it’s unsafe, just that they dont want us to give an app our credentials that does algorithmic trading on our behalf. Their reasons, i dont know.
The problem is Plaid et al are forced to scrape webpages because banks dont offer an alternative. Banks currently hold the user liable for sharing their password if theres a breach, but this new open banking legislation will shift that liability to plaid/third parties.
Still definitely works like that. It’s a massive security issue.