Monzo's view and plans for PSD2

From what I have read and know about PSD2, this could cause a problem for banks that have an API that doesn’t conform to the (yet to be agreed) standards. :rage:

There is a good blog post written by Chris Skinner (https://thefinanser.com/2017/05/fintech-versus-banks-round-one-psd2.html/) on a new campaign being run by some European FinTech start-ups, who are looking to challenge PSD2.

My question is, what are Monzo’s :monzo: thoughts on PSD2, and are there any plans in place around the API should they be made to conform?

2 Likes

I wouldn’t claim to be an expert on this area, but while we’re waiting to see whether Monzo has a response to this, here are my thoughts.

The issue that these FinTech start-ups are complaining about is proposed changes to the regulations which would prevent them from doing screen scrapes of banks’ websites.

In the complaint that’s quoted in Chris’ blog, they say that

Direct Access is a secure technology that has been used for the last 15 years by both European Fintechs and Banks to provide AIS and PIS services to millions of consumers. With several hundreds of millions of successfully initiated payment and aggregation services provided, there hasn’t been, until this day, one single documented incident of data fraud or compromise of personal credentials.

but it doesn’t seem like a huge stretch to imagine that a 3rd party storing & using a customer’s credentials, in order to log into their bank’s online banking account on their behalf, may not be the most secure way to handle access to their data.

It’s certainly very different from one of the examples of a use of screen scraping that they mention

Online travel: Search and provision of travel options from multiple different providers through one interface

which is accessing public data.

On the other hand, the introduction of the Open Banking Standard, which Monzo are fans of (or at least, they were back in Feb 2016), should enable aggregators to access customers’ data from banks’ APIs through a secure protocol like OAuth2.
Chris points out that the banks probably won’t make access to customers’ data easy. And obviously this data would be formatted differently & there would be work involved in retrieving it, so I assume that the cost & time implications are a significant motivation for this complaint. But in my - not so expert - opinion, using OAuth2 seems like a more secure approach & I can’t see why aggregators wouldn’t be able to pull the data from the APIs instead.

Monzo aren’t screen scraping customers’ data from their legacy bank accounts & as far as I know, they haven’t mentioned that they have any plans to aggregate their legacy bank data. But if they did, I expect they’d retrieve it from these new open APIs - rather than screen scraping - so I don’t see any reason why they’d be bothered by the changes that’re being proposed for this regulation.

Since Monzo’s API will be open anyway, I wouldn’t have thought that PSD2 will cause major issues either.

But I could be overlooking something here :slight_smile: what’re your thoughts on this?

2 Likes

One use for this API by Monzo or anyone else targeting customers of legacy banks could be migrating transaction histories when opening a new account. I think this may have been mentioned previously here but I can’t find it right now.

1 Like

Given that Monzo is very much API-centric (and has an open API already, as @alexs points out), I don’t think it would be too much of a problem to make certain changes should they be required for conformity to new PSD2 standards. The API is already very feature rich, but APIs are good and extensible and versionable, so an API-first approach should in fact put Monzo in an excellent position to lead the way and set an example for others.
Should the incumbents try to make things difficult for “would-be” API users, I can’t help but feel that this would be very foolish, as it will limit them from evolving and offering integrations that are, I believe, the future of banking. It would be a little like trying to resist streaming video as Blockbuster tried to a few years ago… …who’s Blockbuster? :smile:

1 Like

Nice reply Alex!

The only point I would add to your point “using OAuth2 seems like a more secure approach & I can’t see why aggregators wouldn’t be able to pull the data from the APIs instead.”:

As far as I can see from this area, most consumer aggregator services are actually using data aggregators behind the scenes (e.g. Yodlee) as opposed to directly integrating with or scraping bank sites.

What I would expect when PSD2 comes into effect is that Yodlee integrate the APIs and handle any data cleaning etc., and the end-consumer aggregators just update their single integration to Yodlee (plus change the experience to use OAuth). This should add even less burden on the aggregators.

1 Like

What a timely post! We are planning to publish an update on our API plans this week or next on our blog.

Uncertainty around obligations on us and the developers after PSD2 is implemented in the UK is one of the main reasons we have chosen not to push our API strategy very hard, yet. Developers are currently able to build apps for their own personal use, but we don’t let just any Monzo user use these apps, yet.

7 Likes

What about people like Bud, developers who intend to make a product available for the wider public?

I have spoken to them and they have said that they are literally waiting on yourselves for the keys to the API and are dubious as to whether you will give these out or not.

Even without the regulations, the open API is a core part of Monzo’s strategy -

Tom also commented on the risk of a third party stealing customers because of the open API in this video (at 21:05) -

There’s more details about the concerns & proposal in this week’s FinTech Insider podcast. Again, it sounds like it’s only the screen scrapers that have an issue in this instance -

https://11fs.com/podcasts/ep250-liked-shouldve-put-blockchain/

The inability to use screen scraping is irritating, but completely forgivable if similar levels of access will be available through better means of authentication (e.g. OAuth2 with the ability for the customer to revoke application access at any time would be much better than having TPPs store customer passwords). “You’re not allowed to screen-scrape and you can’t use our API unless you fill out 3 million pages of paperwork” would be very frustrating, though.

1 Like

I think that campaigning for screen scraping to be allowed is probably short-sighted. I would never provide a third party with my bank login details, and this has in fact prevented me from trying out some of these new aggregator products. But it requires a level of trust I simply don’t have in some random start-up. If it is under a regulated scheme using tokens such as OAuth2, I’d be much more likely to try. It’s akin to the direct debit guarantee – this way I know I’m not opening myself up to significant liability should something go wrong. So I think that by moving away from screen scraping, the potential market will greatly expand for a lot of these products.

3 Likes

And this is precisely why I don’t think screen scraping should be blocked by regulations :slight_smile:. Once banks provide open OAuth interfaces, TPPs will switch to using them (nobody wants the responsibility of storing users’ security credentials, and the requirement to update back-end software every time a bank changes their online banking interface, especially compared to access via a documented and (hopefully!) stable API). Once TPPs start using OAuth, providers using screen scraping (and who aren’t prepared / willing / able to switch) will be abandoned by consumers, because OAuth tokens are nice and easily revocable, and giving people your password isn’t nice or (particularly) easily revocable.
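The revocation argument made in the two posts above (scoped, revocable tokens versus a TPP holding the customer's online-banking password) is easy to make concrete. The following is an added illustration written for this thread; it is not Monzo code and does not reflect any real Open Banking or PSD2 API, scope names or endpoints. The scope names "accounts:read" and "payments:write", the client identifiers, the in-memory stores and the injectable clock are all assumptions made up for the example.

```python
"""Toy comparison: OAuth2-style scoped bearer tokens vs. a screen-scraping TPP
that replays the customer's real password. Everything here is constructed for
illustration (scope names, clients, stores); no real bank API is modelled."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    client: str          # the TPP the customer consented to (hypothetical names)
    scopes: frozenset    # hypothetical scope names, e.g. "accounts:read"
    expires_at: int
    revoked: bool = False


class AuthServer:
    """The bank side of an OAuth2-style flow: issues and validates tokens.
    Only a SHA-256 of each token is stored, so a leaked grant table does not
    yield replayable credentials."""

    def __init__(self, now):
        self.now = now          # injectable clock (seconds) so tests are deterministic
        self._grants = {}       # sha256(token) -> Grant

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, client, scopes, ttl):
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = Grant(user, client, frozenset(scopes), self.now() + ttl)
        return token

    def revoke_client(self, user, client):
        """What the customer does from their banking app: withdraw one TPP's
        consent. Other clients and the customer's own password are untouched."""
        for g in self._grants.values():
            if g.user == user and g.client == client:
                g.revoked = True

    def authorize(self, token, required_scope):
        """Resource-server check for one API call. Returns (allowed, reason_or_user)."""
        g = self._grants.get(self._key(token))
        if g is None:
            return False, "unknown_token"
        if g.revoked:
            return False, "revoked"
        if self.now() >= g.expires_at:
            return False, "expired"
        if required_scope not in g.scopes:
            return False, "insufficient_scope"
        return True, g.user


class Bank:
    """Minimal password login, as a screen scraper would drive it. Toy hash only;
    a real system would use a slow password hash such as argon2 or bcrypt."""

    def __init__(self):
        self._pw = {}

    def set_password(self, user, password):
        self._pw[user] = hashlib.sha256(password.encode()).hexdigest()

    def check_password(self, user, password):
        stored = self._pw.get(user, "")
        return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


class ScrapingTPP:
    """A screen-scraping aggregator keeps the customer's actual password and
    replays it. It gets everything the customer can do (no scope restriction),
    and the only way to cut it off is a password change, which also cuts off
    every other party holding that password."""

    def __init__(self):
        self._stored = {}

    def store(self, user, password):
        self._stored[user] = password

    def login(self, bank, user):
        return bank.check_password(user, self._stored[user])


def consent_withdrawal_demo():
    """Two TPPs per model; the customer wants to drop only the second one."""
    clock = [1_000]
    srv = AuthServer(lambda: clock[0])
    keep = srv.issue("alice", "budget-app", ["accounts:read"], ttl=3600)
    drop = srv.issue("alice", "shady-app", ["accounts:read"], ttl=3600)
    srv.revoke_client("alice", "shady-app")
    oauth = {"kept_ok": srv.authorize(keep, "accounts:read")[0],
             "dropped_ok": srv.authorize(drop, "accounts:read")[0]}

    bank = Bank()
    bank.set_password("alice", "hunter2")
    keep_tpp, drop_tpp = ScrapingTPP(), ScrapingTPP()
    keep_tpp.store("alice", "hunter2")
    drop_tpp.store("alice", "hunter2")
    bank.set_password("alice", "new-password")   # the only revocation available
    scraping = {"kept_ok": keep_tpp.login(bank, "alice"),
                "dropped_ok": drop_tpp.login(bank, "alice")}
    return oauth, scraping
```

`consent_withdrawal_demo()` returns `({'kept_ok': True, 'dropped_ok': False}, {'kept_ok': False, 'dropped_ok': False})`: with tokens the customer removes one TPP and keeps the other, while with replayed passwords the password change breaks both. The `authorize` check also shows why scoping matters: a token issued for `accounts:read` is refused for `payments:write` even before it expires.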

Interesting to see Chris Gledhill (CEO of SECCO) posting his thoughts on screen scraping on his LinkedIn page yesterday:

The European Banking Federation (EBF) has asked the EU Commission to support a ban on “screen scraping”, against advice from the European Banking Authority (EBA). It could be argued this is to protect consumers from the negative aspects of screen scraping (sharing login credentials) but I think it has a lot more to do with protecting the new PSD2 API standards coming in next year and exerting more control and surveillance on the movements of money and data.

1 Like

(emphasis mine!) You talk about that as if it’s a bad thing?

No, I don’t; Chris Gledhill wrote the article.

Here’s the latest on this - no screen scraping :thumbsup:

1 Like
