One-Click Disconnections for Third Party API Account Access


(Josh Price) #1

Hey Monzo Community :wave:,

I’m not sure if this has come up before as I couldn’t find anything related, so here’s my idea.

Over the coming months, we’re likely to see more companies integrate with Monzo. The recent announcement of an integration with Emma is a perfect example.

These companies will obviously want me to authenticate my Monzo account. That’s fine; however, there should be some way for me to control who has access to my account and allow me to easily remove access and no longer allow that company to have access to my Monzo account.

This is a similar feature to that of Facebook, Google, Twitter or really any website that has some OAuth functionality that enables other sites to use your login from say Facebook to get onto their service.

The only problem with this is companies like Facebook, Google and Twitter make it super hard to remove access as it’s hidden under account settings in some sub-menu. This is likely part of the reason you often see on your Facebook feed, friends sharing random links to random sites! They likely gave access to some app months ago and that app is now using that access in a malicious way.

Obviously, Monzo is my bank and while I’m aware the whole process of these integrations is heavily regulated by the Monzo team, I should, from within my Monzo app, be able to remove access to third-party integrations with one click. That way, I can be assured that the platform I previously authenticated with no longer has access!

This is just an idea but I think it gives users more control over who has access to their account.


(Alex Sherwood) #2

Hey Josh :wave:

It sounds like the team are thinking the same thing -

obviously they don’t mention one click disconnection but I’ve seen a comment from @simon that Monzo didn’t want the 3rd party to suddenly start seeing that they couldn’t connect to your account without knowing why. He must have said that in the Developer’s Slack as I can’t find it now so presumably it’s been archived :disappointed:


(simon) #3

This is part of the reason. It’s important for customers to realise that open banking means they can share their data with third parties, and banks have to facilitate that.

That means that if you want to terminate your relationship with the third party, you should do so by telling them.
This gives the third party an opportunity to, for example, also delete the data they’ve stored previously.

We will of course “log you out”, revoking the third party’s access and refresh tokens if you ask us. As part of onboarding AISPs I’m asking them to confirm that “deleting/disconnecting Monzo” from within their app does result in them discarding the access token and refresh token.

Once we start allowing Payment Initiation, I expect we will have a place in the app where you can see, not only what companies have read access, but also what mandates (e.g. £30/month to Sky TV) exist so you can cancel them at will.