We ask for all three pieces of information to reduce the risk of somebody sending a push notification to a random person they don’t know. If the sort code and account number are already provided by the third party (to initiate a payment from a specific account) then these will be pre-filled so you don’t have to type them.
In reality we expect that the majority of customers will use the App to App flows, so they will never even see this web flow. They will jump straight into the Monzo app and then back out to the third party app.
To follow on from this point, some banks are exposing savings accounts via open banking even though not technically required to do so as they are non-payment accounts (as I understand it).
What will Monzo do here? Will 3rd parties be able to access Monzo Savings accounts via open banking?
With the need to reauth every 90 days, is there a way to do that fully on the Monzo side? So on day ~90, send a notification asking to reauth. That would save users having to go back to random services to reauth. Or is that not allowed in the spec?
Yes, we’re planning to do this for all third party clients. You will just have to review the whole list and refresh them all in one go. You will get a reminder to do this 30 days before any client expires.
Currently 3rd parties seem to connect to Monzo via OAuth, or so I am led to believe. I don’t know what this is. What is it and how is it different to open banking? (in basic terms)
In theory yes, but we haven’t implemented it for Open Banking yet. We have a while to do it though as the first reminders won’t go out for another 60 days or so.
A question about the open banking standard and interoperability, if I may. We’re told that Monzo will continue to use Truelayer for third party integrations after open banking comes in. That got me wondering whether there are very different technical implementations of the open banking standards, or whether it’s simply easier to have just one end point.
And, if I might be permitted a second, do you think the way that open banking is specified at the moment is future proof? Do you think it might, in the longer term, stifle innovation?
Hi @kieranmch appreciate you spending the time answering questions!
Any chance of a demo mode where I can demo how Monzo works without having to expose my own personal finances?
Also curious if there could be an option to hide the overall balance when using the app - would be handy when using the app in a confined public area (like on a bus / airplane / train / etc)
To understand the whole OAuth specification is quite a lot of work, but the idea is that it allows you to give third parties access to your account without giving away your password. Broadly speaking there is…
Setup Phase
Monzo will give the third party an “OAuth Client” which basically gives that company the ability to access the Monzo APIs. As part of this process we will establish a shared secret*, a high-entropy piece of information (a long random unguessable string) that only Monzo and the third party know.
Redirection
When you want to connect your Monzo account to a third party (let’s call them Hot Chip Limited or HCL) - HCL will redirect you to Monzo.
Authentication
Monzo will verify your identity and then redirect you back to HCL putting an auth code in the URL - which can be read by HCL. The auth code is tied to your account.
Token Exchange
Once HCL has your auth code, this time they will come to Monzo directly with the auth code and ask for an Access Token. The Access Token lasts for about 24 hours and allows the third party to access your data. Why bother with the auth code? This is where it gets very clever. In order to obtain the access token, HCL must also present their client secret that we established in the setup phase. This means that the auth code on its own is useless without the secret. Since the auth code is being passed around in URLs and is clearly visible in the URL bar, it wouldn’t be secure enough on its own. With this approach the Access Token is only ever seen by Monzo and the third party.
Refreshing
We will also issue a refresh token to the third party, which they can use to get a new Access Token when the first one runs out. They need to use their client secret again to obtain a new token.
Open Banking uses OAuth, as well as a custom permissions model based on OpenID.
*Open Banking does not use shared secrets because although they are secure, we use MTLS (mutual transport layer security) which is considered even more secure as we can use asymmetric cryptography to avoid the need to ever share a secret key in the first place.
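The setup, redirection, token exchange and refresh steps above, as a constructed in-memory model (added here as an example; this is not Monzo's code, and the client id, secret, redirect URI and account id are made-up values). It shows why an auth code seen in a URL is useless on its own: the token endpoint demands the client secret, and the code is single-use, short-lived and bound to the client it was issued to.

```python
import hmac
import secrets

# Constructed in-memory model of the flow in the post above (added example, not Monzo's code).
# Setup phase: the registered "OAuth Client" and its shared secret (a constructed value here).
CLIENTS = {"hcl": {"secret": "hcl-secret-constructed", "redirect_uri": "https://hcl.example/cb"}}
ACCESS_TTL = 24 * 3600  # the post says an Access Token lasts about 24 hours
CODE_TTL = 60           # auth codes travel in URLs, so keep them short-lived
_auth_codes = {}      # code -> {"client_id", "account_id", "expires"}
_refresh_tokens = {}  # token -> {"client_id", "account_id"}

def authorize(client_id, redirect_uri, account_id, now):
    """Authentication: the user has already been verified; mint a code tied to
    their account and return the redirect URL the third party will receive."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None  # only redirect to the URI registered in the setup phase
    code = secrets.token_urlsafe(24)
    _auth_codes[code] = {"client_id": client_id, "account_id": account_id, "expires": now + CODE_TTL}
    return f"{redirect_uri}?code={code}"

def _client_ok(client_id, client_secret):
    client = CLIENTS.get(client_id)
    return client is not None and hmac.compare_digest(client["secret"], client_secret)

def _issue(client_id, account_id, now):
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _refresh_tokens[refresh] = {"client_id": client_id, "account_id": account_id}
    return {"access_token": access, "refresh_token": refresh, "account_id": account_id,
            "expires_at": now + ACCESS_TTL}

def exchange_code(client_id, client_secret, code, now):
    """Token exchange: a code seen in a URL is useless without the client secret;
    it is also single-use, bound to the client it was issued to, and short-lived."""
    if not _client_ok(client_id, client_secret):
        return None
    grant = _auth_codes.pop(code, None)  # pop: a replayed code fails even with the secret
    if grant is None or grant["client_id"] != client_id or grant["expires"] < now:
        return None
    return _issue(client_id, grant["account_id"], now)

def refresh_access(client_id, client_secret, refresh_token, now):
    """Refreshing: the secret is required again to obtain a new Access Token."""
    if not _client_ok(client_id, client_secret):
        return None
    grant = _refresh_tokens.pop(refresh_token, None)  # rotate: the old refresh token is retired
    if grant is None or grant["client_id"] != client_id:
        return None
    return _issue(client_id, grant["account_id"], now)
```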
We used TrueLayer because they also did screen-scraping for us, and they have “smoothed over” lots of the minor differences between the APIs. It is exceptionally difficult to get a “perfect” implementation and even Monzo deviates from the standard in some very minor ways because it’s just impossible for us to conform to it.
When this happens, Open Banking ask us to give feedback so they can refine the standard - and we will certainly continue doing this.
Now that we have much more experience with Open Banking we might decide to go direct to other banks ourselves - but no immediate plans to do that.
I’m not worried that the standard will stifle innovation - if anything it will enable it. What I don’t like is the lack of focus on “real time”. Webhooks are important, and third parties should be able to access the data more than 4 times a day. Monzo now have a public policy team, and we are working hard to give feedback to everyone responsible for Open Banking to set the tone for the next version.
It’s a shame that open banking is restricted to pre-approved vendors, and there’s no opportunity for developers to play with their own accounts. I wonder if a vendor that acted as a gateway to allow developers to write their own code against their own accounts would ever be approved by the regulator.