🏦 Open Banking at Monzo - Ask Me Anything!

We ask for all three pieces of information to reduce the risk of somebody sending a push notification to a random person they don’t know. If the sort code and account number are already provided by the third party (to initiate a payment from a specific account) then these will be pre-filled so you don’t have to type them.

In reality we expect that the majority of customers will use the App to App flows, so they will never even see this web flow. They will jump straight into the Monzo app and then back out to the third party app.

3 Likes

That makes total sense. I am seeing most connections happening on the web, but it could just be the customer type we have.

This work won’t impact our developer API because the regulation states you must be an authorised and regulated company to use the Open Banking APIs.

To follow on from this point, some banks are exposing savings accounts via open banking even though not technically required to do so as they are non-payment accounts (as I understand it).

What will Monzo do here? Will 3rd parties be able to access Monzo Savings accounts via open banking?

2 Likes

Yes, pots will be available through Open Banking.

6 Likes

Including interest bearing Pots?

1 Like

Yes!

3 Likes

With the need to reauth every 90 days, is there a way to do that fully on the Monzo side? So on day ~90, send a notification asking to reauth. That would save users having to go back to random services to reauth. Or is that not allowed in the spec?

1 Like

Yes, we’re planning to do this for all third party clients. You will just have to review the whole list and refresh them all in one go. You will get a reminder to do this 30 days before any client expires.

9 Likes

That is awesome. So then the refresh token will just carry on working after that period?

One more question. Can you buy all banks and make this API available for them all. Kthx.

Also, can you make accounts randomly disappear from open banking like Barclays. It adds some fun to the experience.

1 Like

Currently 3rd parties seem to connect to Monzo via OAuth, or so I am led to believe. I don’t know what this is. What is it and how is it different to open banking? (in basic terms)

In theory yes, but we haven’t implemented it for Open Banking yet. We have a while to do it though as the first reminders won’t go out for another 60 days or so.

4 Likes

Hey @kieranmch, thanks so much for doing this! :pray:

A question about the open banking standard and interoperability, if I may. We’re told that Monzo will continue to use Truelayer for third party integrations after open banking comes in. That got me wondering whether there are very different technical implementations of the open banking standards, or whether it’s simply easier to have just one end point.

And, if I might be permitted a second, do you think the way that open banking is specified at the moment is future proof? Do you think it might, in the longer term, stifle innovation?

5 Likes

Hi @kieranmch appreciate you spending the time answering questions!

Any chance of a demo mode where I can demo how Monzo works without having to expose my own personal finances?

Also curious if there could be an option to hide the overall balance when using the app - would be handy when using the app in a confined public area (like on a bus / airplane / train / etc)

Keep up the great work!

1 Like

To understand the whole OAuth specification is quite a lot of work, but the idea is that it allows you to give third parties access to your account without giving away your password. Broadly speaking there is…

Setup Phase
Monzo will give the third party an “OAuth Client” which basically gives that company the ability to access the Monzo APIs. As part of this process we will establish a shared secret*, a high-entropy piece of information (a long random unguessable string) that only Monzo and the third party know

Redirection
When you want to connect your Monzo account to a third party (let’s call them Hot Chip Limited or HCL) - HCL will redirect you to Monzo.

Authentication
Monzo will verify your identity and then redirect you back to HCL putting an auth code in the URL - which can be read by HCL. The auth code is tied to your account.

Token Exchange
Once HCL has your auth code, this time they will come to Monzo directly with the auth code and ask for an Access Token. The Access Token lasts for about 24 hours and allows the third party to access your data. Why bother with the auth code? This is where it gets very clever. In order to obtain the access token, HCL must also present their client secret that we established in the setup phase. This means that the auth code on its own is useless without the secret. Since the auth code is being passed around in URLs and is clearly visible in the URL bar, it wouldn’t be secure enough on its own. With this approach the Access Token is only ever seen by Monzo and the third party.

Refreshing
We will also issue a refresh token to the third party, which they can use to get a new Access Token when the first one runs out. They need to use their client secret again to obtain a new token.

Open Banking uses OAuth, as well as a custom permissions model based on OpenID.

*Open Banking does not use shared secrets because although they are secure, we use MTLS (mutual transport layer security) which is considered even more secure as we can use asymmetric cryptography to avoid the need to ever share a secret key in the first place.

11 Likes

Thank you! I can’t answer this but you might want to start a new thread or find an existing one.

Thank you, that’s really helpful!

We used TrueLayer because they also did screen-scraping for us, and they have “smoothed over” lots of the minor differences between the APIs. It is exceptionally difficult to get a “perfect” implementation and even Monzo deviates from the standard in some very minor ways because it’s just impossible for us to conform to it.

When this happens, Open Banking ask us to give feedback so they can refine the standard - and we will certainly continue doing this.

Now that we have much more experience with Open Banking we might decide to go direct to other banks ourselves - but no immediate plans to do that.

I’m not worried that the standard will stifle innovation - if anything it will enable it. What I don’t like is the lack of focus on “real time”. Webhooks are important, and third parties should be able to access the data more than 4 times a day. Monzo now have a public policy team, and we are working hard to give feedback to everyone responsible for Open Banking to set the tone for the next version.

10 Likes

It’s a shame that open banking is restricted to pre-approved vendors, and there’s no opportunity for developers to play with their own accounts. I wonder if a vendor that acted as a gateway to allow developers to write their own code against their own accounts would ever be approved by the regulator.

1 Like