by Animats 3285 days ago
Your terms:

"We are not liable for any loss or damage that may result from your use of our services. This includes any direct, indirect, or consequential losses; any loss or damage caused by tort, including negligence, breach of contract or otherwise."

You don't get taken seriously in the financial space with terms like that. You need to accept responsibility for errors and carry errors and omissions insurance.

Compare Bank of America Bill Pay service terms:

When you make a bill payment using Online or Mobile Banking you can be confident that it will be processed correctly. In the unlikely event that we fail to process your payment in accordance to the payee, amount and date you specified, Bank of America will reimburse you for any late-payment-related charges incurred.

We are committed to keeping your financial information safe and making sure you can bank with us securely, which is why you are not liable for fraudulent transfers or bill pay transactions made via online or mobile when they are reported promptly.[1]

[1] https://www.bankofamerica.com/onlinebanking/online-banking-s...


Thanks for your feedback. We developed TAuth to provide attribution and non-repudiation for exactly this kind of situation. I personally take security very seriously such that launching our product has taken longer because designing and implementing a system worthy of performing financial transactions on behalf of others is a serious undertaking.

Our terms are comparable to the incumbent "screen-scrapers" in the market, e.g. Yodlee and Plaid. FWIW it is not currently possible for users to move money with Teller. I'm open to revisiting the terms when it is, and I'm always open and listening to feedback such as this.

Thanks for taking the time.

> I personally take security very seriously

Respectfully, your users don't care about technical security if you get compromised - they care about their financial security. Please do reconsider your stance on liability, I found myself wincing while reading that disclaimer.

It pains me to say it as a techie, but insurance is more important than security in this case. It'd be great if you were ironclad against all hacks ever, but it'd sit more easily if there was insurance backing it up. What if you get a rogue employee dumping out all the credentials, for example? Not all attacks come from outside.

If you don't trust your security enough to assume liability, why should your users?

> FWIW it is not currently possible for users to move money with Teller

I don't believe it's so much a compromised service or API that's concerning, it's your credential storage. The data you hold does allow users to move money if compromised.

Having picked fault with your service enough, it does look like a great service and I'd love to use it one day. Best of luck!

The problem isn't what an attacker can do with Teller credentials. The problem is what an attacker can do with the banking credentials you ask users for. The risk profile is similar here to a breach in an online password manager -- if you used an online password manager to store your banking credentials, are you perfectly comfortable with an attacker gaining access to your credentials since the password manager implements no banking functionality?

Is there much desire for moving money via API though? Seems like it would expose you to massive risk for little reward.

Oh my, I have thought about this a lot, and I firmly believe that there is. Sorry for the ensuing wall of text!

Right now I pay for several online services, a gym membership, insurance, a student loan, a mortgage, and an auto loan. Every one of these companies has authorization to pull money from my account each month. They all pay their payment processor a significant sum of money in exchange for the processor running the payments and shouldering the risk of the bank not honoring them.

With an API, I could stop relying on this "pull" model and start using a "push" model instead. Companies get my money only when I explicitly send it to them. I could schedule a payment to go out every month for services I want instead of allowing arbitrary vendors to charge my card (banks do have a partial stab at this in the form of bill-pay, but it tends to be pretty bad).

Presumably, since the risk of fraud is lower because I authorized the payment with my RSA key, merchants could pay lower fees to their payment processors.

Now, I'm a little atypical, because I know how to program, so I could use the API without help. But I know many people who would certainly take advantage of services built on top of an API like this.

Think of all the people in your life who have accidentally continued paying for something they no longer wanted due to the vendor "mistakenly" continuing to charge their card. Or scummy negative-option marketing companies which loudly tout a free product or service and then continue to charge your card thanks to some tiny section in their terms of service.

The possibilities get better too. You could have budgeting apps that don't let you spend more than $X per month for video games, but still allow you to buy groceries. You could give your children an authorized card with a per-month maximum but still allow them to pay for an Uber home if it's after 9 pm.

I really think this sort of thing would be a massive boon to people and society, and it's unfortunate that banks (in America) are fighting so hard to prevent it.

Bank of America's assets total over 2 trillion dollars. I would imagine it's easier for large financial institutions to create such strong guarantees for their users.

“Marc came to our office at midnight and read the letter I’d written to our community about the Airbnb Guarantee, and the two changes he made changed the company forever. I’d said we guarantee five thousand dollars for property damage, and he added a zero, which seemed crazy.”

-- http://www.newyorker.com/magazine/2015/05/18/tomorrows-advan...

That's kind of the point - if you have large assets, that might be some assurance of your liquidity if e.g. a $100 million bad event happens; but if you do not and can't pledge large amounts of capital as pretty much a collateral, then you'd be expected or even required to buy insurance for very large amounts.

OK, so... I'll take BoA seriously, and not these guys.

You're not wrong; but please don't ignore OP's excitement to garner your attention, those things matter to little people like us in a socially conscious culture of 2017.