by jswny 3284 days ago
Not only does this sound potentially illegal but how can you be confident that you will recognize the breaking changes in time to fix them? What if you begin supporting a large number of banks and you can't keep up?

Also, will your reverse-engineered use of the mobile APIs have any detrimental effect on the user? I imagine the user will be the one authenticated with the API. What if the bank starts to see an influx of odd API traffic and decides to investigate it, or there is some type of rate limit?

Your decision to reverse-engineer mobile APIs opens the door for many important questions, in my opinion.


The EU Computer Programs Directive 2009 provides an exemption for reverse-engineering for the purposes of creating inter-operable systems. This directive has been harmonized into UK law (where Teller is domiciled and operates) and Teller satisfies the requirements to be protected by the exemption. We have also developed many novel techniques that do not meet the UK legal definition of reverse-engineering so we have that angle too. This issue has also been looked at by expensive lawyers.

In terms of stability, it actually takes 6-12 months for a bank to get something into production. We are not talking about fast-moving organisations here. We have not had a breakage with a supported integration in two years of beta testing.

We take many steps to ensure our traffic does not stand out to banks eager to actively interfere with Teller. Our clients perfectly emulate (100% API compatibility with their own) and make the same API calls in the same order, etc. We also only make API calls as a result of user action, i.e. Teller does not poll or cause atypical traffic patterns. Finally, we have 100s of IP addresses and assign an IP address to a user for a period of time. All of this compounds to make Teller traffic look indistinguishable from their own mobile app traffic. The objective is to make it more likely they will block their own app traffic than block Teller, as a strong incentive not to interfere with their customers' choice to use Teller-enabled services.

Hey Stevie, I was at the HN London where you gave a very memorable demo on reverse-engineering mobile banking apps. Stoked to see how far you've come, and congratulations on the Teller beta launch!

Even back then you had caught the attention of banks. I'm sure they've threatened you many times. But now that banks are taking you more seriously and returning your calls, how are you going to convince them to work with you instead of against you?

And what happens when they (if they haven't begun already) try to legally DoS you?

Seems pretty sensible.

I hope banks will realise that open APIs are a good thing, and if they don't start getting their shit together, they'll be left behind. Our whole financial infrastructure is so needlessly complicated. Why can't it all be JSON APIs?