by isbvhodnvemrwvn 1434 days ago
To use these APIs in Europe you need a license, and I'm not willing to pull my banking data via third parties. Never mention the apps which want me to give them my full credentials.

I would be willing to use a script which I can audit and run myself, but nobody offers that for my bank.

4 comments

There's Ponto :)

https://myponto.com/en

Disclaimer: I work for them. What I'm saying here is 100% personal and does not reflect the views of my employer, yada yada...

To be honest, we're doing an excellent job of protecting our customers' data. It's one of our core concerns, and I have absolutely zero issue putting my own data in there.

We do _NOT_ store your credentials or even receive them at any point. Quite frankly, we don't want them. Any authorisation you would give us automatically expires after some time anyway, enforced by the banks.

The primary offer of Ponto is one API to interact with all your own bank accounts. No license needed, we handle all of that. We also provide a unified interface to all the banks.

The API is well thought out. All of our managers are highly skilled devs, so they understand what it takes to build good software (= time).

Check it out, we have great support directly via Slack. I'm not answering that myself, but the guys who do it are super dedicated and will go a long way to help you.

Honestly I can't say enough good things about this product and our team! A product you can rely on, long term.

Belgian law seems pretty data hoarding heavy. Even things like activity logs will be kept around for 10 years after contract termination, per your Privacy terms.

Fintech might be overall more security focused in their software development practices, but 10 years is still a very long time to entrust someone with your data.

So, related to the topic at hand, if I use Ponto, can I connect Gnucash to it then so it fetches all information automatically?

Probably, yes :) But you'd have to find/build the integration.

Haha, anything is possible if I build it myself!

So the answer is a clear no then, please be up front about it instead :)

I was merely responding to the parent comment saying that you need a license, which is not the case with this API.

Sure, that I understand, I'm just saying that you failed to actually reply to me (or your reply was ambiguous at best).

The topic is GnuCash, parent said "The biggest problem with it as far as I can tell is the requirement for manual entry" whereas someone replied "To use these APIs in Europe you need a license" and you said "There's Ponto", and I asked you if I can use Ponto to connect to GnuCash.

I think it's understandable to think that if someone is suggesting Ponto (in a submission about GnuCash), then you should reasonably be able to use Ponto to connect to GnuCash, since that's the entire point of this submission. Otherwise your comment just reads as trying to shoehorn in your own product wherever it's only slightly related to the topic at hand.

AFAIK, none of this is true. Banks are required by law to provide open APIs with solid authentication mechanisms; apps usually access them via aggregators and never request your banking credentials.

The aggregators are third parties I mentioned. You can't easily obtain a license to use those APIs yourself, even if only to access your own data.

The apps which don't have a deal with these aggregators request you to provide credentials (now fortunately most of them are defunct due to MFA).

Understandably because you are dealing with a heavily regulated industry but I do agree it would be nice to be able to use the APIs for your own data somehow.

Aggregators that require you to provide credentials are just web-scraping the websites or have reverse engineered the banks' (internal) APIs.

For some APIs you can get the access yourself. For example, here is the API for account and transaction information at ABN AMRO (3rd largest bank in the Netherlands): https://developer.abnamro.com/api-products/business-account-...

I'll concede that it's only for business accounts. But that includes small single-owner businesses, and I've been considering switching to ABN to automate the accounting of my small side business.

The PSD2 APIs (also for consumers) indeed need a PSD2 license and an eIDAS certificate.

Technically, for consumer data, I think you could use GDPR to request a computer-readable extract of your transaction data. However, I think most banks would then redirect you to some CSV/MT940 export option in the web interface that is hard to automate.

Yes, but no. The law is PSD2, but there are so many requirements that it's impossible for a private person to access it. First of all you need to generate a certificate which needs to be signed by a financial authority. Then you use client-based certificates to connect to these APIs. [1]

[1] https://support.n26.com/en-eu/security/open-banking-psd2/psd...

Yes, here is one example from German Commerzbank: https://developer.commerzbank.com/

I have been playing with the idea of using its API for my personal finance but the API with MFA is not so simple. At least not simple enough for me to spend much time on writing a customized interface. So I am still using their web interface which works well for my personal needs.

I was excited when my bank first announced Open Banking; I could use it to replace my embarrassing, then Selenium-based mess with something more sane. Then Open Banking went into production and I learned I need a business entity and a whole host of other bs to make use of it without relying on some third party bottom feeder.

I don't know what I was thinking. This is Europe and there is very little chance a good idea won't be ruined with some sort of bureaucracy, licensing requirements, utterly vapid credentialism, or as a last resort, some other form of obtuse gatekeeping.

Also all these APIs are read-write, aren't they? I really wish there was an easy read-only API that I could use for all kinds of hacky integrations.

No, they generally have different scopes. You do not need to request a scope which can initiate transfers.