[wolframarnold]

This is pretty interesting. Aside from the security questions already asked, and assuming they can be addressed satisfactorily, I have this question/suggestion:

Financial institutions all differ in their online offerings and most live in the stone age (i.e. no useful API's), such that accessing transaction data relies largely on screen scraping. One of the biggest make or break moments for services like yours is getting critical mass in coverage of financial institutions. I use two services, Mvelopes and FileThis and have connected dozens of accounts to either, everything from large credit card providers like Chase to obscure credit unions and mortgage lenders. Neither service covers all my institutions. I've offered my help to build scrapers but have not been taken up on that.

I think what could really revolutionize this is creating an open source marketplace for these scrapers that anyone can contribute to. The scrapers would implement a standard API to return data in some common format and would call a number of standard methods to access login credentials, etc. You'd have to develop the framework that these scrapers get plugged in to (also open source) and a test framework. The calling/consuming code of your service can be closed source.

In the long term hopefully this would inspire banks to implement the required API's natively such that scraping is no longer necessary.

[AdieuToLogic]

There are reasons why FI's do not provide API's for accessing transaction data:

* They are on the hook for PCI compliance (which providing access to entities other than ISO's would clearly violate).

* There is little to no business incentive to entertain integration of this sort.

* Transaction data is very much considered "proprietary information" owned by the FI (in the minds of institutions I have worked with) and is not shared.

* FI's view their clients in the transactional world as being either the Merchant (which is already provided transaction information through settlement and reporting processes), ISO's/VAR's (also already provided with their operational data), or Account Holders. The latter is allowed access to their transaction history via a browser due to market demands and cost saving concerns.

In short, there is no way in the foreseeable future that financial institutions will implement API's which imply consent to use Account Holder transaction data without onerous vetting of the service consuming this information.

EDIT: made the bullet point list more legible.

[iffycan]

We have attempted to try the open source bank access model you've described [1], but I'm not confident that such a system would ever be dependable without the cooperation of the FIs themselves, for the reasons AdieuToLogic gives.

[1] https://github.com/simplefin/bank-access