48 comments

[ 5.9 ms ] story [ 105 ms ] thread
seems to be struggling with load. Anyone else?
Not working for me either. I haven't read it all yet but I think this article is related: http://www.theguardian.com/media-network/2016/feb/16/banking...
https://github.com/OpenBankProject/OBP-API seems to be related to them.

The snazzy writeup suggests loads of people are involved but the project has a pretty low number of contributors. Is this the whole organisation or a subset of people doing some work relating to the concept.

The idea of a common API is really fantastic mind you.

Hi Folks, Simon here from the Open Bank Project. We're based in Berlin but were involved from the early stages in the report published by the UK Treasury. We put up the sandbox to get feedback on the APIs etc. Guess we have some high load on one of our servers at the moment! Feel free to ask any questions. (AMA??)
While I wait for the pages to load... Any fintechs (or other) actually planning on implementing this API? What is the relationship like with the industry? (Is there feedback being implemented in the API?)

More information would help. There seems to be interest around the world to change/modernize the financial industry for consumers. Thanks for taking questions.

Finally loaded. Here is the blurb from their website:

UK Open Banking

A demo of Open Banking APIs in the UK

In February 2016, a group of experts from the banking, FinTech, security and open data communities published a framework to deliver an open standard for Application Programming Interfaces (APIs) for UK banks. This work, led by HM Treasury, aims to increase competition and innovation in and around banking to improve outcomes for customers and thus further support the UK’s world-leading FinTech industry.

The European Union is rapidly advancing legislation (PSD2) that will, upon implementation in the next two years, require banks in the EU to open their payment and transaction systems to certified third parties. This is a good moment for the UK to take a leadership role and influence the EU and beyond.

We took this opportunity to reveal the first Open Banking API sandbox specificaly targeted at supporting discussion around the UK Open Banking standard. The sandbox we are showing today provides a selection of API calls relevant to the UK Open Banking Standards report. Feel free to explore the calls. We believe our technology gives the UK a tremendous headstart and access to a vibrant Fintech developer community.

Click below and enjoy!

thanks for your patience, should be faster now!
I just gave them my email address and was taken through to Mailchimp, where their address is given as being in Berlin! Strange that this is supposed to be led by HM Treasury.
This doesn't look HM Treasury-ey is this by some other organisation?
Let by us at the Open Bank Project (www.openbankproject.com)
How does this work. Will banks be using the same API structure in general, or is it more sort of an advice type of thing.

Also what type of operations are intended to be supported (read/write?)

The report sets out a framework rather than a specification at this point. It talks about a phased approach starting with open data (e.g. branches, products) then transaction history and then write (e.g. payment) options. PSD2 from the EU might well influence the operations supported first.
HM Treasury report defo aims at the UK Banks supporting the same API - which is the mission of Open Bank Project.
The report was commissioned by the government and delivered by a private company Open Data Institute Limited. This sandbox is from another private company Open Bank Project aka Tesobe.
I've been dreaming of a standardized banking API for as long as I've been using online banking. It crushes my soul every time Mint makes me send them my actual log in credentials just to scrape transaction data. Really hope this catches on, but I think too many orgs have a vested interest in being the gate-keepers of your banking data.
Mint has always pulled my data automatically from BOA, Chase and Wellfargo. Which banks are you using??
Mint is logging in on your behalf, unless you have a different service than I do.
Yep, the OBP approach is to use OAuth (currently 1.0a) so the App doesn't have to see the credentials.
(comment deleted)
see also teller.io for the UK, Stevie gave a great talk on the same issue at a hackernews london meet up last year.
If you're in the UK and want a banking API (including payments and transfers), I'm building http://teller.io/. It's been in private beta about 2.5 months and access will be opening more broadly soon. I couldn't wait for banks to get themselves into gear so I reverse engineered all of their mobile apps, took their private APIs and expose a single unified API through Teller.

Here is a video of me cURL-ing my bank account yesterday: https://www.youtube.com/watch?v=wwWccFD0wv8

Here is a CLI one of my beta testers @sebinsua/@nouswaves made for his bank account: https://github.com/sebinsua/teller-cli

So far the RBS banks, e.g. Natwest are in prod. If you bank with them, want super early access, understand it's beta product and will give some feedback: sg <> @ <> teller.io

How did you reverse engineer the Natwest/Ulster/RBS app. It is my understanding they use certificate pinning?
Certificate pinning is easy to defeat.
Doesn't exactly answer the question..
If you can run the app on a jailbroken/rooted device, it's fairly easy to beat certificate pinning in a few different ways. Two that come to mind are:

* find the certificate file in the app and replace it with your own.

* hook the function that verifies the certificate and make it return true.

If you tried reversing the app in question, none of these methods work as the app has a couple of protections against changing its code.
They do pin certs. I don't disable pinning, I quite like the protection it gives me. I actually inject code at runtime to observe and modify behaviour.
Interesting. I've sent you an email about using teller. Hopefully you give me a shot at it.
An API for Natwest would be amazing, but won't this be against their TOS? Just wondering if they are aware of your work and OK with it.
It's not against their TOS for me as a customer to reverse engineer their mobile clients (AFAIK), it is against their TOS for you as a bank customer to give Teller any authentication details. This is nothing new, the incumbent aggregator Yodlee also causes users to violate the bank TOS in this way. But aggregators solve such a pain point that users are prepared to use these services.

Every UK bank is aware of Teller, even ones I have not interacted with directly. I've been up to Edinburgh and to the RBS London offices a bunch of times, I know them well. I hope to work with the banks and not against them.

This looks actually pretty cool. It ooks like its focussed on developers - reminds me of Stripe, but for bank APIs.

I'd be curious about security as few of the URLs here shed any light on the topic and from my experience it often is rather INsecurity circus.

Do we have to give you the full login details?

I'm somewhat impressed though - I was defeated by certificate pinning on one UK bank's mobile app. How did you get round that?

Teller emulates the first party mobile client. So what you need to give Teller depends on what you need to enrol your mobile device.

I don't disable PKI pinning. I inject code at runtime to observe and change behaviour.

Can you add Halifax to your dropdown of banks. I've selected Other but I think Halifax is big enough to be on the list.
I'd also like to suggest the addition of the Co-Operative Bank (they're not dead yet!) and/or Smile. I have a Smile account.
I've played with Teller and it's nothing short of incredible. The developer on boarding is super slick.
Stevie gave me access a few weeks ago, I'm working on a product on top of Teller. What he's working on is really exciting and enables developers to build all kinds of apps they couldn't do previously.
Aren't there terms of service that prohibit you from reverse engineering their software and profiting from it? I want to build a mobile app on top of a private reverse engineered API and my lawyer says it could jeopardize my LLC's assets if we get sued
Are you using polling to discover new transactions, or do they send a notification to the mobile app?
I'd like to think the banking industry in Australia might follow this lead, but I'm not hopeful.
"...require banks in the EU to open their payment and transaction systems to certified third parties" Does anyone know if this will mean that average Joe can't just write a script to access his account, because he isn't a "certified third party"?