How to see all your bank accounts in one place?

rhysgt

I use Money Dashboard. It supports Open Banking with the biggest banks and also has a nice app.

gozaimasu

eskbanker wrote: »

So, when selecting apps for this, pick from those that use the Open Banking APIs to source data directly - if you're requested to divulge your online banking credentials for the other accounts then walk away!

Surely if you had accounts within the same banking group, it wouldn't matter if you had to enter log in credentials? So if you can access your Lloyds Bank account in the Halifax app or vice-versa, or HSBC/First Direct etc.

colsten

eskbanker wrote: »

So, when selecting apps for this, pick from those that use the Open Banking APIs to source data directly - if you're requested to divulge your online banking credentials for the other accounts then walk away!

How's your Open Banking app going to access your bank account(s) without knowing the access credentials?

eskbanker

colsten wrote: »

How's your Open Banking app going to access your bank account(s) without knowing the access credentials?

It relies on open standard Application Programming Interfaces (APIs) to provide secure integration directly between systems, so moves away from the concept of logging in in the traditional way by data-sharing behind the scenes (subject to customer consent of course).

https://www.openbanking.org.uk/customers/what-is-open-banking/:

Some apps and websites currently use screen-scraping, which involves you giving them your login details and password so they can login to your account and analyse your financial information or make payments on your behalf.

With Open banking, you’re never asked to share your password or login details with anyone other than your own bank or building society. Safe. Secure. Simple.

eskbanker

gozaimasu wrote: »

Surely if you had accounts within the same banking group, it wouldn't matter if you had to enter log in credentials? So if you can access your Lloyds Bank account in the Halifax app or vice-versa, or HSBC/First Direct etc.

I can't speak from direct experience of those particular apps but, given the amount of investment involved by the major banks, it would surprise me if you still had to provide Lloyds login details in order to access an account there from the Halifax app. Are you saying that's the case?

As above, the old model is becoming obsolete with the introduction of two-factor authentication for accessing accounts via browsers, etc, so as this rollout progresses then it becomes impractical to use screen-scraping....

colsten

eskbanker wrote: »

It relies on open standard Application Programming Interfaces (APIs) to provide secure integration directly between systems, so moves away from the concept of logging in in the traditional way by data-sharing behind the scenes (subject to customer consent of course).

https://www.openbanking.org.uk/customers/what-is-open-banking/:

Sorry, I don't understand that. Surely no API can provide authorisation to access my accounts, unless I have authorised that API to do so. How should that authorisation work if not by authentication via my login information? The apps that I tried all required me to provide my login information. How else would they obtain my consent?

masonic

colsten wrote: »

Sorry, I don't understand that. Surely no API can provide authorisation to access my accounts, unless I have authorised that API to do so. How should that authorisation work if not by authentication via my login information? The apps that I tried all required me to provide my login information. How else would they obtain my consent?

The provider asks for your consent, then sends a request to your bank. You can normally see which providers are authorised through online banking and revoke any you no longer want to process your data. You don't share your full login information at any time, you'll validate the request using details other than your login credentials.

If you go to your bank's app or online banking and can't find the provider listed in your authorisations in the Open Banking section, it means they are just screen scraping.

All of the apps I tried were either no good for my needs or not using Open Banking, often both.

colsten

masonic wrote: »

The provider asks for your consent, then sends a request to your bank. You can normally see which providers are authorised through online banking and revoke any you no longer want to process your data. You don't share your full login information at any time, you'll validate the request using details other than your login credentials.

If you go to your bank's app or online banking and can't find the provider listed in your authorisations in the Open Banking section, it means they are just screen scraping.

.

I don't believe that as this would mean that any old Tom, !!!! or Harry can add my sort code and account number to their app and see my balance and transactions.

Obviously, app providers need to be registered for the use of the API. But they can't then simply provide information about everybody's accounts to anyone who requests it. The app needs to be authorised by the respective account holder first. I can't see how this could happen without the account holder to confirm their right to see the account data, and the only way I can see that confirmation to work is with data previously agreed between the account holder and the bank. In short: login information.

EDIT: naturally, it would be possible, in theory, to use data other than the login information to provide the confirmation. However, none of us has been asked to agree any additional authentication data for Open Banking with their bank. So the only way for electronic authorisation is the use of login information.

eskbanker

It's difficult to answer this without actually having gone through the process, as practical experience always trumps theory!

However, looking at the explanatory info on the site of a randomly-chosen example of an app supporting open banking, namely Money Dashboard, it does appear that there is some form of one-off initial login that allows the relevant authentication to be established, but this seems to be ring-fenced in a way that doesn't involve divulging your credentials to the app provider (which is clearly identified as being the older mechanism):

How do I switch my accounts to Open Banking?

When you log in to Money Dashboard you will see a “Switch to Open Banking” button next to accounts which you can connect via Open Banking APIs. Simply click this button & you will be directed to your banks online portal. Simply follow the instructions and you will be able to select which accounts you want to connect.

Your account connection will be switched to Open Banking with all your historic data saved.

If you want to connect a new account, go to “Add Account” and select the Open Banking connection for your bank from the drop down list of account providers and follow the prompts.

[...]

Why are only some accounts supported?

At the moment, only the nine largest banks (listed above) are required to implement the Open Banking API and they are phasing the roll out of connected accounts. This means you might still need to use a credential sharing connection (the way you currently connect your accounts in Money Dashboard). We will continue to provide connections to as many accounts as possible, opening up new Open Banking API connections as soon as they are available.

When you select to connect your account your bank will show you which accounts you can connect via API.

Not all savings accounts come under PSD2 (the legislation requiring banks to make your account information more accessible to you) so you might not be able to migrate all your accounts to an Open Banking API just yet. With savings accounts a good rule of thumb as to whether your bank will provide an Open Banking API connection is if you can currently make payments directly from your savings account to another third party account.

I haven't been able to find a simple document explaining this initial authentication process, but there's a more technical analysis at https://www.forgerock.com/industries/financial-services/open-banking/UK-Spec

masonic

colsten wrote: »

I don't believe that as this would mean that any old Tom, !!!! or Harry can add my sort code and account number to their app and see my balance and transactions.

Only to the extent that any Tom, Richard or Harry could fraudulently switch your bank account. Conceptually the two processes are quite similar. With the CASS, you give details other than your internet banking logon and password, which are used to authorise a different bank to see your payees, DDs etc with a view to switching them to a new account in your name. With Open Banking, the authorised provider follows essentially the same process to gain some level of access to your account information on an ongoing basis.

Obviously, app providers need to be registered for the use of the API. But they can't then simply provide information about everybody's accounts to anyone who requests it. The app needs to be authorised by the respective account holder first. I can't see how this could happen without the account holder to confirm their right to see the account data,

Agree up to here. Providers would not be exempt from the usual KYC checks and would need to verify your identity before they could proceed.

and the only way I can see that confirmation to work is with data previously agreed between the account holder and the bank. In short: login information.

EDIT: naturally, it would be possible, in theory, to use data other than the login information to provide the confirmation. However, none of us has been asked to agree any additional authentication data for Open Banking with their bank. So the only way for electronic authorisation is the use of login information.

Not only possible, in theory, but necessary. A firm that has your login details can do anything you can do. They may not be authorised by you to do those things but would be capable of doing them. That's what sparked the move away from screen scraping to Open Banking. There would be no point building an Open Banking API where providers could have restricted access to your information when the only way to grant that access is to give them unrestricted access via your full logon information.

The easiest way this could have been implemented neatly and securely is for everyone to be able to generate a specific "Open Banking" username and password for each provider they want to give access and share that with the respective provider. What actually happens (it appears) is that these credentials are exchanged behind the scenes and aren't used to validate the request itself, which is a shame.