Bank Feeds - you know they're dodgy, right?
I occasionally get asked if we're going to implement "direct bank feeds" into KashFlow the way some other online accounting software companies have.
I was reading a LinkedIn discussion where a few accountants and business advisors were under the impression that these software companies have "permission" from the banks to do this. This isn't the case. A few recent developments have highlighted why this is a big problem.
The data doesn't come direct from the banks. It comes from a third-party called Yodlee.
Yodlee don't have permission from the banks either. They use a technique called "screen scraping". To do this, they require the user to hand over their internet banking log-on credentials.
If someone robs £50k from your bank account through no fault of your own, you're protected. The bank assumes liability.
If you've breached your bank T&Cs by handing over your credentials to someone else then the liability is yours. You're not going to get your money back.
If you're advising your clients to use a Yodlee-powered service, I hope you're making them aware of this.
I can't bring myself to put Yodlee feeds in KashFlow without making this issue VERY clear to anyone that uses it, which I suspect would mean not many people would actually go ahead and use it.
There's a big furore in South Africa at the moment about security and the Yodlee service. The banking ombudsman there is quoted as saying "divulging your internet banking credentials... clearly exposes one to enormous risks." See "Use financial management tool ‘at your own risk’".
Personally, I agree with another article that says it's "most probably, but not necessarily, safe". But with small businesses only just coming around to the idea of using cloud services, I don't think it's a good idea to expose them to security risks - perceived or real - without making it clear what's going on.
This is probably the biggest reason we've kept away from providing/using this service.
A KashFlow customer pays us for a service and they rightfully expect it to work.
If something breaks, they don't care that it's because of a third-party using a slightly dodgy data gathering method and it's out of our hands.
Due to the way screen-scraping works, it breaks regularly. This isn't just a theoretical issue. As I write this, the feeds of data from RBS, NatWest and a number of other UK banks aren't working and there's no way of knowing when they will be up and running again (and when they are up, no way of knowing when they will break again and for how long).
I'm not willing to expose my customers to that level of reliability. It would reflect badly on us and our partners that recommend the software.
Feeds in KashFlow
We will be putting bank feeds into KashFlow. But we'll be getting the data legitimately via the front door, rather than getting unauthorised access via a back door.
Unfortunately, doing things properly takes a little longer, but it does mean there will be no reliability or security issue.
If you/your clients want bank feeds NOW and you use a service that uses Yodlee, you have a responsibility to make sure your customers know the risks involved, especially around liability.