Bank Feeds - you know they're dodgy, right?

I occasionally get asked if we're going to implement "direct bank feeds" into KashFlow the way some other online accounting software companies have.

I was reading a LinkedIn discussion where a few accountants and business advisors were under the impression that these software companies have "permission" from the banks to do this. This isn't the case. A few recent developments have highlighted why this is a big problem.

The Background
The data doesn't come direct from the banks. It comes from a  third-party called Yodlee.

Yodlee don't have permissions from the banks either. They use a technique called "screen scraping". To do this, they require the user to hand over their internet banking log on credentials.

Liability
If someone robs £50k from your bank account through no fault of your own, you're protected., The bank assume liability.
If you've breached your bank T&Cs by handing over your credentials to someone else then the liability is yours. You're not going to get your money back.
If you're advising your clients to use a Yodlee-powered service, I hope you're making them aware of this.
I can't bring myself to put Yodlee feeds in KashFlow without making this issue VERY clear to anyone that uses it, which I suspect would mean not manypeople would actually go ahead and use it.

Security
There's a big furore in South Africa at the moment about security and the Yodlee service. The banking ombudsman there is quoted as saying "divulging your internet banking credentials... clearly exposes one to enormous risks." See "Use financial management tool ‘at your own risk’".

Personally, I agree with another article that says it's "most probably, but not necessarily, safe". But with small businesses only just coming around to the idea of using cloud services, I don't think it's a good idea to expose them to security risks - perceived or real - without making it clear what's going on.

Reliability
This is probably the biggest reason we've kept away from providing/using this service.
A KashFlow customer pays us for a service and they rightfully expect it to work.
If something breaks, they don't care that it's because of a third-party using a slightly dodgy data gathering method and it's out of our hands.
Due to the way screen-sraping works, it breaks regularly. This isn't just a theoretical issue. As I write this the feeds of data from RBS, Natwest and a number of other UK banks aren't working and there's no way of knowing when they will be up and running again (and when they are up, no way of knowing when they will break again and for how long)

I'm not willing to expose my customers to that level of reliability. It would reflect badly on us and our partners that recommend the software

Feeds in KashFlow
We will be putting bank feeds into KashFlow. But we'll be getting the data legitimately via the front door, rather than getting unauthorised access via a back door.
Unfortunately doing things properly take a little longer but it does mean there will be no reliability or security issue.

If you/your clients want bank feeds NOW and you use a service that uses Yodlee, you have a responsibility to make sure your customers know the risks involved, especially around liability.

Comments

Xero

chatman | | Permalink

Would be good to get the Xero response to this.

Thanks

wilcoskip | | Permalink

This is good (and vital) information, which I had no idea about.  Thanks for bringing it to our attention.

WS.

cverrier's picture

3rd party links are too risky

cverrier | | Permalink

I had the same concerns when looking for a personal finance system to replace my elderly copy of MS Money.    I looked at MoneyDashboard.com - which looked like it might be the answer, but in the end couldn't get round the fundamental issue that required I divulge my online banking login details to a 3rd party - I just couldn't bring myself to do it.

I'm sure the actual risk was low, but in the end, the potential for disaster in the event of a problem was just too high to contemplate.   After all - if there ever was a problem, even one that was entirely unrelated to Moneydashboard, the bank could still use that as a way of refusing compensation.

Xero address this in the same way that Kashflow have - by dealing direct with the banks - which means the integration links are authorised by the bank themselves.    Xero started in Australia/New Zealand where banks historically were much more willing to get involved in this (and technically better placed to implement it).     It's proven MUCH harder for cloud providers to negotiate with UK banks in the same way (plus each bank has unique IT systems that makes the whole thing more complex to implement).

 

DuaneJAckson's picture

Xero do use Yodlee    3 thanks

DuaneJAckson | | Permalink

cverrier wrote:
Xero address this in the same way that Kashflow have - by dealing direct with the banks - which means the integration links are authorised by the bank themselves.

No they don't.

Not for the majority of UK banks.

See http://blog.xero.com/bank-feed-status/

cverrier's picture

I stand corrected!

cverrier | | Permalink

Apologies Duane - I was making an assumption based on their AUS/NZ setup.

Barclays calculator-like things

chatman | | Permalink

For Barclays, you have to use one of those little calculator-like jobbies, which generate a new password each time, so surely they couldn't avoid liability for giving away your details if you have used one of them.

Two Questions

sambit | | Permalink

Interesting Blog!

1) How do you weigh the risks of Yodlee against using online credit card payments and the companies that store your credit card details?

2) Dealing with individual banks I would assume would also mean SOAP directly into the bank system but you would still need some sort of authentication and vault for hashkey or password storage. Does that mean the risk is totally mitigated?

@misra_sam
Program Manager

SortMyBooks

 

Credit Card Details

chatman | | Permalink

You are allowed to give your credit card details away (to suppliers). You are not allowed to give away your bank login details.

garyturner's picture

Xero bank feeds

garyturner | | Permalink

Good discussion into which I'm happy to cast some light.

We think that the prospect of near realtime banking in your accounting app is a profound change to the way small businesses manage their cashflow. Accordingly, we set out to lead the field by building the best bank reconciliation capability we could, and to provide our customers with multiple methods of loading their bank transactions where most accounting apps offer a limited single method.

  1. Bank statement upload - this involves the manual download of an electronic file from your bank's online banking system and the manual upload of that file into Xero each time you want to populate Xero with your recent bank transactions. This is the foundation method of uploading your banking data into Xero and we support the broadest range of statement file formats available from .OFX, .QFX and CSV.
  2. Partner Bank Feeds - these are automated feeds that come directly from a bank where Xero has a direct technical agreement with the bank and the mutual bank and Xero customer whereby the bank provides Xero with a daily electronic submission of the customers transactions. These then appear automatically in Xero, refreshed every day. The first (and thus far only) Partner Bank Feed we launched in the UK came online in April 2009 for HSBC customers, and today more than 7,000 bank statement updates are automatically delivered by HSBC directly into Xero every day in the UK.
  3. Yodlee Bank Feeds - these automated feeds arrive in Xero via the Yodlee feed aggregation service which came online for Xero customers in the UK in November 2010 and 70 UK banks and credit card account types are delivered through this route. Beyond the UK, our use of the Yodlee service enables Xero users to connect 5,000 unique bank, credit card and financial institutions account types with their Xero bank reconciliation tool.

We find that Yodlee sometimes attracts this kind of controversial commentary for a couple of reasons. These stem from the fact that Yodlee is disruptive to a banking industry that can't agree on a common framework for a transactional conduit for bank feeds (some banks (e.g HSBC) offer their customers a standalone service for this, but most don't), and because the banking industry can't make its mind up about whether it loves or hates Yodlee.

Yodlee says that forty of the fifty largest banks in the US embed Yodlee at the heart of their own online customer service portals under the banks' own white labelling, including American Express, Merrill Lynch and HSBC's EasyView.

Amazon also uses Yodlee as the foundation of its Amazon Payments service.   

Having built our secure Partner Bank Feed service in 2007, we were one of the first accounting software companies to recognise the value Yodlee could add in terms of speeding up our ability to address the largest possible range of bank accounts globally. A little over a year since it became available for Xero customers in the UK, more than 6,000 bank accounts have been connected to Xero through the service.

The manner in which Yodlee feeds appear in Xero also varies from bank to bank, for example more than 1,000 Barclays Bank customers connect their accounts to Xero and have to manually enter a secure PIN each time they invoke the transfer to Xero. While other banks don't rely on a PIN sentry device there's often a degree of manual attendance required, such as memorable word or other security check for Yodlee feeds to connect with Xero each day.

Because of the overhead some bank customer experience with Yodlee feeds, we've seen some Xero customers change banks to HSBC just to get the Partner Bank Feed service which by its nature doesn't require the same intermediary security checks every day. 

Yodlee isn't a perfect solution and one day we'd hope to see more banks building their own plumbing to negate the need for third party supplementers like Yodlee. However, given the preponderance of cases where banks use Yodlee themselves - we were recently asked by a UK bank to build a Yodlee connector for them! - I don't imagine Yodlee will disappear overnight and we're satisfied that this is the right service for our customers.

We're proud to be able to offer the broadest range of choice of bank data capture than any other product in the market and I'm heartened to hear than Duane is still holding back on adding any banking integration to Kashflow (Partner Feeds or Yodlee Feeds) anytime soon.  :)

Gary Turner
Managing Director, Xero
@garyturner

 

PS. By means of illustration of the value of bank feeds; more than 13,000 UK customer bank feeds pump through an average of 5 statement lines into Xero every day, and this flattens to a hypothetical average of 65,000 bank statement lines a week that don't require to be manually keyed into Xero by customers in the UK. This has led to the situation where Xero customers enjoy almost realtime visibility and control of their finances every single day, rather than putting off the chore of building and completing a bank rec.

kmcloughlin@twinfield.com's picture

Data storage

kmcloughlin@twi... | | Permalink

Another thing to look at with this is, where is the data stored. Currently Yodlee store the data in the US and so we need to answer the questions on data security and encryption. I would assume that this comes under the 'Safe Harbour' agreement but still as stated by Duane, will the banks take responsibility if something goes wrong?

DuaneJAckson's picture

Two Answers

DuaneJAckson | | Permalink

sambit wrote:
1) How do you weigh the risks of Yodlee against using online credit card payments and the companies that store your credit card details?

It's a different thing altogether. Besides, very few companies actually store your card details. They preauthorise them and then store a token to re-bill it later on. If that token is stolen then all the theif can do is debit your bank account into the original companies bank account. Not much use to a thief. To store actual credit card numbers you need to be PCI Level One compliant which is a very strong/stringent standard

sambit wrote:
2) Dealing with individual banks I would assume would also mean SOAP directly into the bank system but you would still need some sort of authentication and vault for hashkey or password storage. Does that mean the risk is totally mitigated?

For authorised bank access 1) it's usually read only, so no ability to transfer funds (as opposed to full access) 2) it's approved by the banks, so doesn't breach your T&Cs so doesn't cause you to take on onerous liabilties.

(say Hi to Eileen for me)

DuaneJAckson's picture

calculator-like jobbies

DuaneJAckson | | Permalink

chatman wrote:

For Barclays, you have to use one of those little calculator-like jobbies, which generate a new password each time, so surely they couldn't avoid liability for giving away your details if you have used one of them.

Put yourself in a loss adjustors shoes. There's a 50k liability you have to pay out to the customer. Customer has breached T&Cs and given out their credentials. Would you decide to let your employer (the bank) pay out the £50k? Or would you say "Terms are terms, you breached them, we don't have to pay"?

garyturner's picture

Yodlee is PCI Level 1 Compliant

garyturner | | Permalink

DuaneJAckson wrote:
To store actual credit card numbers you need to be PCI Level One compliant which is a very strong/stringent standard.

Yodlee is a PCI Level 1 Service Provider.

Gary Turner
Managing Director, Xero
@garyturner

Not to Dwell on it but!

sambit | | Permalink
  1. Yodlee is compliant I think ( not sure)
  2. This is still a theory and neither the banks nor any individual have reported issues.
  3. I do agree with Gary the root cause is because of the lack of standard banking interface. If that was present then it would have been much simpler.

Yes I will tell Aileen you said hi. :)

Thanks,

Sambit Misra

SortMyBooks

 

Tkwhitehouse's picture

Banks do it themselves

Tkwhitehouse | | Permalink

I used to use a service from First Direct called Internet Banking Plus, prior to that Egg had a similar service. They both provide you with a single place to log into all your accounts and show the current balance.

Based on the clunky way they worked (you could tell they were logging-in in the normal way in the background) I'm guessing they both scraped rather than having a nice 'front door' route.

I imagine other banks have similar services.

timfouracre's picture

Clear Books & Bank Feeds

timfouracre | | Permalink

Clear Books integrated with Yodlee last summer and since then our customers have been saving loads of time not having to faff around with downloading and importing bank statement files.

 

Initially, we actually took a similar view to KashFlow. However, having investigated Yodlee in more detail we changed our mind and decided to give our customers a choice.

dunkerley's picture

Direct Feeds are tough to set up, but worth the effort    1 thanks

dunkerley | | Permalink

With 25 years experience in direct data feeds, we at BankLink can speak with some experience on the issues raised in this discussion.

Establishing direct data feeds with banks is time consuming and expensive.  We have direct data feeds from more than 100 banks and financial institutions, including now 2 of the major UK banks (RBS/NatWest and HSBC).  Each bank has its own systems, must perform its own legal, security and risk assessments, and must then commit to an ongoing process for administration (adding / removing accounts from the data feed).  Every direct bank relationship involves time, effort and cost to establish and maintain.  So why do we bother when screen scraping could make it all so easy?  The simple answer is consistency and reliability.

We handle over 14 million transactions per month, distributing these securely to over 4,500 accounting practices who in turn use BankLink to service around 250,000 clients.  With volumes that large, we cannot afford to rely on data collected from banks without their knowledge – or for that matter, their cooperation and support.  We need to be sure that the data will arrive every day, that it will be in the right format and free of errors.

Furthermore, given that we provide our service through accounting practices, we have found that most practitioners are not prepared to advise their clients to do anything which might contravene the client’s banking terms and conditions.  They want a service which operates without the need for clients to divulge passwords, PINs, or any other internet banking credentials. 

In expanding our service to the UK over the last couple of years, we have not found the banks here any more or less difficult to engage with than elsewhere.  Indeed for the most part the UK banks have been enthusiastic about a service which better connects banks with small businesses and their accountants and we look forward to adding more banks to our service soon.  Establishing direct data feeds with banks always requires a significant investment of time and effort – an investment which is understandably beyond the patience / resources of many. 

We certainly understand the desire for an easier, faster solution for bank data feeds, but we’ve never found one that offers the levels of reliability and consistency we, and our clients, need.

John Dunkerley

www.banklink.co.uk

paul.k2's picture

This old Chestnut

paul.k2 | | Permalink

As Duane points out, this conversation has come up in the past.

For me it’s very simple.

Providing I stick to the Ts &Cs if my Internet Banking agreement, all risk falls to the bank.

I will happily sign up now for any service using an aggregator or similar technology if I can be assured of one point:

If for any reason I am the victim of fraud, and my bank refuses to compensate me, the service provider offers to meet my legal costs and agree to indemnify me for my losses.

As yet no one has made that offer so I must assume they are not confident of the legal position.

Therefore anyone using or offering these services must be doing so at their own risk. As someone that suffered cheque fraud I am not prepared to take the risk or advise any of my clients to do so.

Paul Kelly

http://www.kellysolutions.co.uk

 

PS

I have been told, but cannot verify, that some banks actively monitor their systems for aggregators and block the connections.

Haven't we covered this before .....

JC | | Permalink

Has anything major changed since the last time (Apr 2011) this was addressed?

Quote

'.. @garyturner
 
I am afraid that your response has not really addressed the Yodlee security concerns in respect of Xero - all that has been said is that it is not the only approach on offer
 
I suppose this really raises the fundamental question of responsibility by the provider
 
Security is potentially an issue and with this in mind, if things go wrong, is it sufficient for a provider to say - we offered you 3 choices and the one you selected went wrong
 
Or
 
is the onus on the provider not to place the user in this position in the first place
..'

Reference:

http://www.accountingweb.co.uk/topic/technology/cloud-accounting-software-review-xero/493411

 

garyturner's picture

It's a choice

garyturner | | Permalink

@JC - I'd guess the banks and software companies who embed Yodlee, or any other similar aggregator inside their services, would be happy to take on the fraud liability if it wasn't for the fact that in doing so they would then inherit the liability for any fraudulent transactions that occur on the account - even by the customer's own criminal hand - unless of course they could prove beyond any doubt that it wasn't as a result of a failure in their or their third party's systems.

Banks can help immediately - and some do - by providing their customers with read only access rights that specifically limit the access that aggregators get to downloading transactions - that effectively eliminates any risk.

The wider issue that's not surfaced yet on this issue of trust, is vendor viability - as has been pointed out above, building out a bank feed capability whether direct with banks or through third parties (both of which Xero has done) is not a quick nor insignificant undertaking in either financial or operational senses.

Trust and viability extends to all data held by cloud software vendors and third party relationships they employ to provide their services to their customers, the internal operational disciplines employed by cloud vendors (and associates) and the level of accountability they undertake to respect.

As a side note, it would be more transparent and contextually helpful if certain commenters on this thread would explicitly identify themselves as being associated with accounting software businesses (as opposed to accounting practices or end users) that either compete with Xero or other accounting systems that provide bank feeds to their customers.

Gary Turner
Managing Director, Xero
@garyturner

kmcloughlin@twinfield.com's picture

Bank Feeds

kmcloughlin@twi... | | Permalink

I agree that we all need to lobby the UK banks to make this easier. In the Netherlands the banks are happy to download all client transactions over night into a secure area in the Twinfield environment. We can then import these, without compromising security and keeping all the data in Europe. When the client logs on in the morning, all that they have to do is manage the exceptions. Of course this is also due to the stringent security measures used by Twinfield and the 'Twinfield 'self learning' software.

For the UK Twinfield invest heavily to provide methods to upload statements and use the inbuilt facilities as we never want to compromise security or where the data is stored, but wouldn't it be better if the banks made this easier.

Account Aggregation

james.varga | | Permalink

I just wanted to add my support for Yodlee and account aggregation. Having been involved in the industry for a couple of years now I can say with confidence that its here to stay. 

In terms of liability we looked at this quote extensively. What it really boils down to is that banks are not going to withhold their obligations under their T&C's JUST because you have used a PFM service or such. They would have to prove that it was due to the use of the PFM before they would not cover you. To date, and with many many millions of users using account aggregation of one sort or another just now - there has never been a case of this. The way Yodlee stores and handles your information there is really minimal risk and its a read only environment. 

Account aggregation isn't something new - its been around for over 10 years in the UK alone. It is disruptive though and this is why many people don't like it.

What you have to think is what does it give the consumer - visibility, convenience, simplicity, etc. We are using Yodlee's services in quite a different way - to solve a big problem in online identity. It allows us to quickly, easily and with a huge amount of coverage provide a service to consumers in a way that works for them. 

We should be working together as an industry to support these sorts of movements - if not for ourselves...for our users. 

 

James Varga

CEO

www.miiCard.com

NumberBruncher's picture

 

NumberBruncher | | Permalink

 

OCRex released AutoRec, a desktop application that OCR's bank statements. It is NOT the same as other generic OCR packages. It has been developed specifically for hundreds of different UK bank statements and provides for 100% accuracy verification so that all debits/credits and balances are always spot on. Released less than 12 months ago, there are already more than 300 accountancy firms subscribed to it - for the good reason that it works, that it doesn't require business owners to logon to internet banking and download CSV files, it doesn't require authorisations to be given to accountants to access their online banking or most importantly, require that internet banking authentication details to be given to third parties that bounce them around the internet and/or store them in foreign jurisdictions. 

Anyway, OCRex is now at the testing stage with a cloud based solution specifically to offer an alternative to vendors like KashFlow, Twinfield and others from having to either use aggregators or not having a solution at all. It would allow vendors' users to securely upload scanned images of bank statements or eStatement PDF's to their chosen accountancy solution and we provide the tech to extract of the data into an electronic format that the vendor can use to provide its users with an automatic bank reconciliation ... without breaking any banking T&C's or exposing your user base to unnecessary risk.

I, as I'm sure everyone on this thread can accept that there is a massive demand for feeds. But saying the banks aren't helping isn't justification for getting your user base to break their T&C with their banks. In my opinion, if those that use screen scraping technology are that proud of their security measures, they should put their money where their mouth is and provide a guarantee. Isn't that what the credit card companies do? If it was guaranteed, you can be sure I'd give it the thumbs up. 

As for BankLink, while our product competes with theirs, I respect their approach to how the have developed their solution. It's safe and in agreement with the institutions they work with. It's just unfortunate for them that they have not been able to cater for more than a few banks in the UK. 

One more great thing about the ocrex solution is that it's not just a "from now on you can get your bank statement data". With the OCRex solution you can get data from years of past statements as well. 

Brendan Woods 
OCRex CEO & Founder

I am using Xero and also work    1 thanks

Peter Lovatt | | Permalink

I am using Xero and also work in IT and know a reasonable amount about IT and online security.

I thought long and hard about Yodlee. The thing that worried me was that they must store my logins in a way that can be used - security details like password are usually hashed - a one way incryption. Yodlee cant do this, because they have to use the actual details. And that means that if they are broken into the details can be acquired and used for fraud. 

There were a couple of points that were key to me deciding to continue using them, and I think they are universal.

We have to assume there is a risk ( very small ) that they will be hacked. We already trust payment gateways and PayPal to store our payment information ( the really risky stuff - the problems from someone reading our bank accounts is much smaller. ) so the risk of using Yodlee is the same, except that card processing has very developed fraud screening, bank payments less so (I am open to correction on this) So, if I am ok with PayPal storing my card details I can accept the risk from Yodlee.

The real decider was that that the banks I use - Lloyds, NatWest and HSBC all now have 2 factor authorisation for new payees. This means that if the details are stolen, all they can do is send money to someone I already pay. For me that is an acceptable risk.

I would say very strongly that for banks without 2 factor authorisation its a REALLY bad idea. If the details are stolen your money could be in a Ukraine bank before you can blink, and you are not covered by your bank.

I see that as fundamental, and its as simple as 2 factor = OK, no 2 factor = not OK

The convenience and control it gives business owners and individuals is huge, and bring real benefits, which need to be weighed against the risks.  I hope the process I went through is useful for other people thinking about it.

Peter 

Director 

Sunmaia Internet

 

 

We decided not to offer it!

E. Reid | | Permalink

I completely share the concern that handing over sensitive information to unauthorized third party is a risky move. 

Here at Keepek we have spent some time debating the issue. Some of our users asked for it because it's convenient for them. However, in our eyes, the risks were high. At the end the team agreed to not offer this feature. Now, we ask our users to upload directly their bank statements to our platform. They'll spend 3mn a month doing that but at least they do not breach any agreement with their bank. 

http://www.keepek.com

I too am concerned about the

shaflidason | | Permalink

I too am concerned about the risks involved in providing unfettered access to accounts to a company in the US. As a programmer I could see right away that they were "screen scraping" which suggested that I'd be handing over details that I should never hand over, and so would be breaching the T&C's.

One way to limit the risk however is if you can set up another user account for your bank account, and make that user "read only", i.e. it cannot move any money, then not only can you revoke Yodlee's access to your accounts at any time, there is no potential for money to be moved without your consent.

Even with that however, there are still the inherent risks in providing full account details of your (or your clients') business to a 3rd party with whom you do not perhaps have a close relationship.

GlennDrake's picture

2014 and still no bank feeds

GlennDrake | | Permalink

This whole situation is due to a complete lack of interest from any of the major UK banks, through their inaction they have contributed to the widespread use of screen-scraping encouraging people to breach their Ts and Cs. We're now in 2014 and sadly very little has changed.

Screen-scraping is a horribly messy way to extract information from websites. It's extremely high maintenance, slow and breaks routinely, there's no way way to provide any sort of stability and consistency using this method. Yodlee have carved a business out of doing this on an industrial scale, there's no test environment everything is done with live bank credentials.

Providing a secure read-only data feed would be fairly trivial to implement for most banks. Only when their customers start demanding change will things improve, that means screaming at your bank not the accounting software. There's so little to separate the big banks now, this could be a way for one of them to take the lead and really differentiate themselves.

It looks like Barclays will be the likely candidate to move forward with bank feeds first, they've already dipped their toes in the water with Freeagent. Let's just hope they don't try to commercialise it.. I'm sure many banks aren't exactly thrilled about ceding traffic to third party financial applications but really it's time something was done.

In the mean time, here's a few suggestions on the Barclays site worth voting up:

https://www.yourbank.barclays.co.uk/t5/Your-products/Data-feed-with-Quic...

https://www.yourbank.barclays.co.uk/t5/Your-products/Automated-bank-feed... https://www.yourbank.barclays.co.uk/t5/Your-everyday-banking/Email-machi...

Add comment
Log in or register to post comments