Sensitive Matters: Banks and Sensitive Data - Part 2

Legislation changes would not suffice if they weren't accompanied by technological advances. Thankfully, the technology race started years ago and it's in a more than solid enough state for the legislation to accommodate.

Different technologies serve different purposes, which we will touch on later in this article. Technology that works hand-in-hand with data can be grouped in 3 ways:

Accessing data

How does a third-party app access data from a bank? How do a thousand third-party apps access this data? And... more to the point, how does a third-party app access the data from a thousand banks? These three questions have surprisingly different answers.

There are multiple ways to achieve this data access, and each way can be implemented differently. We'll show some of the different choices, but bear in mind that each of them can be implemented in a different manner, with intermediate processes, different flows, etc.

EXTRACT, TRANSFORM, LOAD

Usually abbreviated as ETL, this is a process where we take a set of data and manipulate it in order to convert it into a format and structure that we can work with. The solution can be implemented in different ways and it depends on the kind of agreements the app makes with the banks. 

One example of this working in the finance sector may be an app that needs data from different banks that are not willing to use any "newer" technologies yet. The banks would not disclose their own data structure and the app doesn't want it either. The bank uses its own ETL to convert its complex internal structure to an agreed simpler structure with only the data that the app needs (masked account numbers, filtered transaction information, no real names, etc.). If the app manages to get different banks to agree to the same structure, then it can use the same ETL for all of them, transforming the data that the banks provided into the app's internal structure.

Let's see an example:

[Figure: ETL graph]

  • Can a third-party app access data from a bank? √. You need to reach an agreement with one bank to gain access (or 3, 4...).
  • Can a thousand third-party apps access data from a bank? Χ It depends on who the bank makes the agreement with. Different apps have different necessities.
  • Can a third-party app access data from a thousand banks? Χ It is virtually impossible to establish the same agreement with a thousand banks.
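The bank-side ETL step described above (masked account numbers, filtered transactions, no real names), as an added example that is not code from the original article: the internal field names, the agreed structure and the key are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed key that stays inside the bank; the app never sees it.
PSEUDONYM_KEY = b"constructed-demo-key"

def mask_account(number: str) -> str:
    """Mask an account number down to its last four characters."""
    compact = number.replace(" ", "")
    if len(compact) <= 4:  # too short to reveal any part of it safely
        return "*" * len(compact)
    return "*" * (len(compact) - 4) + compact[-4:]

def customer_ref(customer_id: str) -> str:
    """Keyed hash: lets the app group records without learning the real id."""
    mac = hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def transform(record: dict) -> dict:
    """Build the agreed record field by field (allow-list), so internal
    fields added later are never exported by accident."""
    return {
        "customer_ref": customer_ref(record["customer_id"]),
        "account": mask_account(record["iban"]),
        "date": record["booked_at"][:10],
        "amount": record["amount"],
        "currency": record["currency"],
        "category": record["category"],
    }

def export_for_app(records, agreed_categories):
    """Filter to the agreed transaction categories, then transform."""
    return [transform(r) for r in records if r["category"] in agreed_categories]

# Constructed internal records standing in for the bank's private structure.
INTERNAL = [
    {"customer_id": "C-1001", "holder_name": "Jane Example", "risk_score": 7,
     "iban": "ES00 0000 0000 0000 1234", "booked_at": "2018-03-01T09:12:44",
     "amount": -42.5, "currency": "EUR", "category": "groceries"},
    {"customer_id": "C-1001", "holder_name": "Jane Example", "risk_score": 7,
     "iban": "ES00 0000 0000 0000 1234", "booked_at": "2018-03-02T18:30:00",
     "amount": -900.0, "currency": "EUR", "category": "medical"},
]

if __name__ == "__main__":
    for row in export_for_app(INTERNAL, {"groceries", "transport"}):
        print(row)
```

Building the output from an allow-list means the holder name and the internal risk score never leave the bank, even though the code never mentions them.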

Public APIs

API stands for Application Programming Interface, and it basically means that the source of the data (a bank) would offer a set of instructions to access some data that they share publicly. The bank may require authentication, a fee, a subscription, etc., or be totally public and free.

Following our previous example, an app would like to access data from different banks. The app would need to implement the APIs of each of the banks it wants to use. Ideally, the banks would provide quite similar APIs for accessing transactions, accounts, etc. It's the app's responsibility to read the data that the bank provides, and adapt it to its internal needs. There is no agreement on the format or structure of the data. The bank decides.

[Figure: Public API graph]

  • Can a third-party app access data from a bank? √. You just need to implement the bank's API (or 10, or 15).
  • Can a thousand third-party apps access data from a bank? Χ. Every app should implement the bank's API.
  • Can a third-party app access data from a thousand banks? Χ. Each bank will provide a different API, and implementing all of them is an expensive task.

Screen Scraping

This method works by using a "bot" to log in to the user's online banking platform and 'read' what the user would see. It detects patterns, searches for specific texts, etc. in order to obtain information. This method may sound crazy but it's widely used and there are companies that offer bank data based on this method.

This method has several disadvantages:

  • It requires you to share your Online Banking credentials with a third party.
  • It only captures what the user sees, not what the bank has. The bank may decide to only show the last digits of credit cards, or limit the results to the last 3 months, or truncate the description of a transaction, etc.
  • If the bank decides to change the layout and style of its platform, the information collected may be wrong or non-existent. 
  • The bank can detect that the "user" accessing the platform is not a real person and decide to block it for security reasons.
  • This method is slower than any other. It needs to go through the whole page looking for data, clicking on links to access different sections, paginating through tables, etc. 
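A sketch of how a bank could spot the non-human "user" mentioned in the list above, added here as an example and not taken from the original article or from any bank's system: it flags sessions whose requests are both fast and evenly paced. The log rows and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access-log rows: (session id, seconds since login, path).
LOG = [
    ("s-bot", 0.0, "/login"), ("s-bot", 1.0, "/accounts"),
    ("s-bot", 2.0, "/accounts/1/tx?page=1"), ("s-bot", 3.0, "/accounts/1/tx?page=2"),
    ("s-bot", 4.1, "/accounts/1/tx?page=3"), ("s-bot", 5.0, "/accounts/1/tx?page=4"),
    ("s-bot", 6.0, "/cards"), ("s-bot", 7.0, "/logout"),
    ("s-human", 0.0, "/login"), ("s-human", 8.0, "/accounts"),
    ("s-human", 31.0, "/accounts/1/tx?page=1"), ("s-human", 35.0, "/cards"),
    ("s-human", 70.0, "/accounts/1/tx?page=2"), ("s-human", 74.0, "/transfers"),
    ("s-human", 120.0, "/logout"),
    ("s-short", 0.0, "/login"), ("s-short", 0.5, "/accounts"),
    ("s-short", 1.0, "/logout"),
]

def gaps_by_session(log):
    """Seconds between consecutive requests, per session."""
    times = defaultdict(list)
    for session, t, _path in log:
        times[session].append(t)
    return {s: [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
            for s, ts in times.items()}

def looks_automated(gaps, min_requests=6, max_mean_gap=2.0, max_cv=0.2):
    """Flag fast, evenly paced sessions; short sessions are left alone
    because a few quick clicks are normal for a person."""
    if len(gaps) + 1 < min_requests:
        return False
    avg = mean(gaps)
    if avg == 0:
        return True  # many requests sharing one timestamp
    # Coefficient of variation: low means machine-like regular pacing.
    return avg <= max_mean_gap and pstdev(gaps) / avg <= max_cv

def flagged_sessions(log):
    """Session ids whose timing profile looks scripted."""
    return sorted(s for s, g in gaps_by_session(log).items()
                  if looks_automated(g))

if __name__ == "__main__":
    print(flagged_sessions(LOG))
```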

So, why is it so widely used? Because it doesn't require any action from banks. There is no need to establish an agreement, the bank doesn't need to have a public API, and the app does not need to pay anything to the bank.

PSD2

It’s about time we end screen scraping techniques and other less efficient methods in favor of new standards like PSD2, which is now imposed for banks in the EU.

By having one single specification for accessing data from different entities, we’ll be able to check all the questions:

How does a third-party app access data from a bank? PSD2

How do a hundred third-party apps access data from a bank? PSD2

How does a third-party app access the data from a hundred banks? PSD2

PSD2 is upon us: 2018 will be the year for Open Banking, access to data and disruption within the banking sector. 2018 will bring competition, innovation and standardization set to benefit all parties.  Banks and non-banks will have access to more information than ever before, and customers will begin to receive a better banking experience all round.  

A sensitive topic, perhaps, but one that will mark a before and after in finances, like it or not.

Topics: LEGISLATION, financial technology, psd2 impact on banks, API, Data Security, financial data

Author: Pablo Reyes, Software Engineer on Mar 15, 2018
