OAuth and Banking - Let's make Statement APIs

December 01, 2010

OAuth lets us standardize limited access to personal banking data.

Accessing bank statements programmatically is a difficult problem. Finance-tracking websites like Mint involve typing in your username and password for some US banks, and most UK banks don't allow automatic export of statements at all.

UK building society Nationwide recently dropped structured formats from their online statements, offering only PDF! It is shocking that a bank would drop structured data output in favour of PDF in 2010.

Banks should implement OAuth to allow applications restricted access to customers' bank accounts. From there they should provide an API for accessing your statements in a structured format (JSON / XML). This in turn would drive innovation in mobile and web financial applications, and that would drive more customers to the banks that provide these digital services.

This excerpt from oauth.net describes the concept of limited access using OAuth:

Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.

Every day new websites offer services which tie together functionality from other sites. A photo lab printing your online photos, a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services – what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only do you expose your password to someone else (yes, that same password you also use for online banking), you also give them full access to do as they wish. They can do anything they want – even change your password and lock you out.

This is what OAuth does: it allows you, the User, to grant access to your private resources on one site (which is called the Service Provider) to another site (called the Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts).

Because you authenticate with the bank itself during the OAuth flow, existing login credentials can be reused, so adding OAuth to the internet banking suite would be an enhancement rather than a rewrite, allowing banks to keep their existing internet banking login functionality.
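To make the valet-key idea concrete for a statements API, here is an added example (not code from this post or from any bank) of an OAuth 1.0a exchange in 2010's HMAC-SHA1 style: the Consumer signs a GET against a hypothetical statements endpoint using only its consumer secret and the user's access token secret (never the banking password), and the Service Provider verifies the signature, freshness and nonce, then enforces that the token's scope only permits reading statements. The endpoint URL, keys, secrets and the "statements:read" scope name are all constructed assumptions.

```python
import base64, hashlib, hmac, time, uuid
from urllib.parse import quote

# Constructed sample values: a hypothetical bank endpoint, one registered consumer (a budgeting
# app) and one access token the user approved for reading statements only (the "valet key").
STATEMENTS_URL = "https://bank.example/api/v1/statements"
CONSUMER_KEY, CONSUMER_SECRET = "budget-app", "consumer-secret-constructed"
TOKENS = {"valet-token": {"secret": "token-secret-constructed", "scope": {"statements:read"}}}
REQUIRED_SCOPE = {("GET", STATEMENTS_URL): "statements:read"}  # every other operation is unlisted, so denied
SEEN_NONCES = set()  # provider-side replay protection

def pct(s):
    return quote(str(s), safe="-._~")  # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay raw

def signature_base_string(method, url, params):
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())  # sort by encoded key, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, query, token, token_secret, nonce=None, timestamp=None):
    """Consumer side: attach oauth_* parameters and a signature; no bank password is involved."""
    params = dict(query, oauth_consumer_key=CONSUMER_KEY, oauth_token=token,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_nonce=nonce or uuid.uuid4().hex, oauth_timestamp=timestamp or int(time.time()))
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), CONSUMER_SECRET, token_secret)
    return params

def verify_request(method, url, params, now=None, window=300):
    """Service-provider side: returns (ok, reason). Checks signature, freshness, replay, then scope."""
    token = TOKENS.get(params.get("oauth_token"))
    if token is None or params.get("oauth_consumer_key") != CONSUMER_KEY:
        return False, "unknown token or consumer"
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned), CONSUMER_SECRET, token["secret"])
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "bad signature"
    if abs((now or time.time()) - int(params["oauth_timestamp"])) > window:
        return False, "stale timestamp"
    if params["oauth_nonce"] in SEEN_NONCES:
        return False, "nonce replayed"
    SEEN_NONCES.add(params["oauth_nonce"])
    needed = REQUIRED_SCOPE.get((method.upper(), url))
    if needed is None or needed not in token["scope"]:
        return False, "token scope does not permit this operation"
    return True, "ok"
```

The last check is the valet key in action: a correctly signed request to a hypothetical transfers endpoint with the same token is rejected on scope, not on signature.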

This would bring banks and banking data up to speed with the current developments in technology. There looks to be an interesting development in the US which separates the internet offering from the web technology. Bank Simple could pave the way for a new direction in how we bank.

Traditional banks need to embrace this or risk getting left behind by a new generation of tech savvy online operations.