23
Aldar
8d

Got pretty peeved with EU and my own bank today.

My bank was loudly advertising how "progressive" they were by having an Open API!

Well, it just so happened I got an inkling to write me a small app that would make statistics of the payments going in and out of my account, without relying on anything third-party. It should be possible, right? Right?

Wrong...

The bank's "Open API" can be used to fetch the locations of all the physical locations of the bank branches and ATMs, so, completely useless for me.

The API I was after was one apparently made obligatory (don't quote me on that) by the EU called the PSD2 - Payment Services Directive 2.

It defines three independent APIs - AISP, CISP and PISP, each for a different set of actions one could perform.

I was only after AISP, or the Account Information Service Provider. It provides all the account and transactions information.

There was only one issue. I needed a client SSL certificate signed by a specific local CA to prove my identity to the API.

Okay, I could get that, it would cost like.. $15 - $50, but whatever. Cheap.

First issue - These certificates for the PSD2 are only issued to legal entities.

That was my first source of hate for politicians.

Then... As a cherry on top, I found out I'd also need a certification from the local capital bank which, you guessed it, is also only given to legal entities, while also being incredibly hard to get in and of itself, and so far, only one company in my country got it.

So here I am, reading through the documentation of something that would completely satisfy all my needs, yet that is locked behind a stupid legal wall because politicians and laws gotta keep the technology back. And I can't help but seethe in anger towards both the EU that made this regulation and the fact that the bank even mentions this API anywhere.

Seriously, if 99.9% of programmers would never ever get access to that API, why bother mentioning it on your public main API page?!

It... It made me sad more than anything...

Comments
  • 4
    become a legal entity in minutes?
    Estonia's e-residency lets you open shop for a virtual company.

    https://e-resident.gov.ee/
    What is e-Residency | How to Start an EU Company Online
  • 12
    Yeah, open banking is designed so other (supposedly trusted) organisations can write apps that work across banks in Europe to do things such as analyse your account data, take payments, set up standing orders, that sort of thing.

    It's basically impossible for you to use it as an end user - and it's a very odd (and backwards) definition of an Open API.

    All it really means is that "banks must have a way to integrate with this specific type of API request on some level" even though it's not an API you can meaningfully access.
  • 4
    @heyheni I wouldn't recommend this way, it's too paper-heavy. You would also need a permission of your government. The PSD2 also defines that customers have their own API. In Germany it's mostly HBCI, due to historical reasons.
  • 2
    And HBCI has another advantage: it's theoretically possible to implement a static webpage to communicate with the bank, since it's also specified for HTTPS. The current version is FinTS 4.0, but most banks use FinTS 3.0 aka HBCI 3.0.
  • 3
    I feel your pain man, I had a very similar experience with my bank. Their API had just enough docs to get you sorta started but no actual usage examples or clear info on how to actually use it. Fun times.
  • 5
    @LucaScorpion I mean... That's probably what aggravated me the most.

    My bank had all the detailed documentation in their main developer portal.

    ALL OF IT. INCLUDING ALL THIS OPEN BANKING STUFF.

    Seeing that, how could I have known that it was locked behind a frickin blast-door of laws like that? -_-"
  • 1
    I had the same with my project. Not limited by technology but by law.
  • 3
    Going through bank certification for my code right now with a large bank in the US, meetings 2 times a week, and I keep raising issues with bugs in their integration I've found. They keep telling me, well, it's deployed on other platforms just fine so it must be my code (management); get response on ticket from their devs accepting responsibility a few hours later. Is not fun dealing with infallible financial institutions.