Osuuspankki Says No To Balancion

Osuuspankki, one of the largest banks in Finland, has put out a statement reminding people of the dangers of using software to query their bank account statements. In essence, it is talking about pulling data from the bank with Balancion. The bank says that using such third-party applications is against its terms of service as well as dangerous for security reasons.

Balancion is a Mint-like service aimed at understanding personal finance. It has received much attention in the press, and for good reason: it’s useful and there’s a real need for what it offers. Since there are no APIs in the Finnish banks, Balancion uses a java browser to pull data from the bank accounts. This is the part of the service Osuuspankki does not like.

I cannot help but wonder why the banks in Finland have not taken the same path as banks elsewhere in the world. Keeping huge walled gardens when there is clear demand for third-party applications that build value for the banks’ customers is just nonsense. They have never managed to create so much value for so little effort – why not allow this?

Problems like these largely come down to incompetence and an inability to truly understand how value is created in new economies such as the online environment. I hope other banks see this as an opportunity to improve their services to their customers.

(Hat tip to Markus Ossi)


23 Comments

  1. Well, this is a pet peeve of mine – and I did blog about it recently at length: bit.ly/beTim0

    Really, this is not a problem very specific to Finland. In the US the personal finance startups are doing exactly the same “bad” things that have ruffled OP. Yes, there is standard API and data formats used (OFX), but still no way to authorize a third-party to fetch your data from a bank in a secure way. Partly this problem is in practice mitigated by the presence of Yodlee, an account aggregation company. So you share your online banking credentials with Yodlee and eg Mint gets your data via Yodlee. But that just means you need to trust Yodlee.

    And it has to be noted that for *corporates* things are fine in Finland. APIs, standard data formats, all okay. It is just a bit new here that *consumers* would want same kind of access. After all, we disposed of checks long ago so no need for Quicken et al to balance your checkbook, and hence no need for desktop personal finance software to get your data from your bank.

  2. Jukka

    OP-Pohjola is the largest financial group in Finland. Please help them realize what they might be missing.

    Send them a message, call them, do something. This is your obligation as a customer, as an owner member (omistajajäsen) or as a citizen of Finland (if you’re not a customer). Non-customers can send feedback from: https://www.op.fi/op?id=311&srcpl=3

    Everyone on this forum knows that Finland needs innovative companies like Balancion. Let’s not allow old school frozen minds hinder the development of new innovative ideas.

  3. I don’t know the reason for this policy, but I could guess.

    The biggest worry could be those over 10 million Trojan horses that are installed on Windows computers and are still undetected by antivirus software as we speak (source: RSA). They’re just waiting to activate at the right time.

    Banks may consider an open API as one more way for those criminals to get access to their customers’ money. At the moment it’s the bank who loses money, if their customers choose the wrong software.

  4. At least for business accounts (which are exactly the same as personal accounts, as they can be linked under the same login) you can get a secure API key for scripted access. So they do have API access. They charge quite a bit per month for it though, but the tech is there and they should just let people use it (or allow giving read-only access to authorized third parties, which could be done using the regular access card way).

  5. pp

    OP has built their own budgeting tool within their netbank, so Balancion is also competing with them. And do not forget that banks view their own netbanks as shops to sell new products to their existing customers as well, they want their customers to spend as much time as possible in their service, not a third party service where their customers will probably be exposed to marketing from competitors.

    So I think this is an expected decision and after this I would not be surprised to see other banks decline access as well.

  6. As Jani noted, a bank account is just a bank account so there is no technical limitation as such to offer access to consumers using existing APIs. See http://bit.ly/bpdbAA – the “Web Services -rajapinta” part is the SOAP API that is now available from the bigger Finnish banks. On the same page standard data formats used by the local banks are also described.

    However, this works for corporates, but no way for consumers. To get API access you need a visit to a branch for contracts and then it takes a week or so for them to issue you the keys. You then need to download some additional certs and finally provide all the necessary tokens to whoever needs to be able to access your accounts (like your internal systems or accounting provider).

    So these existing mechanisms are really a total non-starter for consumers. What you’d need is an OAuth-based mechanism for doing the authorization of third parties and a very lightweight protocol for read-only fetching of account statements. Easy enough to do but not going to happen in the near term.

    The core of the problem is that most people have a relationship with one bank only, and in such scenario that bank would like to push their personal finance management solution, integrated with their online bank. What I could see happening is one of the new entrants (eg Sofia Pankki) offering an open, but proprietary API in order to entice web-savvy customers. But that customer segment is really very niche and after all the open API would be a loss leader product. You’d perhaps get some deposits in and that’s kind of useful, but what you’d really need is to monetize those customers by upselling stuff like wealth management services.

    Another possibility would also be that one of the vendors of banking software used by many of the local banks (like Crosskey or Samlink) would build an API into their product. It would still have to be sold to their bank customers though so they’d need to see the demand. Now, who is going to set up this grassroots Facebook campaign to lobby for banks to join the data portability movement?

  7. pp

    facebook grassroots campaign for data portability movement in finland? how many people do you think will join? :D

    it looks very bad for balancion. i know finnish banks as i have worked there and to them, data and customer security is the number one concern. and honestly, balancions mint clone is not going to make them change their priorities.

  8. As pp mentioned, OP has their own budgeting tool, which they charge for. It’s just sad that for the three years I’ve been using it, they have not developed it at all.

    These kinds of tools really add value to banking, but this is something Finnish banks have not yet realized. People’s netbanking habits are evolving and the big banks are not in a very good position to benefit from the change. Balancion is just the beginning of a huge structural change that will hit the banking sector during the next 5 years.

  9. @pp, um, well, does like ten people count as a true groundswell of public outcry against the evil financial institutions keeping innocent consumer data captive? No, didn’t think so either. But that kind of just reinforces my point: the demand for banks to open up is very niche.

    You do raise good points though on the non-technical aspects. Of course, OP is mostly worried about security (take for example the recent phishing attacks that ended up costing Nordea rather a lot). But banking is a business where customer acquisition costs are usually high and churn comparatively low (eg compared to mobile operators). Nevertheless, if third-party systems like Balancion might encourage churn at established players, it means the customers need to go somewhere, like switch to some smaller upstart banks. So those banks do have an incentive to be open.

    Too bad banking isn’t such a good area for lean startups. There’s the simple matter of 5m euros of capital needed and onerous but understandable licensing requirements. If not, one could just see if there’s traction for an open bank. Of course, if consumers would be comfortable banking with an entity based in, say, Malta, that would be different, but they’re not.

  10. The CEO of Balancion left a comment on my blog post where I was wondering the same thing: http://www.tarkkamarkka.com/blogi/2010/01/osuuspankki-kielsi-balancionin-kayton/

    The most interesting part is here: “Itse asiassa alkuperäisessä tiedotteessaan OP mainitsi myös nimemme. Koko tiedotetta muokattiin OP:n toimesta muutenkin 24 h sisällä 2 otteeseen ja hyvä niin.

    Saatuamme asiasta tiedon eräältä käyttäjältämme, otimme yhteyttä Borenius & Kemppisen juristimme kanssa OP:n juristiryhmän vetäjään ja keskustelumme jälkeen sovimme myös tapaamisen.”

    Rough translation: “Actually in the original statement OP mentioned our name also. The whole statement was modified by OP even otherwise 2 times in 24 hours and that is good.

    After receiving information about the matter from one of our users, we contacted with our lawyer from Borenius & Kemppinen the leader of OP’s legal department and after a discussion set a meeting with them.”

  11. I don’t understand this. At all. Is Balancion not using the standardized interfaces, or what exactly is the beef here? What makes them so special they’re singled out like this?

  12. Juho: There are no interfaces for Balancion to use. In order to overcome this, as stated in the article: “Balancion uses a java browser to pull data from the bank accounts.”

  13. Hi everyone!

    Let's calmly take a little time-out now ;)

    I'll briefly go through the situation and where we stand:

    1) Last week OP sent out a customer bulletin prohibiting the use of services in which online banking credentials are handed over to third parties for use by those services. The content of the bulletin was indeed updated 2 times within 24 hours, and that is good.

    2) A Balancion user notified us of the matter, and together with Borenius & Kemppinen we immediately contacted OP's legal team and went through what Balancion does and what it does not do. The Balancion user therefore does not hand over their credentials to a third party, but logs in directly to their own online bank to fetch the account transactions into the service on their own initiative.

    3) As a result, the situation calmed down, we agreed on a meeting with OP's lawyers, and at the same time the mention of Balancion was removed from OP's bulletin on Friday. That is good.

    4) Next, then, we will meet OP's legal team, and the outcome will probably be that the interpretation in question, arising from a misunderstanding, that a Balancion user would be breaching their online banking agreement, can be forgotten.

    Borenius & Kemppinen has built with us a way for the customer to fetch, with the help of the Balancion service, their own account transaction data from their bank so that it does not violate the law, the online banking agreement, or any other activity subject to regulation or the like.

    At this point, then, the proverbial mountain has already been made out of a molehill ;) It is good that there is discussion about how a service like Balancion could gather the "raw data" critical to its service more easily than at present, and we are actively having discussions about that with OP and other banks.

    So let's not brand OP or the other banks too simplistically if, in their own role, they actively point out that online banking credentials must not be handed over to third parties. We agree on this. That is not what happens in Balancion's case now either, and therefore I would believe that after our meeting with OP all of OP's customers can again use our service with even more confidence.

    OP or any bank may, as such, do whatever customer communication it wants. However, bulletins like this based on a misunderstanding are in our view unfortunate in that they easily give a rather coloured picture of what Balancion's relationship to Finnish banks is; we are a complementary service for which there is clearly even wider demand than we were originally able to estimate.

    We are happy to give more information to Arctic Startup and other interested parties, if you want further information on the matter beyond this.

    Peace on earth and goodwill to men ;)

    Regards, Jussi Muurikainen
    founder/CEO
    Balancion Oy

    PS. In the middle of the rush this is in Finnish for now; I will surely manage to return to the matter later in the evening in the "second domestic language" (English)

    • A fine close to the discussion, which I myself was just about to join with a sarcastically cynical comment about how happy I am to have left Osuuspankki recently. Cynicism, however, is a disease that afflicts us Finns in particular and neither moves anything forward nor creates anything new. Conan O’Brien's last speech as host of the Tonight Show was brilliant precisely for that reason, and someone wrote aptly in their blog about how Apple fights cynicism with its iPads by trying to create something new and great without caring about the critics. Opinions on this can of course differ.

      Balancion is a great service; it is great that these legal matters, too, are handled in exemplary fashion.

  14. Why do You have to get information directly from each bank?
    Why fight with each of them?

    There are not only 2 or 3 or even 5 banks where different people hold their money and make their everyday transactions. People use different banks and combinations of them. That is a huge effort to integrate all of them via bulletproof APIs, to fulfill all security needs and to sign all contracts (they can discontinue your running service at any moment and lawyers can find 100 reasons to punish you financially).

    There is another way to solve that problem.

    Let’s keep away from banks and their problems to keep security at a higher level (that means we really don't need integrations).
    Let’s keep that much more simple.
    First: there is a contract between bank and client.
    There is a possibility to export all transactions from the internet bank using CSV or XML format.
    What people do afterwards with their downloaded files is not the bank's business anymore.
    The bank’s business is to fulfill the client's query and to output the required dataset in the required format.
    On the other hand there is a contract between that person and let's say Balancion. Now that person can upload all the different banks' datasets (CSVs, XMLs) to Balancion on a regular basis (each day, week). Balancion processes them and sorts all transactions into different categories – in the way the client set up their own system.
    In such a way You can cut off all problems with banks and in a very easy way you can add 10..20..30 different banks' output file formats.
    Why I can be so confident – because in Estonia we have done so.
    We have a startup like Balancion doing the same things and we just added in that way almost all the most important banks in Estonia. They don't even know or want to know about that and don't have to have worries about security issues. It is our customers' problem to trust us and to upload transaction files to our system.
    Consider, that is so simple and convenient and You can add all functionalities to process uploaded files and finally You have much more time for the core functionalities of the Balancion system.
    Don't lose time and energy on an effortless battle with banks!

    Ok, when someone is interested – our working startup in Estonia is:

    http://www.fyrca.com

    And good luck for Balancion people…maybe somehow we can cooperate, there is only 80 km inbetween us ;-)

    • Hi Margus, interesting to hear about the Estonian perspective. Any chance you could provide a link to some standards documents for the data formats used by the local banks? Or does each bank perhaps have a proprietary format?

      Good to hear though the netbanks there have account statement download capability. Here in Finland there’s been a migration towards PDF for account statements instead of proprietary CSV formats.

      • Hi Tuomas!

        Each bank uses their own data format. They are very similar but are using different data field names and positions. There is no common standard established. But to be honest, that is only one-time work to add one or another bank's statements import capability. Hopefully file formats remain the same for years.

        Strange that in Finland internet banks in general have no CSV or XLS or XML output possibilities and only PDF? What is their explanation, if any?

        Yes, in Estonia there is also the possibility to get a statement in PDF, like a third or fourth option – CSV, XLS, (XML), PDF.

        Estonian main banks (like Swedbank, SEB, Sampo, Nordea) are also owned by “Nordic” money and rules but still have possibilities to handle your own statements as you like – to open in Excel or some accounting software for postprocessing etc. That also gives us the possibility to use all these statements in fyrca.

        All the best,
        Margus

  15. Jussi Muurikainen

    So here’s the rough translation of my previous post.

    Hi everyone!

    Let’s all take a deep breath and call a time-out, shall we ;)

    So here’s what’s happened lately, in brief:

    1) Last week OP published a customer statement that prohibits the use of such services that ask for ebank user information for third party use, mentioning Balancion as an example of such service.

    2) A Balancion user informed us about the statement, and Borenius & Kemppinen and we contacted OP’s legal department immediately. We wished to make it clear, what Balancion does and what it doesn’t. A Balancion user doesn’t hand over ID’s or passwords to a third party. It’s the user that signs in directly to his/her ebank account to collect the account statement data.

    3) After the initial contact things cooled down a bit and so we set up a meeting with the OP lawyers. Meanwhile, the reference to Balancion has been withdrawn from the OP statement, which is nice.

    4) So what’s next? We’ll meet up with the lawyers at OP and we believe that the misinterpretation of Balancion violating their ebanking terms and conditions can be forgotten.

    The guys at Borenius & Kemppinen and we have carefully created a way in which a Balancion user can safely retrieve one’s data from one’s own ebank account without violating any law, bank-specific terms and conditions or other treaties. I think we’ve seen the classic ‘mountain out of a molehill’ effect here :) It’s good to keep up the discussion on how to make the raw data retrieval process easier for services like Balancion. It has been and still is an active issue in our discussions with OP and other banks as well.

    Let’s not put a bad rep on OP or any other banks for taking an active role reminding people not to hand out any ebank user information to third parties. We totally agree. I believe that after our meeting with OP all OP customers can again feel safe to use our service.

    Banks like OP have a right to run their customer communication as they please. But when a statement is based on a misunderstanding, we find it a bit irritating, especially when it portrays Balancion and its role in a rather dim light. Our role is to complement the Finnish ebanking services and there seems to be a great demand for a service like ours, even greater than we first thought.

    If you’d like to know more, we’d be happy to provide Arctic Startup (or anyone interested) more info on the subject.

    Peace & love ;)

    Jussi Muurikainen
    Founder / CEO
    Balancion

  16. Hi Margus,

    That's pretty much what we would like to do here in Finland ;)

    It's all about making it EASY enough for each user to collect all the data needed to draw the big picture about one's personal finances. User friendly solutions provide user friendly tools and no manual work needed. That's why Balancion helps its users to collect the data in the only possible way there is at the moment.

    Our goal is to provide our customers the same XML hub there already is for Finnish business customers (Tuomas Toivonen wrote a blog about this issue here: http://www.kasvua.org/~toivotuo/cgi-bin/blosxom.cgi/2010/01/29#banks-and-opendata),

    It would be nice to meet You and discuss more about co-operative actions so please send me an email -> jussi.muurikainen@balancion.com

    Best regards,

    Jussi Muurikainen
    Founder&CEO
    Balancion Ltd.
    +358 (0)50 567 3100

    • Hi Jussi!

      You are doing the right things! Service must be absolutely easy and as much as possible automated. I am sure that You have a clear picture of how to build that hub technically and organisationally for all counterparts.

      When I think how in Estonia is possible to build up such kind of central hub then I realize that is possibility to use all available and amazing governmental framework – what we have at this moment.

      Let me explain:

      1. We have ID-card (and mobile ID) framework. Every citizen can own their personal ID card (almost everybody owns today). At this moment we can use that for identification and signing level in all government institutions and in all Estonian banks as well. We can log into net-banks using ID-card or mobile ID and to do all transactions.

      2. We have state owned portal for citizens (www.eesti.ee). In this portal all authorized person can do lot things and as most important to query huge amount of government (and not only) owned databases.

      3. All these spread-out databases (in different locations, formats and ownerships) are connected to each other using a special standard, X-Tee (X-Path/Way)

      4. Using the same infrastructure, there is a possibility to add to that state-owned portal also a query engine to all banks (ie. I query my transactions in period 01.01.2010-31.01.2010) and to “push” results to systems like Fyrca (or Balancion). All counterparts use the same infrastructure and standards for security and data transfer.
      Everything is under control of person and “act of free will” to handle his/her datasets.

      In theory is that one most possible way to solve this problem in Estonia…

      All the best,
      Margus

  17. OlliM

    Jussi, I’d like to comment on one claim you make:

    “A Balancion user doesn’t hand over ID’s or passwords to a third party. It’s the user that signs in directly to his/her ebank account to collect the account statement data.”

    Technically, the user does hand over the password to a third party. The logic is as follows:
    - User downloads java program from balancion
    - Java program contains browser functionality that opens the ebank website
    - User enters the ebank password into the browser inside the java-program
    - The java program crawls the ebank website and sends the transaction data to the balancion website

    So if the java program is doing what it should, the password is never sent to the Balancion website. However, the java program is a proprietary program created by Balancion, so there is no way for me to know what it actually does with the password – all I can do is take their word for it and hope that there are no bugs in the program that would expose my password.

    To be fair, I am a Balancion user and I do trust them not to abuse my passwords. And at least with Nordea, you have to enter another confirmation password before any money can be transferred, so I don’t see the big problem.

    The best way to achieve this would be with the use of a read-only API, but the only way we’ll ever get that is if more people realize that they need it. For that, we need innovative services like Balancion.

    Olli
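
An added example, not part of the comment thread and not code from Balancion or any bank: comments 6 and 17 above ask for delegated, read-only access instead of typing online-banking credentials into third-party software. The sketch below shows the core check with an HMAC-signed token carrying scope and expiry; it is a simplified stand-in for an OAuth-style access token, and the key, scope names and identifiers are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real bank would keep this in an HSM or key service.
BANK_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(BANK_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(customer, client, scopes, ttl, now=None):
    """Bank side: run after the customer logged in AT THE BANK and consented.

    The third party never sees the customer's password, only this token.
    """
    now = time.time() if now is None else now
    claims = {"sub": customer, "client": client,
              "scope": sorted(scopes), "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def authorize(token, required_scope, now=None):
    """Bank side: decide whether a presented token permits one operation.

    Returns (allowed, reason). Signature is checked before claims are trusted.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False, "malformed token"
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scope"]:
        return False, "scope not granted"
    return True, "ok"


def demo():
    """Hypothetical aggregator holding a read-only, one-hour grant."""
    t0 = 1_000_000  # fixed clock so the results are reproducible
    token = issue_token("customer-1", "aggregator-app",
                        ["statements:read"], ttl=3600, now=t0)
    results = {
        "read": authorize(token, "statements:read", now=t0 + 10),
        "pay": authorize(token, "payments:write", now=t0 + 10),
        "late": authorize(token, "statements:read", now=t0 + 3600),
    }
    # A client that edits its own claims to widen the scope fails verification.
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scope"].append("payments:write")
    widened = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    results["widened"] = authorize(widened, "payments:write", now=t0 + 10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Unlike a password entered into a third-party program, a leaked token of this kind can only read statements until it expires, and the bank can tell which client presented it.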

  18. Hi Olli!

    How do we know that Mozilla Firefox, Internet Explorer or Google Chrome do not collect the same passwords whenever we use our eBanking solution providers?

    I'd like to address and remind that whenever using Balancion You enter Your passwords through Your own internet browser – and You do exactly the same whenever using Your current ebanking solution. We are not there in between and do not collect passwords etc.

    So if we want to question the data security issues about entering the passwords, we should question the web browser security first. This fact has not been addressed enough so let's do it now ;)

    You never know and that's why we are talking about trust. Is Balancion a trusted service provider, is Balancion building things right? Or isn't it?
    Please do not hesitate to ask, discuss or even doubt…It's our mission to do things right and build trust. Isn't it? The user's role in this game is to decide whether You trust or not.

    So we are here the ones who have to (and do) understand it's hard work and will take some time. And we are pretty humble but yet passioned to convince You about us.

    Balancion or any other service provider cannot do else than do things just as well as they can be done. That's why we've been selecting partners like Nixu, Idean, Mysema, Borenius & Kemppinen, Smilehouse, Nebula and not just building the service in the garage with friends and cousins.

    I like the voice tone of this discussion – let's keep it up!

    Best regards,

    Jussi Muurikainen
    Founder & CEO
    Balancion Ltd.
    +358(0)50 567 3100
    jussi.muurikainen@balancion.com
