Toshl Finance Blog

On Brexit, Excrement, Fans, Their Relative Locations and the Resulting Outage.

In 2016 the UK Conservative Party, with David Cameron leading it, fired shots. Into their own feet. As if this act of collective national self-mutilation wasn’t enough, they’re now coming for our feet as well.

WTF does all this have to do with Toshl Finance? 

I’m glad you asked.

Banks in the European Union have a legal obligation to provide automatic data access (APIs) to transactions, financial accounts upon client’s authorisation. In turn, companies accessing that data, need to comply with the regulations as well and get a licence from the national banking regulator. Once the banking regulator in an EU member state issues the licence, it can be easily recognised (passported) by all other EU members. This way, an EU company can access this kind of financial data across the EU.

Lets, for the moment, leave aside that the banks are in many cases still woefully unprepared and merrily breaking this legislation, years after it was first announced and over a year since the last implementation deadline passed (Sep 14 2019). In most cases though, it’s working in at least a good-enough way.

As there are thousands of banks, each with their own peculiarities in technical implementations, we work with partners who help unify these connections and provide data access. The companies we work with right now are Salt Edge and Plaid.

Through either misfortune or lack of foresight, both these companies are registered in the United Kingdom. They got their AISP licence from the banking regulator in the UK (Financial Conduct Authority – FCA).

Due to the upcoming no-deal variation of Brexit, the legal system as described above will no longer apply in the UK. Licences issued by the UK banking regulator will no longer be automatically valid across the EU. They will be automatically revoked on Jan 1 2021.

Due to this, the existing connections via API to banks in the European Union will stop working on Jan 1.

Some will just need to be reactivated, some will not be able to. If you’re not interested in the why and how, skip ahead to instructions on how to fix the connections.

We checked with both Plaid and Salt Edge multiple times during the last few years, especially in recent times when it was becoming clearer that Brexit likely won’t be orderly. Both companies reassured us that they’re taking the required measures and that there won’t be any disruption. Obviously, that didn’t happen as planned.

We also obtained our own AISP licence from the Slovenian banking regulator in 2020 in addition to using the licences of our partners to connect. Due to this, we can certainly appreciate that filling in all the regulatory checkboxes is a large task. The requirements of the PSD2 legislation and consequently of the regulator, are often unnecessarily complex while doubtful in usefulness. We did not yet start the migration to using our own licence as we initially expected to do this more gradually and seamlessly to the end user in 2021. 

Had we known that Plaid and Salt Edge were not prepared with their AISP licences, we could have started this process sooner.

However, Plaid only notified us of these problems on 11 Dec, Salt Edge on 1 Dec.

The two companies came to rather different solutions for these issues. 

Salt Edge

Salt Edge is in the process of registering its new licence with the National bank of Romania, but they were not able to complete it so far and plan to do so in the first half of 2021. They ended up buying (or leasing?) the AISP licence from another company.

The current connections will become inactive, but should be able to be immediately re-added on Jan 1 by using the new AISP licence. The new connection will need to be authenticated again by logging in to your online bank. The connection will also create new financial accounts to import on and they’ll need to be merged with the previous accounts. See instructions.

A secondary issue is that these connections will need to be re-added again once Salt Edge gets its own proper licence. Wherever possible, we will try to use our own licence from here on, so that this second switch won’t be necessary.

Plaid

Plaid is in the process of registering its new licence with the National bank of Netherlands. They however did not even provide a wonky attempt at replacement like Salt Edge did. From Plaid, we just got a straight up notice on Dec 11 that they won’t be offering their services in January 2020 until they receive the new licence. Without even adding an apology. Quite an attitude, especially coming from a well funded company that Visa intends to pay 5,3 billion dollars for. Not exactly starved for resources, if for competence.

Needless to say, we are extremely disappointed with this outcome.

Our action plan

  • Use of our own AISP licence and certificates. Transitioning to them was the plan all along for 2021, but we’re now greatly speeding up those efforts. Unfortunately this also takes some time, as banks need to onboard our certificates, have varying degrees of IT sophistication and there could be staffing issues due to Covid-19 and the end of the year.
  • Replacing Plaid bank connections with the ones from Salt Edge, where available. We currently offer European Plaid connections in Spain, France, the Netherlands and UK. UK will, ironically, be unaffected by this. Quite a few of these connections will have replacements available via a Salt Edge connection, but unfortunately, we cannot promise this will be the case for all. We will likely be experiencing a prolonged downtime with certain connections in France, Spain and the Netherlands until Plaid has a registered AISP licence again. 
  • Searching for new bank connection partners to provide both wider connectivity as well as backup connections precisely for such cases as described here.
  • Notifying all our customers of these issues via this blog, social networks and emails to provide re-connecting instructions and lessen the impact.
  • As we investigate the replacement connection options for banks, we will be providing more detailed information about which banks will be affected, how and notifying the affected users.

How will this look in practice? How can I resolve this with my own bank connections and accounts?

  1. On January 1st, an affected connection will become inactive. 
  2. Re-add it as a new bank connection.
  3. Limit import by date. After authenticating the connection, you’ll be asked what time period you want to import the transactions for. Choose from Jan 1 2021 onward. This is to avoid duplication with your previously imported transactions.
  4. Merge old and new financial accounts. The re-added connection will also add new financial accounts and import on these new accounts. You can then easily merge them with the financial accounts from before, to keep them unified. Select to keep updating the account from the new bank connection.
  5. Done.

Only bank connections to banks in the European Union over an API connection are affected by these issues. 

Replacement connections will be provided for most banks.

Due to Plaid’s January shutdown we won’t be able to provide replacements for some connections in France, Spain and the Netherlands in the meantime.

Connections elsewhere around the world and connections using the scraping method are not affected by this issue.

In conclusion, we realise this is a big letdown. We sincerely apologise to our customers who will be affected by this issue. We will be doing our utmost to remedy the situation and provide more robust connectivity options in the future so that such situations won’t be able to reoccur.

The Brexit omnishambles makes fools of us all. We wish our English, Scottish, Welsh, Northern Irish brethren and all affected by this pest, the strength and perseverance to overcome.

Update 17. 12. : removed a direct quote from Salt Edge upon request and a made factual correction regarding licence purchase.

Posted in Uncategorized