Shitty Bank List

To help people manage their finances in the Toshl Finance apps, we connect to banks with the help of our connection partners. Where available, the data is imported over APIs – official automatic connections, provided by the bank. In the European Union, banks need to provide such connectivity by law (PSD2). Where API connections are not available, data is imported through the transactions lists in online banking apps.

While not perfect, such legislation is a big step forward in enabling people to use their data as they please. Unfortunately, a lot of banks still provide very poorly made APIs or not at all. By doing that, they’re not only doing a disservice to their customers and themselves, but in many cases are also breaking national and EU legislation. The final deadline for all EU banks to have a fully functional API to import transactions and accounts was September 14 2019.

With the hopes of this situation improving and better informing our customers about the (in)capabilities of individual institutions, we are starting this list of shitty banks based on the performance of their APIs. These banks have shown major errors and persistence in not fixing them, despite our reports and those via our connection partners.

Shitty Banks 💩

Shitty banks in the EU and UK

These financial institutions are bound by PSD2 or similar legislation and are likely breaking national and EU law by being this shitty.

OTP (Slovenia, ex-NKBM & SKB) They’re on this list very frequently. After producing month-long downtimes and often faulty login systems as NKBM, they merged with SKB in Aug 2024. Months later, the systems are still not functioning normally. Users were unable to log in at all for a week. Business accounts are not reported. Users were unable to add multiple connections to the bank. Many transactions are missing. The bank is extremely slow to reply or fix anything. They should feel shame, but we doubt they have any capacity for it left. Despicable omnishambles of a “bank”. Update: After a two-and-a-half-month disruption during which services were not working for most connection users or worked only partially, they finally resolved the issues. Another update: The reprieve from OTP incompetence did not last more than two weeks. OTP login systems are again broken, reporting “Consent information is null or missing!” for users who have already completed the login. The login issues were then resolved again. We’re keeping OTP on the list until they can prove they can provide consistent services without weekly interruptions.

NLB (Slovenia) For failing to ensure the privacy of their customers, failing to notify them of the security risks caused by the bank’s own errors, and sometimes reporting incorrect balances.

NewDay cards, such as Aqua Card, Pulse Card, Amazon Mastercard and all other NewDay cards (United Kingdom): The card company only allows the initial connection and no subsequent updates of the card data. Some card connections have faulty authentication systems to boot.

Openbank (Spain): The bank has historically been quite shitty, producing many authentication issues on their end and failing to provide transactions consistently. They also refuse to provide pending card transactions (those not yet settled), despite displaying them in their own apps. This means that transactions are not provided until 3-4 days after purchase.

BRD (Romania) Another bank way too frequently on this list. Bank representatives respond very slowly if at all, making their frequent technical issues even more difficult to resolve.

BNP Paribas (Poland) The bank has a manual process for updating certificates. After issues with a certificate update, the bank representatives failed to respond or resolve them.

PBZ – Privredna Banka Zagreb AKA Intesa (Croatia) Frequent errors on the connections. Despite numerous attempts to contact them and their legal obligations as per PSD2, the bank representatives refuse to even reply.

PKO Bank Polski (Poland) The bank broke their connections, was extremely slow to respond and has not resolved the issues for customers for weeks.

Crypto.com For sending duplicated transactions via the connections every half a year or so before fixing it again when new reports arrive. Testing in production as a lifestyle?

Trade Republic refuses to provide a bank connection (API) at all, despite their legal obligations as a company with a banking licence in the EU. Trade Republic says that their accounts don’t qualify as payment accounts under PSD2, yet they don’t offer an API for their newer type of accounts, which do use their banking licence, either.

CTT (Portugal) The bank is completely unresponsive when contacted about issues with their API, preventing the resolution of problems.

Millennium BCP (Banco Comercial Português) The bank and their technical partner SIBS announced a migration to a new connection system, which broke all existing connections and required them to be reconnected. Even after that, the new system was not responsive for a long time and still doesn’t work for most functionality, weeks after the migration was supposed to be complete.

ActivoBank (Portugal) The bank and their technical partner SIBS announced a migration to a new connection system, which broke all existing connections and required them to be reconnected. Even after that, the new system was not responsive for a long time and still doesn’t work for most functionality, weeks after the migration was supposed to be complete.

ING (Romania) The bank keeps producing duplicated transactions with different ids and descriptions. Despite numerous reports and fixes, the issues keep coming back.

Mediobanca Premier (ex CheBanca!, Italy) The bank requires their customers to re-authenticate every 7 days. They claim this is a security feature. We claim it’s either incompetence of their IT or a deliberate attempt to make their PSD2 APIs useless. We’re not sure how they think this is legal, given that PSD2 API connections should be able to remain valid for 180 days.

Independently shitty banks

These banks are not bound by legislation to provide automatic connections, but display a generally shitty attitude towards their customers by blocking the import of data into third-party apps such as ours. Data about one’s own transactions belongs to the user, not the bank.

BBVA Frances (Argentina): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.

Raiffeisen Aval (Ukraine): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.

DBS (Singapore, Hong Kong): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.

BDO (Philippines): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.

PrivatBank (Ukraine): After initially offering an official API for customers to import their own data, the bank abruptly cancelled all API access for customers with personal accounts. As they also try quite hard to block screen scraping, the bank is now preventing their customers from using their own data with other apps.

Citibank (Singapore): The bank was blocking scraping connections, trying to prevent its customers from using their data. Then they theoretically opened an API for transactions. However, this API isn’t freely available and requires an agreement with the bank. Citi is dragging their feet, responding very slowly, if at all, to requests to integrate. The latest response was that they are not commercially interested in providing the API. The API seems more of a PR tactic than something that can actually be used. Prove us wrong, please.

Special shitty distinction

Token.io: they’re an integrator of APIs for the banks, and a poor one at that. Any hope of a working solution dwindles once they’re mentioned. They are the cause of many non-working authentication systems of bank connections. They’re slow to respond, don’t offer dynamic registration and keep on pushing their own accounts in addition to the credentials you have at the bank.

SIBS: a technical partner of many Portuguese banks, very slow to respond and resolve issues. Left two major banks with non-working APIs for months in summer 2024.

General problems with PSD2 legislation

  • Banks are not obliged to provide all of a user’s financial accounts. “Payment accounts” as interpreted by the European Banking Authority only include bank accounts (those with an IBAN), but not credit cards or savings accounts. Because of this, many banks chose not to include them in their APIs, making the API solution sometimes worse than the scraping it was supposed to replace.
  • Requirements to register as an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) with the banking regulator are too extensive and sometimes of questionable usefulness, with disproportionate cost and time needed to register. So far these regulations have contributed to extended downtime of services, somewhat ironically, as they were made to prevent such circumstances.
  • Vastly different technical implementations between banks and countries, with the Berlin Group standard being especially problematic. The worst implementations are those where IBANs need to be entered upfront, which in turn leads to poorly implemented re-authorisation and makes it difficult to add multiple accounts.
  • Lack of a unified system for onboarding account information service providers (AISPs) so they can import data and start doing so automatically. Dynamic registration with fully automated recognition of QWAC and QSeal certificates should be the only legal way.
  • Updating QWAC certificates is still a somewhat manual process in many cases, with banks demanding re-registrations or producing errors during verification of renewed certificates.

Graduates

Banks that were previously featured here, but got their shit together and now offer working APIs. We congratulate them and send thanks for the fixes. 👏

Privredna Banka Zagreb (Croatia)

Flik as authentication (Slovenia) is no longer required by banks.

Bunq had authentication issues which were not resolved for months in the first half of 2022. Now fixed.

OTP (Hungary) had authentication bugs that lasted from Sep 2021 until May 2022, now resolved.

SKB (Slovenia) The bank responded in the end; long-standing re-auth issues were resolved.

Easybank (Austria) Issues were resolved; no active reports of problems.

KBC (Ireland) The issues were not resolved so much as the bank wimped out. KBC withdrew from the Irish market and is no longer offering its services there. Good riddance.

1822direkt (Germany) The bank representatives did not reply for a month and a half to reports of faulty authentication and required public prodding to reply. Issue now resolved.

Erste (Hungary) had broken authentication for years and was poorly responsive; it was finally fixed in early 2023.

Bitstamp (EU) had broken API authentication for almost 2 years, did not respond to calls to fix until regulators got involved. New API provided from April 2023.

Wise Business (EU, registered in Belgium) Pending transactions were missing on API, issues fixed about a year after reporting.

Intesa Sanpaolo (Slovenia) An unfortunate frequent flyer on this list. The last set of seemingly insurmountable bugs they produced, this time with Android login, was resolved after a few months.

Pekao (Poland) The bank has a manual process for updating certificates. After issues with a certificate update, the bank representatives failed to respond for a long time, but the issues were resolved in the end.

Evo Banco (Spain) Connections started invalidating themselves for no reason; bank representatives and their technical partner Redsys were very slow to respond, but it looks like the issues are resolved now.

Danske Bank (Denmark) Issues after certificate rotation went unsolved for months; bank representatives were very slow to respond. Issues now resolved.

Argenta (Belgium) The bank was extremely slow with onboarding new certificates that enable us to connect. This is something that should be done automatically via dynamic registration to begin with, something that most other banks offer. Most issues now resolved.

Raiffeisen (Romania) Connections were often buggy, and bank representatives were extremely slow to respond – if at all – to reported issues. They did resolve them in the end.

UniCredit (Slovenia) Bank sent duplicates of certain transactions almost 2 months after they were originally reported. Issues were resolved after several months and multiple reports.

Gorenjska Banka (Slovenia) The bank did not provide transactions immediately in their own apps. The transactions were provided over the PSD2 API only 3-4 days later in violation of the PSD2 legislation. After more than half a year the bank fixed the issue and customers are reporting it’s functioning normally now.

Solaris Bank (EU, banking licence in Germany): The bank introduced a bug which prevented users from connecting their accounts. We reported the issue via our connection partners in December 2021. Solaris Bank still hadn’t resolved the issue by May 5th 2022, and the bank’s representatives stopped replying to reports. A renewed integration was added in Sep 2023; we currently have no new reports of issues.

Sparkasse (Slovenia) was unable to report financial accounts that several users have access to. The bank resolved the issues after months; no recent complaints.

N26 (EU, banking licence in Germany): The bank stopped reporting correct dates of transactions. They report only the settled date of the transaction, which is usually 3-4 days after the actual purchase. The transactions now usually come with a one-day delay. N26 initially refused to make changes and claimed all is well; when pressed further, they said they might schedule this for future improvements. In the meantime, they show correct dates in their own apps. There were frequent issues previously, such as duplicated transactions, non-working authorisation flows and similar. These have since been resolved and the connections are stable for the most part.

MeDirect (Belgium) Frequent technical issues; bank representatives were very slow to respond, but there haven’t been issues for a while now.

CheBanca! (Italy) Required an additional authentication redirect of the user whenever updating the connection, despite the fact that the user should be able to update uninterrupted for 180 days. This goes against how almost all other banks and regulators interpret PSD2 and its technical standard updates. CheBancaDiMerda would be more like it! The bank stopped doing business under that name and is using different connections now, so they’re no longer actively shitty.

Aktia (Finland) The bank was not responding to requests to resolve issues with their PSD2 API authentication system. The issues were then resolved, so the bank graduated from the shitty list.

Last updated on Dec 6, 2024