To help people manage their finances in the Toshl Finance apps, we connect to banks with the help of our connection partners. Where available, the data is imported over APIs – official automatic connections, provided by the bank. In the European Union, banks need to provide such connectivity by law (PSD2). Where API connections are not available, data is imported through the transactions lists in online banking apps.
While not perfect, such legislation is a big step forward in enabling people to use their data as they please. Unfortunately, a lot of banks still provide very poorly made APIs, or none at all. By doing that, they’re not only doing a disservice to their customers and themselves, but in many cases are also breaking national and EU legislation. The final deadline for all EU banks to have a fully functional API for importing transactions and accounts was September 14, 2019.
In the hope of improving this situation and better informing our customers about the (in)capabilities of individual institutions, we are starting this list of shitty banks based on the performance of their APIs. These banks’ APIs have shown major errors, and the banks have persistently failed to fix them despite our reports and those made via our connection partners.
Shitty Banks 💩
Intesa Sanpaolo (Slovenia): The bank continues not to offer a functional PSD2 API. Fixes were made in 2021, so basic functionality was implemented and at one point the bank was prepared to make some fixes. However, the bank still doesn’t offer a way to authenticate using its up-to-date app (ISPS) and only has this working in the outdated BankaIN one. In addition to all that, the bank uses dark patterns (or really poor UX, depending on how you interpret it), which makes it less likely that users will successfully complete the connection. API updates often break previous functionality. The bank is no longer responding to reports of errors. All in all, one of the shittiest banks out there. We hope banking regulators will someday actually take measures.
Bitstamp (EU): Their authentication system for the PSD2 API is broken, partially due to a misconfiguration with Token.io (their technical partner). We reported the issues in May 2021, and they remain unfixed despite multiple reminders.
BRD (Romania): Connection authentication broken since at least September 2021, bank representatives very slow to reply and fix.
DBS (Singapore, Hong Kong): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.
Easybank (Austria): Not easy at all. Faulty authentication system when connecting, bank representatives very slow to respond, let alone fix.
Erste (Hungary): Users unable to update transactions, errors on the bank’s API. Despite multiple reports to the bank, remains unfixed. The API has remained non-functional for a year now. Our partners at Salt Edge have removed the bank until they fix their APIs.
KBC (Ireland): Connection authentication broken since October 2021. Bank technical representatives unresponsive, no fixes yet.
N26 (EU): While these connections were usually exemplary, since July 2021 they’ve been producing an inordinate amount of errors. The bank quite often revokes user consent at random, forcing the user to re-authenticate the connection. These errors often repeat very frequently, in some cases the next day. Under PSD2, banks should normally request re-authentication from users only every 90 days. Bank representatives are very slow to respond, and the issue is still not resolved.
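As an added example (not Toshl’s or any partner’s code), a monitoring check an aggregator could run over its own authentication logs to spot banks that force re-authentication sooner than the 90 days mentioned above; the events, connection ids and bank names are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# PSD2 rule the text refers to: re-authentication should be needed at most
# once every 90 days for account information access.
REAUTH_INTERVAL_DAYS = 90

# Constructed sample events (not real data): one row per successful
# (re-)authentication of a bank connection, as an aggregator might log them.
SAMPLE_AUTH_EVENTS = [
    ("conn-1", "bank-a", date(2021, 7, 1)),
    ("conn-1", "bank-a", date(2021, 7, 2)),   # forced again the next day
    ("conn-1", "bank-a", date(2021, 7, 9)),   # and again a week later
    ("conn-1", "bank-a", date(2021, 10, 8)),  # 91 days later: legitimate renewal
    ("conn-2", "bank-b", date(2021, 7, 1)),
    ("conn-2", "bank-b", date(2021, 9, 29)),  # exactly 90 days: legitimate
]


def premature_reauths(events, interval_days=REAUTH_INTERVAL_DAYS):
    """Return (conn_id, bank_id, previous_date, this_date, gap_days) for every
    re-authentication that happened sooner than interval_days after the last one."""
    by_conn = defaultdict(list)
    for conn_id, bank_id, when in events:
        by_conn[(conn_id, bank_id)].append(when)
    findings = []
    for (conn_id, bank_id), dates in by_conn.items():
        dates.sort()
        for prev, cur in zip(dates, dates[1:]):
            gap = (cur - prev).days
            if gap < interval_days:
                findings.append((conn_id, bank_id, prev, cur, gap))
    return findings


def premature_rate_by_bank(events, interval_days=REAUTH_INTERVAL_DAYS):
    """Share of re-authentications per bank that came earlier than allowed;
    a high rate is the 'random consent revocation' symptom described in the text."""
    total = defaultdict(int)
    for conn_id, bank_id, _ in events:
        total[bank_id] += 1
    seen_conns = {(c, b) for c, b, _ in events}
    for conn_id, bank_id in seen_conns:
        total[bank_id] -= 1  # the first authentication of each connection is not a re-auth
    early = defaultdict(int)
    for _, bank_id, _, _, _ in premature_reauths(events, interval_days):
        early[bank_id] += 1
    return {b: (early[b] / total[b] if total[b] else 0.0) for b in total}
```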
OTP (Hungary): Broken for several months, bank poorly responsive. The connection was removed until the bank fixes the API and starts complying with EU legislation.
SKB, Sparkasse (Slovenia): The banks’ APIs do not provide the same transaction descriptions that users see in the banks’ own apps. Bank representatives stated they’re unwilling to implement changes to support full descriptions. SKB also often produces errors when re-authenticating after 90 days; multiple fixes have not helped.
Aqua Card, all Newday cards (United Kingdom): The card company only allows for the initial connection, no updates of the card data.
Special shitty distinction
Plaid, one of our connection partners, for serving this as their most common reply: “We have prioritized this issue based on our evaluation of the user impact and its severity. We’re currently unable to give an exact fix date for this issue, however, we will update you here once this issue is resolved or we have a more exact ETA — whichever comes first. In the meantime, I am placing this ticket on-hold while this issue is being monitored so that we may follow up. Please keep in mind that these types of issues may take 1-3+ months to be resolved.”
While this normally affects scraping connections and less often the API ones, it remains very shitty when trying to offer a good and consistent experience to end customers.
General problems with PSD2 legislation
- Banks are not obliged to provide all of a user’s financial accounts. “Payment accounts” as interpreted by the European Banking Authority only include bank accounts (those with an IBAN), but not credit cards or savings accounts. Because of this, many banks chose not to include them in their APIs, making the API solution sometimes worse than the scraping it was supposed to replace.
- Business accounts are not included by law, making them optional for the banks. Only payment accounts of individuals are included.
- Requirements to register as an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) with the banking regulator are too vast and sometimes of questionable usefulness. The cost and time needed to register are disproportionate. Somewhat ironically, so far these regulations have contributed to extended downtime of services, the very circumstances they were made to prevent.
- Vastly different technical implementations across banks and countries, with the Berlin Group standard being especially problematic. The most problematic implementations are those where IBANs need to be entered upfront: re-authorisation is sometimes poorly implemented because of that, and adding multiple accounts is difficult.
Banks that were previously featured here, but got their shit together and now offer working APIs. We congratulate them and send thanks for the fixes. 👏
Privredna Banka Zagreb (Croatia)
Flik as authentication (Slovenia) is no longer required by banks.
Last updated on December 22, 2021