To help people manage their finances in the Toshl Finance apps, we connect to banks with the help of our connection partners. Where available, the data is imported over APIs – official automatic connections, provided by the bank. In the European Union, banks need to provide such connectivity by law (PSD2). Where API connections are not available, data is imported through the transaction lists in online banking apps.
While not perfect, such legislation is a big step forward in enabling people to use their data as they please. Unfortunately, a lot of banks still provide very poorly made APIs or none at all. By doing that, they’re not only doing a disservice to their customers and themselves, but in many cases are also breaking national and EU legislation. The final deadline for all EU banks to have a fully functional API to import transactions and accounts was September 14, 2019.
In the hope of improving this situation and better informing our customers about the (in)capabilities of individual institutions, we are starting this list of shitty banks based on the performance of their APIs. These banks have shown major errors and persistence in not fixing them, despite our reports and those via our connection partners.
Shitty Banks 💩
Shitty banks in the EU and UK
These financial institutions are bound by PSD2 or similar legislation and are likely breaking national and EU law by being this shitty.
N26 (EU, banking licence in Germany): The bank stopped reporting correct dates of transactions. They report only the settled date of the transaction, which is usually 3-4 days after the actual purchase. N26 initially refused to make changes and claimed all is well; when pressed further, they say they might schedule this for future improvements. In the meantime, they show correct dates in their own apps. There were frequent issues previously, like duplication of transactions, non-working authorisation flows and similar. While these have since been resolved, the bank is a frequent offender who does not live up to their legal obligations as per PSD2.
Solaris Bank (EU, banking licence in Germany): The bank introduced a bug which prevents users from connecting their accounts. We reported the issue via our connection partners in December 2021. Solaris Bank still hadn’t resolved the issue by May 5th 2022. The bank’s representatives stopped replying to reports.
Bitstamp (EU, e-money licence in Luxembourg): Their authentication system for the PSD2 API is broken, partially due to misconfiguration with Token.io (technical partner). We reported the issues in May 2021; they remain unfixed despite multiple reminders.
BRD (Romania): Connection authentication broken since at least September 2021, bank representatives very slow to reply and fix.
Erste (Hungary): Users unable to update transactions, errors on the bank’s API. Despite multiple reports to the bank, remains unfixed. The API has remained non-functional for a year now. Our partners at Salt Edge have removed the bank until they fix their APIs.
NewDay cards, such as Aqua Card, Pulse Card, Amazon Mastercard and all other NewDay cards (United Kingdom): The card company only allows for the initial connection, no updates of the card data. Some card connections have faulty authentication systems to boot.
Argenta (Belgium): The bank is extremely slow with onboarding new certificates that enable us to connect. This is something that should be done automatically via dynamic registration to begin with, something that most other banks offer. While the bank representatives are unresponsive, our customers are unable to connect. We’ve been reporting the issue since Aug 2022.
Wise Business (EU, registered in Belgium): The payment service refuses to provide an accurate and up-to-date list of transactions, as they do in their own apps. Pending transactions – the most recent ones, made in the last 2-3 days – are not reported via the PSD2 API, despite the payment service providing that information inside their own apps. We reported the issue to them; Wise acknowledged the issue in early June 2022, but refused to fix it right away or provide an estimate as to when it would be fixed.
Openbank (Spain): The bank has historically been quite shitty, producing many authentication issues on their end and being unable to provide transactions consistently. They also refuse to provide pending card transactions (pending, but not yet settled), despite displaying them in their own apps. This means that the transactions are not provided until 3-4 days after purchase.
Independently shitty banks
These banks are not bound by legislation to provide automatic connections, but display a generally shitty attitude towards their customers by blocking importing data to 3rd party apps such as ours. Data about own transactions belongs to the user, not the bank.
BBVA Frances (Argentina): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.
Raiffeisen Aval (Ukraine): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.
DBS (Singapore, Hong Kong): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.
BDO (Philippines): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.
PrivatBank (Ukraine): After initially offering an official API for customers to be able to import their own data, the bank abruptly cancelled all API access for customers with personal accounts. As they also try quite hard at blocking screen scraping, the bank is now preventing their customers from using their own data with other apps.
Special shitty distinction
Plaid, one of our connection partners, for serving this as their most common reply: “We have prioritized this issue based on our evaluation of the user impact and its severity. We’re currently unable to give an exact fix date for this issue, however, we will update you here once this issue is resolved or we have a more exact ETA — whichever comes first. In the meantime, I am placing this ticket on-hold while this issue is being monitored so that we may follow up. Please keep in mind that these types of issues may take 1-3+ months to be resolved.”
Token.io: They’re an integrator of APIs for the banks, and a poor one at that. Any hope of a working solution dwindles once they’re mentioned. They are the cause of many non-working authentication systems of bank connections. They’re slow to respond, don’t offer dynamic registration and keep on pushing their own accounts in addition to the credentials you have at the bank.
General problems with PSD2 legislation
- Banks are not obliged to provide all of a user’s financial accounts. “Payment accounts” as interpreted by the European Banking Authority only include bank accounts (those with an IBAN), but not credit cards or savings accounts. Due to this, many banks chose not to include them in their APIs, making the API solution sometimes worse than the scraping it was supposed to replace.
- Business accounts are not included by law, making them optional for the banks. Only payment accounts of individuals are included.
- Requirements to register as an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) with the banking regulator are too vast and sometimes of questionable usefulness. The cost and time needed to register are disproportionate. So far these regulations have contributed to an extended downtime of services, somewhat ironically, as they were made to prevent such circumstances.
- Vastly different technical implementations between banks / countries, with the Berlin standard being especially problematic. Especially problematic are implementations where IBANs need to be entered upfront; re-authorisation is sometimes poorly implemented due to that, and it is difficult to add multiple accounts.
- Lack of a unified system of onboarding account information service providers (AISP) to be able to import data and start doing so automatically. Dynamic registration with fully automated recognition of QWAC and QSeals certificates should be the only legal way.
- Updating QWAC certificates is still a somewhat manual process in many cases, with banks demanding re-registrations or producing errors during verification of renewed certificates.
Banks who were previously featured here, but got their shit together and now offer working APIs. We congratulate and send thanks for the fixes. 👏
Privredna Banka Zagreb (Croatia)
Flik as authentication (Slovenia) is no longer required by banks.
Intesa Sanpaolo (Slovenia) now working via ISPS app log in.
Sparkasse (Slovenia) now working well in most cases, minor description discrepancies remain. Otherwise responsive with fixes.
Bunq had authentication issues which were not resolved for months in the first half of 2022. Now fixed.
OTP (Hungary) had authentication bugs that lasted from Sep 2021 until May 2022, now resolved.
Citibank (Singapore) was blocking screen scraping without alternative for a long while, now offers API.
SKB (Slovenia) bank responded in the end, long standing re-auth issues were resolved.
Easybank (Austria) issues were resolved, no active reports of problems.
KBC (Ireland) the issues were not resolved insomuch as the bank wimped out. KBC withdrew from the Irish market and are no longer offering their services there. Good riddance.
1822direkt (Germany) the bank representatives did not reply for a month and a half to reports of faulty authentication and required public prodding to reply. Issue now resolved.
Last updated on Jan 24, 2023