To help people manage their finances in the Toshl Finance apps, we connect to banks with the help of our connection partners. Where available, the data is imported over APIs – official automatic connections provided by the bank. In the European Union, banks are required by law (PSD2) to provide such connectivity. Where API connections are not available, data is imported from the transaction lists in online banking apps.
While not perfect, such legislation is a big step forward in enabling people to use their data as they please. Unfortunately, a lot of banks still provide very poorly made APIs, or none at all. By doing so, they are not only doing a disservice to their customers and themselves, but in many cases are also breaking national and EU legislation. The final deadline for all EU banks to have a fully functional API for importing transactions and accounts was September 14, 2019.
In the hope of improving this situation and better informing our customers about the (in)capabilities of individual institutions, we are starting this list of shitty banks, based on the performance of their APIs. These banks have shown major errors and have persistently failed to fix them, despite our reports and those made via our connection partners.
Shitty Banks 💩
Intesa Sanpaolo (Slovenia): The bank does not offer a functional PSD2 API. Multiple attempts have been made to add the connection, but the API was not ready. After the latest attempt to enable the connection in October 2020, the bank began making fixes, but the connection is still not functional. Progress has been very slow: after 8 months of fixes, authentication (with their old apps) is now enabled, but the API still drops after a few hours and cannot maintain a working connection.
NKBM (Slovenia): Extended downtime for large portions of users since merging its IT systems with Abanka on Jan 1, 2020. Normal operation has still not been restored. A few types of users are able to connect, but are unexpectedly required to enter the 2-factor authentication SMS code 3 times in a row, and face other random errors.
Openbank (Spain): Authentication has been broken since at least Sep 2020; poor responsiveness from the bank.
DBS (Singapore, Hong Kong): The bank is actively trying to prevent its customers from using their data, blocking screen scraping with legal and technical means while not providing a transactions API to import in an officially approved manner.
Erste (Hungary): Users are unable to update transactions due to errors on the bank’s API. Despite multiple reports to the bank, the problem has remained unfixed for months.
Privredna Banka Zagreb (Croatia): The bank has been unable to onboard and enable the API connection for months, and is not providing API services.
SKB, Sparkasse (Slovenia): The banks’ APIs do not provide the same descriptions that users see in the banks’ own apps. Bank representatives stated they are unwilling to implement changes to support full descriptions.
Aqua Card, all Newday cards (United Kingdom): The card company only allows the initial connection; subsequent updates of the card data are not possible.
Any Slovenian bank still using Flik as the only way to authenticate: Flik is an optional payment service. Bank customers should be able to authenticate using normal means, without being required to opt into additional services.
General problems with PSD2 legislation
- Banks are not obliged to provide all of a user’s financial accounts. “Payment accounts”, as interpreted by the European Banking Authority, only include bank accounts (those with an IBAN), but not credit cards or savings accounts. Because of this, many banks chose not to include them in their APIs, sometimes making the API solution worse than the scraping it was supposed to replace.
- Business accounts are not covered by the law, making them optional for the banks. Only payment accounts of individuals are included.
- The requirements to register as an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) with the banking regulator are too extensive and sometimes of questionable usefulness, and the cost and time needed to register are disproportionate. So far these regulations have contributed to extended downtime of services, somewhat ironically, as they were made to prevent such circumstances.
- Technical implementations vary vastly between banks and countries, with the Berlin Group standard being especially problematic. The worst implementations are those where IBANs need to be entered upfront; re-authorisation is sometimes poorly implemented because of that, and adding multiple accounts is difficult.
Last updated on May 12, 2021