How did I Explain Banking API to My Grandma

Recently I've made a post about the importance of preparing for PSD2 now. Even though it got quite popular, I thought to myself: why don't we take a step back and focus on explaining banking APIs in very simple words? I got inspired by the title of an article, "How I Explained Blockchain to My Grandmother", and decided to make a similar one. Let's check how it went.



Dear Grandma,

I’m glad you asked for my advice when you felt concerned about the service you were about to use. You are right that you should be very careful and cautious when some third party wants to know the login and the password to your online bank account. But this time you don’t need to worry, and here is why.

The service you mentioned is a legitimate one — I checked it. This is the first thing you should always do: find out as much as you can about the service and the company behind it. Then, as always, read everything you are asked to agree to.

You may ask: why do they want my online banking credentials? Well, they want them because they need to get some information from your account: maybe they will look for your personal data, such as name, birth date and ID number, to verify your identity (your bank has already verified it, so this information can be trusted); maybe your account balance matters for making a payment; or maybe they want to know your account history, so they know how much money you get and spend and can therefore evaluate your creditworthiness when you want to get a loan (this is called scoring).

Either way, they don’t want to steal your money. In fact, in the vast majority of cases, none of your money will be affected in any way. It’s all about information about you and your money. And it’s done securely.

The service in question — as well as the others wanting to dig into your bank account — uses small software helpers called APIs to do the job of asking for and receiving the banking data. (By the way, API stands for Application Programming Interface — quite a mysterious and geeky name, huh?) APIs are like researchers designed specifically to retrieve data from external sources. In our banking case, when you log in, or when a service logs into your online account with your credentials, the API pops in, instructs the system in your bank: “I want this and that”, then grabs the goods and brings them back to its master — the service.

The whole process takes seconds and is as secure as when you are personally using your online banking system. Some services store your encrypted credentials on their own secure servers, some don’t. Again, you don’t have to worry: even if nasty crooks break the safeguards and steal logins and passwords, you are still protected by the one-time passwords necessary to transfer funds anywhere.

In the future, APIs will be standardized in the way they communicate with banking systems, at least in the European Union. They will be able to perform only certain operations (money transfers or changes to your list of recipients, for example, would be excluded), and only with your explicit consent as a user. This means you would have to approve their activity on your account: logging in and performing the operations you permitted them to do. No other actions would be allowed by your online banking system.

To cut the story short, the service you found is safe and the API it uses just wants your credentials to authenticate in your bank account in order to get some information, not your money.

Stay well and see you soon, Grandma!


Your G-son
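The consent model the letter describes for standardized banking APIs (a third party may perform only the operations the customer explicitly approved, and never payments or payee changes) can be made concrete with a small bank-side authorization check. The code below is an added illustration and is not from the original article or from any real bank or PSD2 implementation; the scope names, the service identifiers and the sample account data are all constructed for this example.

```python
"""Consent-scoped third-party access to a bank account (added illustration).

Hypothetical model: instead of a service holding the customer's login and
password, the customer grants a consent that lists exactly the operations
the service may perform. The bank checks every request against that list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Operations a customer can delegate to a third party (constructed names).
READ_ONLY_SCOPES = {"accounts:read", "balances:read", "transactions:read"}
# Operations this model never delegates, whatever the consent says.
ALWAYS_DENIED = {"payments:initiate", "payees:modify"}

# Fixed timestamps so the demo is reproducible (constructed).
DEMO_NOW = datetime(2016, 4, 21, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(days=91)


class ConsentError(Exception):
    """Raised when a request falls outside what the customer approved."""


@dataclass(frozen=True)
class Consent:
    service_id: str       # the one service the customer approved
    scopes: frozenset     # exactly the operations approved, nothing more
    expires_at: datetime  # consent is time-limited and must be renewed


def grant_consent(service_id, requested_scopes, now, valid_days=90):
    """Customer explicitly approves a service for a set of read-only operations."""
    requested = frozenset(requested_scopes)
    not_grantable = requested - READ_ONLY_SCOPES
    if not_grantable:
        raise ConsentError(f"cannot grant {sorted(not_grantable)} to a third party")
    return Consent(service_id, requested, now + timedelta(days=valid_days))


def authorize(consent, service_id, operation, now):
    """Bank-side check run on every request: service, time window and scope."""
    if operation in ALWAYS_DENIED:
        return False
    if service_id != consent.service_id:
        return False
    if now >= consent.expires_at:
        return False
    return operation in consent.scopes


# Constructed sample account; no real data.
SAMPLE_ACCOUNT = {
    "accounts:read": {"iban": "XX00 0000 0000 0000 (constructed)", "holder": "Grandma"},
    "balances:read": {"balance": 1234.56, "currency": "EUR"},
    "transactions:read": [
        {"date": "2016-04-01", "amount": 850.00, "description": "pension (constructed)"},
        {"date": "2016-04-03", "amount": -42.10, "description": "groceries (constructed)"},
    ],
}


def handle_request(consent, service_id, operation, now, account=SAMPLE_ACCOUNT):
    """Return the requested data, or raise ConsentError if it is not permitted."""
    if not authorize(consent, service_id, operation, now):
        raise ConsentError(f"{service_id} may not perform {operation}")
    return account[operation]


def demo():
    """A scoring service approved for balances and history tries several operations."""
    consent = grant_consent("scoring-app", {"balances:read", "transactions:read"}, DEMO_NOW)
    results = {}
    for op in ["balances:read", "transactions:read", "accounts:read",
               "payments:initiate", "payees:modify"]:
        try:
            handle_request(consent, "scoring-app", op, DEMO_NOW)
            results[op] = "allowed"
        except ConsentError:
            results[op] = "denied"
    # The same consent presented by a different service is refused.
    results["other-service/balances:read"] = (
        "allowed" if authorize(consent, "other-service", "balances:read", DEMO_NOW) else "denied")
    # The same consent after its expiry date is refused.
    results["expired/balances:read"] = (
        "allowed" if authorize(consent, "scoring-app", "balances:read", DEMO_LATER) else "denied")
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request:32} {outcome}")
```

The point of the model is that the service never needs the customer's password: what it holds is a consent that names one service, a short list of read-only operations and an expiry date, and the bank refuses anything outside that list, including payment initiation and payee changes, even if the consent were stolen.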


Comments: (3)

A Finextra member, 21 April, 2016, 18:58 (0 likes)

Hi Konstantin, even with APIs, no one should be asking for your user ID and password, I think. It should be the bank's authentication system, right? Just how you use Facebook or Twitter on various sites. In another case, if an API is allowed, it can also be pre-authorized in the bank's system. Unless I'm missing something.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 21 April, 2016, 19:31 (1 like)

PFMs do ask for online banking credentials, whether they're based on scraping architecture or APIs. When I came across this step on Mint, I bailed out. But, judging by the popularity of Mint, millions of Americans have evidently gone ahead. Social logon merely authenticates a user by their Twitter / Facebook creds to a third-party site - basically confirms that you are who you claim you are. Apps like HootSuite that post content to / retrieve content from social networks do require your corresponding social network creds. Maybe it's only me, but handing over my social network creds to a HootSuite type of app is one thing, but handing over my online banking creds to a PFM is a wholly different thing.

Lu Zurawski - London, 22 April, 2016, 13:56 (3 likes)

Dear Grandson... Unfortunately your last correspondence made me feel a bit dizzy. My medic (Dr. Ebarts) tried to reassure me, and also gave me some new medicine. But this actually made me feel worse. I hope you don't mind if we could just carry on as normal - if you're running short, I can just send you some money in an envelope.
