Linking third-parties: Bank logins, transactions & security
CTO and Co-founder, Alex, talks all things security when it comes to linking third parties like Plum to your bank account.
Let’s begin by setting the scene. You hear about Plum from a friend, immediately think it’s a godsend and you excitedly rush to sign up. (Well, at least that’s my hypothesis). After a short chat with Plum on Messenger, you breeze through the personal details section only to be faced with a form, branded in your bank’s colours, that asks for your bank login details — some of which you’ve never heard before. Err… what now? And why does Plum need my bank details?
Plum’s purpose is to help you save money in a simple, fun and stress-free way. In order to do so, it needs to read and analyse your bank transactions to figure out how your balance varies, what are your spending patterns, when you pay your bills and how much income you have. To read your transactions we need to establish a secure link to your bank, hence we need your Online Banking login details. In this post we will do a quick dive into how that works and explain how we use your details, what data we have access to and what the future holds.
Linking to your bank
In order for us to establish a link to your bank and access your transactions, we have partnered with an “account aggregation” service. This service provides us with read-only access to your transactions and account balance, meaning that all we can do is read data — we cannot move any money out of your account! There are multiple such services out there but we chose to partner with Yodlee, the industry leader. Yodlee has been around for 17 years and has a number of prominent backers (Bank of America being one of them). It was a public company in the US until it was bought by Envestnet for a whopping $500mm last year.
This might be the first time you’re asked to provide your bank login details to an application — or even hear about the term account aggregation — and, understandably, it can feel like you’re giving away the keys to the kingdom. In reality, a number of big companies are using services like Yodlee to offer a better experience to their customers. Here are a few examples:
Personal finance tools like Mint (used by 20 million users) offer analytics across multiple bank accounts
Accounting software like Xero (used by 800,000 businesses) use account aggregators to automatically import transactions instead of requiring their customers to manually upload their statements
Accessing and storing your data
After you submit your bank login credentials, we forward them directly to Yodlee which encrypts and stores them securely. The communication between your browser (or phone), our servers and Yodlee is also encrypted with TLS 1.2, also known as “the little green lock in your browser”. It’s very important to note that we do not store your bank login details. We’re much more comfortable leaving this task to the Yodlee experts — they’ve been doing it for many years and undergo multiple security audits per year to ensure their systems are as secure as they can be.
Once your bank login details are stored, Yodlee will then begin the process of gathering your account details and up to a year’s worth of transactions. When finished, we import said transactions, as well as your account details and balance, encrypt any sensitive information (like your account number) and then store them in our database for further analysis. Every day we ask Yodlee for new transactions and your most up-to-date balance and then pass them to our saving algorithm to do its magic.
The account aggregation market has flourished in recent years. While customers demand more analysis and smarter applications, banks have been slow to catch up and refuse to provide an easy way for their customers to allow third-parties (like Plum) to access their data.
Thankfully, a very important regulation has been implemented by the Competition and Markets Authority (CMA) to increase competition between banks, called PSD2. The regulation is the outcome of both the UK and European governments concluding that your financial data belong to you and you should be able to share it with companies of your choice.
As of January 2018, UK banks will have to provide third-parties with secure access to your financial data via open APIs. The result? Increased security, more accurate data and an overall better experience for the customer. It’s a victory for open banking and us, the consumers! ✌️