I investigated this while at Capital One (a couple of years ago) and the main reason was that banks would still be liable for any data leakage that the third party (or in this case you the user whose data it is) would perform, so to make it a little(?) safer it'd be easier to restrict it.
Agreed it's a sucky situation for folks who want their data and could accidentally leak PDFs with the same result 🤷🏽♂️
Also as someone who's implemented Open Banking on both consumer and service provider, it's not necessarily something I'd expect lots of folks to enjoy doing themselves 😂
I know part of it is that (from what I've been told and understand) if you the customer were to I.e. leak your data accidentally, it'd lead to the bank being reprimanded, and so one way it's managed is that only FCA registered third parties can access data. That being said, I don't really know how some third parties allow programmatic access in this case. Also having worked with Open Banking implementation, it's not as fun to use without having an intermediate API that the third party provides to you, rather than the raw OB spec 😅
How are Open Banking Key Ids (
kid) Generated? (1 mins read).
Sharing insight into how Open Banking has generated their
kids for use with JWTs.
I work on Open Banking APIs for a UK credit card provider.
A large reason I see that the data isn't made directly available to the customer is because if the customer were to accidentally leak / lose their own data, the provider (HSBC, Barclays etc) would be liable, not you. That means lots of hefty fines.
You'd also likely be touching some PCI data, so you'd need to be cleared / set up to handle that safely (or having some way to filter it before you received it).
Also, it requires a fair bit of extra setup and the use of certificate-based authentication (MTLS + signing request objects) means that as it currently sits you'd be need one of those, which aren't cheap as they're all EV certs.
Its a shame, because the customer should get their data. But you may be able to work with intermediaries that may provide an interface for that data, who can do the hard work for you, ie https://www.openwrks.com/
You're currently viewing page 1 of 1, of 16 posts.