Recently I've made a post about
the importance of preparing for PSD2 already now. Even though it got quite popular, I thought to myseulf - why don't we take a step back and focus on expaining banking API in very simple words? I got inspired by the title of an article
"How I Explained Blockchain to My Grandmother" and decided to make a similar one. Let's check how it went.
Dear Grandma,
I’m glad you asked for my advice when you felt concerned about the service you were about to use. You are right you should be very careful and cautious when some third party wants to know the login and the password to your online bank account. But this time
you don’t need to worry, and here is why.
The service you mentioned is a legitimate one — I checked it. This is the first thing you should always do: find out as much as you can about the service or the company behind it. Then, as always again, read everything you are required to agree upon.
You can ask: why do they want my online banking credentials? Well, they want them, because they need to get some information from your account: maybe they will look for your personal data such as name, birth date, ID number, to verify your identity (since
your bank already did that, so this information can be trusted); maybe your account balance is important to make payment; or maybe they want to know your account history, so they would know how much money you get and spend and therefore could evaluate your
credibility when you want to get a loan (it’s called scoring).
Either way, they don’t want to steal your money. In fact, in vast majority of cases, none of your money will get affected in any way. It’s all about information about you and your money. And it’s done securely.
The service in question — as well as the others wanting to mine in your bank account — uses small software helpers called APIs to do the job of asking for and receiving the banking data. (By the way, API stands for Application Programming Interface — quite
a mysterious and geeky name, huh?). APIs are like researchers designed specifically to retrieve the data from external sources. In our banking case, when you log in, or when a service logs into your online account with your credentials, the API pops in, instructs
the system in your bank: “I want this and that”, then grabs the goods and fetches them to its master—the service.
The whole process takes seconds and is as secure as when you are personally using your online banking system. Some services store your encrypted credentials on their own secure servers, some don’t. Again, you don’t have to worry: even if nasty crooks break
the safeguards and steal logins and passwords, you are still protected by the one-time passwords necessary to transfer funds anywhere.
In the future APIs will get standardized in the way they communicate with banking systems, at least in the European Union. They will be able to perform only certain operations (for example, money transfers or changes to recipients’ list excluded), and only
with your explicit consent as a user. This means you would have to approve their activity on your account: logging in and making operations you permitted them to do. No other actions would be allowed by your online banking system.
To cut the story short, the service you found is safe and the API it uses just wants your credentials to authenticate in your bank account in order to get some information, not your money.
Stay well and see you soon, Grandma!
Hugs,
Your G-son