Opinion: Visa, open banking and password sharing
Visa’s attempt to acquire open banking company Plaid failed after the US Department of Justice filed an antitrust suit, but now the payments giant has plans to acquire European open banking company Tink.
What do both of these startup companies have in common? Both companies have built open banking connectivity rails used by millions of people. However, to make this open banking connectivity work, both still rely on technologies that require people to share login details and passwords to their bank accounts.
Open banking powered by password sharing
The EU’s Payment Services Directive PSD2 mandates that all banks create a free application programming interface (API), through which third parties can gain consented access to their customers’ data. Because authentication happens at the bank, login credentials never reach the third party and users interact directly with their bank.
Before PSD2 came into full force it was a different story. European tech companies had to come up with more creative ways to connect to bank accounts and access banking data. Enter screen scraping and reverse engineering.
Screen scraping is a technology that requires consumers to share their login credentials with a third party. The third-party app or service then uses those credentials in automated scripts to log into the user's personal bank account and retrieves banking data by “scraping” what the online banking site displays on-screen.
This technology is employed by Plaid to connect to banks that don't have a dedicated API. Reverse engineering, used by Tink, also relies on a bank customer's login details, but reaches the bank's servers through unofficial access points reserved for the bank's own internal applications.
Both of these indirect connection methods offer unregulated access to users' bank accounts and require users to completely trust the third party that stores their banking credentials.
They leave the important decision of determining which apps or services are legitimate up to the consumer. It’s plausible to speculate that not everyone reads all the fine print when opening a bank account. Bank contracts will almost always have a clause where you agree never to give anyone access to your account. A stolen credit card is traceable, but banks have no way of knowing whether it’s you or someone else accessing your account through the internet. This can leave consumers vulnerable.
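A small model of the two connection models contrasted above, added here as an illustration and not code from the article, Plaid, Tink or Nordigen. The bank, the customer, the balance and the app identifier are constructed sample values; the point it makes concrete is that a shared password gives the app everything the customer has and leaves the bank unable to tell the two apart, while a consented token is scoped, expiring, revocable and names the third party in the bank's own records.

```python
from dataclasses import dataclass, field
import secrets
import time

@dataclass
class Bank:
    customers: dict                               # username -> password (sample data)
    balances: dict                                # username -> balance
    audit: list = field(default_factory=list)     # what the bank can see
    consents: dict = field(default_factory=dict)  # token -> consent record

    # Password-sharing path: the app logs in exactly as the customer would.
    def login(self, username, password):
        if self.customers.get(username) != password:
            raise PermissionError("bad credentials")
        # The bank sees only a normal customer login; it cannot tell who is behind it.
        self.audit.append(("customer_login", username, None))
        return {"balance": self.balances[username], "can_pay": True}

    # PSD2-style path: the customer authenticates at the bank and consents;
    # the bank issues a scoped, expiring token to an identified third party.
    def grant_consent(self, username, password, tpp_id, scope, ttl_s):
        if self.customers.get(username) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.consents[token] = {"user": username, "tpp": tpp_id,
                                "scope": set(scope), "exp": time.time() + ttl_s}
        return token

    def api_call(self, token, action):
        c = self.consents.get(token)
        if c is None or time.time() > c["exp"]:
            raise PermissionError("no valid consent")
        if action not in c["scope"]:
            raise PermissionError(f"{c['tpp']} has no consent for {action}")
        self.audit.append(("api_" + action, c["user"], c["tpp"]))   # TPP is named
        return {"balance": self.balances[c["user"]]}

    def revoke(self, token):
        # Consent is withdrawn at the bank; the customer's password is unchanged.
        self.consents.pop(token, None)

def demo():
    bank = Bank(customers={"alice": "s3cret-sample"}, balances={"alice": 250})
    scraped = bank.login("alice", "s3cret-sample")          # app stored the password
    tok = bank.grant_consent("alice", "s3cret-sample", "tpp:budget-app", {"accounts"}, 3600)
    api = bank.api_call(tok, "accounts")                    # app only holds a token
    bank.revoke(tok)
    return bank, scraped, api, tok
```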
Technologies that require password sharing to access banking data have been around for at least 20 years, and have been a contentious topic for debate among both developers and security experts. Several European regulators, such as Finland's FIN-FSA and Sweden's Finansinspektionen, have been explicit about the fact that PSD2 APIs should be the default means of obtaining payment account information. They’ve expressed that alternative methods, such as screen scraping, aren’t welcome.
Plaid operates in the US, where there is no similar legislation to Europe’s PSD2. Banks aren’t mandated to provide an API, let alone a free one, to access their customers’ data.
Europe was in a similarly fragmented state before PSD2. When Tink was founded 10 years ago, it had to rely on password-sharing technologies to build the first rails for open banking. The company later acquired other pre-PSD2 companies, such as Instantor and Eurobits, which also relied on password-sharing technologies to enable banking connectivity for the financial services sector.
Europe in 2021 is different. All major banks now have free APIs that can be used to securely connect to bank accounts without the need to share passwords with third parties. In acquiring Tink, Visa is going to acquire a company that has been on the bleeding edge of open banking for years but is still employing password sharing.
This is unacceptable in an era where the same services can be offered through regulated bank APIs. Visa must leverage all their newly acquired talent and know-how to wipe out password sharing in Europe once and for all.
Open finance without password sharing
Tink has been very open about how they use password-sharing technologies to enable open finance, which is the next generation of open banking. The company has been able to leverage the trust they’ve built with bank customers to expand open banking possibilities in Europe. However, these innovations come at the expense of exposing customers to potential risks. As we prepare for open finance, I can only hope that Visa, as the new owners of Tink, will do the right thing - obliterate password sharing in Europe, instead of cultivating it.
We need more privacy and control over our data, not less. We need regulated open finance that’s freely accessible for everyone, just like PSD2 has done for open banking.
I remain incredibly excited about what the open banking community has achieved and the fact that a trusted financial services company like Visa is bullish on open banking. I sat next to my team while we integrated our API with 1,000 regulated bank APIs in less than six months.
Throughout this short journey, I've become a true believer that regulated open finance will prevail and that password sharing will become a thing of the past. As Europe undergoes the metamorphosis from open banking to open finance, we can’t have progress at the expense of privacy and security.
About the author: Roland Mesters is the CEO and co-founder of Nordigen, the Latvia-based fintech that provided free open banking APIs to businesses globally. He has 10 years' industry experience and previously founded and ran Adventure Designs, a web design company.