undefined | Better HN

0 pointsd_k_f2y ago0 comments

I've implemented the bank account checking flow for a German client in a purely B2B setting, and this is essentially based on the PSD2 directive, which requires all/some/most (not entirely sure) banks to provide exactly this functionality (google keywords "PSD2" and "XS2A"). The bank's T&C should reflect this ... somewhere.

The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.

The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, tough, and I'm glad I haven't had to do this myself yet.

0 comments

lucb1e2y ago

> It should/must only allow read access to your account

Besides that it also needs to perform the payment, why do they need to pull 180 days of transaction history just so that I can give the merchant their money? (I'd be happy to just be given an IBAN number and transaction description to use and do it myself.)

At least that's what the consent screen said it was going to do: assess my creditworthiness before withdrawing the money. There was no way to pay without sharing who my employer is and how much I earn, which shops I visit in which cities, where I've been on holiday, what online purchases I do and on which platform and how frequently and for how much, etc. Obviously I declined this but since it's one of the logos you see every time, I guess a lot of people "consent" to this (knowingly or otherwise)

JoshTriplett2y ago

AirBnB has adopted Plaid for credit card verification recently, which wants bank login credentials. Nope, never going to happen.

j / k navigate · click thread line to collapse