
Teller.io is doing this. You might want to look into what licenses they needed to get.


No it isn't, at least, not yet - it asks for all the user login information including passwords and security numbers required for a normal login.

Edit: And unfortunately, it doesn't seem even to have any intention of using it: https://twitter.com/stevegraham/status/951163378424217600


Teller is interesting; I have some reservations (mostly around the attitude they portray, which is a bit unprofessional) but they have a good vision.

The downside is they are encouraging you to share passwords, as you say, which isn't driving the right customer behaviour.

More critically, in about 18 months the PSD2 Secure Customer Authentication guidance comes into force and this sort of approach (sharing credentials, which everyone basically refers to as "screen scraping" in its various forms) will be disfavoured, to the extent that banks might have to go to great lengths to try and stop it. Teller might have to go forward fighting continual reverse engineering battles.


I think we've independently arrived at exactly the same point with our reservations.

In particular I'm concerned that Teller will have a massive target painted on its back, because it has those full login details - they could become systemically important to the UK banking system, and then perhaps the regulator should step in!


It's already against the typical bank's terms of service for a user to provide them.

Not to mention a silly thing to do. But the average user seems to just blindly trust these things - tools like 'You Need a Budget' ask for the same.


Founder here. This is incorrect. It is no longer against the terms of service of any European bank as of today thanks to PSD2.


It can no longer be against the terms of service of financial service providers to prohibit sharing the credentials used to access your accounts on their systems?


Yes, every UK bank had to write to their customers updating their terms allowing such activity end of last year.


I have accounts with several banks and other financial services, and I have received various updates to terms in connection with PSD2 over the past few months. However, I don't recall any of them saying it was now OK to share things like passwords or PINs.

Are we talking at cross-purposes here? Encouraging non-experts to share security credentials that give unrestricted access to their accounts with third parties is so obviously dangerous that I find it hard to believe that (a) the financial providers are now required by law to do it, and (b) not a single one of the updates I received from mine drew attention to this in any way that I noticed and recall now.

Surely the entire point of the new access paths under PSD2 is that the financial providers don't have to endorse the dangerous practice, and can instead provide an alternative way to achieve similar results but with much better control and regulation to protect all involved?


What the existing screen scraper companies have done is to make sure the PSD2 directive will allow screen scraping as a fallback method if they are not satisfied with the bank APIs.

That's because the directive is actually a competitive disadvantage for them since they've invested a lot in the screen scraping.

The interpretation is not trivial though. The authentication details in particular are not very clear right now.


Most likely it took the form of 'Section 7.5.2 is deleted', and you or I wouldn't have noticed.

However, I will be hunting down the full version of the T&Cs for my account to see what they say now!


Really? So that suggests enrolment in an 'Open Banking' app requires the same?

That's extremely disappointing...


> a bit unprofessional

That's putting it mildly.


We actually don't do this where we have an option to, i.e. with Barclays and Nationwide. Regardless, users giving credentials to 3rd parties is not against the terms of any bank in the EU and it's contrary to EU law for them to make it so. Banks are also on the hook for liability in the first instance and must immediately make good any customer loss, although they can pursue the 3rd party.


Teller isn't part of the PSD2/Open Banking world. They've reverse engineered all the banks' private APIs for their mobile apps, in part because they believe the banks will hobble and cripple the Open Banking APIs because it's in competition with their business model.



