Stevie Graham breaks into Barclays and HSBC for data, not money

When Barclays found Graham digging around inside its banking app, he got shut down. His concern? That banks don't believe in opening up their data vaults
"It's 100 per cent bad blood" with Barclays, says Graham. "Bilateral bad blood." (Photo: Getty Images / Oli Scarff)

Stevie Graham breaks into banking apps. He’s very good at it. One Friday in early September, he finished getting what he wanted from HSBC, then began chiseling away at Lloyds. By evening the next day, he’d sized up the challenge. Sitting in his humid Soho office, surrounded by screens and Diet Coke cans, he tapped out a tweet.

“The Lloyds app is watertight, clearly some brilliant security folks have worked on it. I think they've been too smart for their good tho 👀 ”

Ten minutes later the official Lloyds Twitter account replied. “Put the hammer down & stop trying to break our lovely mobile app, we'd really appreciate it!! Thanks.”

Recalling the incident, Graham laughs. The Lloyds app is still giving him trouble, but he’s not going to stop until he’s cracked it. “There's no company in the world that can stop us popping their app,” he says. “You can be the best at securing it, but when the best at popping it comes along, they're going to pop it.” (Lloyds declined to comment further.)

Poking around in banks usually only means one thing, but Graham – a swaggering, self-taught developer with a black baseball cap perched permanently on top of his tangle of belly-length hair – isn’t after money. He’s looking for data: data only banks control. Every time money is sent, spent, lent or borrowed, the bank records it in its ledger. Graham wants to make that transaction data available to startups, in the form of a single API: a direct channel to a treasure trove of information.

There’s one problem. After decades of failing to encourage competition in the stagnant banking market, the Competition and Markets Authority announced in 2016 that it would force the nine biggest UK banks to open up their transaction data via standardised APIs. The regulation, which is called Open Banking, comes into force on 13 January 2018. With this well-resourced, official competitor on its way, why is Graham persisting? Because he doesn’t believe the banks will deliver what they’ve promised.

“They're idiots, they're really naive,” he says, referring to Open Banking Limited, the body charged with delivering the new system. “They need to deal with banks like I have to know how malevolent they are.”

Graham, who is 32, started working in fintech in 2013. Before that he was the first European employee of US startup Twilio; working with his current (and only) collaborator Dan Palmer, he also built the Ministry of Justice’s application service for employment tribunals. He enjoyed the experience, because the Government Digital Service placed the user’s needs at the centre of everything it did. In banking, he saw a sector where the exact reverse was true.

At the time, Open Banking was little more than a policy proposal. So, figuring the banks must use APIs internally, Graham tried reverse engineering their apps, cracking them open so he could see their inner workings. By 2015, he was ready to alpha test his new service, which he decided to call Teller. He gave the API for Barclays to five initial customers. That was when the trouble started.

As soon as Barclays spotted Teller, Graham says, it blocked its customers’ devices and banned them from online banking. Fuming at what he saw as an overreaction, Graham went to Canary Wharf to meet the director of mobile banking at Barclays.

“‘We can go about this one of several ways,’” he remembers saying. “‘You can stop doing what you're doing and let me operate, because your customers want this service… Or you can carry on doing what you're doing, but we're going to amp it up ten times and cause as much damage to you as possible.’”

Barclays seemed to get the message. The director said he would look into a revenue-sharing arrangement, but asked Graham to take the API offline, to avoid antagonising anyone in the bank. Graham did so, then went off to rearrange Teller so it wouldn’t be vulnerable to another blockage. (He’d thought it would be possible to work with the bank, so he hadn’t hidden what he was doing, by disguising IP addresses or refreshing at unpredictable times. He wouldn’t be caught that way again.) The modifications took six months. When Graham came back, the Barclays API didn’t work. The bank had changed its security protocol to shut him out.

Barclays maintains it was simply being cautious. “We continually review and update our online and mobile banking apps to ensure they remain secure and convenient for our customers,” a spokesperson said, confirming that the mobile banking infrastructure had “been improved this year to ensure that our systems are robust.” To Graham, however, it was an act of war, one that confirmed all his suspicions about the banks’ true attitude to Open Banking.

“They're spending millions trying to stop people having API access,” he says. “Shake it out: consider how they're acting now. Why would you expect them to act in good faith with something they've been forced to by the regulator?”

Even though the banks are required by law to provide Open Banking, the regulation gives them plenty of freedom about how they go about it. Graham observes that the banks have the right to cut anyone suspected of fraud off from the APIs – but, although they have to inform the Financial Conduct Authority (FCA) of their decision, the criteria for exclusion and the appeal process are not clearly defined. “If a bank cuts you off, we might find later they were overzealous, but in the meantime, that startup is dead. The bank might get a slap on the wrist from the FCA, but the oligopoly is preserved.”


Graham is funding Teller with his own money – “If this doesn't work out,” he says, “I can make a million pounds a year consulting for banks” – and a £50,000 cash grant from innovation foundation Nesta, which is running a £5 million prize, funded by the banks, to find the best Open Banking products for small businesses. Chris Gorst, who leads the prize, says the discussions among the 20 participating startups have thrown up similar concerns. “There’s still quite a lot of uncertainty about the specifics of how Open Banking will work,” he says. “An example is consent. What does that journey look like from a customer's perspective? How cumbersome, how painful?”

Every time someone agrees to show a third party their transaction data, the rules of Open Banking require them explicitly to approve the exchange, with the startup specifying in clear language exactly how long they will hold the data and what they will do with it once they have it. But although the fintech signs up the customer, the consent screen itself will be managed by the bank. “The nightmarish vision is that they could have a big flashing red screen, saying, ‘Do you really want to do this?’,” says Gorst. “That's obviously not going to happen in the real world. But it does mean that at a point in the customer consent journey, it's taken out of fintech's control.”

Other worries – over the exact format of the data, for instance – reflect the same uncomfortable truth. To succeed, Open Banking needs the willing participation of the very institutions it is designed to disrupt.

Asked, banks say how excited they are about Open Banking, and, in public at least, most fintechs appear inclined to believe them. “The banks have every reason to embrace Open Banking, because it’s far better than being broken up,” says Conrad Ford, CEO of lending comparison site Funding Options. But although Graham is worried enough to have started investigating consumer products, he remains deeply pessimistic about Open Banking’s prospects.

“Considering the incentives, they will not act in good faith with this order. They will find any way they can to subvert it, or to comply with it in such a way that makes it impractical to use, whether that's the hoops you have to jump through to get access to it, whether that's the user experience they inflict on users, or whether it's the actual quality of the APIs, they'll make it unconscionable to consider using them.”

Of course, if the banks don’t fulfil their end of the bargain, that’ll be good news for Teller’s alternative APIs. It took Graham only a few days to get Barclays back online, and he also has integrations with Santander, Nationwide, Royal Bank of Scotland, NatWest and HSBC. (His plan is to offer them for free, charging businesses for support.) And if any bank tries to stop Teller again, he’s ready. He’s seen inside their apps. He knows their weaknesses. And, although he knows he’d be “annihilated” with lawsuits, he’s prepared to use that information if he has to.

A few months after Barclays cut off Teller, Graham accepted an invitation to speak at a conference called API Days. He knew representatives from the bank would be attending and he wanted to deliver a warning. Standing on the stage dressed in a black bomber jacket and backwards baseball cap, he quoted DJ Khaled: “I’m fully loaded. I’m war ready at all times. I have so many records in my drive – trust me, anybody act up, I’ll let one go.” Then he added his own twist.

“I have so many private APIs fully documented, clients in multiple languages, mock gateway implementations, automated anti-anti-RE tools and security vulnerabilities in all of the APIs,” he bragged. “Trust me, anybody act up, I’ll let one go.” The crowd clapped and cheered. Graham flashed up the next slide: a picture of a crimson sky torn apart by a nuclear explosion.

This article was originally published by WIRED UK