Live code demo on FinDEVr stage in London

This was the first time that FinDEVr has been held in London. The venue was the Tobacco Docks in the East End of London; the building was constructed around 1811 and served primarily as a store for imported tobacco, hence the name. FinDEVr is the only conference series focused exclusively on showcasing a new tool, platform, API or case study from a leading technology company designed to help developers of Fintech create better innovations faster.

eWise was on stage June 13th presenting the Aegis SDK and discussing how we help Fintechs and Financial Institutions to transition to the coming Open Banking and PSD2 XS2A (account aggregation) landscape.

Our solution is designed to address two big issues with PSD2 open APIs:

  1. The scope of Access-to-Accounts data access under PSD2 is limited to designated payment accounts (e.g. current accounts and credit cards): with Aegis, we can aggregate non-payment accounts to offer end-users a truly global view of all their financial accounts.

  2. Non-unified API structure: each bank will implement its own API standard and structure. The Aegis SDK takes away the heavy lifting of target institution API development and maintenance, allowing you to focus on leveraging standardised data in your user engagement. The Aegis SDK harmonises data aggregated from various target sources into a consistent data structure.

At the end of the demonstration, there was a short Question & Answer session which covered a range of topics:

  • How do you manage PDV (i.e. the eWise Personal Data Vault) recovery if the user needs to change devices (e.g. the device is lost)?

If the device is lost, the encryption key that unlocks the PDV can be remotely deleted. The user will have to re-enter their credentials on a new device.

  • How would you change PSD2?

In an ideal world we see a common industry standard for API implementation by ASPSP's. While we are seeing some collaboration in this area, particularly in Germany, it is unlikely that we will see any standardisation in the short-to-medium term. In the meantime, the eWise mission is to manage the underlying complexity of connectivity, authorisation, aggregation and data harmonisation for our customers.

  • How do you differ from Mint in the US?

Mint (in the United States) is a direct-to-consumer personal money management service owned by Intuit. Mint provides a range of money management features including spending analysis, budget and goal setting and most importantly, the ability to aggregate accounts from all your bank providers.

End-users of the Mint service are required to disclose their online banking credentials to a third party (Mint) so that the service can use these credentials to aggregate bank account data from the server side. When registering for the Mint service, end-users are required to accept the Mint Terms of Use, which include language permitting Intuit to store the end-users' usernames and passwords and use these to access online banking services during aggregation. The following has been extracted from the Mint Terms of Use (14th June 2017):

"When you use the “Add Accounts” feature of the Services, you will be directly connected to the website for the third party you have identified. Intuit will submit information including usernames and passwords that you provide to log into the Site. You hereby authorize and permit Intuit to use and store information submitted by you to accomplish the foregoing"

Because the third-party aggregator (in this case Intuit) will be accessing your accounts from their servers, the Terms of Use also require the end-user to grant Intuit a limited power of attorney to use their credentials and access their data. The following has been extracted from the Mint Terms of Use (14th June 2017):

"For purposes of this Agreement and solely to provide the Account Information to you as part of the Services, you grant Intuit a limited power of attorney, and appoint Intuit as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person."

In terms of how eWise is different from Mint, there are three main differences:

1. eWise is not a direct-to-consumer business (B2C); we only work with banks and FinTech organisations (B2B).

2. Our patented "client-side" aggregation platform means that the end-user never discloses their online banking credentials to a third party. All credentials are stored securely in the Personal Data Vault residing on the end-user's device, using AES256 encryption.

3. All aggregation is performed from the end-user's device, NOT a server. This means that data is never shared with a third party unless the end-user consents via privacy controls.

In many financial services markets, regulators and data privacy groups favour the client-side model of data aggregation.

  • Who are your customers? Banks or fintechs? What countries?

We work with both Banks and Fintechs. We have customers across Europe, Asia and Australia & New Zealand.

  • Do you have a mobile app?

We have a native mobile SDK for both iOS and Android, but not a mobile app. Our customers (Banks and Fintechs) integrate our Aegis SDK into their mobile applications.

  • What's your business model?

We are a B2B company, licensing our SDK to businesses who need Account Aggregation to perform their service.

  • Are you getting the users to enter their bank credentials into your (or your client's) website? If yes, is that safe?

End-user credentials are stored locally on their own device (mobile, laptop...) within the eWise Personal Data Vault (PDV). All data within the PDV is secured using AES256 encryption, and the encryption keys are held on eWise servers. In terms of safety, our platform is routinely verified by independent security firms and is subject to penetration and vulnerability tests annually. Because our architecture is distributed (everything is done from the end-user device), the platform does not present a single large target for malicious attacks or hacks, which reduces the threat risk to an extremely low probability.
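The two answers above (remote deletion of the key that unlocks a lost device's PDV, and vault data encrypted with AES256 under keys held server-side) describe a crypto-shredding pattern. The following is an added illustration of that pattern, not eWise code: a stand-in key server issues a 32-byte AES-256 key per device, the on-device vault stores only AES-256-GCM ciphertext, and once the server deletes the key the vault can no longer be opened. Names such as KeyServer, Vault, Seal and Open are assumptions made for this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer stands in for the server-side key store (hypothetical name):
// it holds the AES-256 key that unlocks a device's vault and can delete it.
type KeyServer struct{ keys map[string][]byte }

func NewKeyServer() *KeyServer { return &KeyServer{keys: map[string][]byte{}} }

// IssueKey generates a fresh 32-byte (AES-256) key for a device.
func (s *KeyServer) IssueKey(deviceID string) ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	s.keys[deviceID] = k
	return k, nil
}

// FetchKey fails once the key has been revoked, so the vault stays sealed.
func (s *KeyServer) FetchKey(deviceID string) ([]byte, error) {
	k, ok := s.keys[deviceID]
	if !ok {
		return nil, errors.New("key revoked or unknown device")
	}
	return k, nil
}

// RevokeKey is the "remotely deleted" step for a lost device.
func (s *KeyServer) RevokeKey(deviceID string) { delete(s.keys, deviceID) }

// Vault is the on-device PDV: only nonce and ciphertext are persisted.
type Vault struct{ nonce, ciphertext []byte }

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the credential blob with AES-256-GCM under a random nonce.
func Seal(key, plaintext []byte) (*Vault, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Vault{nonce: nonce, ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open fetches the device key from the server and decrypts the vault;
// after revocation this returns an error and the data is unrecoverable.
func Open(s *KeyServer, deviceID string, v *Vault) ([]byte, error) {
	key, err := s.FetchKey(deviceID)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, v.nonce, v.ciphertext, nil)
}
```

Re-enrolling on a new device, as the answer describes, means issuing a fresh key and sealing a new vault from re-entered credentials rather than recovering the old ciphertext.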

  • How do you minimise, or better yet, avoid third parties changing their screen layouts/structure and breaking your product's aggregation functionality?

We have developed a number of techniques over the past 17 years of implementing our solutions that enable our connectors to navigate changes to third-party websites without "breaking". There are of course times when changes cannot be managed internally by the connector, and in these instances the changes will be detected by our automated testing tools. Enhancements to connectors are made by our team and deployed quickly to eWise customers.

  • BBVA has opened up its APIs; is it more difficult to link banks that haven't, e.g. Barclays, Lloyds?

It is certainly easier to work with APIs, but we have 17 years of working with Banks that haven’t opened up their APIs via our highly developed HTML parsing method.

  • Which banks in the UK have you integrated with?

We are covering 250+ institutions including banks, building societies, brokerage companies and utility providers.

  • Does the system work with Token or additional validation systems?

Yes, and many other forms of single and multi-factor authentication models.

  • How long does it take to update your code when a PSD2 change comes out?

This would be expected to be updated the same day. It is rolled out seamlessly to customers without a fresh compile having to take place.

  • How much control do I, as a company integrating your service into a complex business process, have over the aggregation rules?

Using the eWise Aegis SDK you can orchestrate many aspects of how aggregation is performed. This includes when to aggregate, what to aggregate and whether aggregated data is shared with service providers. This is all configurable on a per-institution basis.

  • Are you going to make a React Native wrapper?

We don't currently have one, but it's something we're looking at. We do have a PhoneGap wrapper.