Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What's the motivation for this? Is it coming from inside the industry/is it a suggestion/fun project?

I'm don't understand the purpose - it's all about transmission, not data. Banks could sure do sure do with a standardised API, but is interbank message encryption a problem needing solved? I've haven't heard anything like that.

The author is very sure of it's production-readiness. If this transpires to be true, then I could easily see this spec as a good way to encrypt message-based data of all kinds. But where does this bank angle come from?



Author here. That's a good question. Please see: https://github.com/trustly/bankapi/blob/master/doc/rationale...


Helpful. Are you using this in production with European banks?

I saw that on one of the interactive maps on your site there's no line to/from the UK, which is hardly surprising if you are - I would be staggered if they got on board with anything outside their little circle. Are banks in mainland Europe open to this kind of innovation?


Yes, it's in production by some banks and financial institutions in Europe. Most banks are still using SWIFT though.

I think the main reason why BankAPI has been accepted, is actually the lack of innovation. Banks are in general very skeptic to new "unproven" technology, but as BankAPI relies on old standards like TCP/IP, OpenPGP, RSA, SHA512 and HTTPS, there is nothing "unproven" in it to be afraid of.


In my few years in finance, i never came across anyone using SWIFT. It was all SFTP and the occasional HTTPS POST, with all the key distribution done manually.

But then, i didn't work in anything in the area of settlement or trade execution - it was in the general area of equities advice, so we moved research, trade ideas, restricted lists, prices, performance calculations, etc.

Given that SFTP and HTTPS are doing the job mostly adequately, i'm not sure why i'd adopt BankAPI (or rather, layer BankAPI on top of the HTTPS i already have). What value does it add?


Author here.

BankAPI is actually using HTTPS, but doesn't depend on SSL alone, as the files/messages are also encrypted/signed using OpenPGP. This means banks would not have to trust all the CAs who issue SSL-certificates, as the OpenPGP public keys are imported once for each bank you wish to communicate with, and won't change unless you explicitly update them.

The value it adds is the two layers of security (HTTPS+OpenPGP) and the "DeliveryReceipt" which makes it possible for both parties (the sending and the receiving bank) to prove they did send and did receive all files/messages sent over BankAPI.


I find that quite amazing. There are a few services around that talk to UK banks, and every single one screen-scrapes to get it done (yes, including MITMing your auth creds) because the banks here would never implement a public API.

I've heard of a proper API once - it was only available to corporate account holders with turnover of £3m+ and the bank had to QA your code.

And yet when I took them to task for validating user passwords with `/^[\d\w]{8,16}$/` they refused to see a problem.


> The decentralized design of BankAPI protocol ensures noone controls it, noone owns it, noone can shut it down, just like the Internet. The un-innovative design of BankAPI protocol ensures noone can critizise it, as there is nothing new invented, it's just a combination of existing well proven technologies.

I don't think I'm comfortable with the 1960s singer-songwriter Peter Noone having this much control of your system.

</snark>

This is a grammatical pet peeve of mine[1], principally because I used to use it exclusively and was horrified when a girl I liked at the time corrected me.

1. http://grammarist.com/spelling/no-one-noone/



Thanks for fixing!


Indeed it is sad when the object of one's affection turns out to be an illogical prescriptivist.

For a grammar Nazi, you are rather loose with capitalization.

ttp://www.yourdictionary.com/noone#wiktionary

https://www.google.com/search?&q=noone


It appears to be from https://trustly.com/en/ so perhaps they use it internally and are open sourcing it.


I should have checked that before commenting, itchy trigger fingers I suppose. It makes a great deal more sense now.


They call it "production grade quality", but I don't see a test suite.


There is a system test which tests all components together, see demo.sh and demo-bankapi.sh.


Maybe it's production grade F


this type of encrypted messaging is super common between banks and third parties. it's usually done in a similar manner to what is implemented here but in SFTP and every bank has it quirks/a different system for ACKing transmissions. a standard would be nice :)


And what does it offer above ssh/ssl on their own?




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: