SafetyNet is a UK Open Banking fintech that provides Overdraft Avoidance.
While the uninitiated can Google “overdraft protection” for a prosaic definition of the term, Stanley Bing offers the following tongue-in-cheek description for one of the most lucrative products of banks:
No matter what you spend with your debit card, even if you have no money in your account, the guys at the bank will make sure that you’re not embarrassed. They’ll pay your tab!
In return for having your back, banks charge an overdraft protection fee. Ranging from $20 to $30, this fee is a major source of revenues for banks.
SafetyNet is an Overdraft Avoidance service that provides a temporary credit so that the customer’s account does not go into negative balance and attract costly overdraft protection fees.
For this service, the lending fintech charges 0.8% per day, capped at 40 days. (Assuming no processing fees etc., that works out to an APR of 292% according to the formula given here, although the fintech’s website claims it’s only 68.7%).
How common is "overdraft protection" in the Indian banking industry? TIL that at least two Top 5 pvt sector banks in India offer this facility – called Temporary Overdraft – and, that too, without any fees. https://t.co/yErKeS2MjW via @GTM360
— Ketharaman Swaminathan (@s_ketharaman) March 14, 2019
SafetyNet was featured in the Finextra blog post entitled “9 months in, how is Open Banking faring?”.
The article mentioned that the fintech uses “credential sharing” and therefore introduces “security risk”. I was a bit perplexed by this since
- EU Open Banking’s claim to fame is that it does not require credential sharing, and
- US-style open banking products using credential sharing have been around long before EU PSD2 came into force e.g. MINT since 2007.
While the complete details of their operating models can be found in my blog post titled Open Banking: EU v. USA, suffice it to say for the current context that Open Banking EU works via API access whereas Open Banking USA works via screen scraping.
Seeking clarity, I left the following comment:
Nice post, especially since I’ve been writing about Open Banking myself: Open Banking Needs A Blockchain Boost. I was shocked to read this passage in your post: “Is the financial benefit worth the risk of handing over your log-in details? People seem content to do so thus far.”
MINT and other PFMs in USA have been enabling budgeting and other functionality in return for access to Internet Banking credentials for over 10 years. Open Banking was supposed to eliminate the need for handing over login details to third parties and instead work on the basis of need-to-know info accessed via API-based architecture.
Any idea why SafetyNet Credit is asking for login details? With such an operating model, how is it even compliant with Open Banking / PSD2?
According to the replies I received, EU PSD2 does not prohibit fintechs from harvesting online banking credentials.
I couldn’t buy this because this logic went totally against the charter principle of EU Open Banking drummed into our heads for the past 5-7 years. I decided to do a test drive to figure out how SafetyNet actually worked.
The fintech’s website put me through the following steps:
- Step 1: Enter your name, income, address and other contact information on the fintech’s website and select your bank from a list of leading UK banks. I selected HSBC. (I could not locate my primary bank Citibank!).
- Step 2: Provide consent for SafetyNet Credit to access your bank account and gather your banking information.
- Step 3: You’re redirected to your bank’s website where you enter your online banking username and password on a page prefixed with .ob (obviously for open banking).
As you can see:
- The fintech’s website does not mimic the bank’s login screen as is the case with Betterment–Plaid. You see the login screen only on the bank’s website. Therefore, this is not phishing.
- You enter your online banking credentials on your bank’s website, not on the website of the fintech as is the case with Betterment–Plaid. So there’s no credential sharing.
Since you do not hand over your login credentials to the fintech, there’s no security risk.
(But customer perception may vary. Although they’re entering their banking credentials on their bank’s website, the Average Joe / Jane Bank Customer might feel unsafe about the fintech looking over their shoulders while they’re doing so.)
Net net, what you’re doing is authorizing your bank to share your banking information with the fintech on an ongoing basis without asking for your consent each time the fintech seeks it. (See Consent Dilemma – Have You Given It Or Not? for more context on the tricky topic of consent.)
This is very similar to how third party social media apps like Hootsuite access your Twitter account to fetch your tweets that they then display on their own dashboards (and post your tweets from their own dashboards to your Twitter timeline).
Put in Open Banking parlance, you’re authenticating the fintech to the bank and defining the contours of the nature and frequency of information your bank should share with the fintech.
tl;dr: No phishing, no credential sharing, no security risk. I still can’t figure out why the author of the aforementioned article brought these topics up.
On a side note, I was wondering why SafetyNet asked me to enter my address, mobile number, and salary in Step 1 above. When it did my KYC while opening my account, my bank already collected all this information.
When I’m giving consent to the fintech in Step 3 to access my bank account, why can’t it automatically fetch these contact details from the bank instead of asking me to enter them? Even 15 years ago, MINT never asked for anything more than name, email address and online banking credentials.
Not sure if this is just bad UX on the part of SafetyNet or the bank in question is refusing to share this data with the fintech. If the latter, this would be Exhibit Z of the following limitation of the API access model compared to screen scraping (H/T Byrne Hobart):
When you use scraping, you can get all the info that the logged user can access whereas, when you use API, you’re limited to what the bank provides via API.
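Both the three-step flow described above and the side note about the address field can be put into code. What follows is an added toy model, not SafetyNet’s or any bank’s code: the password is checked only inside the bank’s `authorize` method on the bank’s own host, the fintech ends up holding a scoped token rather than credentials, and a request for data the bank’s API does not expose (here, a constructed `address` field) is refused, which is exactly the situation where the fintech has to ask the customer instead. All hostnames, client ids, scope names and account data are constructed for the example.

```python
# Added toy model (not SafetyNet's or any bank's code) of the Steps 1-3 redirect consent flow; names and data are constructed.
import secrets

BANK_HOST = "ob.examplebank.test"                      # the bank's own login host
API_SCOPES = {"accounts", "balances", "transactions"}  # assumed bank API catalogue
TPP = {"client_id": "tpp-demo", "redirect_uri": "https://fintech.test/callback"}
USERS = {"alice": ("s3cret-demo", {"accounts": ["GB00DEMO"], "balances": {"GB00DEMO": 120.5},
                                   "transactions": [], "address": "1 Demo Street"})}

class Bank:
    """Account-servicing bank: checks credentials, issues codes and scoped tokens."""
    def __init__(self, users=USERS):
        self.users, self.codes, self.tokens = users, {}, {}   # username -> (password, data)

    def authorize(self, client_id, username, password, scopes, state):
        # Step 3 runs here, on the bank's host; the password never leaves this method.
        if client_id != TPP["client_id"]:
            raise PermissionError("unregistered third party")
        if not scopes <= API_SCOPES:       # the bank shares only what its API offers
            raise ValueError(f"not available via API: {sorted(scopes - API_SCOPES)}")
        if not secrets.compare_digest(self.users[username][0], password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username, frozenset(scopes))
        return TPP["redirect_uri"], code, state  # the bank sends the customer back to the fintech

    def exchange(self, client_id, code):
        owner, user, scopes = self.codes.pop(code)  # one-time code
        if owner != client_id:
            raise PermissionError("code was issued to another client")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, scopes)
        return token

    def api_get(self, token, resource):
        user, scopes = self.tokens[token]
        if resource not in scopes:
            raise PermissionError(f"{resource} is outside the consent given")
        return self.users[user][1][resource]

def run_flow(scopes=frozenset({"balances", "transactions"})):
    """Fintech side of Steps 1-3; returns (login host, token, bank). No password is ever held."""
    bank, state = Bank(), secrets.token_urlsafe(8)     # state ties the bank's callback to this request
    url = f"https://{BANK_HOST}/authorize?client_id={TPP['client_id']}&scope={'+'.join(sorted(scopes))}&state={state}"
    host = url.split("/")[2]                           # customer's check: the bank's domain, not the fintech's
    _, code, back = bank.authorize(TPP["client_id"], "alice", "s3cret-demo", set(scopes), state)
    if back != state:
        raise PermissionError("state mismatch")
    return host, bank.exchange(TPP["client_id"], code), bank
```

Running `run_flow()` with the default scopes lets the fintech read balances and transactions but not accounts, and `run_flow(frozenset({"address"}))` fails at the bank because that field is not in the API catalogue.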