
Six years of bank feeds

Lucy reconciles bank transactions in our new home page video

On 28 September 2006, we met with New Zealand’s ASB Bank and pitched the concept of supplying bank transaction data into Xero’s online accounting software. Just a month later, on 31 October, the very first feed file arrived from ASB overnight, and bank feeds were born.

That was six years ago. We were the first cloud accounting software to link data from banks to an accounting package where the business owner, and not just the accountant, could see their bank activity. The feature was a hit – customers could log in to Xero, reconcile their transactions and immediately update their financial records to match the activity in their bank account.

The idea for bank feeds came out of our design-led approach. We followed small businesses around and quickly learned that the first business task they do each day is to check their online bank account to see who paid them overnight. But at the time, business owners didn’t process their accounting transactions there and then; they had to come back later to do the bookkeeping. Bank feeds made bank reconciliation a natural starting point for the daily workflow – one of the few substantial small business process changes in many years. Daily reconciliation eliminates catch-up work and gives business owners a real-time view of their numbers.

A year later, Xero’s bank feeds service was extended to Kiwibank, ANZ, and the National Bank (ANZ and National Bank of course completed their merger earlier this week), and then BNZ, Westpac and TSB. A year after that, in 2008, we had our first feed from ANZ in Australia.

We’re quite pleased that bank feeds have become a basic prerequisite for all accounting software.

Xero now has direct relationships with all of the major banks in New Zealand, and direct relationships with most of the major banks in Australia, and we are continuing to develop and build these relationships on an ongoing basis. If you’re in New Zealand or Australia and hold a small business bank account – chances are that your bank supplies feeds to us directly. In order to receive one of these feeds, all you need to do is complete an application form and send it in, and we take care of the rest. The bank securely and directly transfers data to us on a nightly basis.

The full list of the financial institutions that partner with us is available in our Help Centre. If you’re setting up a new account for your small business, we encourage you to use one of our listed partners.

Yodlee, the USA and the UK

In 2009 we recognized the need to reach the thousands of banks in the United States in a way that didn’t require us to form relationships with each and every institution individually. Yodlee has been doing account aggregation for over a decade and is best in class at what it does. Yodlee believes that bank account data belongs to the customer (“your account, your data”), and when a bank fails to make a customer’s data accessible, Yodlee provides a way for that customer to get their data into the systems they want to use.

Our Yodlee integration gave us a way to provide feeds to our US and UK customers when financial institutions were too slow or too technologically constrained to supply the data to us directly. Yodlee is well established in the US – so much so that 8 out of the top 10 US financial institutions use Yodlee for their own aggregation purposes. What Yodlee has found is that by opening up the data within those financial institutions (something institutions in the US and UK markets have been reluctant to do) they have enabled a huge amount of innovation across the financial services sector, with over 600 financial institutions and companies using their platform for a wide variety of services: credit-worthiness reporting, debt management, personal financial management, credit-card charge monitoring, account-ownership verification and, of course, small business accounting too.

Yodlee has faced criticism for some of its methods – you need to supply your online banking credentials to use its services – but this is a product of a lack of innovation in the financial institutions, which have failed to provide viable alternatives. Yodlee takes security very seriously and has not yet had a security incident. They are a PCI DSS Level 1 Service Provider, which is a bank-grade level of security.

Yodlee is completely optional and is provided to Xero subscribers free of charge. You can choose to stick with manually uploading bank transactions if you do not wish to use it. It’s worth noting that other aggregation methods, such as those provided in the US by accounting giant Intuit or FiServ’s CashEdge, work in exactly the same way. It looks to us like the market has spoken and that aggregation services are now a core component of the industry.

Ideally the banking sector would provide direct methods for us to provide the functionality that our customers want, and when they do so, we will migrate to them.  In fact, we are actively working with financial institutions in all markets, and with Yodlee, to evolve alternate methods which eliminate the need to ask for customer credentials.

We were possibly the first to use an aggregation service like Yodlee with small business accounting software, but Yodlee had been used for years with personal financial management products like Mint, and Yodlee feeds will soon be available for Xero Personal too.

Bank Feeds Today

Bank feeds have grown so much within Xero that on a weekly basis we now process over 1.5 million statement lines and generate over 700,000 statements for the 111,000 small businesses using our software. Bank feeds have grown into a significant part of Xero’s business, with three full-time development staff and a dedicated customer support team. Despite the simplicity of the concept (data gets delivered to Xero, Xero delivers data to the customer), there is a tremendous amount of complexity under the hood: the variety of ways in which banks supply data to us, the formats and frequency with which they do so, and all of the queuing, scheduling, processing and parsing that happens every time a file is received or a feed is refreshed. The bank feeds development team do some of the most challenging work in the company.

The Next Six Years

Our direct partnerships with banks have been tremendously successful – for both ourselves and for our partnering financial institutions – and we are in constant conversation with the banks that we work with about how to increase the benefit for our shared customers. Bank feeds are just the start. We believe financial institutions are in a tremendously powerful position to improve the lives of small businesses, and when they partner with us they can start to unlock a lot of small business potential that would otherwise lie dormant.

Ideally we’d like to see all banks offer feeds as a direct service. This might include a standard way for account owners to provision feeds for any product, including Xero. It might include the ability for account owners to provide read-only feeds to other stakeholders; it seems crazy, for example, that boards of not-for-profit organizations can’t get a summary of bank transactions for the entities they are responsible for. And finally, it might include OAuth-style access to bank feed services, which would give banks and customers a way to control access to accounts without handing over credentials or completing paper forms.
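The following is an added example, not Xero’s, Yodlee’s or any bank’s code, that models the “OAuth-style” feed access described above so the contrast with credential sharing is concrete. A hypothetical bank issues a token that is scoped to reading statement lines, bound to one account, time-limited and individually revocable; the same token is refused at the payment endpoint, and withdrawing it does not require the account owner to change a password. The signing key, account number and statement lines are constructed for the example, and the token format is a simplified stand-in for a real OAuth access token.

```python
"""
Added example (not Xero's, Yodlee's or any bank's code): a minimal model of the
OAuth-style, read-only bank-feed access the post proposes. A hypothetical bank
issues a scoped, account-bound, expiring and revocable token to a feed
consumer; the token can list statement lines and nothing else. All keys,
account numbers and statement lines are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

READ_SCOPE = "transactions:read"       # the only scope a feed consumer is granted
PAY_SCOPE = "payments:write"           # never granted to a feed consumer
SAMPLE_ACCOUNT = "12-3456-0000001-00"  # constructed account number


@dataclass
class Bank:
    """Hypothetical bank: token issuer plus two resource endpoints."""
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    revoked: set = field(default_factory=set)
    ledger: dict = field(default_factory=lambda: {SAMPLE_ACCOUNT: [
        {"date": "2012-10-30", "amount": 250.00, "payee": "Acme Ltd"},
        {"date": "2012-10-30", "amount": -42.10, "payee": "Power Co"},
    ]})

    def issue_token(self, account: str, scope: str, ttl_seconds: int) -> str:
        """Owner consents once; the bank mints a signed, scoped, expiring token.
        No online-banking password ever leaves the bank."""
        claims = {"jti": secrets.token_hex(8), "acct": account,
                  "scope": scope, "exp": int(time.time()) + ttl_seconds}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig

    def _verify(self, token: str, required_scope: str, account: str) -> dict:
        """Reject tampered, revoked, expired, wrong-scope or wrong-account tokens."""
        try:
            payload_hex, sig = token.split(".", 1)
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            raise PermissionError("malformed token")
        expected = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(payload)
        if claims["jti"] in self.revoked:
            raise PermissionError("token revoked")
        if claims["exp"] < time.time():
            raise PermissionError("token expired")
        if claims["scope"] != required_scope or claims["acct"] != account:
            raise PermissionError("scope or account mismatch")
        return claims

    def revoke(self, token: str) -> None:
        """Owner or bank withdraws one grant; the owner's password is untouched."""
        claims = json.loads(bytes.fromhex(token.split(".", 1)[0]))
        self.revoked.add(claims["jti"])

    def statement_lines(self, token: str, account: str) -> list:
        """Read-only feed endpoint: the only operation a feed token unlocks."""
        self._verify(token, READ_SCOPE, account)
        return list(self.ledger[account])

    def transfer(self, token: str, account: str, amount: float, to_account: str) -> dict:
        """Payment endpoint: needs PAY_SCOPE, so a feed token is refused here."""
        self._verify(token, PAY_SCOPE, account)
        return {"status": "accepted", "from": account, "to": to_account, "amount": amount}


def feed_consumer_walkthrough() -> dict:
    """Grant a feed token, read lines, attempt a payment with it, then revoke it
    and try a stale token. Returns the outcomes so they can be checked."""
    bank = Bank()
    token = bank.issue_token(SAMPLE_ACCOUNT, READ_SCOPE, ttl_seconds=3600)
    lines = bank.statement_lines(token, SAMPLE_ACCOUNT)

    def blocked(call) -> bool:
        try:
            call()
            return False
        except PermissionError:
            return True

    payment_blocked = blocked(lambda: bank.transfer(token, SAMPLE_ACCOUNT, 1000.0, "99-0000-0000000-00"))
    bank.revoke(token)
    revoked_blocked = blocked(lambda: bank.statement_lines(token, SAMPLE_ACCOUNT))
    stale = bank.issue_token(SAMPLE_ACCOUNT, READ_SCOPE, ttl_seconds=-1)
    expired_blocked = blocked(lambda: bank.statement_lines(stale, SAMPLE_ACCOUNT))
    return {"lines_read": len(lines), "payment_blocked": payment_blocked,
            "revoked_blocked": revoked_blocked, "expired_blocked": expired_blocked}


if __name__ == "__main__":
    print(feed_consumer_walkthrough())
```

The point of the model is the shape of the grant rather than the crypto: a shared online-banking password carries every right the owner has and can only be withdrawn by changing it, whereas the token above carries one right on one account for a bounded time and can be cancelled on its own.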

We’ve been thinking about this stuff for a long time, and it was great to see a lot of these concepts explored by speakers at Money2020 in Las Vegas last week. We look forward to discussing some of these ideas with financial institutions soon, and I’m sure we’ll get to see most of these ideas put into practice over the next six years.


34 comments

@CJ_NZ
31 October 2012

So ASB provided business bank feeds 6 years ago, but only BNZ can provide personal bank feeds.

Lack of bank feeds is what is stopping me getting Xero personal.

Gayle Buchanan
31 October 2012

Happy Happy Birthday

Be Smart Accounting
31 October 2012

HaPpY 6Th YEaR BirThday FoR XERO Feeds!!! :)

Adam
31 October 2012

As someone who works for an FI, the direct model is the only safe one. Yodlee’s screen-scraping model is, in my jurisdiction, a direct contravention of the electronic banking code, as it involves distribution of online client credentials.
P.S. PCI is a data standard for cards, not credentials. Credit cards can be replaced; client numbers are a much higher risk.
If your bank finds out you give your credentials out, you could lose any protection against fraud.
I hope it never happens, but if someone gets Yodlee’s vault, it would be catastrophic.
Don’t think it could happen? Well, neither did Sony, Apple, the FBI and other such well-known data breach recipients.

Vince
31 October 2012

I agree with Adam. Direct feeds are fine but I would never endorse any of my clients setting up a bank feed using Yodlee. I am sure Yodlee take security seriously but I am also sure they are a prime target for hackers. And as I understand the situation, under most banking agreements if you provide your login and password details to a third party (such as Yodlee) you are liable for any fraud that occurs on your account – the bank does not have to prove it was directly related to the use of the third party.

Xero’s endorsement of Yodlee exposes users to a completely unacceptable level of risk.

Stephen
31 October 2012

@CJ_NZ – Have a glance at Xero’s shareholding, that might help explain why BNZ is first off the rank as far as Personal goes.

Matt Vickers
31 October 2012

Hi @Adam & @Vince – the financial sector, at least in the US / UK markets, has so far failed to provide a standard for data access that meets customer needs – hence Yodlee’s existence. Those institutions need to sort themselves out, because a decade after this problem presented itself, banking customers have moved on and in those parts of the world where direct feeds aren’t available they have chosen the only option available to them: aggregation services. This applies not just to Xero, but to the hundreds of successful, useful products that would not exist or would be less useful without aggregation.

We acknowledge this isn’t an ideal scenario, so we’re working hard to help financial institutions to develop a standard that meets customer needs, and we’d love to see banks put these ideas into practice sooner rather than later.

In the meantime our customers have the choice to use Yodlee or not, and so far the level of use indicates that customers have weighed up the level of risk with the convenience of using the feeds and have chosen convenience. Many financial institutions themselves have decided to use Yodlee, effectively acknowledging their level of comfort with the service.

Yodlee adheres to many financial security standards; PCI (which, as you correctly point out @Adam, is a standard for the handling of cardholder information) happens to be the one that is most recognisable to our readers.

Matt Vickers
31 October 2012

Hi @CJ_NZ & @Stephen – Xero Personal’s a bit tougher because all feeds have an associated cost and without automating the process, it’s not affordable for us to provide the data using the same process that we have for business. Automation requires more effort from the bank so it’s a longer game. The thing that will get you what you want is customer pressure: the more you hassle your bank about it, the more likely it is to happen.

Vince
31 October 2012

Matt, what Xero has done is make a decision between making more revenue by providing its service using Yodlee, or taking an ethical stand not to use a service which exposes users to unnecessary risk. Xero has put money ahead of ethics – some of your competitors, such as Kashflow in the UK, have instead put ethics first.

You are right there is a choice to use Yodlee but I wonder how many people using Yodlee have actually read all the fine print in the terms and conditions of Yodlee, Xero and their bank. I suspect it is very few. Most probably don’t know the risk to which they are exposed.

I am sure Yodlee has good systems in place. But you miss my point that by providing Yodlee with login and password details Xero users are probably liable for fraud on their accounts from any other source – and bank fraud unfortunately occurs all too frequently.

And Yodlee is not the only choice available other than direct feeds. Many accounting systems have for years enabled users to download bank statements and import them. It’s not as automated as direct feeds or Yodlee, but it is not difficult, it’s secure and it exposes no user to liability for fraud.

Matt Vickers
31 October 2012

@Vince – We resolutely put convenience, good design and user experience first.

Liability in the case of fraud is a bank-by-bank question – there’s no clear cut answer that applies to all banks. Some don’t see it that way at all. If your bank’s T&Cs appear to penalise you in the case of fraud, or that is what your bank is telling you and you’re not comfortable with that risk: change banks. We have direct feeds in the NZ, AU and UK markets with some great forward-thinking financial institutions that would love to have your business. We’re working on establishing direct US feeds soon, so our customers will have the choice there too.

We too offer the ability to import downloaded bank statements manually. In fact, in our personal product, unless you’re a BNZ customer this is the only way you can import data. But by a large margin our customers have told us that they prefer the convenience of automated feeds. So automated feeds are on their way.

Hannah Milan
31 October 2012

The comment that “has not yet had a security incident” at Yodlee is a bit like the guy who bet he could jump off the Empire State Building without hurting himself. He was winning the bet right until the moment when he hit the ground.

Bank feeds are great when they are available, and there is nothing inherently wrong with screen scraping from a security point of view, but once you share banking credentials with any third party, you are an accident waiting to happen.

Go to 7:47 of this video and hear from an expert in security what he thinks about sharing banking credentials…

http://www.youtube.com/watch?v=eL5o4PFuxTY&playnext=1&list=PLF5E215B406BC04C1&feature=results_video

Brendan
1 November 2012

I am a software developer and I wouldn’t have expected that so many other serious organisations’ data could be accessed by hackers, but it was. It happens over and over again. Nor would I expect that Xero would take such a risk as to use technology or methods that would put their customers’, and ultimately their own, business at great risk. So clearly, Xero have thought long and hard about how secure this is and concluded that it’s an acceptable risk. That said, I’m sure the banks, the FBI and others said the same thing, and they had much greater levels of security in place. So while I think Xero is a great product, I would still never use nor promote that feature.

But will Xero or Yodlee take responsibility for any fraudulent activity that may potentially take place as a result of the screen scraping of bank feeds if I use them? Would any professional indemnity insurer offer them insurance for this? If not … why not?

Matt Vickers
1 November 2012

@Hannah – Great video. Yes, in order to use the functionality, you have to grant some authority to Yodlee. The T&Cs under which that authority is granted limit what they can do with that authority. In twelve years they haven’t abused that trust.

@Brendan – Yodlee is a tool that provides access to bank accounts that we do not yet supply directly. Like any tool, it’s your choice to use it, and your responsibility.

Thanks all for your concerns – but the market has clearly spoken. Intuit has released a similar platform in the US and it works in exactly the same way. We think Yodlee’s platform is better. It’s a tried and tested approach and without a viable alternative from the financial industry it will become the standard. If banks aren’t happy with this being the approach for the next ten years then they need to open up. If you aren’t happy as a customer of those banks then you need to tell them.

Chris
1 November 2012

@Vince, you said:
“Matt, what Xero has done is make a decision between making more revenue by providing its service using Yodlee, or taking an ethical stand not to use a service which exposes users to unnecessary risk.”

What nonsense – Xero makes the service available and users choose whether to use it or not. As suggested above, we’re adults and we can make our own decisions regarding our acceptable level of risk. If you don’t want to use Yodlee then that’s fine. But your position is that no one should have access to this type of data aggregation, and I find that an objectionable position to hold.

Vince
1 November 2012

Chris, this is not nonsense at all. It’s a very serious issue and one on which there are strongly divided opinions.

Some accounting service providers, such as Xero, have chosen to make available screen scraping services in the belief that this will help them provide better service, gain customers and make more money. On the other hand, there are accounting service providers such as Kashflow and MYOB that have said that screen scraping exposes users to undue risk and have chosen not to make it available for ethical reasons.

This is exactly the decision that Xero made when assessing whether or not to use Yodlee, and they came down on the side of making money. Interestingly, there are comments from Xero people which suggest that concerns still remain and that they would rather not use screen scraping. For example, Matt’s post above says:

“Ideally the banking sector would provide direct methods for us to provide the functionality that our customers want, and when they do so, we will migrate to them. In fact, we are actively working with financial institutions in all markets, and with Yodlee, to evolve alternate methods which eliminate the need to ask for customer credentials.”

Xero acknowledges the method has weaknesses – yet introduced it and continues to provide the service.

Your argument is that users are adults and should be able to make that decision for themselves. I have no doubt there are Xero customers who assessed Yodlee carefully, read all their terms and conditions as well as Xero’s and also read their bank’s terms and conditions for using internet banking services and then made a fully informed decision. I also have no doubt there are many others who simply said something like “Well if Xero are supporting Yodlee, it must be okay” and signed up to use it without realising the risks to which they are exposed. Certainly, I doubt whether many people using Yodlee are aware they are now probably liable for any fraud committed on their account, whether or not it was connected with their use of Yodlee.

Many people don’t make fully informed decisions, especially when there is lots of fine print involved. I have seen this many times. If I stick my Engagement Letter in front of clients, most sign it without reading it. They trust me, just as I suspect most people have trusted Xero with respect to Yodlee. In this case I think that trust in Xero has been misplaced.

Chris
1 November 2012

Vince, I understand the security risks very well. But I believe every user has the right to choose their own security profile and make informed decisions about the risks they take. The information is all out there, so the fact that some users choose not to inform themselves is a weak position.

I don’t personally use Yodlee, but I would if I had to in order to get daily bank feeds. It’s a sub-perfect system, but having weighed the risks and benefits it would be my informed choice to use Yodlee. That you think it’s your place to impose your own risk assessment on me because I may not have fully informed myself is insulting.

Matt Vickers
1 November 2012

@Vince – Most of the data, particularly in the US, is actually retrieved via direct arrangement between the bank (who are often Yodlee’s customers) and Yodlee. The US market has moved on.

Intuit, the big boy on the block, are opening up their own data aggregation tools, making feeds a competitive requirement. It takes significant investment to integrate feeds and to maintain them. The smaller guys are also planning to add feeds, when and if they can pull together the resources, so don’t mistake the rhetoric for the reality.

Vince
1 November 2012

Chris, sadly people do require protection from their own poor judgment.

Decisions are made all the time by governments and by businesses that restrict freedom of choice but protect people from the consequences of making bad choices. There is nothing insulting about that – it’s needed to keep society functioning in a stable and secure manner.

In this instance I think Xero has erred too far on the side of freedom of choice by making data sourced by screen scraping available to customers – especially when it doesn’t anywhere clearly state the risks of using the service. Instead it hides behind fine print.

The fact that several of Xero’s competitors will not use screen scraping suggests that this argument is a lot more finely balanced than you seem prepared to accept. What you view as insulting is viewed by others as sensible risk management.

Peter Spencer
2 November 2012

I totally agree with Chris, and I have to say Vince, I think you are talking patronising nonsense. If you are adult enough to run your own business, and run your own accounting package, then you are adult enough to make an informed decision about Xero & Yodlee.

The risks are obvious, just as they are when you hand over your credit card in a bar, or write someone a cheque.

The fact that several of Xero’s competitors don’t (not “will not”) use screen scraping suggests that they can’t be bothered to offer this option, and/or don’t want to pay the fee to Yodlee to do so. Screen scraping is a tricky science at best, and I know that Xero have a whole team dedicated to managing it.

Your view of Xero’s competitors as tree-hugging luvvies who don’t want to offer a service to their customers out of the kindness of their heart is cute, but not based in reality I would suggest.

Matt from Xero says that in the USA most of the feeds come direct from the banks anyway; and I know that over here in the UK, you cannot transfer funds or do anything meaningful with your bank account without your PIN, PIN device, and authentication card.

Just your logon details are useless, and if someone gets your sort code and account number there is nothing magic that they can do with that to start taking money from your account. The very best they could do is go to a charity site and fill in a direct debit form on your behalf. And you then have the right to instantly have your money back with no questions asked.

And again, here in the UK, “small print” is pretty useless in most legal situations if it is not considered fair and reasonable by the courts. All the more so if you did not have a lawyer look it over for you first. So if someone took money from my bank account via a cash machine (for which they would need my credit or debit card details and associated PIN), then the bank ombudsman and courts would not allow the courts to claim it was your fault because you gave someone in the USA the logon details to your bank account. The small print may say one thing; but the real world says something else.

Plus there are loads of scammers here in Europe who put skimmers and cameras on cash machines to grab all your bank details; so the banks pay-up without a fuss if you have fraud on your account.

Fraud does happen for sure; but it’s whipped-up by the media and those in the “security” industry to sell their products. The banks don’t want to pay to make things fraud proof, so instead, they just pay-up when it happens.

The bank, credit card and PayPal feeds are so amazing, and save me so many £1,000s annually, that I am more than happy to hand over my details, and I think the risk is tiny, tiny, that it would come back to bite me.

It’s true that sometimes people do require protection from their own poor judgment; but sometimes I need protection from the poor judgement of others!

And talking of reading the fine print – I wonder how many times an internet site gets you to “OK” their “agreements”, and you spend the next hour or so actually doing that?!

Vince
2 November 2012

Peter

As I said earlier this is an issue in which there are strongly divided opinions and the discussion in this thread confirms that.

On one side there is your classic libertarian philosophy which says anything goes, let the market decide and any interference in this is patronising.

On the other side there is the view that businesses have a responsibility to mitigate risks for their customers and the wider community.

I’m a cautious risk-averse accountant so it’s not surprising I lean on the side of the second approach and will never endorse my clients using screen scraping. I accept you disagree with that but my view is most definitely not nonsense. It is one shared by a wide range of people including many other accountants, small business owners, banks, software suppliers and security experts. And there are also people in each of these groups who share your point of view.

You may find it surprising, but I hope that in the end you are proven right. I hope there is never any security breach at Yodlee. I hope there is never any fraud committed on the accounts of Xero customers using Yodlee’s screen-scraping services. And I hope you can sit back and say “I told you so”.

Michael Mori
7 November 2012

@Vince. If we had to live our lives like you are suggesting, we would not have a life. Because what you are suggesting is that we should never drive a car or walk on a side-walk, because there is a possibility that you could get killed in an accident. If we had to take your thinking into the risk arena, you would legislate that driving and walking on side-walks should only be allowed if there were legal contracts between drivers and pedestrians on the one hand, and the makers of cars and the builders of pavements on the other, that no one would get killed, and if they did get killed, they would be covered by insurance.

For the minuscule risk (but very real – as is driving or walking on streets) the convenience of using bank feeds from Yodlee, is a risk my clients and I are very willing to take, because the chances of dying from cancer worrying about all the possible risks in life (as real as they are), are much greater than XERO and YODLEE are willing to destroy their businesses through security breaches.

I have enjoyed life more through bank feeds for 4 years now, but it is good that you have made us aware of the risks, thanks.

Accounting Services
9 November 2012

Nice Blog. You have given a good insight and a clear picture of why Accounting services are important with XERO.

David
6 December 2012

@ Matt Vickers – in regards to your statement below:

“Liability in the case of fraud is a bank-by-bank question – there’s no clear cut answer that applies to all banks. Some don’t see it that way at all. If your bank’s T&Cs appear to penalise you in the case of fraud, or that is what your bank is telling you and you’re not comfortable with that risk: change banks.”

Does Xero have a list of banks where they know that using Yodlee won’t breach the terms and conditions? I am not a lawyer, so it is very difficult to determine which banks are OK with it and which are not. It is clear on ING Direct’s website that they do not cover fraud if you provide your details to an aggregation service.

Thanks

Matt Vickers
6 December 2012

Hi @David – No we don’t have such a list, nor do we have the resources to maintain one. What we do have is a list of partner banks that we work with directly – so if you have concerns you should use one of those. We appreciate the choices are thin on the ground in the UK and the US, so we’re actively working to form direct relationships with financial institutions in those markets.

David
6 December 2012

Hi Matt, thanks for that. I completely understand. I am from Australia and there seems to be a reasonable number of partner banks (you have the majors at least). Can we assume that if we use Yodlee with partner banks for credit card accounts, for instance, they will not be in breach of their T&Cs?

Matt Vickers
6 December 2012

Hi @David – sorry, we’re unable to answer that question because we’re not party to the terms, or to the interpretation of terms in an agreement between a customer and their bank, whether that be a partner bank or a non partner bank. In some cases this is further complicated by the bank also utilising Yodlee or other similar 3rd party aggregation services within their own online banking product offerings.

David
6 December 2012

Thanks for your insights Matt

David Hillary
6 January 2013

Why not set up an additional read-only internet banking log-on with your bank and use that one for Yodlee to access and import the transactions, without risk of it being used fraudulently?

Sarah
23 May 2013

Hello Matt, I’ve been directed here from the Xero FB page.
Can you let me know if/when you expect to have a direct relationship with Macquarie Bank in Australia? I have been keen to implement bank feeds but won’t until doing so doesn’t break their T&Cs by providing a login to a third party. Ditto for HSBC in the UK?

Matt Vickers
23 May 2013

Hi @Sarah, we have direct relationships with both those banks already. See our list of partner banks.

Sarah
23 May 2013

@Matt, that’s great news, thanks. When I first moved across to Xero – nearly 2 years ago now – that wasn’t the case and I must have missed any updates regarding this. Very glad to hear that I will no longer be breaking any bank T&Cs in implementing these now.

Quentin Carter
9 January 2014

Hi Matt, Can you tell me if or when MQG will provide direct feeds from the mortgage products. We have approximately 2000 mortgage clients and won’t move a single one there until they do.

Matt Vickers
13 January 2014

Hi @Quentin. Feeds for mortgage products aren’t currently supported I’m afraid – we’ll look at when we might be able to add this.

Andy Masters
18 April 2014

If you are a techie, it is possible to write your own ‘script’, run from your own PC, using a tool called Selenium to remote-control your web browser. The script can log on to your bank, download bank files as .ofx and then log on to Xero and import the .ofx – no need to give any passwords to third parties. The script can prompt for your password(s) each time it’s run, so it doesn’t have to store any passwords either.
