Open Banking over iFrames: An Introduction

 In Open Banking, Privacy & Regulations, Security

In 2022, most people have heard of apps that interact with financial institutions in order to provide a specific financial service to users. One well-known and long-existing example of an app like that is Mint, which has been around since 2007 and currently boasts upwards of 10 million users. This personal finance management (PFM) app is built around budgeting – users keep track of their income and expenses, establish spending categories and limits, and then keep track of their input and output to make sure they’re staying in the realms of the goals they’ve set. Budgeting itself obviously wasn’t a new idea when Mint was conceived, but keeping track of all of that through an online account or app that had access to all your financial data was. Today there are countless apps that use the same technological ideas that Mint has for a long time: users sharing their financial data with a third party app in order to manage their financial lives. 

Aggregators and iFrames

Apps like Mint that integrate real-time financial data into their services require something called an aggregator. An account or bank aggregator collects financial data from many different sources – banks, credit cards, investment accounts, etc. – to make all of that data accessible in a separate location. That’s where something called an “iFrame” (or SDK) comes in. An iFrame is a widget that loads an external webpage element within a parent page. 

In the past, apps that wanted to integrate with users’ financial systems had to incorporate an iFrame into their account creation process in order to establish access to a user’s financial information. All bank aggregators built their own custom iFrames that could be inputted into an app’s interface. In that iFrame, users were prompted to enter their banking usernames and passwords so that the data aggregator had permission to access their data from their financial institution and then share it back to the app. This bridged the gap between the app and the data so that the app could perform the service they were designed to perform. 

This process, in both theory and reality, works. But there’s a problem: privacy and security of data is at risk in an iFrame. 

When a user enters their login information into a widget (as opposed to a secure website like their bank’s), the information logically is captured and stored by the aggregator so that they can access the data that’s available when logged in. But therein lies the problem: the more places your login information is stored, the more places your login information can be accessed, making it more vulnerable to being accessed and stolen by people who shouldn’t have access to it. If a consumer is using, for example, two or three different PFM apps like Mint to manage their finances, then there are two or three additional entities that have access to their highly sensitive credentials, making it two or three times more susceptible to being intercepted by the wrong people. That’s a major problem, especially when cyberattacks and data breaches are so increasingly common.

iFrames vs. Open Banking

In recent years with innovative technologies emerging, a new way to access and port data has developed through open banking, which uses APIs (application programming interface) to build communication between financial systems and third party apps. 

Open banking has only been functional since around 2015. Many of the well-known data aggregators, however, have been around for longer than that. Before open banking, iFrames were really the only way to bridge the gap between apps and financial institutions. They allowed aggregators to “scrape” the web for the data they needed, and it worked, but like we asserted above, it wasn’t great for users’ overall privacy and security. 

Another problem with these custom iFrames is that they were all different. Each aggregator developed their own custom, company-owned widget, so there weren’t any standardized protocol or requirements. 

Unlike iFrames, open banking was developed and is maintained according to strict, globally-recognized standards and protocol. For example, the GDPR (General Data Protection Regulation) is an extensive legal document that went into effect in the European Union in 2018 and is continually updated to keep the legislation relevant to changing technologies. In the U.S. the California Consumer Privacy Act (CCPA) became law in 2018 and explicitly states how digital data should be handled, stored, and transferred in order to keep it secure. Open banking is, by law, governed by these regulations that are recognized and abided by worldwide.

Open Banking with Pentadata

Open banking, while still a relatively new concept, is becoming more and more mainstream. Even the original data aggregators and payment networks have begun to convert over to the processes of open banking instead of the old ways of widgets and iFrames. 

So why is open banking with Pentadata different? We have the benefit of coming into existence at the same time the legislation was being developed and approved. We haven’t had to switch over from outdated and insecure methods of porting data; through our entire existence as a company we’ve followed strict compliance standards that are robust, standardized, and approved by all major banks today. We built Pentadata on these principles, and you can rest assured that our technology has always been and always will be tested and secure. 


In the last decade and a half since PFM apps were first created, consumers increasingly want the benefits those third party apps can give them – and there are so many options, with more emerging every week! But consumers also want to be able to trust that through using those apps, they won’t be putting their personal information at risk for theft and exploitation. With open banking, apps can give consumers both of those things: empowerment to use their own data for their own benefit AND assurance that their data will always remain secure. 

If you’re interested in experiencing open banking with Pentadata, you can try it out today! Click here to create a developer account and try our sandbox, or contact us to ask your questions directly. 

Recent Posts