Every small business owner eventually faces the same awkward question from their accountant: "Can you send me your bank statements?"
What usually happens next is one of three things, and none of them are good:
- You export CSV files manually every month, forget half the time, and your books are always a month behind.
- You share your banking password with your bookkeeper (or your cloud accounting tool screen-scrapes it). This violates your bank's terms of service, voids fraud protection, and under GDPR you've just created an unauthorized data-processing relationship.
- You pay for an enterprise aggregation tool that costs more than your accountant.
There's a fourth option that most SMBs don't know about yet. It's been legally mandated in the EU and UK since 2019.
PSD2 Account Information Services (AIS)
Under the EU's PSD2 directive and the UK's Open Banking standard, every bank is required to provide a regulated API that lets a licensed Account Information Service Provider (AISP) read your transaction data — with your explicit consent, on a read-only basis, and revocable at any time.
This means your accountant (or their software) can connect to your bank accounts via a secure OAuth redirect flow — the same kind of "log in with Google" flow you've used a hundred times — and pull balances and transactions programmatically.
Key properties of an AIS connection:
- Read-only. The AISP cannot initiate payments, move money, or modify anything. The access is strictly informational.
- Consent-based and time-limited. You grant access for a specific duration (typically 90 days under SCA rules), and the bank asks you to re-authenticate periodically.
- Revocable. You can withdraw consent at any time from your bank's app — no need to change passwords or contact anyone.
- No credentials shared. You authenticate directly with your bank. The AISP never sees your password.
- Regulated. The AISP must be authorized by a national competent authority (FCA in the UK, BaFin in Germany, Finanstilsynet in Denmark, etc.).
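The client side of that flow, as an added example (not the article's code nor any provider's): it builds the bank redirect with a `state` value and PKCE, checks the callback, and models a consent that refuses payment scopes, lapses after the assumed 90-day window and can be revoked. Endpoint URLs, client ids and scope names are assumptions.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: scope names and the 90-day window are illustrative, not any bank's own.
CONSENT_LIFETIME = timedelta(days=90)
READ_ONLY_SCOPES = {"accounts", "balances", "transactions"}
PAYMENT_SCOPES = {"payments"}

def build_auth_request(auth_endpoint, client_id, redirect_uri, scopes):
    """Build the bank redirect URL; keep the returned state and PKCE verifier server-side."""
    if scopes & PAYMENT_SCOPES:
        raise ValueError("an AIS connection must not request payment-initiation scopes")
    state = secrets.token_urlsafe(16)       # binds the callback to this browser session
    verifier = secrets.token_urlsafe(32)    # PKCE: the token request must present this
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(sorted(scopes)), "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}", state, verifier

def parse_callback(callback_url, expected_state):
    """Validate the bank's redirect back to us and extract the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in qs:
        raise ValueError(f"bank refused consent: {qs['error'][0]}")
    return qs["code"][0]

class Consent:
    """A granted AIS consent: read-only scopes, fixed lifetime, revocable at any time."""
    def __init__(self, granted_scopes, granted_at=None):
        if not set(granted_scopes) <= READ_ONLY_SCOPES:
            raise ValueError("consent carries scopes beyond read-only AIS access")
        self.scopes = set(granted_scopes)
        self.expires_at = (granted_at or datetime.now(timezone.utc)) + CONSENT_LIFETIME
        self.revoked = False

    def revoke(self):                      # what the user does from the bank app
        self.revoked = True

    def is_valid(self, now):
        """Data may be pulled only while unrevoked and inside the SCA re-auth window."""
        return not self.revoked and now < self.expires_at
```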
Why isn't everyone using this?
Two reasons.
1. The eIDAS QWAC certificate barrier. To connect to a bank's PSD2 API as a regulated provider, you need an eIDAS QWAC (Qualified Website Authentication Certificate). This costs €5,000–€15,000 per year and requires a formal AISP/PISP authorization process that takes 3–6 months. This is a deliberate regulatory gate — it ensures only vetted, audited entities can read consumer financial data.
This barrier is why the market is dominated by enterprise aggregators (Plaid, Tink, GoCardless/Nordigen, TrueLayer, Yapily). Their business model absorbs the certificate cost and charges per-API-call or per-connection. For a small business that just wants to share data with one accountant, the pricing models are often opaque and enterprise-oriented.
2. Screen-scraping is still the default in most accounting software. Many popular tools still use legacy screen-scraping (logging in with your credentials and parsing the HTML). It's brittle, breaks when banks change their UI, and creates the exact security exposure that PSD2 was designed to eliminate. But it works in countries without open banking mandates (like the US), so vendors haven't fully migrated.
Practical options for SMBs
If you're in the EU or UK and want to give your accountant read-only bank access via regulated APIs:
- Check if your accounting software supports PSD2 AIS natively. Tools like FreeAgent, Xero, and some others have begun integrating direct bank feeds via open banking APIs. If yours does, enable it — it's the cleanest path.
- Use a dedicated AIS provider. If your accounting tool doesn't support it, standalone AIS providers can aggregate multiple bank accounts into a single read-only view or API. The certificate cost is baked into their pricing.
- For developers and technical SMBs: If you're comfortable with APIs, you can build a lightweight aggregation layer yourself. The Berlin Group NextGenPSD2 and UK Open Banking standards are well-documented. The barrier is the eIDAS certificate — without it, you'll need a provider that offers certificate-free access to the underlying bank APIs.
What to look for
Regardless of which path you choose, verify these properties:
| Requirement | Why it matters |
|---|---|
| Read-only access | Prevents accidental or malicious payment initiation |
| OAuth consent flow (not credential sharing) | You never share your password with anyone |
| Revocable from your bank app | You retain control and can cut access instantly |
| SCA-compliant re-authentication | Periodic re-confirmation keeps consent fresh (every 90 days) |
| GDPR Article 28 data processing agreement | The provider is a legitimate data processor, not a shadow scraper |
Disclosure
I work on open-banking.io, a PSD2 account information service focused on the certificate-free access tier — the gap between expensive enterprise aggregators and risky screen-scraping. I'm not pitching it here; the goal of this article is to explain the regulatory landscape so you can make an informed choice. If you're evaluating options, compare providers on price per connection, bank coverage in your country, and whether they offer a read-only AISP scope (not just payment initiation).
The bottom line: stop sharing your banking password. If you're in the EU or UK, PSD2 gives you a regulated, secure, revocable way to share transaction data — and the tools to use it are getting more accessible every year.