Chase and Discover have abandoned OFX in favor of Aggregators

dtd

06 Oct, 2022 07:45 PM

Discover no longer seems to offer OFX/QFX/QIF downloads at their website. People have reported failure via OFX for some time.

Chase's automatic OFX downloads "broke" Wed Oct 5 evening. Normally, I just wait a few days for such to start working again, and I did check to see that Quicken users cannot connect either right now. Still, I found this link very disturbing:

https://www.quicken.com/support/why-am-i-receiving-message-about-my-chase-accounts

EWC+ stands for Express Web Connect + --- it appears to be an extension/API that is beginning to support the FDX concept (I know, a lot of acronyms - just things are changing). FDX is one of the reasons that MD+ was created, as the "new methodology" only supports sharing YOUR data with aggregators, versus you directly.

So, for now, I will just cross my fingers that Chase will fix OFX [edit: nope!] and I can at the moment still download QFX files manually.

I'll stop here, but rather than just wax poetic, I'll answer questions for other things I'm learning right now, but as "just a user".

EDIT: Chase via MD+ works, if you wish to move to the MD+ subscription service.
Instructions that worked for me:
https://infinitekind.tenderapp.com/discussions/online-banking/23868-chase-and-discover-abandoning-ofx-hopefully-still-a-question-versus-a-statement/page/2#comment_56015212

To IK staff - were you actively aware of the Discover/Chase changes, or do you get the information when we discover it? Are you working with Plaid to make sure these transitions flow to Plaid? I assume Plaid is part of the FDX group?

Showing page 2 out of 3.

  1. 31 Posted by dtd on 08 Oct, 2022 01:38 AM

    just a user - in my process, the "start date" never comes up, though I am aware of it (and helped debug it a while back). I recommend setting the start date to something recent, as if you do so, you don't get new fit_ids from Plaid that must be "assimilated".

    I'll look over the process I presented and see if I can trigger the start date versus getting "461 transactions" - the good news for me, is for the 2 of the 7 I've done so far, (I'm taking it slowly so I can address issues that arise like this one) is that auto merge worked 100% correctly - but then again I don't buy two whoppers from Burger King on the same date and the same price on two receipts, which could definitely confuse a computer program (at least it did Quicken when I was using it some time back).

  2. 32 Posted by dtd on 08 Oct, 2022 01:48 AM

    Alternatives to direct connect with Chase include:

    Downloading from each credit card directly - QFX is still offered, so updates can occur, even though it is not automatic - unless you truly require instant updates - I've done this for some banks, downloading like 2-3 times a month.

    Manual entry (I do that for some accounts as well, especially accounts my spouse has).

    Connecting with Moneydance's aggregator - Plaid/MD+ - automatic downloads work there, just not as timely as Direct Connect was.

    Overall - the banks declare this a wonderful thing (without telling you about it), and we get a decline in service and privacy.

  3. 33 Posted by dtd on 08 Oct, 2022 04:14 AM

    MODIFICATIONS TO MY PREVIOUS POST ON MOVING TO MD+ based on moving the rest of my Chase accounts.

    just a user
    There are many ways to get the MD+ setup wrong, and you need something like Toolbox to clean it up. Hopefully, there will continue to be updates to the MD+ section of code - especially as this becomes sadly more predominant.

    I suggest the following methodology to move from OFX to MD+ for your Chase accounts, especially if you have more than one, or more than one Chase login (I have 7 credit cards over 4 logins).

    0) I'd suggest going to Preferences/Network and clicking "Automatically merge transactions" as you will need a new fit_id and such so that you don't get duplicates a lot (instead, they will hopefully be just new blue dots you have to confirm) - you may also consider other boxes in that area based on your needs. You can uncheck this later if you like doing merges yourself.

    1) Go to one of the Chase accounts on the sidebar and highlight it, bringing up its transaction list. Then click on Online/Setup Moneydance+ in the menu bar.

    2) Assuming MD+ is set up (if not, do so) - click Connect more accounts and walk through the Plaid connection process with Chase. If you have more than one logon, log into the one which contains the account that matches the one you highlighted. Select that account.

    **** Pick ALL the accounts you will eventually be connecting. Ignore closed or secondary accounts. This will keep them together versus Plaid/Moneydance putting them in separate places and then you would need Toolbox to force a refresh.

    3) Go back to Moneydance. Stay on the account in question, click Setup Moneydance+ again, then hit refresh. You should see the Chase account(s) show up, but it will say "Click to select account" next to it. Click it... and select the account name you are working with.

    ***** Then RIGHT-click on the account you selected which replaced the "Click to select account area". There should be a "Reset Sync Date" item near the top. Click it. Nothing will happen - yet.

    4) There is a "Download" button on the top left of your transactions. Click it - now there should be two choices - one is OFX, one is MD+. Test by clicking both (OFX of course won't work, MD+ should download a lot of transactions - which is why step 0 exists).

    *****And whether or not you did step zero, but DID do reset sync date, a box should appear allowing you to pick the date to begin from versus "all" --- assuming you have been using OFX for Chase, you may be able to pick a fairly recent date.

    5) If this goes as expected, then click that download button again and click "Setup Online Banking" and disconnect the OFX link.

    Repeat for any other Chase accounts. (you may be able to skip some of the steps if you linked many accounts into MD+ at once)

    Hope this helps

  4. 34 Posted by dtd on 08 Oct, 2022 06:28 AM

    For those wondering about Discover, and manually uploading CSV files, if you are subscribing to MD+, Discover accounts work there as well - you can follow the same procedure in the previous message, if you wish.

  5. 35 Posted by Bill Waldron on 08 Oct, 2022 09:29 AM

    Thanks, dtd. I've also reluctantly moved to Moneydance+ for my Chase and Discover (card and bank) account downloads. I'd gotten used to manually downloading Discover after they stopped allowing direct connect some time ago -- and was able to use csv instead when they dropped qfx downloads this week. However, with Chase dropping direct connect as well, the manual process would be too much of a PITA for me.

    My ire has never been directed at the Moneydance folks -- they've done the best they can to support their customers, and I appreciate their efforts.

  6. 36 Posted by Stan Metheny on 08 Oct, 2022 12:57 PM

    Thanks, dtd. I will try that on Monday.

    Stan Metheny

  7. 37 Posted by david.d on 08 Oct, 2022 04:26 PM

    I'm getting an error when I try to set up my accounts in MD+. Went through the activation process, then connected Chase. Everything looked good until I clicked Refresh, when I got the following error:

    There was an error communicating with your financial institution. The details of this error are below.

    Bank Name: Moneydance+

    The error code reported by the server was: 0

    Received malformed response: Response{protocol=h2, code=401, message=, url=https://mdplus.infinitekind.com/plaid/item/get}
    Error: java.lang.RuntimeException: Could not parse error response

    After that, the account shows up as "no name" and "Connected". Any clue? Thanks!

    *** Update *** The accounts show up correctly after exiting and restarting Moneydance. Resolved.

  8. 38 Posted by russell on 08 Oct, 2022 08:05 PM


  9. 39 Posted by david.d on 08 Oct, 2022 09:08 PM

    Follow-up to the discussion. After some tweaking, I managed to get things all set up. A major bonus was that I am now able to connect to my bank, a small credit union which has never supported OFX but which recently moved to a new system vendor, so that they're now on the list in MD+. And all five accounts came through in a single setup.

    One small glitch, however, that possibly IK can address, is that when trying to match up accounts at the credit union, I was unable to connect to my Line of Credit (HELOC); instead, that account showed me only my credit cards as options. After some experimentation, I found that if I re-created the HELOC as a Liability account instead of as a Loan, it appeared along with the credit cards, and I was able to successfully associate it with the download.

    An interesting side note here is that Quicken apparently does not separate Loan from Liability accounts, and when I converted to MD back in 2011, all my bank loans had been changed. No difference functionally, just in labeling.

    Bottom line: looks pretty good. Thanks to the IK crew.

  10. 40 Posted by dtd on 08 Oct, 2022 09:18 PM

    just a user - you cannot connect a MD LOAN account to automatic download. (I have a loan with a bank, and it is listed in MD+, but I cannot connect it.)

    As you say, changing it to Liability allows you to connect, but you lose some of the "automatic" functionality of a Loan. Then again, as a Liability, you can download what a loan basically does internally with the program.

  11. 41 Posted by david.d on 08 Oct, 2022 09:30 PM

    Agreed. For the HELOC, it's better anyway, as the payment or interest rate may change regularly, and it's usually simple interest rather than fixed-payment amortization, which the standard Loan type assumes. I always found that I had to adjust principal and interest amounts pretty much every month, after getting my statement.

    For fixed-payment loans, I've never felt the need to download, as long as I verified the balance from time to time, at least at annual reconciliation time.

  12. 42 Posted by Dan Hanger on 09 Oct, 2022 01:06 PM

    How does all of this affect online bill pay through MD? I've been using online bill pay with Chase for 20 years, originally within Quicken and for the last 5 years or so from within MD. When I open my checking account register in MD and select Online>Online Bill Payment I get the same error screen as when I click on Download from Chase, so is the Bill Payment service also connected to OFX?

    I opened my Chase account over 20 years ago and somehow I got online bill paying through Quicken at no charge to me and have been using it all this time until now, never had to use the browser version of bill paying. Now that appears to be broken as well. Boo.

  13. 43 Posted by phil23@box747.c... on 09 Oct, 2022 01:36 PM

    Has anyone seen a response anywhere by MD developers?

    I think they're in a difficult place where the only alternative will be to use MD+. I really don't want to move to MD+ due to the security concerns with 3rd-party aggregators.

    I think that most of us can see the handwriting on the wall for direct-connect. :-(

  14. 44 Posted by david.d on 09 Oct, 2022 01:40 PM

    Money talks.  Quicken has likely increased fees, because they can.  Monopoly power.

     

     


  15. 45 Posted by Milo C on 09 Oct, 2022 08:36 PM

    @dtd - Your detailed instructions in post #33 worked perfectly. Thanks so much for this.

    @david.d - I ran into the same error in your post #37 after initially setting up MD+, but restarting MD resolved it, just as you described. Thank you.

  16. 46 Posted by dtd on 09 Oct, 2022 11:06 PM

    @Dan Hanger - Basically, Online Bill Pay through OFX is dead. Dead at Quicken too - they encourage their users to use "Quicken Bill Pay" - not surprising.

    And Chase never bothered to tell anyone that this was about to happen.... sigh.

  17. 47 Posted by dtd on 09 Oct, 2022 11:20 PM

    @phil23 - there has been no response from Sean Reilly since the Chase/Discover drop, but the support staff response is this new template:

    https://infinitekind.tenderapp.com/discussions/online-banking/23868-chase-and-discover-abandoning-ofx-hopefully-still-a-question-versus-a-statement/page/1#comment_56003982

    I'm "just a user", but yes Moneydance is in a difficult space as banks move to aggregators only and abandon OFX. The basic non-aggregator solution is QFX downloads (unless Chase takes those away as Discover did), CSV downloads (which are more difficult to set up and apply), or manual data entry.

    You can read (my opinion only) my diatribe against aggregators, and sad capitulation here, as I also present a history (2-3 years) of how this OFX abandonment was forthcoming, and sadly for the consumer, inevitable:

    https://infinitekind.tenderapp.com/discussions/online-banking/23868-chase-and-discover-abandoning-ofx-hopefully-still-a-question-versus-a-statement/page/1#comment_56013992

    Also, if you would like Sean's viewpoint, here is one of his blogs about the situation from almost exactly a year ago:

    https://infinitekind.com/blog/moneydance-plus-privacy-subscriptions

    Hope that helps.

  18. 48 Posted by phil23@box747.c... on 09 Oct, 2022 11:56 PM

    @dtd - thank you for your thoughtful and complete reply.

    I probably have this wrong (and would appreciate any correction) but it seems that despite all the encryption and authentication of data-in-motion - which I can live with - somewhere, somehow, the 3rd party aggregator (ex: Plaid) will have to store our clear-text passwords to login to the various banks they support. They may encrypt the password when it's at-rest but of course they also have the decryption key - which is the weak link.

    A hacker (or Plaid insider) could get their hands on both and have access to your accounts. To see how much they care about your privacy, just google "plaid class action lawsuit". It's enough to make me gag.

    None of this is MD's fault, of course, and they are making a valiant effort to support their users.

    My current plan is to download Chase QFX files manually each month rather than sign up for MD+ - not because I dislike MD, but because I don't trust Plaid.

  19. 49 Posted by david.d on 10 Oct, 2022 12:10 AM

    @phil23 – You’re misunderstanding the nature of the connection, not surprising as it’s not obvious.  When the session is originally set up, using the MD+ dialog, a secure “key pair” is generated between Plaid and your bank.  Those work together to make the encryption work, and it’s one of that pair that Plaid stores.  It only works with your bank and account, and is itself encrypted with a key that lives on your computer.  Your password itself is never stored at Plaid, plain-text or encrypted.

     

    The net effect is this: you have a key, in your Moneydance file on your computer, which unlocks a box on a Plaid server that contains a second key to connect to your bank.  Once the download is complete and the connection is closed, the box is again locked when you disconnect from Plaid.

     

    Trust is, of course, something each of us will decide for themselves.

     

    -- David

     

     


  20. 50 Posted by david.d on 10 Oct, 2022 12:17 AM

    @Maddy -- Just a quick point on getting rid of the OFX preference when using MD+. I just went into the Chase account, clicked on "Setup Online Banking", and then clicked "Disable". No Toolbox needed.

  21. 51 Posted by phil23@box747.c... on 10 Oct, 2022 12:26 AM

    @david.d Thanks for straightening me out.

    So is it safe to say that a Plaid "insider":

    1) Cannot access your registered accounts?
    2) Cannot snoop on the data that is read and written to/from your financial institution?

    Thanks,
    /Phil

  22. 52 Posted by MG on 10 Oct, 2022 12:31 AM

    This is all very disheartening to a long-time user. In the end, I guess money rules and through no fault apparently of MD, the end user gets screwed.

  23. 53 Posted by david.d on 10 Oct, 2022 12:36 AM

    That’s correct, to the best of my knowledge.  An insider might possibly be able to determine what banks you had accounts with, but nothing further.

     

    Full disclosure, I am not a computer security professional, but a retired software developer.  There may be unusual risks of which I am unaware.

     

     


  24. 54 Posted by phil23@box747.c... on 10 Oct, 2022 01:41 PM

    All,

    Buyer beware:

    From the horse's mouth (see below), as I suspected, Plaid - at least initially - *does* have access to your financial institution's cleartext login credentials. In some cases, they may permanently store those credentials, likely when the institution does not yet support creating a credential token with Plaid. In other cases, they use your cleartext credentials to create said credential token and *may* then discard your cleartext credentials - but they don't have to. In order to trick you into providing these credentials, Plaid was duplicating the Login Page of these institutions to fool you into thinking that you were directly logging into an institution's website - which you weren't. Instead you were actually handing over your credentials to Plaid, which would store/encrypt your credentials and then log into the institution's website. In fact that issue was the basis of the recent class action lawsuit against Plaid. Apparently, Plaid was gathering and storing credentials even when they didn't need to.

    Below was copied directly from the Plaid URL: https://support-my.plaid.com/hc/en-us/articles/4410324401047-Does-Plaid-have-access-to-my-credentials-

    "In many cases, after you request that we link your financial institution to an app or service you want to use, you will be prompted to provide your login credentials to your financial institution, and, upon successful authentication, your financial institution will then return your data to Plaid. In these cases, Plaid does not access or store your account credentials. Instead, your financial institution provides Plaid with a type of security identifier, which permits Plaid to securely reconnect to your financial institution at regularly scheduled intervals to keep your apps and services up-to-date."

    "In other cases, when you link a financial institution to an app via Plaid, you provide your login credentials to us. We store those credentials and use them to access and obtain information from your financial institution in order to provide that information, at your direction, to the apps and services you want to use. We then help keep your data safe and private with best-in-class encryption protocols. For more information on how we use your data, please refer to our End User Privacy Policy."

  25. 55 Posted by Stuart Beesley ... on 10 Oct, 2022 02:58 PM

    @phil23 - yup - it depends on where your bank is located and what technology they can use.. So in the UK for example, with Open Banking, you sign on using the bank's own sign page (not Plaid) and Plaid is only then passed a token/key of some sort back from the bank - hence in this situation, Plaid do not have access to username/passwords... BUT where this or a similar technology is not available, then Plaid will have to store your credentials as there is no other way for them to 'logon' later to download information....

    This is all my own 'guesswork' and assumptions...

    (not support, just a fellow user)

  26. Support Staff 56 Posted by Maddy on 10 Oct, 2022 03:11 PM

    @All

    Using an aggregator does have privacy implications in that customer transaction data (descriptions, amounts, and sometimes additional metadata) goes through the aggregators' servers. On the other hand, the security is often much better than with OFX in that for many banks you will authenticate directly with the bank, including using 2-factor authentication. The aggregators and Moneydance are granted a token that provides access for a certain period of time. In those cases neither Moneydance nor the aggregator will have your password and often not even your username. For connections through Plaid, even Moneydance has no idea of your name, password, or other login credentials.

    We chose Plaid specifically for their better privacy policy regarding end-user data. They do not share or distribute your data in any way according to the people we've talked to there as well as their privacy policy which you can find here: https://plaid.com/legal/#end-user-privacy-policy

    I hope this information is helpful. Please let us know if you have further questions or need more assistance.

    --
    Maddy, Infinite Kind Support

  27. 57 Posted by TonyRI on 10 Oct, 2022 04:16 PM

    Don't banks and other financial institutions have their own layer of additional security as well? I know that when I use a different computer, or a different browser on the same computer to login to my accounts, I have to complete a validation code request, either sent as text, voice, or email.

    Further, although after the fact, users can set up other account alerts, such as "Large withdrawal," or "Card not present" type text alerts with their Banks, CU's, or CC companies. I know that Fraudulent Use liability for credit cards is limited to no more than $50 in the US.

    Maybe I'm just numb to the privacy concerns as I was part of the Equifax breach and I have freezes on the 3 credit bureaus; and Credit Monitoring services were provided for several years as a result. Additionally, I view my accounts almost daily and I certainly don't have enough money to worry about it (lol, please don't spam me, I'm sure that I'm in the minority).

    Just throwing that out there.

    Sorry about the issues that you guys are facing with Chase. Hope that everyone has a great day!

  28. 58 Posted by dwg on 10 Oct, 2022 09:03 PM

    Where there is MFA, Plaid needs the Institution to support the idea of a trusted host so that you get your security code and enter it once, Plaid store this so it then becomes the trusted host for future connections.

  29. 59 Posted by ScottA on 11 Oct, 2022 03:49 PM

    So Plaid has two ways of working with institutions: one in which they have access to your credentials, and one in which they don't. Since they settled a lawsuit claiming they abused the former just a year ago, I would only be comfortable using them for the latter.

    Is there something in the Moneydance+ workflow that makes clear which support each institution has, so I can only use the type I consider safe?

  30. 60 Posted by Stuart Beesley ... on 11 Oct, 2022 04:11 PM

    It's easy (IMHO).... use md+ setup and go through the Plaid configuration.. If you are presented with a secure bank logon page that is hosted by the bank itself and is clearly the bank's own secure logon, then it should be the very secure method whereby Plaid never know your details.. If however, you are presented with a page asking you to complete your details which is obviously not the bank's own page, and is Plaid's data capture, then it's probably where Plaid store your details..
