Overview

Kontomatik is a read-only API to banks. Kontomatik can import personal data, account balances and full statements from any supported bank into your system. To do that, Kontomatik needs the end user's bank credentials (most often a bank login and password). To ask the end user for those credentials, Kontomatik offers a widget which you can embed on your website as an iframe.

Pleasure to integrate

Kontomatik offers a clean and consistent API over HTTPS.

By default we host Kontomatik for you. We take care of updates, security and reliability (SaaS). You can also host Kontomatik yourself (on-premise).

The big picture:

Documentation

Integration

Banking API - tutorial and reference for programmers on how to embed the widget, import data and use the high-level lending features.

Banking data to email - no IT resources? No problem! Try our zero integration solution. Just copy-paste our widget into your website and receive crisp Excel reports to your email.

PDF parsing API - workaround for banks in Poland that cannot be accessed through screen-scraping based banking APIs for regulatory reasons.

Coverage of the World

Kontomatik supports all major banks in 8 countries on 3 continents. From Brazil to Spain to Russia, we go with our clients everywhere, worldwide. If the country you need is missing from our present coverage, just let us know. We will happily develop it for you. See detailed coverage reports below:

Supported countries and banks »

Personal data for KYC »

FAQ

What data can I get?

Kontomatik supports accessing:

How many months of transaction history can I access?

Kontomatik can access the whole transaction history available in the online bank. In practice this is anywhere from 2 months to 10 years, depending on the bank.

Typically our clients import 3 months of history. This is a very good balance of speed, reliability and data.

Some clients import 6 months of history. This is also perfectly fine but you will have to wait a bit longer for data. It also very slightly increases the risk of a random error.

Most importantly, this is entirely under your control through the ‘since’ HTTP parameter.

How long does it take to import the data?

This varies greatly between banks, users and the kind of data you want to import. Some banks have very slow online platforms while others are blazing fast. Some users have few transactions while others have thousands.

Our worldwide median is 12 seconds for 3 months of transactions. This is a total session ‘runtime’ including signing-in.

If you are only after the account owner’s personal data (identity confirmation) then it gets down to 1-3 seconds on average.

Kontomatik is known for speed among competing solutions. Kontomatik is fast because we do not run a farm of headless browsers, we do not run any JavaScript and we do not download any assets. We reverse engineer how HTTP requests are put together and then we recreate them directly in Java with no overhead.

Does Kontomatik support importing credit cards, term deposits, mortgages, insurance policies, mutual funds, stocks and other assets?

Kontomatik supports importing personal data of account owner(s), current and saving accounts and transactions from those accounts.

As of today there is no support for importing any other data, except for Poland where we do support credit cards and term deposits.

If you need support for additional data then there is no technical limitation for us to develop it but we would need your close cooperation with regard to providing test bank accounts with those specific assets on your target market.

How does Kontomatik access bank data? Does Kontomatik have agreements with all supported banks?

Under the hood Kontomatik uses screen scraping to mimic a human using a web browser. By using the very same protocol as a web browser Kontomatik can potentially support any bank worldwide in a permissionless way. Kontomatik does not need agreements with all supported banks. Kontomatik exemplifies permissionless innovation.

When a bank introduces a change how long does it take for Kontomatik to catch up?

The fix takes between several hours and several days depending on the severity. Most issues are resolved very quickly.

By the way, most issues affect few users and do not impede the overall conversion rate in a meaningful way.

In the extreme case of a completely new online system it can take us 1-3 weeks to add support. However, banks often allow both systems to be used for some time before retiring the old one, which buys us more than enough time to switch seamlessly.

If support for some bank is temporarily broken we dynamically turn it off in the widget and API with zero action necessary on your side.

To sum up, we aim to create a “just works” experience for the API client. You are not expected to manage this in any way.

Does Kontomatik support hardware tokens, SMS codes, mobile OTPs, CAPTCHA-s and anti-phishing pictures?

Yes, Kontomatik natively supports hardware tokens, SMS codes, mobile-application-generated One-Time Passwords, CAPTCHA pictures and anti-phishing pictures.

Can banks block Kontomatik?

Firstly, Kontomatik aims to be as unintrusive and gentle on banks as possible. We make the minimal number of HTTP requests needed to fetch the data, without overhead. For example, we do not download pictures, JavaScript files, CSS files and most HTML files. We aim to go directly for the data via the shortest path. In some cases we intentionally slow down the scraping so as not to over-stress the target system.

Secondly, in the European Union, the Kontomatik model of operation is protected by the Payment Services Directive 2 (PSD2), which specifically requires banks not to hinder this kind of solution. With PSD2, regulators aim to increase competition and benefit the customer.

That being said, in principle screen scraping can be detected and prevented, but this is a cat and mouse kind of thing and we are good at it. Our experience so far is that banks’ IT departments have more important things to do than targeting Kontomatik in a meaningful way.

We are doing pretty well on all covered markets and we feel confident entering new ones.

Can I safely assume Kontomatik can add support for any online bank in the world?

Well, almost. Our track record is to give up on about 1 bank in 25 - not because it’s impossible but because it would be very ineffective cost-wise (for us) or usability-wise (for the end user). Contact us for more information.

Can I easily CSS-customize Kontomatik SignIn Widget?

Please carefully read the docs to learn to what extent this is currently possible.

How can I implement my own login front-end? I don’t want to use Kontomatik Widget. I need a full control.

We do have a fully-featured login API to potentially enable custom front-ends but we highly discourage this path.

Without Kontomatik Widget:

For the reasons outlined above we consider Kontomatik Widget an obligatory part of our technology and offering.

If you strongly feel like developing your own frontend anyway, please let us know and we will reconsider your specific case.

Native mobile apps - how can I use Kontomatik there?

Kontomatik Widget has a fully responsive design, down to the iPhone 4 screen size.

In a mobile web app simply embed the widget as usual. Don’t forget to make your web app’s design responsive.

In a native mobile app please use a webview component to embed the widget. With just a little JavaScript you can easily wire it up with your native app. The details are platform specific and do not have much to do with the widget itself. Please follow online webview tutorials for your platform.

Can I import data periodically in the background to update my application while end users are offline?

If you mean to import data from your own bank account(s) then yes. In this scenario you would not use the widget. Instead you would use our sign-in API directly, passing your own bank credentials every time. For example, this makes sense if you want to track incoming payments on your bank account to mark invoices as paid, or loans as repaid. Documentation for this (sign-in) part of the API is not available online. We will provide you with it once the contract is signed.

If you mean to import data from the bank accounts of a limited group of your trusted business contractors then yes. See the above answer. You would have to store your contractors’ bank credentials yourself, with their formal consent.

If you mean to import data from the bank accounts of your end users (for example into your PFM-like solution), then no. Kontomatik never stores end users’ bank credentials, and we strongly advise our clients not to store end users’ bank credentials either. However, there is a workaround which gives you most of the benefits without the risk. We advise you to store the bank credentials encrypted in the web browser’s local storage. Your JavaScript code can optionally obtain these credentials from Kontomatik SignIn Widget right after the end user has successfully signed in. This way the end user still has to log in to your app but does not need to provide bank credentials again, at least until they clear the browser’s storage or switch browsers. Be clear about what this protects: the ciphertext in local storage is only as safe as the key that decrypts it, so that key must not live next to it in the browser’s storage, and any script running on your origin (for example through an XSS flaw) can read whatever your own JavaScript can decrypt during a session. This functionality is only enabled on demand for selected clients.

Also, please see the chapter on security.

Can you add callbacks to Kontomatik API?

Kontomatik never calls your app. You poll for results of async commands. This is by design. We believe this is right. Please consider:

The only downside is that you will need some kind of a background job runner in your app. But having one is best practice anyway, except for the most trivial apps.
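A poll loop of the kind that background job runner would contain, as an added example that is not Kontomatik’s code: it bounds the number of attempts, spaces them with capped exponential backoff plus jitter so that many jobs started together do not hit the API in lockstep, and stops on a terminal state. The `check` function is whatever queries a command’s status in your app; its `{state, result}` return shape and the state names ‘in-progress’, ‘done’ and ‘failed’ are assumptions for this example, not Kontomatik’s actual API.

```javascript
// Added example, not Kontomatik's code. The status shape and state names are assumptions.
const TERMINAL = new Set(['done', 'failed']);

async function pollUntilSettled(check, options = {}) {
  const {
    maxAttempts = 30,     // bound the job: a command that never settles must not poll forever
    baseDelayMs = 1000,
    maxDelayMs = 15000,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    random = Math.random, // injectable so the schedule can be tested deterministically
  } = options;

  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const status = await check();
    if (TERMINAL.has(status.state)) return { ...status, attempts: attempt + 1 };
    // Wait somewhere in [baseDelayMs, min(maxDelayMs, baseDelayMs * 2^attempt)].
    const cap = Math.min(maxDelayMs, baseDelayMs * 2 ** attempt);
    const delay = Math.floor(baseDelayMs + random() * (cap - baseDelayMs));
    await sleep(delay);
  }
  return { state: 'timeout', attempts: maxAttempts };
}

// Offline demo: a fake command that reports 'in-progress' three times and then 'done',
// with a recording sleep so the backoff schedule is visible without actually waiting.
async function demo() {
  let calls = 0;
  const check = async () =>
    (++calls < 4 ? { state: 'in-progress' } : { state: 'done', result: { accounts: 2 } });
  const delays = [];
  const outcome = await pollUntilSettled(check, {
    sleep: async (ms) => { delays.push(ms); },
    random: () => 1, // top of the jitter window, for a repeatable schedule
  });
  return { outcome, delays };
}
```

With the real `sleep` and `Math.random` the delays for a slow bank would be roughly 1, 2, 4, 8 and then 15 seconds apart, which matches the import times quoted above without hammering the API; a job that exhausts `maxAttempts` returns ‘timeout’ so the runner can mark it for a retry or an operator, instead of spinning.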

What IP address will be used to access bank systems?

In the SaaS model, this will be a Kontomatik-controlled IP. In the on-premise model, this will be an IP controlled by our customer.

SaaS

Kontomatik is securely hosted in our infrastructure so you can focus on your business. We take care of updates, security and reliability. This is a recommended option selected by most of our clients.

On-premise

Kontomatik API can be hosted in your own infrastructure. Kontomatik API has few dependencies and is very lightweight on resource usage.

Technical requirements:

Kontomatik requires a minimum of 1 dedicated server (physical or virtualized).

For HA setup, we suggest 4 servers (2 x webapp + 2 x db) in a sticky-session setup.

The above are requirements for financial data import service (Kontomatik API). This does not include the Kontomatik SignIn Widget, a front-end piece to facilitate login.

With on-premise hosting you should be aware of several things:

Security

The following applies to both SaaS and on-premise; for on-premise, the “Kontomatik servers” are of course in your own infrastructure.

Summary

Kontomatik servers store very little data. Bank passwords are never stored and financial data is removed as soon as possible. Kontomatik API requires two independent checks of every caller: a valid API key and a source IP address on the whitelist.

Detailed security breakdown