The upcoming Moneydance+ is easily the most significant update to Moneydance ever. It makes online banking accessible to far more people than ever before, but also raises privacy questions and the dreaded S word: subscriptions. This article is meant to describe our approach to privacy and security, answer these questions, and explain our new (entirely optional!) subscription pricing.
First, let me say upfront that Moneydance is not going subscription only and never will. If you buy a license, you can use that version (and usually the next major update) for as long as you like. In addition, we have neither the desire nor even the ability to deactivate or “sunset” features.
The Moneydance+ service does require a subscription, but it is an additional service that is purely optional. The subscription is necessary to cover our costs for connecting to the aggregator, Plaid. The previous online banking system in Moneydance will remain in place and free of charge for as long as there are banks with OFX servers to which Moneydance can connect.
The fee schedule for Moneydance+ depends upon whether you’ve already got a Moneydance license. If you have a license for Moneydance 2022, then we plan to charge $2/month for the service. If you don’t already have a Moneydance license and would prefer to go subscription-only, you can do so for $5/month. Disclaimer: These prices are subject to change, but we don’t expect them to.
The State of Online Banking
We spend a lot of time and effort on Moneydance’s online banking system. We talk to many banks about how to establish and maintain connections between Moneydance and your accounts. In the past, we used the open-standard OFX protocol, with Moneydance connecting directly to the financial institution’s servers.
Problem 1: Many smaller (and some larger) banks have never supported the OFX protocol. So if their customers wanted to sync with their favourite personal finance app, they would need to download a file from the bank’s website and import it into Moneydance, as if it were 1995.
Problem 2: Some of the banks that did provide OFX services could be flaky and unreliable, meaning that you still might not be able to download transactions if it happened to be a certain time of day or if the server was down for a couple of days for maintenance.
Problem 3: In the past few years, an increasing number of banks have started decommissioning their OFX servers. They have good reasons for doing so, primarily because 2-factor authentication is impossible to add to OFX without breaking all existing software. Also, a simple username and password are no longer secure enough to protect access to your accounts.
Multiple major banks have contacted us to indicate that they are moving away from OFX and will eventually stop running their servers. We have met with many of them about alternative methods of connecting and even joined as full members of the Financial Data Exchange (FDX). We were clear that our preference is for Moneydance, on your computer, to connect directly to their services, avoiding any “middle men” or aggregators.
I was shocked to hear from the banks that they wanted us to use the aggregators. If we wanted to connect directly to them, there would be an indeterminate delay in being allowed to do so. Many months later, we’re still waiting. That’s another thing about the newer protocols like FDX or the EU and UK’s Open Banking initiatives – they are more secure. Still, clients usually need to be registered and authorised to connect, so we would need explicit approval from each bank. It was clear that that approval was not forthcoming. I don’t blame the banks, as it is so much easier for them to deal with a few significant aggregators rather than hundreds or thousands of different software vendors.
On the Moneydance+ side of the connections, we take a minimalist approach to data storage. We run a server that provides access from Moneydance to your Plaid connections, and there is, unfortunately, no way around that. However, our server stores the smallest amount of information possible to provide the service. Here is the information stored on our server:
- Your email address: this is necessary to set up your account and link your data files (which stay on your computer) with your account.
- An RSA public key for each data file that you have activated with Moneydance+
- An encrypted access token for each bank login that you’ve added using Moneydance+

In other words, the only personal information stored on our server is your email address, and we are happy to remove that at any time upon request.
As you can imagine, security is a big deal when handling connections to banks and financial data. As mentioned above, we designed the Moneydance+ service to be an ultra-minimal gateway to the data aggregator. The only credentials stored are an email address and RSA public key, which lets us encrypt and store access tokens so that only you can read them.
The access tokens that Moneydance uses to list accounts and download transactions are encrypted with your RSA public key immediately after receipt, so the server itself cannot read them. Only the private key, which lives in the data file on your computer, can decrypt those tokens. These tokens need to be stored encrypted on the server because the authentication process that generates them happens in a web browser. Your desktop web browser can handle the complicated authentication needed to log in to many banks and often has an integrated password manager to assist.
Moneydance, running on your device, will periodically retrieve these access tokens, decrypt them, and then use them to download transactions from any accounts and banks to which they grant access. These download requests currently need to go through our server to verify that the requests are linked to your data file and your account. We do not store or log any of the transactions or other data that passes through the server.
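The token-handling flow described above can be modelled in a few dozen lines. The following is an added example written for this article and is not Moneydance's or Plaid's code: it assumes a hypothetical gateway that keeps only an email address, one RSA public key per data file and OAEP ciphertexts, and it uses a constructed sample token rather than anything issued by a real aggregator. The OAEP label string and the 2048-bit key size are choices made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel ties each ciphertext to its purpose; the value is an assumption of this example.
var oaepLabel = []byte("example-access-token")

// NewClientKey creates the per-data-file key pair. In the design above, the private
// half stays inside the data file on the user's computer; the gateway only ever
// receives the public half.
func NewClientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// accountRecord is everything the hypothetical gateway holds for one user.
type accountRecord struct {
	email  string
	pubKey *rsa.PublicKey
	tokens [][]byte // OAEP ciphertexts only; plaintext tokens are never stored
}

// Gateway models the minimal server, keyed by email address.
type Gateway struct {
	records map[string]*accountRecord
}

func NewGateway() *Gateway { return &Gateway{records: map[string]*accountRecord{}} }

// Activate registers a data file's public key against an email address.
func (g *Gateway) Activate(email string, pub *rsa.PublicKey) {
	g.records[email] = &accountRecord{email: email, pubKey: pub}
}

// ReceiveToken is the step that runs when the browser-based bank login hands the
// gateway an access token: encrypt to the user's public key, store the ciphertext,
// and wipe the plaintext before returning.
func (g *Gateway) ReceiveToken(email string, token []byte) error {
	rec, ok := g.records[email]
	if !ok {
		return errors.New("unknown account")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rec.pubKey, token, oaepLabel)
	if err != nil {
		return err
	}
	rec.tokens = append(rec.tokens, ct)
	for i := range token { // best-effort scrub of the plaintext copy the server held
		token[i] = 0
	}
	return nil
}

// FetchTokens returns the stored ciphertexts; this is all a server-side compromise could read.
func (g *Gateway) FetchTokens(email string) [][]byte {
	if rec, ok := g.records[email]; ok {
		return rec.tokens
	}
	return nil
}

// DecryptToken runs on the user's machine with the private key from the data file.
func DecryptToken(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
}

// RoundTripResult records what each party ends up holding after one token exchange.
type RoundTripResult struct {
	Recovered      []byte // what the client decrypted
	StoredOnServer []byte // the ciphertext the gateway actually keeps
	OtherKeyFails  bool   // an unrelated private key cannot decrypt the token
}

// RoundTrip wires the pieces together: activate, receive a token, fetch and decrypt it,
// and confirm that a key pair other than the data file's cannot read the ciphertext.
func RoundTrip(email string, token []byte) (*RoundTripResult, error) {
	clientKey, err := NewClientKey()
	if err != nil {
		return nil, err
	}
	gw := NewGateway()
	gw.Activate(email, &clientKey.PublicKey)
	// Pass a copy so the scrub inside ReceiveToken does not alter the caller's slice.
	if err := gw.ReceiveToken(email, append([]byte(nil), token...)); err != nil {
		return nil, err
	}
	stored := gw.FetchTokens(email)
	if len(stored) != 1 {
		return nil, errors.New("expected exactly one stored token")
	}
	recovered, err := DecryptToken(clientKey, stored[0])
	if err != nil {
		return nil, err
	}
	otherKey, err := NewClientKey()
	if err != nil {
		return nil, err
	}
	_, otherErr := DecryptToken(otherKey, stored[0])
	return &RoundTripResult{Recovered: recovered, StoredOnServer: stored[0], OtherKeyFails: otherErr != nil}, nil
}

func main() {
	// Constructed sample token; not a real aggregator credential.
	res, err := RoundTrip("user@example.com", []byte("sample-access-token-0001"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("client recovered: %s\n", res.Recovered)
	fmt.Printf("server holds %d ciphertext bytes; unrelated key fails: %v\n", len(res.StoredOnServer), res.OtherKeyFails)
}
```

The point the example makes is the one the article relies on: once `ReceiveToken` returns, nothing the gateway stores can be turned back into a usable token without the private key that never left the data file, so a read of the server's storage yields ciphertext and an email address and nothing more.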
We are actively working with our aggregator to avoid the need for these requests to go through our server at all, or at least to be transmitted as end-to-end encrypted “black boxes” which our server cannot read.
Overall, we believe the security of an aggregated system is better than OFX due to the ability to use 2-factor authentication and tokens whose access expires after a reasonable time, requiring re-authentication. Neither Moneydance nor the Moneydance+ service ever has access to your bank login and password. In many cases (all cases in the UK and EU) even our aggregator doesn’t have access to them, and all authentication is delegated to your bank’s web site. Privacy with an aggregated system is honestly not as good as with software that talks directly to the data source. We think using an aggregator is worth the compromise, but we leave that choice to you.