OpenBank

OpenBank is Santander’s digital banking platform, established as one of the first fully online banks in the market. Originating from a phone banking offering, it provides a range of standard banking services such as current accounts, savings accounts, investment products, and loans, all managed via an online platform or mobile app.

Unfortunately, OpenBank’s implementation of PSD2 (Revised Payment Services Directive), internationalization (i18n), and general user experience (UX) all leave quite some room for improvement.

OpenBank and PSD2

The Revised Payment Services Directive (PSD2) is a regulatory framework introduced by the European Union, which came into effect in 2018. It mandates European banks to open their payment infrastructures and customer data to third-party providers with customer consent, aiming to enhance competition, increase innovation, and improve the security in the payments industry.

For applications and web services that allow users to connect their own bank accounts, PSD2 was both a blessing and a curse – there is now a standard way to grant access to one’s accounts, but the actual implementation is very hit-and-miss. PSD2 also relies on an internet-reachable server somewhere along the way, so it cannot be implemented purely locally.

For a long time, OpenBank’s PSD2 integration simply would not work at all for many Third-Party Providers (TPPs). Even when it finally did, the implementation was annoying: OpenBank would always load the PSD2 consent flow in Spanish, with no country set. Since OpenBank login usually works through a state-issued ID document, customers from outside Spain need to change the country and language manually before they can even choose their identification method.

OpenBank and Internationalization

OpenBank’s translation management is … not good: The screenshot below states (in German) that “Your device was removed from your list of trusted devices” and that it needs to be re-added. It instructs the user to “click” the “Annehmen” (Accept) button, even though it’s running on a touchscreen device and the button is labeled “Registrieren” (Register).

[Screenshot: OpenBank mobile app showing the mistranslated “trusted device removed” prompt described above]

Similar mistranslations and inconsistencies appear with regularity across their web and mobile applications, as well as customer communications.

OpenBank’s UX

For being launched as a “purely digital” bank, OpenBank has a number of UX warts.

First off, their authentication and security system is wild: Users are encouraged to log in with their passport number or similar ID document serial number, plus a four-digit PIN. Passport or ID card serial numbers are not secrets – they are even printed on the front of the cards. This means the security of your account largely hinges on a four-digit PIN, which OpenBank bizarrely tries to protect by scrambling an on-screen number pad for you to click. Luckily, you can just use the number keys on your device to enter your PIN directly (which they also insist on calling a “password”).

The OpenBank team must have realized that this feels viscerally insecure, so they added a “signature key” that you need for certain more impactful authorizations. This key is an eight-digit number they will send you by physical mail, which they claim will happen “within 10 working days” of requesting a new one. The website or app will then ask for four randomly selected digits from that key. Obviously, this does not add significant security in most situations: If an attacker has local control and can log your keys or take screenshots, they can still log the data or fake the session. For all other situations it’s just another piece of data (likely paper, for most people) to keep around.

Lastly, OpenBank uses one-time authentication codes of four hexadecimal (0-9, A-F) digits for most other transactions and account changes. These are normally insecure by virtue of being sent as SMS, but there is an option to receive them through app push notifications instead, marginally improving security for some users. However, a funny failure mode I encountered here is that the app would simply de-register my mobile device from the trusted device list, which caused it to stop receiving the push notifications – but it did not tell me it had done that. I only found out when I randomly opened the app again months later, frustrated that my PSD2 login would not work because I was not receiving an auth code by SMS or push. The moment I opened the app and told it I didn’t want to re-add my device as trusted, OpenBank reverted to sending me SMS again and the whole thing worked.

Conclusion

I opened an account with OpenBank way back when they were offering actual interest rates on a money market account, back in the days of Zero Interest Rates Policies (ZIRP). I also tried their current account offering and their robo-advisor. The overall experience was always similar – everything felt slow and cumbersome, badly explained, and not well thought out. So I stopped using OpenBank as soon as I could, and I don’t believe that I’m the only one. A rather modest amount of UX research and design fixes could go a long way to make OpenBank much better, although obviously I don’t know how much the backend is limiting them – from what I can see on the frontend side, I would expect the backend to be anything but “digitally native”.
