How do I programmatically download my bank transactions from Chase without using a third party?

ofx
agtsai picture agtsai · Jan 8, 2018 · Viewed 8.3k times · Source

I'm interested in downloading my transactions from Chase without using a third party such as Mint, Quicken, Yodlee, Plaid, and so on. I don't trust third parties with handling my data, which is why I want to do it myself.

Answer

agtsai picture agtsai · Jan 8, 2018

Works as of 1/8/18

Summary

Chase uses OFX to support programmatic interactions with its financial data. It does so somewhat reluctantly however, as this fact isn't widely advertised nor well documented - banks would rather have you use their products directly, rather than go to third parties. That being said, support for desktop products like Quicken still exists, and so one method is to spoof yourself as a desktop product (the other options are to use a third party service or use a screen scraper). Obviously this solution is completely at the mercy of Chase's whims, and as a discouraged access pattern this is not robust. But you're still reading, so let's do this!

Solution

  1. Set up your account to accept connections from Desktop apps Account > Profile & Settings > Manage Account Security > Desktop apps > Click enable

  2. Generate a Client UID. Chase will use this to verify that the OFX requests it's receiving are intended. Go to https://www.uuidgenerator.net/ and generate a UID.

  3. Use ofx-ba-tfb.py to POST the following to https://ofx.chase.com. Comments begin with a # sign, do not include them.

Headers:

OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:{Insert random alphanumeric string}

Payload:

<OFX>
    <SIGNONMSGSRQV1>
        <SONRQ>
            <DTCLIENT>20180108012004
            <USERID>{Insert user id}
            <USERPASS>{Insert password}
            <LANGUAGE>ENG
            <FI>
                <ORG>B1     # Comes from ofxhome.com 
                <FID>10898
            </FI>
            <APPID>QWIN
            <APPVER>1800
            <CLIENTUID>{Insert random alphanumeric string}
        </SONRQ>
    </SIGNONMSGSRQV1>
    <CREDITCARDMSGSRQV1>
        <CCSTMTTRNRQ>
            <TRNUID>{Insert random alphanumeric string}
            <CLTCOOKIE>4
            <CCSTMTRQ>
                <CCACCTFROM>
                    <ACCTID>{Insert account id here}
                </CCACCTFROM>
                <INCTRAN>
                    <DTSTART>20171208
                    <INCLUDE>Y
                </INCTRAN>
            </CCSTMTRQ>
        </CCSTMTTRNRQ>
    </CREDITCARDMSGSRQV1>
</OFX>
  1. Verify the request You will get a response that says, "Please verify your identity within the next 7 days. Using your desktop computer, go to your bank's website and visit the Secure Message Center for instructions." After a small delay (in minutes), you will receive a message in your Secure Message Center asking to confirm that you made this request. Confirm the request. This response and verification happens with each new Client UID you submit.

  2. Make the OFX request again, and you should receive your transactions!

Comments

Many thanks to Harry Sit @ thefinancebuff.com for doing most of the work!!

More is possible through OFX, it's a complicated standard. Look to the specification for details.

You can also use GnuCash to see other promising settings.

This is using OFX 1.02, but Chase is now at 2.2

References

https://thefinancebuff.com/replacing-microsoft-money-part-5-ofx-scripts.html#comments

http://www.ofx.net/

http://www.ofxhome.com/

http://www.ofxhome.com/ofxforum/viewtopic.php?id=47456

https://rhye.org/post/parsing-ofx-leex/