0

I have been testing the new Customer Account Data (AggCat) API. For some accounts, I can call discoverAndAddAccounts and then call getAccountTransactions without an issue. However, when testing with an MFA (multi-factor auth) account (where I successfully finish the discoverAndAddAccounts MFA flow, entering the answer to MFA question(s)), a call to getAccountTransactions returns no records and a NotRefreshedReason of CHALLENGE_RESPONSE_REQUIRED. This happens even though I just answered the MFA to get the account list.

Now, if I then call updateInstitutionLogin requesting a refresh, I get challenged again (different question) and then the update is performed (seems to be on all accounts at the institution), so subsequent calls to getAccountTransactions return the data I expect.

My question is - is this expected for MFA accounts (this test was for TD Ameritrade)? I'm wondering if we would need to have a (somewhat awkward) flow in the application where, if you set up/link your accounts, you'll have to be prompted multiple times to fetch transaction data. Ideally of course, I'd like them to only have to go through that MFA flow once to identify themselves.

Manas Mukherjee

2 Answers

0

The initial call to discoverAndAddAccounts does not do a deep dive into the FI to retrieve details. So an updateInstitutionLogin call immediately after 'discoverAndAddAccounts' with the refresh flag set to true is always recommended (that triggers an explicit refresh request to the FI).

Manas Mukherjee
  • Thanks for the quick reply @manas. So then you are saying there is no way to avoid the multiple-step issue? Also, do you have to call updateInstitutionLogin again (over time) or just this first time (for MFA)? TIA – Matt Hagopian Jul 11 '13 at 16:51
  • If you want refreshed/most-updated data, then the updateInstitutionLogin call is essential. – Manas Mukherjee Jul 11 '13 at 16:59
  • Thanks. Just to verify (specifically), if I had an app that updated each day with the latest transaction information (to help monitor their account), you are saying that for an MFA account they would need to go through the process each time? – Matt Hagopian Jul 11 '13 at 17:54
  • The user should not need to enter the MFA challenges again. Can you please submit a support ticket so we can look into the FI? https://developer.intuit.com/docs/9_other_resources/0030_support/0010_submit_support_incidents – Peter Lavelle Jul 11 '13 at 18:19
  • Good to know. Thanks @peter. BTW, do you mean I shouldn't have to even initially, or just later when refreshing? Either way, I'll open an incident this afternoon. – Matt Hagopian Jul 11 '13 at 18:32
  • Just to follow up. @peter, I submitted an issue. Not sure if you are looking at it or someone else. Also, if you submit a separate answer for the question, I'll mark it accepted as it seems the extra call I'm making will be unnecessary. Thanks. – Matt Hagopian Jul 16 '13 at 15:06
  • @MattHagopian, I responded to your case on the 11th. Can you please check your spam folder? – Peter Lavelle Jul 16 '13 at 15:46
  • Additional follow-up: @peter, from the latest update Ben is telling me that "this is the way it is" for the institution (TD Ameritrade). What I don't understand is, why not give the ability to do both a discover AND refresh in one call (which would then mean only one session by the Intuit server and one MFA prompt for our end user)? Again, as it stands now, it means a user will have to answer two questions (separately - 1 at a time) for many MFA accounts where the user question is rotated. – Matt Hagopian Aug 07 '13 at 17:14
0

The DiscoverAndAdd API logs in and grabs the accounts on the summary page. The following API calls will attempt to capture the Transactions: GetAccount, GetCustomerAccount, GetLoginAccounts, GetAccountTransactions, UpdateInstitutionLogin with Refresh="True".

The additional challenge occurs when the Financial Institution doesn't recognize our subsequent login and challenges the login with a question we do not know.

This is not a typical use case but has been seen with TD Ameritrade.

Ben Gummelt