Resolving errors for those having multiple accounts at Chase and other OFX 103 banks


A commenter on the Pocketsense blog named John has come up with a solution for those that are getting errors while trying to download OFX data for multiple accounts from a particular financial institution.  I encouraged Kevin N. to try this out and he has verified that these instructions function as written.  It is very possible that Robert will incorporate these suggestions into Pocketsense in the future, or a similar strategy, but I’m writing this up to help others having difficulties with Chase and some other banks needing a solution.

Background:

This situation only arises if that bank or brokerage house has chosen to upgrade their server to OFX version 1.03, which adds an additional requirement of a 128-bit universally unique identifier (UUID) number being part of the OFX request, as another layer of security.  Pocketsense currently allows for this requirement by generating a value and appending it to your sites.dat file as the variable ClientUID (if it doesn’t already exist in that file).  Should you have multiple accounts at that institution though, you are going to run into problems trying to use that same ClientUID for the subsequent data requests.  Some users that have 2 accounts at one bank (Chase as an example), one for them and another for their spouse, get around this annoyance by running two separate instances of Pocketsense.  But say you had some IRA accounts there as well, a Roth and a traditional, and the same in your spouse’s name, and a joint checking account, etc.  Well, this is where John’s solution saves the day.

Script modification:

John has a nice color-coded presentation for his modification at http://pastebin.com/9UJ333RZ (you just delete the text that is brown and add the text that is green to your ofx.py and site_cfg.py scripts), so I am not going to try and duplicate that effort.  Essentially what he has done is come up with yet another variable, called siteClientUID, for each sites.dat entry for those multiple accounts at the financial institution causing you headaches; you enter it manually and it is used instead of ClientUID.  An easy method for coming up with a version 4 UUID value to assign to these siteClientUID entries is by simply going to https://www.uuidgenerator.net/ .

SiteName : CHASE
AcctType : BASTMT
fiorg : B1
url : https://ofx.chase.com
fid : 10898
bankid : (use appropriate routing #)
brokerid :
appid : QWIN
appver : 2400
mininterval :
ofxver : 103
siteClientUID  :
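
An added example (not part of Pocketsense or John's patch): a standalone Python 3 check for the siteClientUID values described above, which also generates a version 4 UUID locally rather than on a website. The parser assumes "key : value" lines with each entry starting at SiteName; the function names and sample values are constructed for illustration.

```python
import uuid

# Constructed sample; assumed layout: "key : value" lines, entry starts at SiteName.
SAMPLE = """\
SiteName : CHASE
ofxver : 103
siteClientUID : 3f2b8c1e-9d4a-4e6b-8a57-1c0d2e9f7a11
SiteName : CHASE_SPOUSE
ofxver : 103
siteClientUID : 3f2b8c1e-9d4a-4e6b-8a57-1c0d2e9f7a11
SiteName : CHASE_IRA
ofxver : 103
siteClientUID :
"""

def parse_entries(text):
    entries = []
    for line in text.splitlines():
        key, _, value = line.partition(":")  # first colon only, so URLs survive
        if key.strip().lower() == "sitename":
            entries.append({})
        if entries and key.strip():
            entries[-1][key.strip().lower()] = value.strip()
    return entries

def is_uuid4(value):
    """True only for a canonical, hyphenated version-4 UUID string."""
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return parsed.version == 4 and str(parsed) == value.lower()

def audit(entries):
    """Return (site, problem) pairs for entries that send a CLIENTUID."""
    findings, seen = [], {}
    for e in entries:
        if "103" not in e.get("ofxver", ""):
            continue  # CLIENTUID is only sent when ofxver is 103
        name, uid = e["sitename"], e.get("siteclientuid", "").lower()
        if not uid:
            findings.append((name, "empty, global ClientUID will be used"))
        elif not is_uuid4(uid):
            findings.append((name, "not a version-4 UUID"))
        elif uid in seen:
            findings.append((name, "same value as " + seen[uid]))
        else:
            seen[uid] = name
    return findings

def new_site_client_uid():
    return str(uuid.uuid4())  # uuid4 draws its randomness from os.urandom
```

Running audit(parse_entries(...)) over your own sites.dat text before a download catches a copied or mistyped value before the bank sees it as a new, unverified ClientUID.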

Detailed explanation:
(thanks to Dave Reiser who was resolving the same problem as a GnuCash user)

What happens with the connection is that the first time Chase sees an ofx header version 103 connection with a ClientUID that hasn’t been associated with your account, it will let you download transactions, but it fires off the ‘action required’ mail to the address associated with your account, telling you to visit the Secure Message Area in your account page on the web. For me that outside email appeared approximately 3 seconds after I had connected. In that secure message, there’s a link that jumps to a verification web page (and Chase has pasted in your one-time authentication PIN) where all you have to do is click Next. There was some kind of successful completion page displayed.

If I’m reading Chase’s tea leaves correctly, after February 15, 2016, you won’t get any grace period — you’ll have to authenticate before you can access any transaction data. It looks like the authentication PINs will expire in 7 days, now and in the future. If you go beyond 7 days (or maybe if you launch several attempts to log in without authenticating) it looks like Chase’s system will keep generating new PINs for each attempted login.  Their mail message mentions you have to be sure to use the most recent PIN if you have received several secure messages regarding authentication.

The FAQ mentions that DirectConnect servers have to be at version 103 in order to implement MFA via ClientUID. In the Quicken realm all versions that haven’t been locked out of DirectConnect for failure to pay Intuit’s upgrade tax already use header version 103. Servers using version 103 are not required to use ClientUID, but 102 and earlier server versions are unable to use UIDs.

If you have already logged into a Chase account with Quicken and authenticated your ID, you might have to call Chase and have them clear your authentication. Intuit suggests that banks allow at least 2 valid ClientUIDs per account. But the banks can do what they want. Intuit also suggests that implementation of ClientUIDs be invisible to the user. Quicken stores the ClientUID in the data file, and at least in Quicken 2013 provided no way to see the number. The ClientUID was also redacted from the Quicken ofx logs, at least when I looked. Because the ClientUID is stored in the data file, you don’t have to update your authentication when you upgrade Quicken. The good news there is that GnuCash [and Money] users might be able to use their authenticated ClientUID essentially forever (at least until Quicken’s potential new owner changes something else).


Just in case the PasteBin link ever goes down, here’s a hopefully helpful copy of John’s changes (don’t actually use the + and – characters, which signify added text and deleted text):

  1. — OfxPy/orig/ofx.py   Wed Feb 11 10:07:36 2015
  2. +++ OfxPy/ofx.py    Thu Feb 11 23:37:36 2016
  3. @@ -86,7 +86,14 @@
  4.          clientuid=””
  5.          if “103” in self.ofxver:
  6.              #include clientuid field only if version=103, otherwise the server may reject the request
  7. –            clientuid = OfxField(“CLIENTUID”,userdat.clientuid)
  8. +
  9. +            # if a site-level clientUID is defined, use it, otherwise default to global clientUID
  10. +            clientuidval = userdat.clientuid
  11. +            if FieldVal(site,”siteClientUID”) <> ”:
  12. +                clientuidval = FieldVal(site,”siteClientUID”)
  13. +
  14. +            clientuid = OfxField(“CLIENTUID”,clientuidval)
  15. +            print “using ClientUID of: “, clientuidval
  16.          fidata = [OfxField(“ORG”,FieldVal(site,”fiorg”))]
  17.          fidata += [OfxField(“FID”,FieldVal(site,”fid”))]
  18. — OfxPy/orig/site_cfg.py  Wed Feb 19 20:51:56 2014
  19. +++ OfxPy/site_cfg.py   Thu Feb 11 23:11:21 2016
  20. @@ -142,6 +142,7 @@
  21.                  bankid=”
  22.                  brokerid=”
  23.                  ofxver = ‘102
  24. +                siteClientUID = ”
  25.                  appid  = DefaultAppID       #defined in control2.py
  26.                  appver = DefaultAppVer
  27.                  mininterval = 0
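Review bot: the new siteClientUID = '' default carries no comment, while the appid line directly below it documents where its default comes from; add a short comment stating that an empty value means the global ClientUID is used, so anyone editing sites.dat can see the field is optional.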
  28. @@ -161,6 +162,7 @@
  29.                               ‘BANKID’: bankid,
  30.                             ‘BROKERID’: brokerid,
  31.                               ‘OFXVER’: ofxver,
  32. +                      ‘SITECLIENTUID’: siteClientUID,
  33.                                ‘APPID’: appid,
  34.                               ‘APPVER’: appver,
  35.                          ‘MININTERVAL’: mininterval,
  36. @@ -181,6 +183,7 @@
  37.                      elif field == ‘BANKID’: bankid = value
  38.                      elif field == ‘BROKERID’: brokerid = value
  39.                      elif field == ‘OFXVER’: ofxver = value
  40. +                    elif field == ‘SITECLIENTUID’: siteClientUID = value
  41.                      elif field == ‘APPID’: appid = value
  42.                      elif field == ‘APPVER’: appver = value
  43.                      elif field == ‘MININTERVAL’: mininterval = int(value)
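Review bot: the SITECLIENTUID branch stores value verbatim, whereas the MININTERVAL branch a few lines below converts its input with int(value); because siteClientUID is typed in by hand, strip it and reject anything that is not a well-formed UUID at this point, so a typo is caught when the file is loaded instead of being sent to the server as the CLIENTUID.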