A commenter on the Pocketsense blog named John has come up with a solution for those that are getting errors while trying to download OFX data for multiple accounts from a particular financial institution. I encouraged Kevin N. to try this out and he has verified that these instructions function as written. It is very possible that Robert will incorporate these suggestions into Pocketsense in the future, or a similar strategy, but I’m writing this up to help others having difficulties with Chase and some other banks needing a solution.
This situation only arises if the bank or brokerage house has chosen to upgrade its server to OFX version 1.03, which adds the requirement that a 128-bit universally unique identifier (UUID) be part of the OFX request, as another layer of security. Pocketsense currently allows for this requirement by generating a value and appending it to your sites.dat file as the variable ClientUID (if it doesn’t already exist in that file). Should you have multiple accounts at that institution, though, you are going to run into problems trying to use that same ClientUID for the subsequent data requests. Some users who have 2 accounts at one bank (Chase, for example), one for them and another for their spouse, get around this annoyance by running two separate instances of Pocketsense. But say you had some IRA accounts there as well, a Roth and a traditional, the same in your spouse’s name, a joint checking account, etc. This is where John’s solution saves the day.
John has a nice color-coded presentation of his modification at http://pastebin.com/9UJ333RZ (you just delete the text that is brown and add the text that is green to your ofx.py and site_cfg.py scripts), so I am not going to try to duplicate that effort. Essentially, he has come up with yet another variable for each sites.dat entry for those multiple accounts at the financial institution causing you headaches, called siteClientUID, which you enter manually and which is used instead of ClientUID. An easy method for coming up with a version 4 UUID value to assign to these siteClientUID entries is to go to https://www.uuidgenerator.net/.
SiteName : CHASE
AcctType : BASTMT
fiorg : B1
url : https://ofx.chase.com
fid : 10898
bankid : (use appropriate routing #)
appid : QWIN
appver : 2400
ofxver : 103
(thanks to Dave Reiser who was resolving the same problem as a GnuCash user)
What happens with the connection is that the first time Chase sees an ofx header version 103 connection with a ClientUID that hasn’t been associated with your account, it will let you download transactions, but it fires off the ‘action required’ mail to the address associated with your account, telling you to visit the Secure Message Area in your account page on the web. For me that outside email appeared approximately 3 seconds after I had connected. In that secure message, there’s a link that jumps to a verification web page (and Chase has pasted in your one-time authentication PIN) where all you have to do is click Next. There was some kind of successful completion page displayed.
If I’m reading Chase’s tea leaves correctly, after February 15, 2016, you won’t get any grace period — you’ll have to authenticate before you can access any transaction data. It looks like the authentication PINs will expire in 7 days, now and in the future. If you go beyond 7 days (or maybe if you launch several attempts to log in without authenticating) it looks like Chase’s system will keep generating new PINs for each attempted login. Their mail message mentions you have to be sure to use the most recent PIN if you have received several secure messages regarding authentication.
The FAQ mentions that DirectConnect servers have to be at version 103 in order to implement MFA via ClientUID. In the Quicken realm all versions that haven’t been locked out of DirectConnect for failure to pay Intuit’s upgrade tax already use header version 103. Servers using version 103 are not required to use ClientUID, but 102 and earlier server versions are unable to use UIDs.
If you have already logged into a Chase account with Quicken and authenticated your ID, you might have to call Chase and have them clear your authentication. Intuit suggests that banks allow at least 2 valid ClientUIDs per account. But the banks can do what they want. Intuit also suggests that implementation of ClientUIDs be invisible to the user. Quicken stores the ClientUID in the data file, and at least in Quicken 2013 provided no way to see the number. The ClientUID was also redacted from the Quicken ofx logs, at least when I looked. Because the ClientUID is stored in the data file, you don’t have to update your authentication when you upgrade Quicken. The good news there is that GnuCash [and Money] users might be able to use their authenticated ClientUID essentially forever (at least until Quicken’s potential new owner changes something else).
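For the per-entry siteClientUID values described above, here is an added Python 3 example (not part of Pocketsense or of John's patch) that checks sites.dat-style text for malformed or shared siteClientUID values on OFX 1.03 entries and generates a version 4 UUID locally. The `<site>` wrapper around each entry is an assumption, the function names are hypothetical, and the sample values are constructed.

```python
import re
import uuid

# Constructed sample: "key : value" lines as in the entry above. The <site> wrapper
# is an assumption about the file layout and every UUID here is made up.
SAMPLE = """<site>
SiteName : CHASE
ofxver : 103
siteClientUID : 3f2b8c1e-9d4a-4e6b-8a71-5c0d2e9f1a34
</site>
<site>
SiteName : CHASE_SPOUSE
ofxver : 103
siteClientUID : 3F2B8C1E-9D4A-4E6B-8A71-5C0D2E9F1A34
</site>
<site>
SiteName : CHASE_IRA
ofxver : 103
siteClientUID : not-a-uuid
</site>"""

def parse_sites(text):  # one dict per <site> block, keys lower-cased
    sites = []
    for block in re.findall(r"<site>(.*?)</site>", text, re.S | re.I):
        pairs = (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)
        sites.append({k.strip().lower(): v.strip() for k, v in pairs})
    return sites

def is_uuid4(value):
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False

def audit(sites):  # (SiteName, finding) pairs for 103 entries that set siteClientUID
    findings, seen = [], {}
    for s in sites:
        uid = s.get("siteclientuid", "").lower()
        if "103" not in s.get("ofxver", "") or not uid:
            continue  # CLIENTUID is sent only for 103; empty means the global ClientUID
        if not is_uuid4(uid):
            findings.append((s["sitename"], "malformed"))
        elif uid in seen:
            findings.append((s["sitename"], "same value as " + seen[uid]))
        seen.setdefault(uid, s["sitename"])
    return findings

def new_site_client_uid():
    return str(uuid.uuid4())  # generated locally, never shown to a third-party site
```

On the constructed sample, `audit(parse_sites(SAMPLE))` flags CHASE_SPOUSE for reusing CHASE's value (the comparison ignores case) and CHASE_IRA for a value that is not a UUID.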
Just in case the PasteBin link ever goes down, here’s a hopefully helpful copy of John’s changes (don’t actually use the + and – characters, which signify added text and deleted text):
- — OfxPy/orig/ofx.py Wed Feb 11 10:07:36 2015
- +++ OfxPy/ofx.py Thu Feb 11 23:37:36 2016
- @@ -86,7 +86,14 @@
- if “103” in self.ofxver:
- #include clientuid field only if version=103, otherwise the server may reject the request
- – clientuid = OfxField(“CLIENTUID”,userdat.clientuid)
- + # if a site-level clientUID is defined, use it, otherwise default to global clientUID
- + clientuidval = userdat.clientuid
- + if FieldVal(site,”siteClientUID”) <> ”:
- + clientuidval = FieldVal(site,”siteClientUID”)
- + clientuid = OfxField(“CLIENTUID”,clientuidval)
- + print “using ClientUID of: “, clientuidval
- fidata = [OfxField(“ORG”,FieldVal(site,”fiorg”))]
- fidata += [OfxField(“FID”,FieldVal(site,”fid”))]
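Review bot: the added print statement in the ofxver 103 branch writes the full ClientUID to the console on every request, so the identifier the server associates with this client ends up in terminal scrollback and in any redirected output. Drop the print, or show only the last few characters. Separately, FieldVal(site,"siteClientUID") is evaluated twice and compared with the Python 2-only <> operator; read it into a local once and test it with != or plain truthiness.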
- — OfxPy/orig/site_cfg.py Wed Feb 19 20:51:56 2014
- +++ OfxPy/site_cfg.py Thu Feb 11 23:11:21 2016
- @@ -142,6 +142,7 @@
- ofxver = ‘102‘
- + siteClientUID = ”
- appid = DefaultAppID #defined in control2.py
- appver = DefaultAppVer
- mininterval = 0
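Review bot: the new siteClientUID default under ofxver has no comment saying what it is for, while the appid line just below documents where its default comes from. A short trailing comment stating that an empty value means the global ClientUID is used, and that the field only matters when ofxver is 103, would save readers a trip to ofx.py.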
- @@ -161,6 +162,7 @@
- ‘BANKID’: bankid,
- ‘BROKERID’: brokerid,
- ‘OFXVER’: ofxver,
- + ‘SITECLIENTUID’: siteClientUID,
- ‘APPID’: appid,
- ‘APPVER’: appver,
- ‘MININTERVAL’: mininterval,
- @@ -181,6 +183,7 @@
- elif field == ‘BANKID’: bankid = value
- elif field == ‘BROKERID’: brokerid = value
- elif field == ‘OFXVER’: ofxver = value
- + elif field == ‘SITECLIENTUID’: siteClientUID = value
- elif field == ‘APPID’: appid = value
- elif field == ‘APPVER’: appver = value
- elif field == ‘MININTERVAL’: mininterval = int(value)
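Review bot: the SITECLIENTUID branch stores value exactly as read, whereas MININTERVAL two lines below is converted with int(value). Strip surrounding whitespace and reject anything that is not a well-formed UUID at parse time, so a typo in sites.dat is reported here instead of being sent to the server as CLIENTUID.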