Guids in bank descriptions munged to XXXXXXXX-XXXX



I’m uploading a number of transactions to a virtual account using the API, which are intended to be correlated to invoices also created via the API.

Unfortunately, when I have a guid in the bank statement, it is replaced by Xs if the first part of the guid contains only numbers e.g.:

36871183-3574-43a6-86ad-d7dbb03f14ea Payment for Someone by Somone 

in a description is replaced with

XXXXXXXX-XXXX-43a6-86ad-d7dbb03f14ea Payment for Someone by Somone 

This is clearly quite frustrating, since it stops me doing the correlation correctly. Obviously, this is some kind of attempt at PCI-DSS compliance, but it’s a hammer to crack a nut, and makes the system somewhat unusable.


Hi Adam,

Ewa from FreeAgent here again — I’m pleased to see you’ve resolved the issue you encountered when creating invoices via our API, and sorry to hear you’ve come across a new stumbling block importing transactions! I’ve spoken to the relevant engineering team who own bank statement uploads and from our investigation it looks like part of your guids gets obfuscated due to the slightly overzealous logic of our bank statement sanitiser (which aims to hide any sensitive account details which sometimes get included in bank transaction descriptions). It seems there’s potential to tighten the logic we use for identifying sensitive information in bank statement uploads, so I’ve now opened an issue report for the current behaviour, which is currently being triaged by our engineers. In the meantime, you could try to work around this by replacing dashes in your guids with a different symbol (such as underscore), or, if you have control over the format of transaction guids, using alphanumeric strings at the beginning of your guids would also prevent them from being obfuscated during import.

I hope this helps, but if you have any further questions, please don’t hesitate to ask.

Best wishes,