WASHINGTON - After a year examining the security and privacy issues raised by online account aggregation services, BITS, the technology arm of the Financial Services Roundtable, on Thursday issued a thick book of voluntary guidelines that are meant to be a code of best practices for banks and third-party aggregation firms.
The guidelines, crafted by more than 200 financial services firms, regulators, and technology vendors, offer both technical recommendations and policy suggestions. For example, BITS recommends that companies offering account aggregation post policies on their Web sites regarding personal identification numbers, as well as disclaimers about the accuracy and completeness of information available through the service.
The guidelines describe types of information companies should share, recommend ways to handle consumer disclosure, and list laws and regulations that apply to account aggregation.
They also suggest that aggregation providers follow financial industry standards for encryption of sensitive data and use multiple servers to provide extra security. Computing systems should be configured in ways that monitor for intruders and provide appropriate limits on data access rights, according to BITS.
The effort to produce the guidelines, which has been one of BITS' central initiatives this year, stemmed from questions about how to let regulated businesses (financial services companies) together with unregulated companies (the aggregators) supply sensitive data to consumers.
BITS executives said they will now work to eliminate screen scraping, the practice of grabbing customer data from another company without its consent. Screen scraping has become an accepted practice in account aggregation, but some bankers worry about the security and reliability of information obtained that way.
"Our customers want aggregation services that provide them with an overall view of their financial situation," said Catherine A. Allen, chief executive officer of BITS. "And financial institutions want to allow their customers to do so in a secure and sound environment."
Gayle Wellborn, a senior vice president at First Union Corp., said demand is growing for account aggregation. At yearend 2000, about 800,000 people were using these services, she said, and the total is expected to grow to 3.4 million by the end of this year and to 35 million by yearend 2004, according to the BITS report.