Domesticating Account Aggregators

Banks and their regulators are still trying to tame account aggregators. Some aggregators have even become banks' newfound allies.

Account aggregation by independent technology companies continues to concern bankers, who fear the murky regulatory status of these "screen scrapers" could leave banks liable should customers' money get misdirected.

The notion of consolidating on one Web site the various accounts a consumer has at different financial institutions has been in the planning stages among bankers for some time. But, to their dismay, technology providers got into the space first, leaving banks as passive repositories of information that the screen-scrapers have learned to exploit quite effectively, and with access authorization provided by the banks' own customers.

"Two years ago, we at BITS (Bank Industry Technology Secretariat) identified financial aggregation as an important area for banks to play. What happened is, frankly, the technology folks beat them to it," says John Burke, outside counsel for BITS, which is based in Washington.

The reason aggregation appeals to bankers is that they see it as a way to hold tight to customers who might otherwise wander off in the boundary-less world of online financial services.

"The strategy is to entangle the customers, and aggregation is being looked on as key to this strategy," says Surya Kolluri, head of strategy at Destiny Web Solutions Inc., Conshohocken, PA, a firm that does "e-solutions" consulting for financial institutions. "Providing aggregation puts banks in a position to gain information about customer 'life-cycle' events (whether a person is buying a house or the kids are going to college) and then offer the appropriate products and services."

But with the genie out of the bottle and their customers now in the hands of screen-scraping interlopers, the banks also saw potential for mayhem, with funds disappearing out of customer accounts into some untraceable corner of cyberspace and banks possibly implicated in such losses.

Perhaps most importantly, the potential growth in account aggregation activity lends urgency to the issue. Celent Communications, Cambridge, MA, for instance, predicts 7 million users of account aggregation by 2003, while US Bancorp, San Francisco, did a report in April suggesting there could be 50 million users by 2005. Currently, there are about half a million consumers using account aggregation services, industry analysts say.

Banking is, of course, a highly regulated industry, and bankers are lobbying for regulatory oversight of the aggregators. The technology companies themselves, at least at the beginning, saw things differently, though they are coming around.

"It was a real wake-up call to some of these technology providers when they first got involved with regulators and banks. The aggregators discovered that they're treading in an area where we're going to be looking at them," says Jennifer Dickerson, director, technology risk management, at the Office of Thrift Supervision.

In fact, OTS has taken the position that aggregation technology companies which provide services to financial institutions (a number that is growing) fall within the agency's jurisdiction.

"We consider the aggregation of financial information to be a financial service, and in Gramm-Leach-Bliley this type of activity is defined as a financial service," Dickerson says.

Even so, the ruling by OTS is narrower than it may at first appear. As Dickerson explains, aggregators working independently of any financial institution may or may not be subject to regulation when offering their services directly to the public.

Asked whether a pure screen-scraper technology operation, wholly independent from a bank, falls under OTS jurisdiction, Dickerson had to admit, "I don't have an answer to that. That has to be looked at. Thus far there's been no case of a bank complaining about such an activity and asking us for help."

If banks have been slow to file formal complaints, it isn't because they're happy with the regulatory shadow area in which some of the account aggregation is taking place.

As Dickerson herself says, the "worst model" for account aggregation activity is one in which the bank has no control and no knowledge of the actions of the screen scrapers.

Gayle Wellborn, director of customer advocacy for the E-channels division at First Union Bank, Charlotte, NC, would agree.

The "big issue," Wellborn says, is that the practice of screen scraping (the hallmark of which is that it occurs undetected by the bank's systems) usually requires "the storage of the customer's information locally, which is a big security risk."

Aggregators have "not been regulated in any way," Wellborn says, "and therefore not held to minimum security and privacy standards."

First Union in December sued Secure Services Inc., providers of the Paytrust.com e-billing service, saying the company violated the bank's security and customer privacy policies. First Union subsequently dropped the suit, having reached an understanding with Secure Services, but representatives of the bank are still pushing government regulators to clarify the issues.

Further, despite the fact that the OTS has defined aggregation (albeit in a circumscribed way) as a financial service subject to regulation, the Office of Thrift Supervision doesn't speak for all government regulators.

"The concept of a 'financial institution' is a very significant concept and may be interpreted somewhat differently depending on which regulatory agency you're dealing with," says Burke of BITS.

"What you'll see in ecommerce a lot is the 'non-regulateds' coming into contact with the 'regulateds.' This is a classic example of that," Burke says.

The major agency that has yet to weigh in on the subject is the Federal Reserve Board, which is responsible for the broad area of electronic funds transfers, as spelled out in the 1978 Electronic Fund Transfers Act, or Regulation E.

Under the law, the financial institution at which a customer has an account or which issued the customer an "access device" (such as an ATM card and PIN) is responsible when security is breached and a customer loses money.

Now the Fed must decide whether the financial information aggregators come under the jurisdiction of Regulation E.

Some technology providers have taken the position that since they may only be taking a customer to the bank's Web site, they are beyond the reach of "Reg E." So the question becomes: Is this link provided by the aggregators tantamount to an access device?

Regulation E falls short, according to some observers, in that it fails to address a situation in which two entities share responsibility for maintaining security over an access device.

Kyung Cho-Miller, a lawyer at the Federal Reserve, says, "A couple of components must be established before you say that Reg E applies to the aggregators: that they are issuing an access device, a PIN, for instance, that allows the customer access to his asset account; and whether the aggregators are offering to do EFTs. Some are and some are not."

Almost all of the aggregators have what's called an automated log-in feature, with a hot link to the customer's bank accounts. BITS has a study group on aggregation and is trying to determine whether the automated log-in constitutes an "access device" in Reg E. In other words, does it trigger Reg E?

Financial institutions say aggregators know fund transfers must occur when consumers come to the sites. Consequently, the bankers maintain, the aggregators are, in effect, agreeing to provide EFT services.

"There's an argument to be made that they are," Cho-Miller says. "That's what the Fed is looking at."

Some bankers argue that whether aggregators are technically performing electronic fund transfers is beside the point; just the fact that they hold this sensitive financial information is enough reason to turn the regulatory spotlight on them.

"The risks are just as great for the data-aggregation side as for EFTs. The question is: How well is the information held by an aggregator secured? There are risks from hackers, and there's the question of employee access to the information. None of that is regulated or addressed today," says Wayne Sams, senior vice president and assistant counsel at First Union.

The Fed asked for comment on the issue. That comment period ended Aug. 31, and Cho-Miller says the Federal Reserve now will consider the comments and "take appropriate action" by the end of the year.

"Policy-wise, there may be reason to treat the aggregator as a financial institution," she says, alluding to the fact that protecting the consumer is a prime consideration of regulation. She acknowledges, too, that the gray area in which account aggregation activity occurs does raise questions of security.

But Cho-Miller goes on to say that the Fed may, after all, not bother issuing a clarification of Regulation E.

"The banks and aggregators seem to be working things out on their own," she says. "We do not want to be placed in a position where we are stifling technology. With financial institutions becoming aggregators themselves, I don't know if the demand for clarification is as urgent."

Nonetheless, Cho-Miller and her colleagues have reason to move with all deliberate speed in assessing the regulatory policy issues surrounding account aggregation. Since the first few months of the year, the situation has changed markedly, with some major banks tapping the technology aggregator companies in order to offer aggregation services themselves. Other banks appear to be lining up to follow suit.

Citigroup, New York, using the technology of Yodlee Inc., a company based in Sunnyvale, CA, and the biggest of the aggregators, has set up the MyCiti account aggregation site. And Chase Manhattan Corp., New York, also has a deal with Yodlee to set up a Chase Web site for aggregation. Like Citigroup's, it will be open to customers and non-customers alike.

This move reflects in part the major strength of banks, with their well-established role as trusted advisers to the public. They may move slower than the more nimble tech start-up firms, but, as a group, banks not only have vast capital resources but also the comforting establishment presence that accompanies such financial strength. At least some customers, it seems, are unlikely to share their highly guarded financial information (account numbers and passwords for bank accounts, credit cards, investment funds, etc.) with companies that didn't exist 24 months ago.

A survey of consumers who use the Internet by Star Systems, Maitland, FL, showed security issues are very important to potential users of aggregation services, with 89% of those polled saying they favor bank involvement in any aggregator site they might sign on with.

Such sentiment no doubt figured in the decision by the technology companies to change course.

In 1999, the big aggregation companies like Yodlee and VerticalOne, the latter of which is owned by S1 Corp., Atlanta, were focused on providing aggregation services independently. Today, however, their focus has shifted to becoming technology providers to big financial institutions.

"What's happened is that banks have embraced, have co-opted, aggregators," says Kolluri of Destiny Web Solutions. "I see banks very forcefully embracing the technology."

The fear among bankers, and even among the established aggregation companies, is that some screen-scraping technology cowboy will cause havoc and bring the house down on everybody in the form of onerous regulation. This dim prospect, in turn, has motivated all players in the business to take a stab at working together.

"I've seen, in an unbelievably short period of time, the tech industry and banking industry working toward creating a set of rules, recognizing that they have to," says Dickerson of OTS. "They don't want regulators to come in and pass rules for them."

And Burke notes the fact that aggregators are covered by the privacy provisions enacted as part of the recently passed Gramm-Leach-Bliley banking reform act "brings them to the table, knowing they have to deal with these issues."

Among the companies at the table is Yodlee, whose director of marketing communications, Melanie Flanigan, declares, "We are in full support of regulation in this area to the extent that consumers need protection, especially as these services become more transaction oriented."

She says Yodlee already has a good security structure in place, but adds: "We have to be concerned about others out there that aren't meeting these standards and (are) thereby jeopardizing the whole industry."

Yodlee's chief marketing officer, Jim Taschetta, says the company "wants to make sure we are around many years into the future, and that's why we support regulation to protect consumers."

Co-chairing BITS' initiative to establish voluntary industry guidelines for financial aggregation services is Wellborn of First Union. More than 150 companies are participating in the effort, including financial institutions, non-financial aggregators and regulators.

"We recognize a need to create a network of trust among all the players," Wellborn says. "Should there be a breach in security it's not going to reflect well on any of us."

But, she pointedly notes, "We're not there yet."

"We talk about those who have come to the table at BITS," says First Union's Sams, "but there are many, many more aggregators not at the table."

The nature of the technology is such that "we don't know who's out there. That's one of the primary reasons we are looking to the Fed for some clarification. There may be some of the larger technology aggregators willing to deal with these issues, but there are many others that are not," he says.

Taschetta says the point is "to just make sure everyone is in compliance. No one wants to make adoption of this useful technology harder than it needs to be."

He emphasizes that the goal should be to set standards "rather than piling on regulations. I won't say you can rule out the possibility of a rogue player, but those are the things you can't regulate out anyway."

No matter how one views the business, what adds urgency to the situation is that the technology is evolving to a point at which the information collected by aggregation companies soon will become much more "volatile."

"The aggregation that happens today is superficial; that is, you can't do anything with it," Kolluri says. She adds, however, that some companies are working with banks and "will, with the banks' permission, put 'pipes' from the aggregation sites into the different financial institutions to collect data and to do transactions."

Of course, if the technology is there to perform such an operation, it can also be done without the bank's permission, much like screen scraping.

"And that's what has us all sitting on the edge of our seats," Dickerson of the OTS says.

MORE FROM AMERICAN BANKER