PFM Sites Seek Thaw in Frosty Relationship with Banks
The Financial Services Information Sharing and Analysis Center is calling attention to the security risks and potential fixes to a common practice: consumers handing over online banking credentials to financial advice sites.
Brian Moynihan and Bill Demchak raised concerns Tuesday about the conduct of data aggregators, and particularly how well they protect customer data. The comments come amid reports that banks have been trying to strangle aggregators' access to their systems.
More and more consumers are using personal financial management tools to better manage their money --and that's causing quite a rift between banks and the providers of such tools.
In the last few months news reports have confirmed what many fintech observers have long suspected: that the biggest banks sometimes block PFM providers from accessing their customers' data.
Bankers have expressed concern that PFM sites' methods for accessing customer data could present data-security problems. An even bigger reason why banks' might block access is because these PFM firms, also called data aggregators, often update account information during peak user periods, overwhelming banks' servers.
"I call them 'aggravators,'" Bill Demchak, the chief executive at PNC Financial Services Group, said at a conference in November. "They slow service for the rest of our accounts. It's a real issue."
Still, analysts say that banks should be careful about letting the relationships with aggregators turn adversarial.
Restricting access could be a good way to catch their attention, but it could also wind up alienating the increasing number of bank customers using PFM tools, said Bill Butterfield, an analyst with Aite Group. The largest of the PFM providers is Intuit's Mint, and its monthly traffic in November was up more than 73% year over year, to nearly 14 million visits, according to the web site TrafficEstimate.com.
"Maybe this is a shot across the bow, [but] "I don't think it would be a viable strategy for banks to turn off the spigot forever," Butterfield said.
In addition, many banks have partnerships with some aggregators to handle some part of their mobile-banking interface -- Bank of America uses Yodlee's platform for its online banking, for example. Cutting off access could endanger valuable relationships.
Aggregators themselves want to coexist with banks and say that closer cooperation could iron out the security and server-capacity concerns.
"The knee-jerk response is to cut [access] off, but that's not the solution," said John Luciano, founder of the data aggregator Aqumulate. "At the end of the day, consumers want to use these applications and banks for the most part understand that."
Data aggregators and banks already coordinate to avoid overwhelming bank servers, but they need to do a better job, he said. For instance, banks often ask aggregators not to update their information during certain periods where they're doing website maintenance or expect high traffic.
"If the aggregator doesn't abide by that request the institution has no other recourse than to block access," said Luciano.
But both sides also need to also improve their techniques and technology, analysts say. Data aggregators need to modernize their techniques so they're less burdensome on bank websites and abandon crude, older forms of screen scraping that "hammer" bank servers, said Lowell Putnam, the CEO of the aggregator Quovo. With more modern, targeted methods, aggregators can lighten the load on servers.
"Aggregation companies need to recognize that financial institutions are partners, not adversaries, and we need to get data in ways that are friendly and not overly intrusive," he said.
But banks have to look in the mirror, too. The burden on their servers from all quarters is only going to grow, and they need to invest in more capacity.
"Banks do need to accept a higher load on their servers," Putnam said. "That problem is eminently fixable and not that expensive, and in the long run it may end up saving them money."
Security is a trickier problem to solve. While banks are subject to tight rules about treating customer data, the thousands of data aggregators in the market are all but unregulated. The Federal Trade Commission in theory has authority over them, but it has not yet punished any aggregators for mishandling customer data.
The aggregators don't see themselves as weak links. There have been no data breaches at aggregators, they say. Furthermore, most aggregators don't actually store login credentials, but license them from larger companies like Fiserv or Yodlee, thus lessening the risk of a data breach.
Aggregators and banks "are both held to the same standards by our clients and we both have the same to lose in a data breach," Putnam said.
One solution to both the server and security problems would be having direct data feeds from banks and aggregators so that the aggregators wouldn't have to use customer credentials to access it. However, there are so many banks and credit unions that it would be difficult to set up individual data feeds with each, experts say.
A more practical alternative would be to for the industry to create a secure central database into which banks would feed customer data and from which that aggregators could pull it. There is a central database called the Open Financial Exchange that partially serves this function, but it's nearly 20 years old and needs updating, aggregators say.
The Financial Services Information Sharing and Analysis Center, an industry group dedicated to improving the security of financial data, has proposed creating a new central database, but it is not clear how far those efforts have gone. A spokesman for the group declined to comment or provide details on the plan.
In the absence of an industrywide fix, banks and aggregators need to work collaboratively on a solution, said Aqumulate's Luciano.
"A lot of new technology is disruptive to the banks' core business model, and you can see why they'd want to cut them off," he said. "That's not the case here. We're all working toward the same goal."