Regs Not Keeping Up With Web Aggregation

WASHINGTON — Outdated regulations could leave banks liable when glitches lead to problems in the booming business of consolidating, or “aggregating,” a customer’s financial information on one Web site — a business currently dominated by nine nonbanks.

“The customer is going to come back to the financial institution, even if the nonfinancial institution caused the problem,” said Wayne Sams, senior vice president and assistant general counsel at First Union Corp. “We would have to put the money back in the customer’s account and then chase the aggregator.

“We could be stuck holding the bag.”

That’s because it is unclear whether Federal Reserve Board rules cover screen-scraping firms, such as VerticalOne Corp. or Yodlee Inc., that have signed up 300,000 bank customers.

The Fed’s Regulation E enforces the 1978 Electronic Fund Transfer Act, providing a basic framework of participants’ liabilities and responsibilities when funds are transferred electronically. If something goes wrong — money is stolen, payments are misdirected — liability rests with the financial institution that holds the customer account or issued an “access device,” such as an automated teller machine card or personal identification number.

But the regulation was written when ATMs were at the cutting edge of money transfer technology. Now, two decades later, Regulation E encompasses Internet-based aggregation, or screen-scraping, services, which let people transfer funds, manage various financial accounts, and pay bills in one place.

Most nonbank aggregators say Regulation E does not apply to them since they are merely taking the customer to the bank’s Web site. Bankers, however, claim the aggregator is providing an access device and should be liable if an unauthorized transaction is made.

“A number of aggregators take the position that they only take you to the [bank’s] Web site. Is that a form of access device? If it is a form of access device issued by a nonbank aggregator, does that place Regulation E responsibility on the nonbank aggregator? That is the $64,000 question that nobody has the answer to,” said Wells Fargo Bank vice president and assistant general counsel John Jin Lee, the San Francisco-based institution’s aggregation maven.

“That’s where Regulation E is really screwed up,” Mr. Lee said. “Reg E was never drafted in a way where you could divide responsibilities between two parties.”

Recognizing the problem, the Fed has asked for public comment on how to clarify the rule.

“The question for us is to determine whether an aggregator is covered by Regulation E. Are they providing electronic funds transfers, and are they issuing an access device?” said Kyung Cho-Miller, a Fed lawyer working on the issue.

“The aggregation model is unique in that there are often two access codes being used — one by the bank and one by the nonbank aggregator. Generally speaking the [original] regulation never contemplated two different access devices being used. That’s the novel issue being presented by aggregation: Does the aggregator’s access device preempt the [bank’s] device, or are they both responsible?”

Ms. Cho-Miller said the earliest the Fed will issue the revised Regulation E is yearend. Comments are due Aug. 31.

First Union’s Mr. Sams said he thinks the Federal Reserve “is on the right path.” The revisions “just need to be done as soon as possible.”

Mr. Lee agreed, but said that when banks start providing aggregation services, “things could change radically. There’s a big difference between having a few thousand versus millions of customers using aggregation.”

Many large banks and brokerages, including First Union, Chase, Citigroup, FleetBoston Financial Corp., and Merrill Lynch & Co., plan to offer aggregation services on their own Web sites by yearend.

Most nonbank aggregation services give customers a “hot link” that takes them directly to the bank’s Web site. Once there, customers can access their account in one of two ways. Under one scenario, the aggregator requires them to enter their password themselves. In this case, most banks and nonbanks agree, the bank is responsible if the customer experiences a loss.

However, most nonbank aggregators use a second, “fuller service” method. They ask for customers’ personal identification numbers when people sign up for the service. That way, when customers enter the aggregator’s Web site, they are automatically logged into their bank accounts using the password they gave the aggregator.

Regulations are not clear on which party is liable in such a situation. Many nonbank aggregators skirt Regulation E liability by transferring funds via paper check, rather than electronically — the regulatory trigger.

While aggregators let customers move their money and pay bills electronically, the aggregator itself usually sends the merchant a paper check for the amount the customer requested.

“They use paper checks for two reasons,” Mr. Lee said: it ensures that merchants lacking wire transfer capabilities “have the ability to be paid, and they avoid Regulation E.” Bankers want this loophole closed.
