WASHINGTON Outdated regulations could leave banks liable when glitches lead to problems in the booming business of consolidating, or aggregating, a customers financial information on one Web site a business currently dominated by nine nonbanks.
The customer is going to come back to the financial institution, even if the nonfinancial institution caused the problem, said Wayne Sams, senior vice president and assistant general counsel at First Union Corp. We would have to put the money back in the customers account and then chase the aggregator.
We could be stuck holding the bag.
Thats because it is unclear whether Federal Reserve Board rules cover screen-scraping firms, such as VerticalOne Corp. or Yodlee Inc., that have signed up 300,000 bank customers.
The Feds Regulation E enforces the 1978 Electronic Fund Transfer Act, providing a basic framework of participants liabilities and responsibilities when funds are transferred electronically. If something goes wrong money is stolen, payments are misdirected liability rests with the financial institution that holds the customer account or issued an access device, such as an automated teller machine card or personal identification number.
But the regulation was written when ATMs were at the cutting edge of money transfer technology. Now, two decades later, Regulation E encompasses Internet-based aggregation, or screen-scraping, services, which let people transfer funds, manage various financial accounts, and pay bills in one place.
Most nonbank aggregators say Regulation E does not apply to them since they are merely taking the customer to the banks Web site. Bankers, however, claim the aggregator is providing an access device and should be liable if an unauthorized transaction is made.
A number of aggregators take the position that they only take you to the [banks] Web site. Is that a form of access device? If it is a form of access device issued by a nonbank aggregator, does that place Regulation E responsibility on the nonbank aggregator? That is the $64,000 question that nobody has the answer to, said Wells Fargo Bank vice president and assistant general counsel John Jin Lee, the San Francisco-based institutions aggregation maven.
Thats where Regulation E is really screwed up, Mr. Lee said. Reg E was never drafted in a way where you could divide responsibilities between two parties.
Recognizing the problem, the Fed has asked for public comment on how to clarify the rule.
The question for us is to determine whether an aggregator is covered by Regulation E. Are they providing electronic funds transfers, and are they issuing an access device? said Kyung Cho-Miller, a Fed lawyer working on the issue.
The aggregation model is unique in that there are often two access codes being used one by the bank and one by the nonbank aggregator. Generally speaking the [original] regulation never contemplated two different access devices being used. Thats the novel issue being presented by aggregation: Does the aggregators access device preempt the [banks] device, or are they both responsible?
Ms. Cho-Miller said the earliest the Fed will issue the revised Regulation E is yearend. Comments are due Aug. 31.
First Unions Mr. Sams said he thinks the Federal Reserve is on the right path. The revisions just need to be done as soon as possible.
Mr. Lee agreed, but said that when banks start providing aggregation services, things could change radically. Theres a big difference between having a few thousand versus millions of customers using aggregation.
Many large banks and brokerages, including First Union, Chase, Citigroup, FleetBoston Financial Corp., and Merrill Lynch & Co., plan to offer aggregation services on their own Web sites by yearend.
Most nonbank aggregation services give customers a hot link that takes them directly to the banks Web site. Once there, customers can access their account in one of two ways. Under one scenario, the aggregator requires them to enter their password themselves. In this case, most banks and nonbanks agree, the bank is responsible if the customer experiences a loss.
However, most nonbank aggregators use a second, fuller service method. They ask for customers personal identification numbers when people sign up for the service. That way, when customers enter the aggregators Web site, they are automatically logged into their bank accounts using the password they gave the aggregator.
Regulations are not clear on which party is liable in such a situation. Many nonbank aggregators skirt Regulation E liability by transferring funds via paper check, rather than electronically the regulatory trigger.
While aggregators let customers move their money and pay bills electronically, the aggregator itself usually sends the merchant a paper check for the amount the customer requested.
They use paper checks for two reasons, Mr. Lee said: it ensures that merchants lacking wire transfer capabilities have the ability to be paid, and they avoid Regulation E. Bankers want this loophole closed.