Back in 1999 when we were first building VirtualBank I went on a business trip to visit a company named Vertical One to discuss a new idea called account aggregation. We sat in a presentation on account aggregation and listened to how it works and saw a demo that pulled together bank accounts, air line travel awards and credit card information all in one nice summary. It was very impressive and then I asked how do you get the data?
They answered that the user gives us their username and password and then they go out and screen scrape the data each night. I stopped the presenter and said wait a minute, you mean to tell me that users will come to you and give you all their usernames and passwords for all their financial and other web sites? He said yes. I remember saying to myself that will never work. People won't trust anyone but banks and well known financial institutions with their credentials. Well we did a deal (with mixed results) with what turned out to be Yodlee Corp in a merger that occurred in 2001 and of course I was wrong about people handing out their credentials.
Fast forward 10 years later and we now have many new financial web sites in the market place like Mint who are putting banks to shame with what they are doing and the way they are innovating. Of course underlying, Mint is using account aggregation to collect their financial data and putting it together in a very meaningful way.
Now there are many new players in the financial web 2.0 market with strange names like Jwaala, Wesabe, Geezeo and others and people are giving their credentials out to them. To be fair many of the sites do not store the credentials which are passed through to their aggregators. Have people forgotten that they are giving their credentials out to a non regulated entity or have all the security breaches at banks and financial institutions made them think that it can happen to anyone? This seems to be the one area that has not changed much in 10 years.
Don't know if consumers realize that when they give out their username, password, PIN, secret questions or whatever else is required that if it these credentials are compromised they are handing out the full transaction keys to the kingdom. I am not saying there are not other controls in place but it's scary the way aggregation works behind the scenes. For many sites the task to extract the data from a financial web site is sent off to India (or similar country) where they generate the code needed to access your accounts. If a financial institution changes their web site and something breaks almost just as quickly the code is updated to keep it grabbing data from the website.
The problem is that there is no accepted, inexpensive, open standard yet for safely exposing financial data for aggregators. I am not sure aggregators would want it anyway since they are getting paid for each user they collect data on. A safe standard that incorporates a common data format and a token based authentication would make it easy for companies like Mint to simply collect the data themselves if they chose too.
One approach we are rolling out at VirtualBank is a download only set of credentials. The client will be able to log into our on-line banking and generate a username and password that can be handed to the aggregators. This set of credentials allows only limited permissions needed to download the data without exposing any sensitive data that would compromise a user's identity or account.
While this does improve security it doesn't solve the long term problem, no standard. We are considering some other simple ways of exposing the data for the aggregators using some proposed simple standards as well. The problem is not hard to solve since it is not a technical challenge. It is the way the industry is right now though. It would be a nice problem to solve for consumers, banks and just about everybody else.