In recent weeks, major US banks have prevented automated logins from aggregators like Mint and Digit, which use client-provided credentials to log in to user accounts and scrape out financial data. The Wall Street Journal’s coverage (article behind paywall) implied that banks have acted primarily out of competitive motivations, but that isn’t the case.
For these account aggregators to present competitive risk to banks, they would have to offer substitute services – ATMs, cash withdrawal, credit cards, savings accounts, etc. Yet the majority of these aggregators offer services that are complementary to banks. For example, Mint makes it easier for bank clients to consume their financial data, and the application HelloWallet encourages financial health through personalized guidance.
In fact, after briefly mentioning competitive threats, the WSJ article then spends far more time on the real issue, security concerns, than on competition. The article states:
[There is] growing concern within the banking industry that rising use of such sites will overload bank servers, on top of worries that customer data could potentially be vulnerable to hackers…. In addition, it isn’t clear if consumers’ finances would be protected if they willingly handed over their confidential information to a site that was later hacked… [The aggregators] could present growing risks to consumers because of the detailed financial information the sites require from users.
Historically, Mint and Yodlee have been the dominant aggregators, but newer aggregators have emerged lately. These newer account aggregators present two considerable risks. First, unlike Intuit-owned Mint and the established aggregator Yodlee, these small start-ups cannot offer clients a level of security and protection comparable to the banks’. Second, with new aggregators popping up every day, banks have a harder time detecting fraudulent activity when aggregators log in and scrape out data, because automated attackers and aggregators are hard to tell apart. The bank’s security team then has two options – restrict all automated logins, or expend resources trying to distinguish safe aggregator bots from all other nefarious bots. The latter is expensive, so it appears that the banks highlighted by the WSJ have chosen the former.
It is not in banks’ long term interests to block account aggregators. As the customers quoted in the WSJ demonstrate, aggregators provide a valuable service. Banks recognize this fact, which is why they created the FS-ISAC’s Aggregation Working Group. The group was formed specifically to solve the problems outlined above while still allowing account aggregators to operate. They ultimately proposed a token-based authentication system that allows account aggregators to directly access the data they need, eliminating the need for clients to provide their user credentials.
Yodlee publicly announced its support for the token-based API over a year ago and is working with banks to adopt this win-win solution. It is unclear whether other aggregators also favor this method and whether the token-based system will become the new standard. What is clear, though, is that banks are taking automated online activity very seriously, and so should you.
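As an added illustration of the token-based approach described above (constructed example code, not the FS-ISAC working group’s specification or Yodlee’s implementation): after the customer consents at the bank, the bank issues the aggregator a signed token bound to that aggregator with a limited scope and an expiry, and the bank’s data API checks signature, expiry, scope and revocation on every request, so the aggregator never holds the customer’s password and the customer can cut off one aggregator without changing it. The signing key, client id and user id are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders for the illustration; a real bank would keep the key in
# an HSM and vet aggregators before registering them.
BANK_SIGNING_KEY = b"constructed-bank-signing-key"
REGISTERED_CLIENTS = {"aggregator-demo": "Example Aggregator (hypothetical)"}
REVOKED = set()  # token ids the customer has revoked; no password change needed

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id, user_id, scopes, ttl_seconds, now=None):
    """Bank side: issued after the customer consents; bound to one aggregator."""
    if client_id not in REGISTERED_CLIENTS:
        raise ValueError("unknown aggregator")
    now = time.time() if now is None else now
    payload = {"jti": f"{client_id}:{user_id}:{int(now)}", "client": client_id,
               "sub": user_id, "scope": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = b64url(json.dumps(payload, sort_keys=True).encode())
    sig = b64url(hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, required_scope, now=None):
    """Data API side: returns (client_id, user_id) if the token may be used for
    required_scope, otherwise None. No customer password is ever presented."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64url(sig), expected):
            return None  # forged or tampered token
        p = json.loads(unb64url(body))
        client, sub, exp, jti, scope = p["client"], p["sub"], p["exp"], p["jti"], p["scope"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token
    if exp <= now or jti in REVOKED:
        return None  # expired, or the customer revoked this aggregator's access
    if required_scope not in scope:
        return None  # e.g. a read-only token cannot authorise a transfer
    if client not in REGISTERED_CLIENTS:
        return None  # aggregator de-registered after the token was issued
    return client, sub

def revoke(token):
    """Customer revokes one aggregator's token; other tokens stay valid."""
    REVOKED.add(json.loads(unb64url(token.split(".")[0]))["jti"])
```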
“Banks, at Odds With Personal Finance Sites, Disrupt Service.” The New York Times. 10 Nov. 2015.
Huang, Daniel, and Peter Rudegeair. “Bank of America Cut Off Finance Sites From Its Data.” The Wall Street Journal. 9 Nov. 2015.
Sidel, Robin. “Big Banks Lock Horns With Personal-Finance Web Portals.” The Wall Street Journal. 4 Nov. 2015.
Watson, Colin. OWASP Automated Threat Handbook. OWASP. 26 Oct. 2015.
“Yodlee Announces Support of FS-ISAC, OAuth as Standard for.” Yodlee. 16 Oct. 2014.