Banks are increasingly issuing warnings to users of banking aggregators such as Personal Capital and Intuit's Mint.com under the guise of security risks, but that's not the whole story.
For many people, the use of cloud-based banking aggregators such as Mint.com, Personal Capital, and related services like FileThis, are vital to keeping track of not just spending habits, but where their money is. With the ease of opening accounts at financial institutions online, it is possible to open accounts at institutions that do not necessarily have a physical presence nearby.
Some banks, like Ally, specialize in this. With the relative proliferation of credit cards, mortgages, student loans, investments, and other financial products--each often serviced by different companies--a significant number of people have a very real need to manage accounts across financial institutions.
SEE: Cyber defense in financial services: Trends, strategies, and best practices (Tech Pro Research)
The process of doing so, however, often requires disclosing account credentials to a third party service, which then logs in to your account and screen-scrapes information to display in their management interface. This is causing concern for banks, which are urging customers not to disclose their account credentials with third party services.
The case against cloud banking aggregators
The first step of practically any security policy is "do not share your username and password." Considering that the ability to use cloud banking aggregators is predicated on sharing your username and password, there is a very obvious cognitive dissonance involved in using these services.
Theoretically, when uploaded to cloud banking aggregators, financial account credentials are encrypted. While Mint.com has a strong record of security, their parent company Intuit has had various security issues, the most recent and notable of which happened earlier this year as tax returns were fraudulently submitted via TurboTax, either by having an existing TurboTax account compromised, or identity theft that occurred outside the program was used to submit fraudulent returns.
J.P. Morgan Chase goes as far as to tell users that by disclosing account credentials with third party services, customers are "putting your money at risk" and they "could be responsible for money you might lose as a result." However, federal banking laws known collectively as "Regulation E" (12 CFR 1005) greatly restrict end user liability for electronic fraud, even with the use of cloud banking aggregators.
Perhaps a more accurate assessment of the motivations behind these warnings is in profit--cloud banking aggregators generate revenue by analyzing your banking information and using that to sell financial products. For example, such a service would notice a savings account with an abnormally low APY, and prompt you to register with a competing bank, for which the company receives a referral fee from the servicing institution. If a user bypasses the website of their bank by instead using a cloud banking aggregator, this could feasibly result in potentially lost sales by the original bank.
The case for cloud banking aggregators
The suggestion that users of cloud banking aggregators are at risk is a difficult one for banks to make, particularly as banks themselves have a particularly spotty history of data security. In 2014, J.P. Morgan Chase was the victim of a particularly large hack of 83 million accounts, 76 million of which were personal accounts, the remainder of which were small businesses.
In 2013, 14 GB of internal data from Bank of America was released by Anonymous. The Lazarus Group, perhaps best known for their high profile hack of Sony Pictures Entertainment, has recently been hacking various banks internationally.
Additionally, information about how customers spend money is inherently the property of the customer. While banks (particularly the credit card market) package usage analytics as a product to be sold, the ability for customers to access their own spending habits should not be infringed.
Searching for an elegant solution
While the risk associated with sharing your banking account credentials with a cloud banking aggregator is non-zero, the chance of an actual issue occurring due to this is minimal, assuming the aggregation service in question has done their due diligence in securing user-submitted information. The ugly part of this equation is the way the sausage is made, so to speak--screen scraping is an ugly legacy technology that should not be relied upon in 2016.
While systems like Plaid and Wells Fargo work on APIs that allow cloud banking aggregators to access data without needing full account credentials, implementing solutions on a per-bank level would be particularly challenging for developers. In order to truly solve this issue, an open API and XML-based transaction standard are necessary for easing the pain of managing bank accounts for financial institutions, aggregator developers, and end users.
What's your view?
Do you use a cloud banking aggregator? Have you experienced difficulties getting that service to connect to your bank account to update data? Share your experiences in the comments.
- IBM X-Force finds major malware hitting Brazil banks ahead of 2016 Olympics in Rio (TechRepublic)
- Hackers hit central banks in Indonesia and South Korea (ZDNet)
- Mobile banking: Is it worth the security risk? (TechRepublic)
- Singapore bank releases APIs for app development (ZDNet)
- Report: Big banks to move 30% of workloads to public cloud within three years (TechRepublic)