Financial-Services Companies Aim To Lower Aggregation Risks
The Security Assertion Markup Language is one direction for online authentication.
Financial-services companies are examining ways to mitigate the risk of sharing customer IDs and passwords with third-party providers of account-aggregation services, which enable high-net-worth individuals and their financial advisers to view and make transactions against accounts at multiple institutions from a single Web page.
The Financial Services Roundtable, an industry trade group, earlier this month published a set of guidelines establishing the need for institutions to exchange information securely with account-aggregation services using open, interoperable direct data feeds. In the past, those exchanges have relied on screen-scraping, in which a customer provides the aggregation service with his or her passwords; the service then logs on to the customer's accounts and gathers the account information for viewing by the customer.
To the extent that screen-scraping requires sharing credentials that weren't meant to be shared, the practice has spawned a host of privacy, security, and risk-management issues for banks. Those risks multiply when service providers begin to offer services beyond simple aggregation, such as funds transfer. "The more transaction capability is provided, the less desirable [screen-scraping] is from a risk perspective," says Gary Roboff, a senior consultant to BITS, the Financial Services Roundtable's technology research arm.
BITS has formed a working group of financial-services companies and aggregators such as Yodlee Inc. to study the means by which they authenticate online users of financial services. Security Assertion Markup Language, an XML-based specification for online authentication, is one direction for online authentication, Roboff says; another banking group, the Financial Services Technology Consortium, has praised SAML for providing a bridge between financial institutions and online customers.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.