Financial-Services Companies Aim To Lower Aggregation Risks

Financial-services companies are examining ways to mitigate the risk of sharing customer IDs and passwords with third-party providers of account-aggregation services, which enable high-net-worth individuals and their financial advisers to view and make transactions against accounts at multiple institutions from a single Web page.

The Financial Services Roundtable, an industry trade group, earlier this month published a set of guidelines establishing the need for institutions to exchange information securely with account-aggregation services using open, interoperable direct data feeds. In the past, those exchanges have relied on screen-scraping, in which a customer provides the aggregation service with his or her passwords; the service then logs on to the customer's accounts and gathers the account information for viewing by the customer.

To the extent that screen-scraping requires sharing credentials that weren't meant to be shared, the practice has spawned a host of privacy, security, and risk-management issues for banks. Those risks multiply when service providers begin to offer services beyond simple aggregation, such as funds transfer. "The more transaction capability is provided, the less desirable [screen-scraping] is from a risk perspective," says Gary Roboff, a senior consultant to BITS, the Financial Services Roundtable's technology research arm.

BITS has formed a working group of financial-services companies and aggregators such as Yodlee Inc. to study the means by which they authenticate online users of financial services. Security Assertion Markup Language, an XML-based specification for online authentication, is one direction for online authentication, Roboff says; another banking group, the Financial Services Technology Consortium, has praised SAML for providing a bridge between financial institutions and online customers.