The Screen-Scraping Threat

Slow from the gate to offer account aggregation services of their own, banks must now grapple with a slew of offerings run by nonbanks and built on renegade technologies. This uneasy relationship is raising a host of troubling privacy, security and disintermediation issues.

To begin with, there's the "screen-scraping" technology itself, which involves lifting customer information from a bank Web site without that institution's permission. Major developers include Yodlee Inc., Redwood Shores, Calif.; Atlanta-based VerticalOne Corp.; and ezlogin.com Inc., a subsidiary of Toronto's 724 Solutions Inc. Some vendors attempt to cooperate with banks, but others use passwords supplied by the customer to do their work surreptitiously.

"A lot of banks are upset that someone else can come in and freely lift the information that they have labored to create and maintain," says Timothy Keehan, a partner with Mayer, Brown & Platt in Washington, D.C.

Can aggregators be trusted to handle this information responsibly? Their privacy policies run the gamut. Some vow not to even look at the information they gather for customers, but others acknowledge they might use it for marketing purposes. Banks fear they will be cut out of the relationship if aggregators begin cross-selling products and services to their customers.

Regulations in this area are scant. And even the Federal Trade Commission's contention that nonbank aggregators are financial institutions under recent federal banking legislation may not hold up in court.

Keehan says any misuse of customer information by an aggregator would leave a bank vulnerable to lawsuits, even if the customer willingly gives his authentication information to a third party.
"The customer could say, 'I gave permission for this aggregator to get my information, but I wasn't aware that my name, address and everything else would get taken.'"

While most of the aggregators in the market appear to be acting responsibly, security could also emerge as a serious issue. Consultant Octavio Marenzi warns of a "significant" risk that some user passwords could fall into the hands of hackers. "For banks and brokerages, that would be devastating," says Marenzi, president of Celent Communications, Cambridge, Mass.

Keehan points out that the Federal Reserve Board's Regulation E, if strictly interpreted, says a bank is liable after the first $50 of losses, even if customers willingly give away their data. Reg E governs companies that conduct electronic transfers on the Web. But the rule didn't envision aggregators when it was last amended in 1998. And many aggregators issue paper checks when transferring funds for clients, which exempts them from its reach.

Banks are now lobbying regulators to expand Reg E to cover nonbank aggregators. The Fed entertained comments on this issue and could announce revisions near yearend.

Otherwise, banks' options are disturbingly limited. Most institutions have rebuffed aggregator attempts to obtain direct data feeds of account information, and some regularly re-jigger the way that information is presented on their Web sites to hinder the aggregators. Such efforts can slow the process. But they will have little long-term effect as aggregation technology improves.

More robust security measures, such as software-based digital certificates or smart cards, would be both costly and cumbersome, and likely to alienate customers. Moves to sue aggregators have come to naught. Keehan says courts would likely conclude that customers, not the bank, own their financial information and can use it as they see fit.

Education seems the best defense.
Many banks have begun warning customers through Web site disclosures or printed account statements that they cannot be held responsible for losses that result from giving pass codes to a third party, even though courts may rule otherwise. They're also trying to highlight the fact that many of the nonbank aggregator services are not regulated.