The Next Level
by Kenneth Cline
For Yodlee executive Sukhinder Singh, account aggregation's real promise lies in value-added applications such as funds transfer and wealth management tools.
Morphing from mortal threat to potential ally, Yodlee Inc. has come a long way in its relationship with the banking industry. Incorporated in February 1999, the Redwood Shores Calif.-based outfit was first seen as a menace. And no wonder: its "screen scraping" technology extracts information from bank Web sites without the institutions' permission. Also known as "account aggregators," companies such as Yodlee consolidate customer accounts on one screen, using customer-supplied codes to access data from various providers.
Bankers cooled down when they realized aggregation was appealing to many of their high-end customers. By mid-2000, major banks were announcing aggregation programs of their own. Meanwhile, Yodlee cemented its dominance with a yearend agreement to merge with rival VerticalOne Corp., a subsidiary of Atlanta-based S1 Corp. Together, the duo serves many of the biggest online players, including America Online, Citigroup Inc. and Wells Fargo & Co.
Now that account aggregation is unquestionably here to stay, bankers with online ambitions need to understand this technology and how it might affect them. Highlighting the industry's increased interest, Yodlee co-founder and vice president Sukhinder Singh gave one of the keynote addresses at BAI's Retail Delivery conference late last year in New Orleans. Following her speech, the executive sat down with Banking Strategies to discuss aggregation from Yodlee's point of view.
Ms. Singh, not surprisingly, defended screen-scraping as a "good technology for getting broad, shallow data fairly accurately." But she also said the aggregation business needs to incorporate more powerful capabilities, such as funds transfer and investment management tools, to achieve its full potential. Viewing multiple accounts on a single screen is one thing, in other words, but actively managing those accounts is quite another. And attaining this higher level of functionality, she notes, depends on the banking industry's cooperation.
Banking Strategies: Banks were initially hostile to Yodlee and other aggregators because of the screen-scraping issue. What's the relationship now?
Singh: These days, we have a remarkably good relationship with the banking industry. Of course, it wasn't always so. Bankers looked askance at first, as if to say, "Who are these guys?" It took a while to sell them on the philosophical concept that consumers want seamless online access to their finances, no matter how many institutions are involved.
But once an institution accepts the premise that consumers should have unrestricted access to their information, then it has two choices: either adopt an aggregation service itself or work with external aggregators to ensure the reliability and security of its systems.
Today, we are viewed less as an agitator and more as an accelerator and a facilitator. I think banks are awakening to aggregation as a platform for some key applications that will take fuller advantage of proprietary and third-party data — as a way to round out their business initiatives.
Most banks are currently serving their customers with a limited set of data and a limited set of products. Going forward, as banks gain access for the first time to their consumers' entire financial picture, they will gain a better ability to target clients and tailor interesting products and services to their needs.
Banking Strategies: Although Yodlee has established direct data feeds with some financial institutions, you still use screen-scraping. Is that technology still central to your business model?
Singh: That technology provided a critical jumpstart. In the absence of robust data feeds, it was the best way to enable consumers to obtain composite information on their own authority. The only consent required is that of the user.
Screen-scraping essentially creates a robot that goes to a Web site, pretends it's the user, retrieves information and brings that data back to a central point in a secure manner. Much fuss has been made about the methodology. But screen-scraping is a good technology for getting broad, shallow data fairly accurately. If you just want to know your bank and brokerage balances, I'd argue that screen-scraping works just as well as direct data feeds.
The shortcomings of screen-scraping become apparent when the user wants to go to the next level with value-added applications such as asset allocation and wealth management tools. More detailed information is then needed, and sometimes that data isn't available on a Web site. Instead, it's only available directly from the institution. The cost basis of securities is a perfect example. You won't find that on a brokerage Web site, but it's ritical for tax planning. So screen-scraping starts to fall short when you need deep data.
Screen-scraping remains a large component of our business model, and I think it will always be in the mix. While we believe more financial institutions will build data-feed connections using the Open Financial Exchange or Interactive Financial Exchange protocols for electronic messages, that's time-consuming and costly. Such investments are justified only for multiple applications.
Personal financial management functionality is the key driver for building a data-feed solution. If all you want to do is enable one aggregator to get one piece of data from your Web site, I'm not sure you'd build an OFX server. But if you want PFM functionality that serves multiple aggregators, that moves data back and forth between multiple internal properties, then you're going to invest in that technology.
Banking Strategies: Which institutions now feed data to you using OFX connections?
Singh: We're not at liberty to identify all the institutions, although Morgan Stanley Dean Witter & Co. has talked publicly about their intent to provide us with a data-feed solution. So far, we've had fair success converting about 20 large and mid-tier financial institutions. They either give us OFX or IFX, which is an evolved standard of OFX that also incorporates an important Web programming tool called Extensible Markup Language. We can accept both.
Banking Strategies: So establishing an OFX data feed is not essential to your business model?
Singh: I don't know if it's essential right now. Can we keep running our business without it? The answer is yes.
On the other hand, direct data feeds will be essential for future value-added applications. We will be inherently limited if we cannot pipe in the richer data stream needed for robust financial planning tools.
The advantage of a direct data feed is that the aggregator doesn't have to take the customer's user name and password, which makes it more secure. I think financial institutions will move independently to direct feeds in order to provide better protection for their customers. BITS, the bank technology group, is already working in a number of forums with regulators and leading financial institutions to minimize security risks.
The key driver here will be demand — the increased use of account aggregation by bank customers.
Banking Strategies: What sorts of customers are attracted to account aggregation? Is there a standard demographic profile?
Singh: The profile fits that of the typical online banking customer almost perfectly. Keep in mind, our view is based on early focus groups we conducted with our customers and on feedback from third-party research companies. We don't collect very much registration information on our customers today because we don't want to make them nervous that we're going to do anything with that data.
But based on the early focus groups, we can say our demographic is skewed to males between the ages of 35 and 55, married, with above-average income. This group also possesses "early adopter" characteristics, although I think we'll see more mass-market customers as the service becomes available at heavily-trafficked Internet destinations such as America Online, Alta Vista and Quicken.com.
At the moment, for example, America Online uses our aggregation service in its personal finance channel. One can envision the day, however, when the aggregated account page is the first screen customers see when logging on to AOL.
It depends on how well some of these mass-market portals leverage the technology. It also depends on the ultimate level of convenience realized by the customer. Account aggregation is easy to use in practice, but that's not the main point. The technology's ultimate payoff hinges on the workload it carries for each customer — the more online accounts it handles, the more value it provides. As people move more of their assets into online accounts, we'll see a corollary growth in account aggregation.
The process can be accelerated if our partners are smart and use account aggregation to attract customers to their sites.
Banking Strategies: How important is the use of mobile devices in speeding adoption rates?
Singh: I've been amazed by the statistics we've seen. Right now, one of every five of our customers uses a mobile device such as a cell phone or Palm Pilot to access aggregated account information. And that's across a base consisting of tens of thousands of users. Our average mobile user maintains 10 accounts in the service and logs in 20 times a month, which is extraordinary.
Unlike a personal computer, the mobile device is not really conducive to in-depth online activity, like going from Web site to Web site and logging in at each to pick up a single piece of information. It is, however, very well suited to quick access — pulling unique pieces of information from a single hub, such as the one an aggregator can provide.
The proliferation of mobile devices is definitely a wind in our sails. But we'll also benefit from multiple uses of the land-based telephone. Take the voice recognition unit, for example. Customers can dial in to Citibank today and get their bank balance from the VRU. Why not put account aggregation functionality on the VRU so those customers can get their Chase balance as well? It's technically possible.
One day, you'll be able to get account aggregation services on your automated teller machine or from the teller at your local branch.
Banking Strategies: Can customers go to Yodlee directly for an account, as opposed to accessing your service through a financial institution or Internet portal?
Singh: Yes. When we first pioneered the technology, we needed to launch it somewhere, so we did that on our Yodlee.com Web site. Although we haven't shut down that site, we don't market it now. When customers go to Yodlee.com, they see a page listing all of our partners. If they still want to avoid our partners and set up an account through us, we'll do that. But we don't encourage it.
Banking Strategies: How do you generate revenues in your business model?
Singh: We're providing a service bureau model, if you will, where we host the aggregation service and run it for the financial institution partner. We license the core service with a one-time setup and maintenance fee. Then we charge an annual per-user fee based on the number of people using the system. All of our income flows from the institutions because most of them do not charge their customers for the service.
We also sell a number of value-added services, such as mobile device applications and data mining tools. We're further planning to introduce some premium services such as asset allocation tools and funds transfer capabilities.
Banking Strategies: You are, of course, a private company and don't have to publish your financial statements. But can you say whether you're profitable yet?
Singh: I'll put it this way: it's hard to make money with tens of thousands of users. It's hard to make money with hundreds of thousands of users. But our system is going to make money with millions of users. It's a volume play. So we're not profitable yet. But we are positioning ourselves to serve millions of users. Right now, our 65 institutional partners reach more than 100 million retail customers.
Banking Strategies: How do the banks fit into this business model?
Singh: A bank can interact with us in two ways. As a distribution partner, the bank essentially purchases our services and offers it to their consumers on their Web site. Chase Manhattan Corp. is a distribution partner, for example, as are Citigroup and Morgan Stanley. They're essentially using us to offer a private-label aggregation service.
The second method applies to banks that don't want to offer account aggregation on their own Web sites. Instead, they work with us to ensure the security and integrity of the data we pull from their site. They do this as content partners with the Yodlee aggregation service, through direct OFX feeds.
Ultimately, other models could develop as we build additional applications. Some of those models could be co-developed with our banking partners. For example, we're looking at leveraging some of our current partnerships to develop new models for activities such as funds transfer, or person-to-person transactions.
So I think you'll see us develop some core applications with financial services partners in the coming years.
Banking Strategies: Looking down the road, say five years, how do you think Yodlee will be positioned, vis-à-vis the banking industry?
Singh: In five years, I see us as a critical component or part of the infrastructure of the bank. I think it's quite plausible that we'll be sitting somewhere within a bank's firewalls as a key piece of technology that's running alongside the online banking platform, or within the online banking platform.
As banks use more proprietary and third-party data to create a robust set of services, they'll start to look lot like portals. And we'll be a critical part of the platform enabling that functionality.
Banking Strategies: Banks, of course, are very concerned about the security and privacy issues involved with aggregation. How does Yodlee deal with that concern?
Singh: Security is not inherently tied to screen-scraping, but rather involves managing the password, the authentication system. When we pull information from a site, we do so with a secure connection. Every session is encrypted. In fact, the protocols are more secure than those used on many financial Web sites today.
The key security risk lies with the storage of the customer's user name and password. For us, the question is: how do we store that password so it can't be accessed by a Yodlee employee or a third-party hacker?
We mitigate that risk by storing the user's authentication credentials within the highest security systems available at a third-party data facility managed by our strategic partner, Exodus Communications of Santa Clara, Calif. We're one of three companies on the Internet that has that level of security.
The user's Yodlee master password, in fact, is encrypted in such a way that no one, including any Yodlee employee, can retrieve it. If you lose it, even I can't retrieve it for you. We would rather you set up your system again than risk unauthorized access to that password.
In addition, physical access to the database is restricted to just two or three senior Yodlee employees. And even those employees need to present physical identification and submit to biometric authentication — a fingerprint scan — to get that access.
We also pledge to our institutional partners that we're completely at fault if our employees do anything fraudulent or misuse the customer data. Our contractual obligations are unlimited. If a Yodlee employee compromises a partner's data, that partner can seek damages against us without limit, as it's within our control to hire the right people to manage this sensitive system.
Finally, many of our financial institution partners perform regular security audits on us, as does Ernst & Young, our security partner, and hacking companies whose names we don't reveal.
Banking Strategies: Critics often accuse aggregators of offering unregulated, and therefore unprotected, service. What sort of regulation does Yodlee deal with today, and what do you envision for the future?
Singh: Statements to the effect that there are no protections are untrue. The protections are created in one-to-one, negotiated commercial relationships. When we sign contracts with companies such as Chase, Citigroup and Morgan Stanley, we live up to the protections promised in those contracts.
There is no industry benchmark for what we should and should not do. And because our first clients were influential institutions that were anxious about protecting their customers, they extracted a lot from us in terms of protection. But those protections are not visible to the consumer, nor transparent and benchmarked against an industry standard. That's the issue.
Now, there are pertinent regulations contained in the recent Gramm-Leach-Bliley law, in the privacy section. There's also Regulation E, which has to do with unauthorized funds transfer. Both are consumer- oriented and applicable to consumer-facing Web sites.
While Yodlee is not a consumer-facing Web site, it is a vendor to a regulated industry. So examiners probably have the right to come in and audit us. That hasn't happened yet. But we expect that if OCC examiners were looking at, say, Salem Five Cents Bank, they could also ask to audit Yodlee as a vendor. It all depends on how well we govern ourselves to maintain consistently high standards. We need to make our financial institution partners feel comfortable with our procedures and policies.
The biggest risk we face is a "bad egg" risk. It's the risk that a startup company will decide to dabble in aggregation without first establishing the proper infrastructure and safeguards. Bad experiences with one provider can hurt the general perception of all the others.
I'm not saying we're perfect at Yodlee. But we spent a year and a half building this infrastructure and had it audited by consumer financial institutions such as banks, brokerages and credit card companies. We want to make sure the bar is set high in this industry, in terms of infrastructure requirements, so that you can't just put the service out there without having the proper security and technical infrastructure in place.
Mr. Cline is senior editor of Banking Strategies.