Aggregation is surely a boon to consumers—just ask travelers who go to these sites to find the best deals from airlines and hotels. But while serving up convenience and value, do they take revenue away from providers? And if so, is that a bad thing?
While there have been many aggregators catering to the financial services industry for some time now, the question is taking on new urgency, and not for a particularly good reason. In sum, it’s because some big names in the business have shut off access, if only temporarily, to their data vaults. If such actions become cemented in policy, other banks will surely follow suit, and it could have a profound impact on the entire industry dynamic.
Let’s step back for a second. The reasoning behind account aggregation makes perfect sense—it compiles key data from multiple accounts and sources, including bank accounts, credit cards, investments, etc., and serves them up with a single view. This is exactly how technology should work. So what’s the problem?
Well, it was recently reported that Bank of America, JPMorgan Chase and Wells Fargo—all blue-chip names in our industry—have disrupted relevant data flow to third-party financial aggregators. With minor differences, the primary reasons cited are similar: This level of open access introduces unwanted technical difficulties and potential security risks.
It’s undoubtedly a valid concern: Even without the rash of security breaches, banks are under enormous pressure to maintain tight security over their sensitive customer information. Theoretically at least, the more access third parties have, the more possible vulnerabilities there are.
That said, there have been no reported cases of significant data breaches at any of the well-known financial aggregation services providers. In fact, most of them highlight the level of security they ensure for all of their services. By contrast, there have been quite a few successful hacks at the largest banks. Just last month, three people were charged with committing the largest theft of consumer data ever from a financial services provider. The institution in question: JP Morgan Chase, one of the banks that recently cut off access to third-party providers.
To be clear, these banks are not acting in concert—each has its own particular reasons, mostly having to do with upgrades to their own security systems. For example, Wells Fargo maintains that customer data security is an ongoing priority, which regularly mandates the implementation of new technologies and policies. Understandably, these can sometimes cause compatibility problems, which can usually be managed by customers verifying their credentials. Meanwhile, Chase wants customers to realize “that they may be trading account security for convenience when handing over their password [to the third-party sites].”
But there’s likely more to it than that. First, the practice of third parties using the banks’ own data to offer alternative services must rankle many in the business. It may be inevitable, but it’s still unwelcome.
More to the point, it takes the old question of technology vs. financial services even further. Providers like Mint and Yodlee didn’t originate in the banking business, and they don’t play by the same rules. Nor are they content with offering a single-access view—they offer many other capabilities, and they’ll keep doing so. Meanwhile, moving forward, there’s going to be more competition from more startups in this area, and that will put even more pressure on the banks themselves to allow even greater access without interruption.
In the future, just going by the law of probability, there might be a high-profile breach at one of the third-party providers, giving the banks more reason to restrict access. However, just as aggregation has become woven into the foundation of many other industries—think travel, retail and insurance—this might be a genie that’s not going back into the bottle. Instead of curtailing access, financial institutions may need to come up with alternative solutions that maintain a competitive edge against third-party solutions.