Should you trust online bank-account aggregators?

Online tools can offer an easy way to keep an eye on your money, but security worries remain. New EU rules could change that next year, says Emma Lunn.

How many bank accounts do you have? The chances are that you have a current account for day-to-day transactions, a savings account, an individual savings account, a mortgage and credit card, among others – quite possibly more than one of each. And it’s highly unlikely all your financial products are with the same provider. Shopping around can yield better deals – but it can also make keeping an eye on your financial situation tricky and time-consuming.

Account aggregators, or personal financial management (PFM) software, offer a solution. These compile information from different financial institutions and types of account in one place. Aggregators are nothing new (the now-defunct Egg Money Manager was launched in 2001), but they’re becoming cleverer and more intuitive as well as being available as smartphone apps rather than just on the web. And new European Union regulations coming into force next year mean that we’re likely to see more aggregators entering the market.

Dutch bank ING is the latest institution to back an aggregator app, Yolt, which is currently in the beta-testing phase for iOS and Android. It takes on more established players such as OnTrees (owned by MoneySupermarket and available on the web and iOS) and Money Dashboard (available on the web, iOS and Android). All three services integrate users’ financial accounts from different providers into a dashboard. Features vary but, in general, users can get an overview of their finances, see where they are spending their money, and see a predicted month-end balance based on upcoming payments.

Cui bono?

So what’s in it for the aggregators? Unsurprisingly, they haven’t invested millions in technology for altruistic purposes, and they usually make money by sharing data, selling products, or both.

Yolt, for example, offers an energy price comparison tool in conjunction with Runpath and a partnership with money transfer comparison service Moneytis. It plans more partnerships for the future. Money Dashboard makes money from both selling data – not about individuals but anonymous spending information from groups of users – plus commission from providers if a user buys a financial product based on its suggestion. OnTrees’ privacy policy states that it shares information both with suppliers and other firms in the MoneySupermarket group.

“Data selling is something a lot of aggregators need to do to keep their businesses running,” says Jamie Campbell of Bud, a new account aggregator that launched in November 2016. It aims to be part personal-finance dashboard, part fintech marketplace, and says it does not sell customers’ data. “Our company makes revenue from the bank partnerships and the introduction of new financial services to customers.” To this end, Bud has already partnered with a number of fintech companies such as Nutmeg (investments), Azimo and TransferWise (currency exchange), and PensionBee (pensions). It’s also finalising a partnership with Western Union.

The security threat

However, it’s not just data privacy that users are likely to be concerned about. To read your account details, an aggregator has to log in to your online banking as you, which means handing your PINs and passwords to a third party, and that raises some serious security issues. A few platforms, such as Bud, say they have built their systems internally, but most apps – including Yolt, OnTrees and Money Dashboard – use a US-based data-aggregation platform called Yodlee, which has become the industry-standard provider in this area.

When you supply your bank authentication credentials, it’s Yodlee that stores them, logs in to your account, reads your balance and transactions, and then passes that data to the aggregator – but not your login information. Importantly, the aggregators themselves are mostly designed to be read-only, which means they don’t carry out transactions or move money around. That limit, though, is a property of the aggregator’s software rather than of the credentials it holds: the same username and password would give anyone who obtained them the full access you have yourself. So what would happen if Yodlee (or any platform that holds this information) was hacked and the details leaked?

Unsurprisingly, Brian Costello, chief information security officer at Envestnet, Yodlee’s parent company, is keen to point out that a major security breach is unlikely at his firm. “Envestnet Yodlee’s security controls are indeed ‘bank grade’ and are regularly assessed by regulators, industry standard bodies, and our financial institution clients,” he says. “Additionally, a key control for us is the encryption of consumers’ credentials. Credentials are encrypted when at rest, when in motion and usually both.”

Check your terms and conditions

Yet in a worst-case scenario in which account details were leaked, account aggregation users may find they’re not covered for losses by their bank as they normally would be. It’s important to read your bank’s terms and conditions before you hand over your details as not all financial institutions take the same stance on this kind of security issue.

For example, Lloyds’ position is that customers who provide their secure credentials to a third party in order to participate in aggregation are putting themselves at risk. The bank’s terms and conditions state that online banking credentials should not be shared with any party and doing so removes Lloyds’ online fraud guarantee protection. Meanwhile, TSB says it assesses all fraud incidents on a case-by-case basis. A statement from the bank says that, provided the third-party firm was authorised by the Financial Conduct Authority (FCA), it’s unlikely a customer would be liable for fraud as a direct result of sharing their details with a third party. Both OnTrees and Money Dashboard are regulated by the FCA, while Yolt’s parent company ING is regulated in the Netherlands. (However, it seems to us that the presence of Yodlee – a US company – in the chain could complicate things.)

OnTrees is open about the fact that use of the platform may breach banks’ terms and conditions. Its small print states that “the use of this service may result in your bank refusing to pay out on any fraud associated with your account regardless of whether it is connected in any way to the service”.

However, Money Dashboard claims that “use of an aggregation service is not a reason for your bank not to compensate you”. Indeed, Money Dashboard’s head of operations Rory Bailey describes the terms and conditions of banks such as Lloyds as “unhelpful and potentially confusing” and claims that a bank would need to prove the account aggregation service was the source of any fraud in order not to pay out. “Our application is read-only and we have stringent security standards on a par with the rest of the banking industry. For these reasons, we remain confident that a consumer would not be disadvantaged by using our service,” he says.

A helping hand from the regulators

However, despite assurances from the aggregators, Professor Alan Woodward, a computer-security expert from the University of Surrey, is not so sure. “It’s convenient to see all your accounts in one place, but I don’t know whether it’s worth it. The services are read-only, but the information obtained in any hack could be used in other ways – to access accounts or in a scam,” he says. “Aggregators talk about encryption, but that’s more marketing than anything else – most people won’t know what it means anyway.”

Whether using an account aggregator makes good security sense at present is clearly open to debate. The risk that Yodlee is breached and stored credentials recovered may be small (note that an attacker who compromises the running service does not need to break the encryption, only to reach the key the service itself uses to decrypt credentials before logging in), but the potential consequences – given how many firms it serves – could be huge.

However, we’re likely to see more account-aggregation services launching from next year due to new European Union regulations, and at that point the security position may improve. The open banking initiative under the second payment services directive (PSD2) will require banks to open up access to customer data for authorised third parties through secure application programming interfaces (APIs), so that an aggregator can be granted access to account data without the customer ever handing over their online-banking login.
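To make concrete what changes when the bank, rather than the customer, hands out access, here is an added example contrasting the two models described above: the credential-sharing model (the aggregator stores your real password, encrypted at rest, and logs in as you) and an API model in which the bank issues the aggregator a read-only, revocable token. This is illustrative code written for this article, not code from Yodlee, Yolt, Money Dashboard or any PSD2 technical standard; the bank, the account, the scope names, the HMAC-signed token layout and the toy cipher are all assumptions made for the demo, and PSD2’s actual API standards are not described on this page.

```python
"""Added example (not Yodlee's, Yolt's or PSD2's code): credential sharing vs. scoped consent tokens.
Bank, scope names, token layout and the toy cipher are all assumptions made for this demo."""
import base64, hashlib, hmac, json, secrets


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHAKE-derived keystream: stands in for 'encrypted at rest'. A toy, not a recommendation."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode()

class Bank:
    """Toy bank (assumed for the demo) with two access paths: password login and a scoped consent token."""
    def __init__(self):
        self.passwords = {"alice": "correct horse battery staple"}  # demo only; a real bank stores a hash
        self.balances = {"alice": 1000}
        self.token_key = secrets.token_bytes(32)  # signs consent tokens; never leaves the bank
        self.revoked = set()

    # Path 1: whoever presents the password gets everything the customer can do.
    def login(self, user, password) -> dict:
        if user not in self.passwords or not hmac.compare_digest(self.passwords[user].encode(), password.encode()):
            raise PermissionError("bad credentials")
        return {"sub": user, "scope": ["pay", "read"]}

    # Path 2: a token naming the client and an explicit scope list, HMAC-signed by the bank.
    def issue_token(self, user, client, scopes) -> str:
        claims = {"sub": user, "client": client, "scope": sorted(scopes), "jti": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        return b64(payload) + "." + b64(hmac.new(self.token_key, payload, hashlib.sha256).digest())

    def open_token(self, token) -> dict:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        if not hmac.compare_digest(hmac.new(self.token_key, payload, hashlib.sha256).digest(),
                                   base64.urlsafe_b64decode(tag_b64)):
            raise PermissionError("token signature invalid")  # any edit to the claims lands here
        claims = json.loads(payload)
        if claims["jti"] in self.revoked:
            raise PermissionError("token revoked")
        return claims

    # Every operation checks the scope of the grant it was handed, whichever path produced it.
    def read_balance(self, grant) -> int:
        self._need(grant, "read")
        return self.balances[grant["sub"]]

    def pay(self, grant, amount: int) -> int:
        self._need(grant, "pay")
        self.balances[grant["sub"]] -= amount
        return self.balances[grant["sub"]]

    @staticmethod
    def _need(grant, scope):
        if scope not in grant["scope"]:
            raise PermissionError(f"scope {scope!r} not granted")

def allowed(action) -> bool:
    try:
        action()
        return True
    except PermissionError:
        return False

def simulate_credential_breach() -> dict:
    """Model 1: the aggregator keeps Alice's real password under a key it must hold online to log in."""
    bank = Bank()
    vault_key = secrets.token_bytes(32)  # must be reachable by the running service, so a full compromise gets it too
    vault = {"alice": toy_stream_cipher(vault_key, bank.passwords["alice"].encode())}
    legit = bank.read_balance(bank.login("alice", toy_stream_cipher(vault_key, vault["alice"]).decode()))
    stolen = toy_stream_cipher(vault_key, vault["alice"]).decode()  # attacker has vault + key
    grant = bank.login("alice", stolen)  # to the bank this is simply Alice logging in
    return {"legit_read": legit,
            "attacker_read": allowed(lambda: bank.read_balance(grant)),
            "attacker_pay": allowed(lambda: bank.pay(grant, 250)),  # 'read-only' was the app's habit, not a limit on the access
            "balance_after": bank.balances["alice"]}

def simulate_token_breach() -> dict:
    """Model 2: the aggregator keeps only a read-scoped token; the password never leaves the bank."""
    bank = Bank()
    token = bank.issue_token("alice", client="aggregator", scopes={"read"})
    legit = bank.read_balance(bank.open_token(token))
    grant = bank.open_token(token)  # attacker replays the stolen token
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["scope"] = ["pay", "read"]  # attacker edits the scope but cannot re-sign it
    forged = b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag_b64
    result = {"legit_read": legit,
              "attacker_read": allowed(lambda: bank.read_balance(grant)),  # data exposure is still real
              "attacker_pay": allowed(lambda: bank.pay(grant, 250)),
              "attacker_forge_pay": allowed(lambda: bank.pay(bank.open_token(forged), 250))}
    bank.revoked.add(bank.open_token(token)["jti"])  # the bank cuts off this one grant; no password change needed
    result["attacker_read_after_revoke"] = allowed(lambda: bank.open_token(token))
    result["balance_after"] = bank.balances["alice"]
    return result
```

Running both simulations makes the difference between the models visible. In the credential model the attacker’s session is indistinguishable from the customer’s, so money moves and the only remedy is for every affected customer to change their password. In the token model the attacker can still read the balance (Professor Woodward’s point that leaked information has other uses stands), but cannot pay, cannot upgrade the token’s scope because the bank’s signature no longer verifies, and cannot reuse the token once the bank revokes that single grant. Scope enforcement on the bank’s side, not the aggregator’s promise to behave, is what makes “read-only” a security property.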

“As of next year, we will likely see the arrival of aggregators in Europe that do not require your login details in order to access and aggregate your data: all of the benefits without the privacy and security risks,” says John Egan, director at digital financial services firm Anthemis. “It seems increasingly likely that banks themselves will also look to aggregate people’s data in order to help them optimise the decisions they make.” When this happens, aggregators may become much more popular tools.