Plaid, Envestnet Yodlee, and MX Technologies aren’t exactly household names. But because of their sheer reach, they are some of the most powerful data exchanges in the world connecting many of the apps we rely on every day. Recently, Plaid said that 1 in 4 people with a bank account in the United States had used Plaid.
The reality is, most people don't know what data aggregators are – let alone how they impact their financial habits or how financial institutions are using them. On the other side of the equation, financial institutions often lack information about data aggregators as well, and are ill-prepared to communicate the risks and benefits to their end users.
Having a deeper knowledge of how data aggregators function is key to unlocking the benefits they offer while avoiding their potential security risks.
Data aggregators are companies that facilitate data exchange by connecting a consumer’s or business’s financial accounts to authorized fintech partners, providing information the companies need to power their services.
For example, the person-to-person payment service Venmo uses Plaid to connect with banks and credit unions to transfer funds. Betterfin uses Envestnet Yodlee to get access to cash flow data to facilitate small business loans. When someone signs up for Venmo or Betterfin, they give those fintech companies access to their bank accounts using data aggregators.
Data aggregators, like any technology, come with the potential for risk. For one thing, aggregators connect with many institutions, which means more possible points for breaches and leaks. For another, aggregators that rely on scraping rather than on APIs are more susceptible not only to security issues but also to compliance issues, as data is obtained without explicit permission. These practices can lead to future connectivity and accessibility issues as institutions block these aggregators. Other connectivity issues are linked to the number and quality of connections. These risks call into question how “future-proof” these data aggregators are: can they adapt to the ever-changing digital environment and continue to provide good information? When you know what questions to ask, you’ll have a better idea of the potential risks.
Luckily, there are constantly evolving ways to reap the benefits of data aggregators while minimizing risk. The key is to know how aggregators work, how they gather information, and to be aware of other practices like open authorization protocols that can be leveraged to protect customers and institutions.
When looking for an aggregator, it's best to know how many connections to financial institutions the aggregator has, but also understand how many connections come from scraping and how many come from APIs. Ideally, your aggregator should be using APIs to make connections, as they are more secure and less likely to end up leaking sensitive data.
As fintech companies such as Venmo and Betterfin make widespread use of data aggregators, banks and credit unions can use them as well to make their customers’ financial lives easier. For example, Envestnet Yodlee, which serves 15 of the top 20 banks in the United States, can pull data from a variety of sources, including investments and credit cards outside the financial institution. Banks and credit unions can use that information to offer customers a complete view of their financial lives, not just of their bank or credit union accounts, which means that customers can also take advantage of what aggregators offer.
The Spanish banking giant BBVA USA, for example, has a mobile app and online banking tool that allows customers to track spending using all their checking, savings and credit card accounts, inside and outside the bank. Customers can pre-set budget limits inside the tool and watch the colors change from green to yellow to red as they near or exceed their spending limits. The tool also allows customers to pay off debt and forecast cash flow.
Financial institutions also can use data aggregators to suggest products and services to customers. The aggregators can tell you which customers have an auto loan with a competitor or what interest rates customers pay on a competitor’s mortgage. Banks and credit unions can use that information to target customers for specific offers that will be attractive to them. Data aggregators are also used by financial institutions to ensure compliance with Bank Secrecy Act and know-your-customer regulatory requirements.
Data aggregators can also serve clerical functions. They verify identities and retrieve names, phone numbers, addresses, and emails for account holders. Data aggregators are used to autofill applications for customers, who then verify the accuracy of the autofill, speeding up new customer applications and onboarding.
They can also help customers manage their accounts, and cut down on paperwork. These small efficiencies can make a real difference when it comes to the ease and speed of using banking apps – something that can mean the difference between a fully opened account and an abandoned application.
Of course, not all banks and credit unions are happy about the security implications of data aggregators. Security is arguably a financial institution’s most important service to its users. The problem is that some data aggregators historically have connected to a bank account using screen scraping – obtaining a customer’s login and password and using that to unlock the bank account. For many, this poses alarming concerns. Will the data aggregators sell the data they obtain or scrape much more than they need from a customer’s account? Will they store that information and then lose it in a cyberattack? In some instances, banks have even blocked some aggregators over the issue of screen scraping.
To answer such concerns, the industry is moving toward using APIs. APIs are the gold standard for connecting with outside firms and are much more secure than screen scraping because they allow bank and credit union customers to use third-party applications without giving up their passwords and credentials.
APIs also help limit the scope of data the aggregators get. The largest bank in the nation, JPMorgan Chase & Co., requires Plaid and other data aggregators to connect securely to the bank using APIs. It’s expensive and time-consuming to develop APIs in-house. Digital banking providers can develop secure APIs for banks and credit unions so they don’t have to find the staff and time to do so. Financial institutions need to make sure their digital banking providers offer an easy-to-use API solution to power the revolution in banking services.
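The difference between the two access models described above, as an added illustration that is not from the original article or from any bank's or aggregator's real API: a toy in-memory bank (every class, method, scope name, and value is hypothetical and constructed) where the scraping path exposes everything behind the password, while the API path issues a token limited to customer-approved scopes that can be revoked on its own.

```python
import secrets

# Constructed sample account; every value here is hypothetical.
PASSWORD = "correct-horse"
DATA = {
    "balances": {"checking": 1520.44},
    "transactions": [{"amount": -42.10, "payee": "Grocer"}],
    "identity": {"name": "A. Customer", "address": "1 Main St"},
}

class Bank:
    def __init__(self):
        self.tokens = {}  # token -> set of scopes the customer approved

    def _check_password(self, password):
        if not secrets.compare_digest(password, PASSWORD):
            raise PermissionError("bad credentials")

    def scrape_login(self, password):
        """Screen-scraping path: the aggregator holds the customer's
        password, so it can read everything the customer can."""
        self._check_password(password)
        return DATA

    def grant(self, password, scopes):
        """API path: the customer authenticates to the bank directly and
        approves specific scopes; the aggregator only ever sees the token."""
        self._check_password(password)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = set(scopes)
        return token

    def api_get(self, token, resource):
        """Serve a resource only if the token is live and scoped for it."""
        scopes = self.tokens.get(token)
        if scopes is None:
            raise PermissionError("unknown or revoked token")
        if resource not in scopes:
            raise PermissionError("token not scoped for " + resource)
        return DATA[resource]

    def revoke(self, token):
        """Disconnect one app; the password and other tokens are untouched."""
        self.tokens.pop(token, None)

def exposed_by_scraping(bank):
    """Names of every data category a scraper holding the password can read."""
    return sorted(bank.scrape_login(PASSWORD))
```

With scraping, cutting off one aggregator means changing the password, which also breaks every other app that stored it; with tokens, `revoke` removes a single connection.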
With secure and accessible APIs, banks and credit unions can leverage the benefits of aggregating data without compromising the protection of customers, resulting in superior digital platforms that are safe to use.
And of course, one of the best things financial institutions can do is to educate their customers alongside themselves when it comes to data aggregators. That way, customers can feel more confident about their finances and take a more active role in expressing their needs and concerns. Some banks even provide the kinds of questions mobile customers should ask regarding their data.
Financial institutions can provide this information for their customers and members through literature and FAQs, and become a trusted resource on financial and fintech literacy.