Appendix D: Aggregation Services
Account aggregation is a service that gathers information from many websites and presents that information in a consolidated format to the customer. The information gathered can range from publicly available information to personal account information (e.g., credit card, brokerage, and banking data). Typically, the aggregator obtains the personal account information by using customer-provided usernames and passwords to enter websites. Aggregators typically collect information through direct data feeds from the aggregation target or by "scraping" the information from the targeted webpages. The collection method used varies based on the aggregator's relationship with the operator of the target website. Emerging capabilities include offering customers the ability to initiate transactions, obtain financial advice, and use shopping services to scan the Web for products. Many experts believe institutions that provide aggregation services have the opportunity to deepen their customer relationships by leveraging their position as trusted financial intermediaries.
Financial institutions engaged in aggregation services assume an increased level of risk and must institute compensating risk management practices.
Transaction/operations risk - The highly sensitive nature of the information collected and stored by aggregators greatly increases the risk associated with aggregation services. The aggregator's ability to protect stored customer IDs and passwords and to provide accurate and timely delivery of information from the customer's accounts is the most significant factor in assessing the level of operations risk in aggregation services.
Strategic risk - Strategic risk is the second highest exposure in aggregation services. This is due not only to the relatively unproven success of this service, but also to the fact that the applicability of legal and compliance requirements to the service has yet to be fully defined.
Reputation risk - Reputation risk is another significant consideration in aggregation services. However, in most instances it is a second-tier issue (i.e., potential damage to the institution's reputation stemming from operational or legal risk issues discussed above).
Risk management of aggregation services is based on the same concepts that apply to other financial services (i.e., risk identification, measurement, monitoring, and control). Some of the unique concerns financial institutions should consider in managing aggregation risks are discussed below.
AGGREGATION SERVICE PROVIDERS
Typically, a financial institution provides an aggregation service under its brand name through a third-party service provider. That service provider serves as a prime contractor, specializing in gathering, storing, protecting, and presenting information to the customer. The third-party service provider, in turn, may outsource some of its features, such as bill payment, to other specialists. The institution or third-party service provider also may provide or outsource software that analyzes customer behavior and suggests financial products for that customer. Aggregated financial information often comes from other websites, the owners of which may not be aware that they are providing content and thus lack contracts or agreements with the aggregating institution or service provider.
Because aggregation is at an early stage of development and customer acceptance is low, institutions should consider how evolving standards and customer acceptance for aggregation services may affect e-banking strategies. Further, reliance on third-party service providers introduces strategic risks that institutions should consider. For example, some third-party service providers may be financially unstable or unable to provide reliable service. Others may develop or market services in ways that are incompatible with the institution's goals. Further, some arrangements, such as co-branding, may make it more difficult to change providers if problems arise.
The viability of aggregation services depends heavily on meeting customer expectations, including availability, confidentiality, data integrity, and overall service quality. Moreover, as customer acceptance grows, customers are likely to expect aggregator institutions to innovate and provide additional services. Failure to meet customer expectations (whether provided by the institution or a third-party provider) can undermine customer confidence and trust. This could hinder the institution's ability to retain existing customers and to offer other e-banking products and services in the future.
Aggregation relies on data transmission from various websites through the aggregator's website to the end-customer's Internet browser. If the integrity of the data is compromised or if the data is not current, the customer could receive erroneous or dated information, which could adversely affect customer decisions. Timely and correct information is especially important in environments where purchases, sales, and asset transfers take place.
Information security is critical because aggregators centralize the storage of usernames and passwords that provide access to other websites, as well as personally identifiable customer information from many other websites. A security breach could compromise numerous customer accounts. Because sensitive information is centralized, attackers may be more likely to target the aggregator's systems. A financial institution acting as an aggregator should carefully consider its potential liabilities and assess whether it and its third-party providers have adequate security.
Inadequate authentication measures may expose aggregator institutions to liability if these measures weaken the security of other websites. Because both the aggregator and the customer typically enter the target website using the same username and password, the target website may not be able to identify the true system user (i.e., customer or aggregator), diminishing the effectiveness of the target's access controls and record keeping. Additionally, entry to the target website may be gained automatically from the aggregator's website, effectively bypassing some of the target website's protections against fraud and theft of authentication devices.
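The credential alone cannot tell the target website who is at the keyboard. What a target site can still do is look at how the credential is being used. The following is an added example, not from the booklet or any institution's own code: it reads a constructed login log and labels each source address, on the assumption that one address authenticating as several different customers within a few minutes is a shared-credential client (an aggregator replaying stored passwords, or a credential-stuffing attack) rather than a customer at a browser. The log format, addresses, user-agent strings and thresholds are all assumptions made for the demo.

```python
"""Added example (not part of the booklet): one way a target website can tell
sessions that arrive through a shared credential from the customer's own
browser sessions, since the username and password alone cannot. The log
format, source addresses, user-agent strings and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed successful-login records in an assumed "LOGIN_OK" format.
AUTH_LOG = """\
2001-08-15T03:00:01Z LOGIN_OK user=alice src=203.0.113.10 ua="AggBot/1.0"
2001-08-15T03:00:02Z LOGIN_OK user=bob src=203.0.113.10 ua="AggBot/1.0"
2001-08-15T03:00:03Z LOGIN_OK user=carol src=203.0.113.10 ua="AggBot/1.0"
2001-08-15T03:00:04Z LOGIN_OK user=dave src=203.0.113.10 ua="AggBot/1.0"
2001-08-15T09:12:44Z LOGIN_OK user=alice src=198.51.100.7 ua="Mozilla/5.0 (Windows NT 5.0)"
2001-08-15T12:45:10Z LOGIN_OK user=bob src=192.0.2.33 ua="Mozilla/5.0 (Macintosh)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) LOGIN_OK user=(?P<user>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed log into dicts carrying a UTC datetime. Lines that
    do not match are skipped so one malformed line cannot abort the run."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(e)
    return events


def classify_sources(events, min_distinct_users=3, window_seconds=600):
    """Label each source address. A source that authenticates as several
    different customers inside a short window is not one customer at a
    browser: it is either an aggregator replaying stored credentials or a
    credential-stuffing attack, and the credential itself cannot say which.
    The thresholds are assumptions for the demo, not figures from the booklet."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    labels = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        labels[src] = "interactive"
        for i, first in enumerate(evs):
            users = {
                e["user"]
                for e in evs[i:]
                if (e["ts"] - first["ts"]).total_seconds() <= window_seconds
            }
            if len(users) >= min_distinct_users:
                labels[src] = "shared-credential-client"
                break
    return labels


def label_sessions(events, **kw):
    """Return (user, src, label) per login so the same credential's sessions
    can be kept apart in access-control decisions and in the site's records."""
    labels = classify_sources(events, **kw)
    return [(e["user"], e["src"], labels[e["src"]]) for e in events]
```

Run over the constructed log, `alice` shows up twice with the same credential: once from the source that logged in as four customers in four seconds, once from an ordinary browser. The label is a behavioural hint that the site can record with each session or use to apply tighter limits; it is not proof of who acted, which is exactly the attribution gap the paragraph describes.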
Aggregators that receive and facilitate transactions have the additional risk of liability for unauthorized or disputed transactions. In situations where a dispute arises after an aggregator communicates a request from the customer to another website, the aggregator may need to trace the transaction. If the aggregator does not have good audit trails that prove the customer originated the transaction and that the transaction was transmitted correctly, the aggregator or institution would be potentially liable.
Aggregators typically collect data from target websites by one of two means: screen scraping or direct data feeds. Screen scraping involves copying information from a target webpage accessed using the customer's previously provided password and PIN. Such activity may occur without the consent or knowledge of the target website. Direct data feeds involve the cooperative exchange of information between the target website and the aggregator. Data-feed arrangements frequently reduce transaction risk by implementing technologies that are more reliable and traceable than other data-gathering techniques.
In some cases, aggregators may be blocked from gaining access to information from target websites. For example, target websites may change the location of information on a webpage or change passwords. Additionally, the target websites may have data integrity problems that they report on their webpage. This information may not be captured by the aggregator's information collection mechanisms and reported to the institution's customers. Such situations may result in failing to meet customer expectations and may result in inaccurate or incomplete information. Another challenge facing aggregators is the interpretation and accurate presentation of the data gathered from other websites. For example, aggregators may discover similarly named data elements have different definitions. An incorrect presentation of data could result in customer confusion and incorrect decisions.
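The two collection methods fail differently, and the scraping failure is the quiet one: a layout change or a similarly named field does not raise an error, it returns the wrong number. The block below is an added example, not code from the booklet or from any aggregator: a positional scraper in the usual style (find the label, take the next cell) run against two constructed versions of a target page, beside a parser for an assumed JSON direct feed that carries explicit field definitions and an `as_of` timestamp and rejects records that do not match. The HTML, the feed layout and its field names are assumptions made for the demo.

```python
"""Added example (not from the booklet): screen scraping beside a direct data
feed. The HTML pages, the JSON feed, its field names and the 'as_of'
convention are constructed for the demo."""
from html.parser import HTMLParser
import json

# Constructed target page, first version: one "Balance" row.
PAGE_V1 = """<html><body><table>
<tr><td>Account</td><td>****1234</td></tr>
<tr><td>Balance</td><td>$1,250.00</td></tr>
</table></body></html>"""

# Constructed second version after a layout change: the site now posts a
# data-integrity notice and splits the figure into two similarly named rows
# with different definitions.
PAGE_V2 = """<html><body>
<p class="notice">Balances may be delayed due to a posting problem.</p>
<table>
<tr><td>Account</td><td>****1234</td></tr>
<tr><td>Available Balance</td><td>$200.00</td></tr>
<tr><td>Current Balance</td><td>$1,250.00</td></tr>
</table></body></html>"""


class CellCollector(HTMLParser):
    """Collects the text of every <td> in document order. Text outside table
    cells, such as the notice paragraph above, is never seen."""

    def __init__(self):
        super().__init__()
        self.cells = []
        self._in_td = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self._in_td, self._buf = True, []

    def handle_data(self, data):
        if self._in_td:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "td":
            self.cells.append("".join(self._buf).strip())
            self._in_td = False


def scrape_balance(html, label="Balance"):
    """Positional scrape: the value is the cell after the first cell whose
    text contains *label*. Returns None when no such cell exists. On PAGE_V2
    this silently returns the available balance, a different data element."""
    p = CellCollector()
    p.feed(html)
    for i, cell in enumerate(p.cells[:-1]):
        if label in cell:
            return p.cells[i + 1]
    return None


# Assumed feed contract: field names with fixed meanings, all strings, and
# the time at which the target system produced the figures.
FEED_SCHEMA = {
    "account_id": str,
    "current_balance": str,
    "available_balance": str,
    "as_of": str,
}

# Constructed feed record for the same account.
FEED_V1 = json.dumps({
    "account_id": "****1234",
    "current_balance": "1250.00",
    "available_balance": "200.00",
    "as_of": "2001-08-15T09:30:00Z",
})


def parse_feed(payload):
    """Direct data feed: validate the record against the agreed schema and
    refuse it, rather than guess, when a field is missing or mistyped."""
    rec = json.loads(payload)
    missing = [k for k in FEED_SCHEMA if k not in rec]
    if missing:
        raise ValueError(f"feed record missing fields: {missing}")
    for k, t in FEED_SCHEMA.items():
        if not isinstance(rec[k], t):
            raise ValueError(f"field {k!r} is {type(rec[k]).__name__}, expected {t.__name__}")
    return rec
```

Against PAGE_V1 the scraper returns $1,250.00; against PAGE_V2 it returns $200.00 with no indication that the definition changed, and the posting-problem notice is lost because it is not in a table cell. The feed parser either returns a record whose `as_of` can be shown to the customer or raises, which is the traceability the paragraph attributes to data-feed arrangements.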
LEGAL AND COMPLIANCE REQUIREMENTS
Aggregation services raise three key compliance risk issues: the application of Regulation E, asset management, and privacy.
In aggregating customer information, institutions should closely monitor regulatory changes in the application of Regulation E. Currently, Regulation E, which implements the Electronic Fund Transfer Act, does not specifically address the responsibilities of aggregators. The Federal Reserve Board requested comments on this issue in June 2000. A final regulation had not been issued at the time of this booklet's issuance. In the absence of guidance, institution management should be conservative when interpreting possible Regulation E compliance obligations in connection with aggregation services.
Aggregators that provide electronic fund transfer services could come within the current coverage of Regulation E in the following ways.
- If the aggregator is a financial institution and holds consumer accounts in the institution, the aggregator is covered by Regulation E when it agrees with the consumer to provide electronic fund transfer services to or from the account.
- If an aggregator institution issues a card, PIN, or other access device to the consumer and agrees to provide electronic fund transfer services with respect to accounts at other institutions, it is generally covered by Regulation E. However, if the aggregator institution does not have an agreement with these other institutions concerning the electronic fund transfer services, a special set of rules under Regulation E for "service providers" applies.
Institutions and aggregation service providers should also consider the possibility that providing customers with an automatic log-on feature to conduct electronic fund transfers on other entities' websites could trigger the application of Regulation E if such automatic log-on features could be considered, in essence, an access device for electronic fund transfer services.
Asset management encompasses a broad range of activities, such as trust and fiduciary services, retail brokerage, and financial planning, where investment advice is provided for a fee or commission. In particular, institutions aggregating clients' account information should ensure compliance with the Bank Secrecy Act. Depending on the nature of the services provided in connection with aggregation of account information, financial institutions should also comply with the Employee Retirement Income Security Act of 1974 (ERISA), and other applicable laws, regulations, and policies. Banks should also comply with applicable fiduciary standards imposed pursuant to 12 CFR Part 9 and savings associations should also comply with 12 CFR part 550.
In addition to aggregating account information, aggregator institutions may provide links to affiliated and unaffiliated third-party websites that allow consumers to buy securities and insurance products directly. In these instances, institutions should clearly distinguish on their websites between products and services that are offered by the institution and those offered by third parties. In general, the institution should use clear and conspicuous language to explain its role and responsibility for products and services offered on any third-party webpages. For institution webpages that provide links to third-party pages that enable institution customers to open accounts or initiate transactions for non-deposit investment products, the disclosures also should alert customers to risks associated with those products (e.g., by stating that the products are not insured by the FDIC, are not a deposit, and may lose value).
It is important to note that compliance with one statute does not guarantee compliance with another.
If aggregation services include the initiation of transactions, institution management should ensure aggregation processes are sufficiently robust to address issues relating to the validity of transactions, such as attribution and non-repudiation. Those processes go beyond security measures and encompass coordination of record keeping with other websites. That coordination should be sufficient to enable the tracing of a transaction from the customer through the institution to the other websites, with reasonable controls to protect against unauthorized changes to the transaction. Good records can improve a financial institution's position in the event of disputes. Record keeping requirements should be based upon the level of activity and risk.
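The audit-trail requirement in the earlier transaction-liability paragraph and the tracing requirement here ask for the same thing: a record of each hop (customer, institution, other website) that a party cannot later alter without detection. The block below is an added example, not code from the booklet or from any institution: an append-only trace in which every entry carries the hash of the previous entry and an HMAC from the party that recorded it, so that changing an amount after the fact breaks both the chain and the recording party's signature. The party names, keys, transaction identifiers and payload fields are constructed for the demo; in practice the keys would be held by each party separately, not in one dictionary.

```python
"""Added example (not from the booklet): a hash-chained, per-party HMAC'd
trace of one customer instruction across the hops the booklet names. Party
names, keys, identifiers and payloads are constructed for the demo."""
import hashlib
import hmac
import json

# Assumed: one secret per recording party. Held together here only so the
# demo runs stand-alone; each party would hold its own in practice.
KEYS = {
    "customer-channel": b"demo-key-customer-channel",
    "institution": b"demo-key-institution",
    "target-site": b"demo-key-target-site",
}
GENESIS = "0" * 64


def _canonical(entry):
    """Stable byte encoding so every party hashes the same thing."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, party, txn_id, step, payload):
    """Record one hop. The entry binds to its predecessor through 'prev' and
    to the recording party through the MAC over its own hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "party": party,
        "txn_id": txn_id,
        "step": step,
        "payload": payload,
        "prev": prev,
    }
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    entry["mac"] = hmac.new(KEYS[party], entry["hash"].encode(), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Recompute every link and MAC. Returns (True, None) or (False, seq) with
    the first entry that was modified, reordered, or signed with the wrong key."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k not in ("hash", "mac")}
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i
        h = hashlib.sha256(_canonical(body)).hexdigest()
        if h != e.get("hash"):
            return False, i
        expected = hmac.new(KEYS[e["party"]], h.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("mac", "")):
            return False, i
        prev = h
    return True, None


def trace(chain, txn_id):
    """The customer-to-target path for one transaction, in order."""
    return [(e["party"], e["step"], e["payload"]) for e in chain if e["txn_id"] == txn_id]


def build_demo_chain():
    """Constructed instruction: a transfer passing through all three hops."""
    chain = []
    append_entry(chain, "customer-channel", "TXN-0001", "customer-instruction",
                 {"customer": "cust-42", "action": "transfer", "amount": "250.00",
                  "to": "****9876", "auth": "password+otp"})
    append_entry(chain, "institution", "TXN-0001", "forwarded-to-target",
                 {"target": "brokerage.example", "amount": "250.00"})
    append_entry(chain, "target-site", "TXN-0001", "target-acknowledged",
                 {"target_ref": "BRK-7781", "status": "accepted"})
    return chain
```

Verifying the untouched chain succeeds and `trace` yields the three hops in order; editing the forwarded amount afterwards makes `verify_chain` stop at that entry, because its hash no longer matches and a forger without the institution's key cannot produce a fresh MAC. A real deployment would also anchor the chain head somewhere the parties do not control, such as a periodic signed digest exchanged between institution and target website, which is the record-keeping coordination the paragraph calls for.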
Appropriate contracting can mitigate strategic, reputation, transaction, and compliance risks. Management should seek to control and manage these risks by structuring arrangements between the institution and the involved parties. Standardized contracts and the development and use of industry standards can facilitate those arrangements.
Contracting will primarily involve the institution, the institution's customer, and the aggregation technology provider. Customer agreements should specify the scope of the aggregating institution's authority to use the customers' passwords and other authenticators on their behalf. Moreover, customers should be advised of the degree of responsibility the institution assumes for the timeliness or accuracy of the information obtained from other websites.
The customer contract should provide the basis for realistic expectations about such matters as data timeliness and completeness, support, and service levels. For instance, transaction risks relating to data definitions and timing can be controlled by clearly disclosing when the aggregated information was obtained from the other websites and any material changes in the definition of data elements. Institutions should consider how best to direct customers to those customer service areas, whether at the institution, technology provider, or operator of another website that can most directly and effectively help resolve customer issues. Institutions should also be aware that the websites where information is aggregated might post disclosures that belong with the aggregated information. Management should consider whether and how to notify their customers of those disclosures.
The institution's contracts with technology providers should ensure the provided activities conform to applicable legal and policy standards, and should acknowledge the institution's regulator's authority to examine and regulate the provided activities authorized by 12 USC 1867(c) for banks and 12 USC 1464(d)(7) for savings associations. The contract should clearly disclose and authorize the roles and responsibilities of the institution and the technology provider. Contracts also should cover security requirements and reporting, performance reporting, data usage restrictions, data ownership, indemnification arrangements, data retention policies, business continuation arrangements, and submission of financial statements.
Contracts with Other Websites
To the extent that agreements with other websites are practical, those agreements should address:
- System security applicable to the acquired data and authentication information;
- Use of customer information;
- Timing and method of data access;
- Methods for verifying the aggregator's authority to access data on behalf of the consumer (including the authentication and authorization procedures used to verify the identity of account holders);
- Need for transaction logs of specific consumer instructions for the aggregator;
- Responsibility for the timeliness and accuracy of information to be provided; and
- Responsibility for delivery of disclosures and consumer notifications.