Account aggregation is a service that gathers information from many websites, presents that information to the customer in a consolidated format, and, in some cases, may allow the customer to initiate activity on the aggregated accounts. The information gathered or aggregated can range from publicly available information to personal account information (e.g., credit card, brokerage, and banking data). Aggregation services can improve customer convenience by avoiding multiple log-ins and providing access to tools that help customers analyze and manage their various account portfolios. Some aggregators use the customer-provided user IDs and passwords to sign in as the customer. Once the customer's account is accessed, the aggregator copies the personal account information from the website for representation on the aggregator's site (i.e., "screen scraping"). Other aggregators use direct data-feed arrangements with website operators or other firms to obtain the customer's information. Generally, direct data feeds are thought to provide greater legal protection to the aggregator than does screen scraping.
Financial institutions are involved in account aggregation both as aggregators and as aggregation targets. Risk management issues examiners should consider when reviewing aggregation services include:
- Protection of customer passwords and user IDs - both those used to access the institution's aggregation services and those the aggregator uses to retrieve customer information from aggregated third parties - to assure the confidentiality of customer information and to prevent unauthorized activity,
- Disclosure of potential customer liability if customers share their authentication information (i.e., IDs and passwords) with third parties, and
- Assurance of the accuracy and completeness of information retrieved from the aggregated parties' sites, including required disclosures.
Additional information regarding management of risks in aggregation services can be found in appendix D.