It became apparent to me lately that there is confusion about how personal financial data are accessed by fintech startups. As users are indifferently signing up for digital financial services, startups are glossing over data access mechanics and associated risks, and banks are hiding behind their legal clauses.
What am I talking about here? Let me break it down. Many finance apps rely on access to user bank accounts to pull transaction data for analysis, decision making, and so on. Personal finance management apps like Mint and cloud-accounting software like Wave require access to bank accounts; the banks in Canada, however — especially the large ones — don’t offer such access to third parties.
So how can fintechs access bank account data with no ready way to do so?
A workaround has existed since the early days of online banking: account aggregation. Account Aggregators come in many shapes and sizes, but in Canada, it seems that Yodlee, Plaid, MX, and Flinks are the most popular. An Aggregator’s primary function is to access user bank accounts and retrieve transaction details. To do so, Aggregators store usernames, passwords, and answers to verification questions. Using those credentials, they log in to user accounts and pull account data. They employ several methods, mainly screen scraping, to retrieve the data. Screen scraping is exactly what it sounds like: the user’s online banking pages are rendered and the transaction data are “scraped” from them, much like how Google crawls the web.
Pretty much every fintech that requires user bank account information (like Mint and Wave) relies on Aggregators to provide that service. Some smaller banks in Canada, like ATB and National Bank, use Aggregators to provide their users with a holistic view of the myriad accounts and credit cards they possess. The alternative would be the impossible task of a fintech connecting to every financial institution under the sun. Aggregators fill a critical role in advancing fintech innovation.
So what’s the problem?
This workaround is creating suboptimal user experiences. Integration issues are recurrent, resulting in delays in transferring transaction details, inaccurate mappings of data, and outright disconnections. Users are often asked to “reconnect” by re-entering their credentials. The causes of these issues can be as simple as the introduction of an advertisement on a bank webpage or the addition of new account security steps throwing off the automated scraping scripts. When this happens, Aggregators scramble to understand the changes and update their scripts, taking days or even weeks to resolve connection issues.
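As an added illustration (not code from the article or from any aggregator), the toy scraper below reads transactions from a bank page by cell position; when the bank inserts a promotional row, the same scraper silently shifts every field, which is the “inaccurate mapping” failure described above, while a schema-based API payload is unaffected. The bank pages, the JSON payload and its field names are constructed for this example; the validate() check is the kind of guard an ingesting app would want before trusting scraped rows.

```python
import json
from datetime import date
from html.parser import HTMLParser

class CellCollector(HTMLParser):
    # Collects the text of every <td> in document order, as a naive scraper does.
    def __init__(self):
        super().__init__()
        self.cells, self._in_td = [], False
    def handle_starttag(self, tag, attrs):
        self._in_td = self._in_td or tag == "td"
    def handle_endtag(self, tag):
        self._in_td = self._in_td and tag != "td"
    def handle_data(self, data):
        if self._in_td:
            self.cells.append(data.strip())

def scrape_transactions(html):
    # Positional scrape: every three cells are taken as (date, description, amount).
    p = CellCollector()
    p.feed(html)
    c = p.cells
    return [{"date": c[i], "desc": c[i + 1], "amount": c[i + 2]}
            for i in range(0, len(c) - 2, 3)]

def validate(records):
    # Sanity check: indexes of rows whose date or amount will not parse.
    bad = []
    for i, r in enumerate(records):
        try:
            date.fromisoformat(r["date"]); float(r["amount"])
        except ValueError:
            bad.append(i)
    return bad

def parse_api(payload):
    # Schema-based parse of a hypothetical open-banking JSON payload: names carry meaning.
    return [{"date": t["date"], "desc": t["description"], "amount": t["amount"]}
            for t in json.loads(payload)["transactions"]]

# Constructed sample pages, not real bank markup. PAGE_V2 is PAGE_V1 after the bank
# inserts a promotional row, which shifts every field of the positional scrape.
PAGE_V1 = """<table>
<tr><td>2024-03-01</td><td>Grocery Mart</td><td>-54.20</td></tr>
<tr><td>2024-03-02</td><td>Payroll</td><td>2100.00</td></tr></table>"""
PAGE_V2 = PAGE_V1.replace("<table>",
    '<table><tr><td colspan="3">Earn 2% cash back with our new card!</td></tr>')
API_PAYLOAD = json.dumps({"transactions": [
    {"date": "2024-03-01", "description": "Grocery Mart", "amount": "-54.20"},
    {"date": "2024-03-02", "description": "Payroll", "amount": "2100.00"}]})
```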
Fintechs have acknowledged flaky bank connections as an “industry-wide phenomenon”, accusing banks of upgrading their websites with no regard for knock-on effects. A large Canadian fintech announced to its complaining customers that “…very few banks are actively helpful…and occasionally, will actively try to disrupt connections by taking steps to block IP addresses, etc.”
An even bigger problem is that users bear the entire risk of cyber-attacks and misuse of their personal data. With specific clauses in their online terms of service, banks have washed their hands of any online breaches that result from users sharing their credentials with third parties. In effect, users who sign up to fintech apps and connect them to their bank accounts are in violation of their banking terms of service and thereby forfeit any protections.
When I asked my bank, BMO, about the use of aggregators, they began by acknowledging the fact that many third-party apps exist and require users to share their credentials. Then they went on to “strongly recommend against providing information to such apps as they are not supported by BMO and this can expose you to theft for which you may not be reimbursed.” They then reminded me that I’m “protected by BMO’s 100% Electronic Banking Guarantee as long as you keep your digital banking password and BMO Debit Card number confidential at all times.” The other four big banks have identical policies and warnings. Similar warnings have been issued by the Financial Consumer Agency of Canada.
In turn, fintech apps and services absolve themselves of any responsibility by requiring users to hold them harmless and release them from any liability resulting from the use of Aggregators. Even ATB Financial, which itself uses an Aggregator to provide services to its clients, in the same breath reminds them that they’re fully on their own if they share their ATB credentials with a third party.
As far as I know, none of the aggregators have been hacked. But this is not a pretty picture for users who are hungry for novel financial services. If a major cyber-attack happens, they will be left to fend for themselves, all the while enduring clunky user experiences.
Everyone needs a reality check…and open banking needs to happen
Our neighbors to the south have realized that this situation is untenable and established the Financial Data Exchange (FDX) to “unify the financial services industry around a common and interoperable standard for the secure access of consumer and business financial data.” FDX membership includes not only major banks but also aggregators, credit card companies, consultancies, and a variety of fintechs. A fine example of cross-industry collaboration for us to follow here in Canada.
As Canada lags behind its global peers in open banking readiness, the Government – in an opaque process – is still reviewing its merits with no clarity on the road ahead. Reasonable voices have been advocating for a Canadian open banking vision for quite some time; most recently, Will Buckley from Xero laid out an excellent market-led path in this article, and several fintech leaders have expressed frustration at the slow legislative pace.
The bottom line
A consumer-centric approach is not only wise but essential for the progress of the Canadian fintech landscape. The widespread self-preservation mindset must be kept in check.