Many moons ago, I warned all my email subscribers about using data aggregation services like Mint dot com and other similar services.
Lots of personal finance startups have jumped on the bank wagon since then and it’s like… everyone and their brother wants to get in on this game.
If you’re scratching your head as to what I’m yammering on about, think on this:
Some financial services companies have started offering a service where you, as their customer, hand over all your bank and investment account login credentials. In other words, your user name and password for your bank account and investment account.
They will then aggregate or gather all your financial information into one place.
The way they do this is… they take your user name and password and log into your account for you, using a computer software program, take a “picture” of your account details, and then import that information into their system where they can sort and organize it for you.
Sounds cool, yes?
It all hinges on you giving some stranger the keys to your financial kingdom… which many people are shockingly comfortable with.
The risk, of course, is that you give up 100% of your privacy and you void your bank and investment broker’s liability protections. Meaning, if your data gets stolen (i.e. password), you have no real protection and no way to get your money or data back if someone decides to help themselves to it.
The price of convenience, I guess.
Recently, FINRA (a self-regulatory agency in the securities industry) issued this warning:
“A key risk is that the aggregators could be storing all consumer financial information or security credentials in one place, creating a new and heightened security risk for consumers.”
Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research also chimed in on this dealybop:
“Finra’s warning is prudent, especially as more and more fintechs have joined the wealth management and investment space,” he said. “These organizations are unregulated, but are being trusted with access to investors’ financial accounts. If these organizations are compromised in a breach, or if their apps are vulnerable, the credentials for a variety of investors’ accounts — including traditional bank accounts — could be misused and leave investors exposed to financial losses where they have limited recourse.”
Obviously, companies who are taking your data and mashing it together into a cool new app don’t think what they’re doing is dangerous.
Now, don’t get me wrong. This sort of technology is cool if it is secure… meaning, if they use APIs and only use data streams and not personally-identifiable information. The way it’s being implemented currently, however, isn’t so secure or at least it’s not as secure as tech companies would have you believe.
Handing over the user name and password to your financial accounts to some tech company in Silicon Valley generally isn’t a safe thing to do for the same reasons handing over your username and password to anyone else isn’t a safe thing to do… which is why banks void your fraud protection when you do it.
They don’t want to be responsible for a 3rd party who isn’t a bank customer.