Investor Alert

Know Before You Share: Be Mindful of Data Aggregation Risks

If putting all your financial information online and in one place sounds like a good idea, there are many companies—often called data aggregators—ready to help you organize your financial life. However, before you share your account information and other sensitive financial details with data aggregators, it pays to know how these services operate, and how to protect yourself from potential privacy and security risks.

Nuts and Bolts of Data Aggregation

Beyond Scraping

Instead of scraping, a growing number of financial institutions are offering aggregators an "application programming interface" (API) which offers a pre-agreed arrangement to transfer data from the financial institution to the aggregator.

These APIs give consumers the ability to authorize access, limit scope and specify whether fund transfers are permitted. A contractual agreement between the aggregator and the financial institution imposes responsibilities on both sides to safeguard your data and privacy. For this reason, security experts often consider APIs a safer option than scraping.

At its most basic, financial data aggregation puts information about your financial holdings under one roof. Your "dashboard," sometimes called a personal financial management hub or portal, can display your investments, savings, insurance policies and credit balances.

In addition to a snapshot of your overall finances, depending on the provider, your service may also include services such as financial and tax planning, budgeting, and the ability to track home value and mortgage information. More robust services may include portfolio analysis, advice (for instance, recommending an asset allocation model), credit monitoring, bill paying and more. There may be costs associated with some services.

You can aggregate information through a non-financial organization or you can add information from outside financial accounts to an existing financial provider, such as a brokerage firm, advisory firm or bank.

In either case, aggregation is possible because you, the consumer, generally agree to provide the aggregator with the login information for your financial accounts.

For example, say you want to aggregate and track information from an IRA, a 401(k) account, a savings account and two credit cards—a total of five accounts, all residing with separate financial institutions. To create a single dashboard, the aggregator will ask you to provide five separate sets of username/password credentials so that it can access each one of those financial accounts.

Your security credentials allow the aggregation service to grab or "scrape" this data, often on a daily basis. Scraping is the practice of using an automated process involving a code or a "robot" that goes out to the third party websites, registers using your security credentials, and collects applicable account information (see sidebar Beyond Scraping).

Know the Risks

Many customers value the convenience of financial data aggregation and appreciate having a single snapshot of multiple accounts. But sharing security credentials for financial account information can come with some risks.

Foremost, you can potentially expose yourself to privacy and security risks. These include potential vulnerability to cyber fraud, unauthorized transactions and identity theft. A key risk is that the aggregators could be storing all consumer financial information or security credentials in one place, creating a new and heightened security risk for consumers.

Many data aggregators may operate under limited regulatory oversight and are not subject to the same regulation that registered financial institutions are subject to, particularly in areas of data privacy and security.

One more thing to keep in mind: If your aggregator sells investment products, you might receive sales recommendations from that entity. Evaluate any investment on its merits and with a clear understanding of risks and costs.

Before You Share

These tips can help you protect yourself if you decide to share your financial information with a data aggregator or service providers who use data aggregators:

Weigh the benefits of aggregation against the risks of sharing your security credentials. Be particularly diligent when you authorize a third party to facilitate payments on your behalf. Check to assure payments go to the right place.
Read the terms and conditions of any user agreement or contract you sign. Know what rights you are granting with respect to accessing your financial accounts and using your data. For instance, how often are your accounts scraped and what data is collected?
Verify that the aggregator will access only the information it needs to provide the desired service to you. Also be aware that there may be charges for certain transactions and services you elect to use.
Understand the aggregator's privacy and data security measures. A good place to begin is by reading the aggregator's terms of use, privacy and security information. Here are some things to look for:
- Does (or may) the aggregator share your security credentials and data with, or provide access to your accounts to, another data aggregator or service provider? Does the aggregator sell your data to a third-party entity? If so, are you comfortable with that?
- Does the aggregator use encryption when retrieving your data? How long is the data retained? What is the process of purging or disposing the data once you terminate your contract?
- What happens if there is a data breach or any unauthorized access to your account? Is there a process in place to notify consumers and financial institutions should a breach occur?
- What type of liability, if any, does the aggregator bear in the event of a consumer loss due to a data breach or unauthorized access? Does the aggregator have the financial capacity or insurance coverage to compensate consumers for loss? Is there a dispute mechanism in place to resolve any issues related to data breaches or unauthorized access?
How accurate are the scraping algorithms used to collect data from your financial accounts? To find out, you can ask whether the aggregator conducts periodic checks to ensure that it is collecting data and using it accurately to provide the required service. You should also check the data yourself against your primary source accounts.
Check with financial data providers to find out what, if any, data is delivered to aggregators through an Application Programming Interface (API), which is generally considered a safer alternative than scraping.
Do your own online research and due diligence. Look up any reviews, complaints or lawsuits against the data aggregator or the third-party service provider you are contemplating using.
Finally, make sure you cancel your account and terminate the access and rights you have granted to the aggregator once you discontinue using the service. Failing to do so may expose your financial information to ongoing security risks. Understand and follow the steps that need to be taken to stop the ability of the aggregator to access your account. This may involve more than just deleting the software application from your computer or mobile device.