If putting all your financial information online and in one place sounds like a good idea, there are many companies—often called data aggregators—ready to help you organize your financial life. However, before you share your account information and other sensitive financial details with data aggregators, it pays to know how these services operate and how to protect yourself from potential privacy and security risks.
Nuts and Bolts of Data Aggregation
At its most basic level, financial data aggregation puts information about your financial holdings under one roof. Your "dashboard," sometimes called a personal financial management hub or portal, can display your investments, savings, insurance policies and credit balances.
In addition to a snapshot of your overall finances, your service might also include services such as financial and tax planning, budgeting, and the ability to track home value and mortgage information, depending on the provider. More robust services might include portfolio analysis, advice (for instance, recommending an asset allocation model), credit monitoring, bill paying and more. There could be costs associated with some services.
You can aggregate information through a non-financial organization, or you can add information from outside financial accounts to an existing financial provider, such as a brokerage firm, advisory firm or bank. In either case, aggregation is possible because you generally agree to provide the aggregator with access to your financial account data.
For example, say you want to aggregate and track information from an IRA, a 401(k) account, a savings account and two credit cards—a total of five accounts, all residing with separate financial institutions. To create a single dashboard, the aggregator will likely use one of two methods: an application programming interface (API), which offers a prearranged agreement to transfer data from the financial institution to the aggregator, or screen scraping, in which you provide your login credentials for each financial account so the aggregator can access that data.
Screen scrapers use an automated process to send a “robot” to the third-party websites, sign in with your credentials and collect account information. APIs give consumers the ability to authorize access without sharing security credentials, as well as to limit scope and specify whether fund transfers are permitted. The agreement between the aggregator and the financial institution also imposes responsibilities on both sides to safeguard your data and privacy.
Though screen scraping was once the standard, aggregators are increasingly using APIs to transfer data. Security experts often consider APIs a safer option than screen scraping. Some financial institutions have even begun blocking scraping by third parties, so if you’re interested in a data aggregator that uses this method, you’ll want to make sure the accounts you plan to connect allow it.
Know the Risks
Many customers value the convenience of financial data aggregation and appreciate having a single snapshot of multiple accounts. But providing access to your financial information can come with some risks.
Foremost, you can expose yourself to privacy and security risks. These include potential vulnerability to cyber fraud, unauthorized transactions and identity theft. These risks are especially heightened for aggregators that use screen scrapers and require you to share your security credentials. A key risk is that this type of aggregator could be storing all consumer financial information or security credentials in one place, creating a new and heightened security risk.
Many data aggregators might operate under limited regulatory oversight and aren’t subject to the same regulation as registered financial institutions, particularly in areas of data privacy and security.
One more thing to keep in mind: If your aggregator sells investment products, you might receive sales recommendations from that entity. Evaluate any investment on its merits and with a clear understanding of risks and costs.
Before You Share
These tips can help you protect yourself if you decide to share your financial information with a data aggregator or service providers who use data aggregators:
- Weigh the benefits of aggregation against the risks of sharing access to your accounts. Be particularly diligent when you authorize a third party to facilitate payments on your behalf. Check to ensure that payments go to the right place.
- Understand whether the data aggregator’s connections to your financial institutions come from screen scraping, API or both.
- Read the terms and conditions of any user agreement or contract you sign. Know what rights you’re granting with respect to accessing your financial accounts and collecting your data.
- Verify that the aggregator will access only the information it needs to provide the desired service. Also be aware that there might be charges for certain transactions and services you elect to use.
- Do you have control over what type of data is shared, with whom, for how long and for what purpose? Can the aggregator sell your data to a third-party entity? If so, are you comfortable with that?
- Does the aggregator use encryption when retrieving your data? How long is the data retained? What’s the process of purging or disposing of the data once you terminate your contract or revoke access?
- What happens if there’s a data breach or any unauthorized access to your account? Is there a process in place to notify consumers and financial institutions should a breach occur?
- What type of liability, if any, does the aggregator bear in the event of a consumer loss due to a data breach or unauthorized access? Does the aggregator have the financial capacity or insurance coverage to compensate consumers for loss? Is there a dispute mechanism in place to resolve any issues related to data breaches or unauthorized access?
- If the aggregator uses scraping algorithms to collect data from your financial accounts, does it store your credentials? How accurate is the data it collects? To find out, you can ask whether the aggregator conducts periodic checks to ensure that it’s collecting current data and using it accurately to provide the required service. You should also check the data yourself against your primary source accounts.
- Do your own online research and due diligence. Look up reviews, complaints or lawsuits against the data aggregator or the third-party service provider you’re considering using.
- Finally, make sure you cancel your account and terminate the access and rights you have granted to the aggregator once you discontinue using the service. Failing to do so might expose your financial information to ongoing security risks. Understand and follow the steps that need to be taken to stop the ability of the aggregator to access your account. This might involve more than just deleting the software application from your computer or mobile device.