Compliance Requirements for Account Aggregation Services
by Mary Beth Guard
Imagine the convenience of being able to log in to a single Web page with one user name and password to review your account balances and loyalty points from all your credit cards, your deposits, investment accounts, airline miles, mortgage loan, IRAs and more. For some lucky individuals, this fantasy of convenience is now a reality, thanks to account aggregation services.
Account aggregation services utilize technology to gather information on the consumer's accounts from many different Web sites and present it in a consolidated format for the customer to view. The early offerors of this service were non-financial institutions. Now, some banks are offering the service, after realizing that whoever controls the information controls the customer.
By offering an account aggregation service, a bank has an opportunity to see the full scope of an individual's financial picture. By wisely data mining the information, the institution is in a position to effectively cross-market its products and services. For example, if it determines that the rate its customer is paying on a mortgage loan from another institution is higher than what it could provide to the customer, it could pop up a message on the screen saying, "Did you know you could save $1378 in interest in one year by refinancing your home loan with us today?" Or, if the fees the customer is paying on a deposit account at another bank are excessive, the message could say something to the effect, "Switch to a NOW account at our bank today and save $12.00 per month in fees over what you're currently paying."
This is a natural extension of a bank's position as trusted steward of its customers' confidential information. It is a smart new source of fee income, and it provides yet another "barrier to exit" that will help you retain your customers.
There are some risks, however, and those are discussed in OCC Bulletin 2001-12. Specifically, banks that offer account aggregation services may be exposed to:
- Strategic risk. This includes choosing the wrong technology and utilizing an unstable third-party service provider.
- Reputation risk. If the bank doesn't meet customer expectations, confidence can be undermined.
- Transaction risk. Unless the data is accurate and current, it could adversely affect the customers' decision-making. If the bank receives and facilitates transactions, it may have additional risk of liability for unauthorized or disputed transactions.
- Information security risk. The account aggregator becomes the keeper of the keys to all the customers' financial data. As the central repository for user names and passwords, its information security is crucial to safeguarding the confidentiality, accuracy and integrity of the customers' information.
Of particular concern to the readers of the Informer is the final category of risk: Compliance risk. The OCC points to three specific areas of compliance risk posed by account aggregation services:
Regulation E. Account aggregation is not specifically addressed by Regulation E at this time, but the Federal Reserve asked for comments on the issue in June 2000. In the absence of specific regulatory guidance in Regulation E, the OCC urges banks to take a conservative approach when interpreting how Reg E compliance obligations apply to account aggregation services.
If the bank provides customers an automatic log-in feature to conduct electronic fund transfers on other entities' Web sites, this may trigger the application of Regulation E. If the automatic log-in allows a customer to click a hyperlink and cause the customer's user names and passwords stored by the bank as aggregator to be used to log in to the other sites, this may be considered the equivalent of offering an access device for electronic fund transfer services!
In order to minimize liability, the aggregator bank should design adequate security systems for access devices and maintain the security of the user names and passwords used to access the customers' data on other Web sites.
Asset Management. If the bank compiles asset management information on customers, various requirements may apply, including the Bank Secrecy Act and, in some cases, applicable fiduciary standards under ERISA and the national bank trust rule, 12 CFR Part 9.
Where the aggregator bank provides hyperlinks to unaffiliated sites that offer securities and insurance products, appropriate disclaimers should be made to ensure the customers realize these products are not FDIC-insured and entail a risk of loss. It should also be clear that the bank does not provide, endorse, or guarantee any of the third-party products or services.
Privacy. Because of the extremely sensitive nature of the data collected through aggregation, banks must pay particular attention to the privacy challenges posed by aggregation services. The bank's GLB privacy notice must reflect the types of information the bank collects and discloses in its role as an aggregator. The OCC even notes that special privacy notices for aggregation customers may be warranted so that the bank can fully and accurately describe its information practices relating to these customers. While a bank may share information about its own transactions and experiences with its customers with its affiliates, if it chooses to share with its affiliates information it gathers as an aggregator about the customers' transactions with third parties, it must first disclose that sharing and provide a right to opt out.
Although your bank may not currently be offering account aggregation services, this guidance will help you understand the risks if you consider doing so in the future.
First published on BankersOnline.com 7/23/01