Financial account aggregation has long used a method known as screen-scraping to harvest account information from bank websites. Now, however, there’s a new trend in the aggregation industry: token-based API connections that use the OAuth (Open Authorization) framework to access sensitive client account information.
What is OAuth?
OAuth is an open authorization framework that allows individuals utilizing third-party services or apps to use one set of login credentials when accessing multiple applications.
Typically, when you download a new app or create a new account online with a website, the app or website requires authentication. The app or website creator develops a login process that includes creating a username and password. With OAuth, you can opt out of creating a new account (e.g., username/password) every time you sign up for a new app or website.
You may very well have used OAuth recently without realizing what it is.
Here is an example of how you may have used OAuth when registering for a new app. If you already have a Facebook account, you only need to use OAuth once to link that account with another app. Say you want to sign up for Netflix. The Netflix sign-up page offers the traditional method (create a username/password), but it also offers you the ability to sign up using your Facebook credentials. The latter option is an example of OAuth: all you must do is authorize the Netflix app to use your Facebook login information.
What does this mean for client bank accounts as it relates to account aggregation?
Let’s first explore how account authorization has worked within account aggregation platforms such as Aqumulate, Yodlee, or Plaid. Traditionally, you would enter your banking credentials (e.g., Bank of America username/password) into the aggregator, which then passes those credentials to the Bank of America servers for authentication.
The new method, a token-based API connection that uses the OAuth (Open Authorization) framework, creates a process like the Netflix and Facebook example. With OAuth in place, clients never share their banking login information with the aggregation platform.
Once in the aggregator platform, the account owner will “authorize” Bank of America to pass data to the aggregator. To do this, they will be redirected from the aggregator’s app/webpage to the Bank of America website to establish the authorization. The aggregator will no longer prompt you to enter banking login information inside its application.
Customers Have More Control Over Their Data
Banks that use OAuth provide customers with more transparency and control of their account information because the account owner can grant or deny other apps permission to utilize their information.
In the traditional password authentication process, a third-party app creator has complete access to all of a customer’s account information, and the banking customer has no way to track what that third party is going to do with that information. Are they going to resell it? Are they sending it to another system downstream, which in turn sends it on to yet another application?
With OAuth in place, banking customers will see:
Greater Security – No sharing of login credentials, and the bank controls the data aggregators can access.
Greater Transparency – See the exact data that is being shared with third parties.
Greater Control – Ability to revoke access to a third-party with the click of a button.
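The redirect-and-token flow described above, and the one-click revocation it enables, as an added example that is not part of the original post and not the code of any real bank or aggregator. The Bank class, the "aggregator-app" client id, the "accounts:read" scope and the customer "alice" are all constructed for illustration; the point it shows is that only the bank ever handles the password, the aggregator holds a scoped token, and that token stops working the moment the customer revokes it.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Bank:
    """Constructed stand-in for a bank's OAuth authorization server (not a real bank API)."""
    passwords: dict                              # user -> password, held only at the bank
    codes: dict = field(default_factory=dict)    # one-time authorization code -> grant
    tokens: dict = field(default_factory=dict)   # access token -> grant
    def authorize(self, user, password, client_id, scope):
        """Runs on the bank's own login page after the redirect: the customer logs in
        there and approves a scoped grant; the bank hands back only a one-time code."""
        if self.passwords.get(user) != password:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"user": user, "client": client_id, "scope": scope}
        return code
    def exchange(self, code, client_id):
        """The aggregator redeems the code for an access token. Codes are single-use
        and bound to the client they were issued to, so a replay or a stolen code fails."""
        grant = self.codes.pop(code, None)
        if grant is None or grant["client"] != client_id:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant
        return token
    def balances(self, token):
        """Resource endpoint: answers only to a live token carrying the right scope."""
        grant = self.tokens.get(token)
        if grant is None or "accounts:read" not in grant["scope"]:
            return None
        return {"checking": 1250.00}             # constructed sample data
    def revoke(self, user, client_id):
        """The customer's one-click revoke: every token issued to that client dies."""
        self.tokens = {t: g for t, g in self.tokens.items()
                       if not (g["user"] == user and g["client"] == client_id)}

def demo():
    """Walks the page's flow; the aggregator only ever sees the code and the token."""
    bank = Bank(passwords={"alice": "correct horse"})         # constructed customer
    # Step 1: the customer, on the bank's page, approves read-only access for the aggregator.
    code = bank.authorize("alice", "correct horse", "aggregator-app", ["accounts:read"])
    # Step 2: the aggregator redeems the code; a replay of the same code must fail.
    token = bank.exchange(code, "aggregator-app")
    replay = bank.exchange(code, "aggregator-app")
    # Step 3: data flows while the grant is live and stops the moment the customer revokes it.
    before = bank.balances(token)
    bank.revoke("alice", "aggregator-app")
    after = bank.balances(token)
    return token is not None, replay is None, before, after
```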
How Aggregators Benefit
Aggregation providers welcome the change for the added security it provides, as well as the elimination of invalid-login and challenge-question prompts. With OAuth in place, gone are the days when accounts fail to connect or update because of changes in login credentials or in the way the banks collect that information from the aggregator.
Will You Have to Do Anything Within Your Current Aggregation Setup?
Maybe. With the release of OAuth, banks are requiring aggregators to make changes related to additional security, as well as how the data is sent to downstream applications that the aggregator connects to.
A common use for aggregation within the advisor community is to streamline both the collection of data and the entry of that data into other applications. If you are using an aggregation provider and they are passing your client data to a third-party application, then both the aggregator and the downstream application (e.g., performance reporting software integrated with the aggregator) must adhere to new security standards around:
1. Storing of data
2. Data usage
3. Revocation of consent
4. Purging databases of all client data upon revocation of consent by the end-client
5. Audit rights
This is a big change, and you may have questions about how it may affect you. AllBackoffice’s team are experts in data aggregation and own the Aqumulate data aggregation engine. If you want to discuss how to prepare for these changes, give us a call at (919) 741-6104 or send an email to firstname.lastname@example.org. We’re here to help you navigate these upcoming changes, so you and your clients have a smooth transition.