Data Aggregation

What Are the Challenges of Using Data Aggregator Services?

Data aggregation services – websites and apps that allow a customer to view all financial account activity on a single unified platform – are a popular way for customers to see their complete financial picture, track their financial habits, and set goals. However, customers often do not know how their data is being used, stored and shared by aggregators, thus increasing the risk of misuse or misappropriation. Customers that share their personal account log-in credentials with third-party data aggregators may be at further risk.

Expert Insights: What are the challenges of using data aggregator services
from Stuart Rubinstein, Fidelity Investments

First, customers should be aware that some aggregation services are not affiliated with regulated financial institutions. As a result, those services may not be subject to the same privacy, data security and fraud monitoring standards as banks or broker-dealers. Customers should review the aggregators’ terms of use and privacy policies before signing up for those services.

Second, customers should also pay attention to the type of technology an aggregator uses to collect and compile data. For example, if a customer must give the aggregator his or her log-in credentials to use the service, that aggregator is likely using “screen scraping” technology to gather financial data. The aggregator’s software then logs in to the customer’s financial accounts using their access credentials to copy (“scrape”) the data away from the institution and onto their platform.

Aggregators must store customer log-in credentials on their systems to regularly update the account information. Those credentials could be misused or stolen if the aggregator is hacked. Given the increase in cybersecurity breaches in recent years, customers should consider the possible risks carefully before sharing financial account access credentials with anyone.

Furthermore, customers should be sure they know what the aggregator is doing with the collected customer data through the service. Before signing up for any aggregation service, customers should review and understand the aggregator’s terms of service, security and privacy policies to understand how the aggregator intends to use, store and share the information while the customer is using the services. Customers should also know whether the aggregator is collecting confidential data that is unrelated to the planning or budgeting tools being offered.

Further, customers should understand what happens once they decide to terminate the relationship with the aggregator. Simply deleting an aggregation app from a mobile device does not typically stop the aggregator from continuing to scrape account data. The aggregator should have a process for notifying the aggregator of your desire to stop using the service.

Before signing up for an aggregation service, customers should ask the following questions:

  • What data is the aggregator collecting on my behalf?
  • What am I authorizing the aggregator to do once it has my personal information?
  • Is the aggregator selling or otherwise sharing my personal data with other entities or firms, and if so, what are those entities or firms doing with my information?
  • How are aggregators or their affiliates tracking my financial activity, and for what purpose?
  • What does the aggregator do with the data they have collected after I close my account?
  • Do aggregators and their supporting applications keep my data on their systems indefinitely, leaving my data susceptible to a security breach even after I stop using the service?
  • Does the aggregator have access to conduct transactions or movement of money or trading activity on my behalf?

Not all aggregator services are transparent about how they use or share customer personal data they gather. Remember the adage that “if you’re not paying for it, you’re the product,” when deciding to share sensitive personal data with any company.

In our next article, we’ll take a closer look at the steps that need be taken to address these concerns and protect customers and their data from potential misuse.