There has been a debate brewing for a number of years now about the legitimacy of third party data aggregators such as Yodlee, and whether end-user banking agreements are breached if a consumer or business decides to use this service. I’ll address this matter later in this blog, but first some background.

From my time with Xero, I’ve been well across the issue of bank feeds and use of third party data aggregation solutions such as Yodlee for a number of years. In the early days, Yodlee was the only game in town for fintechs wanting access to banking data for customers, business or consumer, that they ultimately serve.

The way this technology works is that customers supply Yodlee with their bank internet login ID and password via a secure plug-in to fintech providers like Xero and myprosperity. Yodlee then uses clever technology to mimic a web login, so that it can extract transaction data and feed it into the customer’s chosen fintech application. The approach is often referred to as “screen scraping”, and whilst in this world of rich API connectivity and sophisticated integrations it is considered a somewhat crude approach, it is a very effective and secure technique which certainly beats the alternative of manual data entry or CSV file uploads.

As Xero began to grow rapidly, a number of the big banks took note and quickly understood that offering direct feeds to their joint customers with Xero resulted in better reliability and improved customer experience. It also opened up strategic opportunities in accessing (with the client’s consent) customer accounting data. Cashflow analysis, credit worthiness assessments, lending approvals and the like could be substantially sped up and streamlined.

NAB was one of the early movers on this front, announcing a strategic partnership with Xero back in April 2015. Now Xero has direct bank feeds for business accounts with more than 100 financial institutions in Australia, so things have really progressed from those early days.

Unfortunately, the sort of progress and innovation that I saw in the SME space with accounting software and bank feeds has not yet made its way into the consumer banking space. That was until this week, when we saw a bold and welcome announcement from Macquarie Bank in support of open banking to assist fintechs like myprosperity, who provide applications that rely on secure access to consumer banking data. We congratulate Macquarie Bank for taking the early lead on this important opportunity for the industry as a whole. We’ve been aware of Macquarie’s efforts in this space for a number of months based on conversations with them at various levels. As a result we are hopeful of working with them in the near future as one of a number of early fintech adopters who will benefit from this new initiative.

Source: The Australian Financial Review

Efforts to encourage and even force more banks to adopt this new open banking approach are underway, with the Open Data Regime initiative now a big focus of the Productivity Commission. More needs to be done to bring this to the fore, but until such time that this is all mainstream, Yodlee is the only practical option available to most of us fintech “disruptors”.

So coming back to my Yodlee discussion, does it mean that you are in breach of your bank’s terms and conditions if you use Yodlee? Well, the legal situation on this point is still a little grey, but the reality is that the practice of using Yodlee is broadly accepted in the industry and considered commonplace by many fintech providers. Australian banks, whilst perhaps saying one thing when it comes to the use of Yodlee, have accepted the use of these services for many years and to my knowledge there has never been a breach that has prompted a bank to follow through on the threat of applying their punitive terms and conditions with a customer. Some banks appear to make their position on this quite strict (no names mentioned) whereas others might present a more seemingly balanced position on the issue. They won’t explicitly state if it constitutes a breach of the terms and conditions, but will instead advise customers to take “reasonable steps to protect and not share their access codes with third parties they do not know or trust”.

But here is the reality. Yodlee is one of the biggest financial data aggregators in the world. They have 70 million users worldwide and many of the world’s leading financial institutions use their technology to deliver online services due to their exceptional credentials in bank-level security. In Australia, Yodlee continues to supply bank feeds from virtually all the big and small financial institutions, banks and industry super funds to a multitude of fintech customers including cloud accounting software Xero, Intuit & Reckon; peer-to-peer lenders SocietyOne and RateSetter; and personal financial management tools such as MoneySoft, MoneyBrilliant (owned by AMP) and of course yours truly, myprosperity. Even ANZ Bank themselves were using Yodlee up until August 2016 for their own money management product, ANZ MoneyManager.

It’s interesting to also note that to our knowledge APRA has never challenged Yodlee-powered solutions offered to any financial institutions, nor has ASIC ever stood in the way of lending institutions using this third party solution. Hence many observers in the industry expect that any attempt by a bank to assert a breach in terms and conditions to a customer using Yodlee, albeit that a breach appears to have never occurred, would probably fail since the ASIC ePayments code would likely override any of the bank’s terms and conditions. This ASIC code states that online banking users are permitted to give their credentials to a third-party aggregator service which is explicitly or implicitly endorsed by the banks. So my theory on this is that if your bank allows Yodlee feeds to be used on your bank accounts (and they’ve all been doing so for years) you’ve got a pretty solid argument that your bank implicitly endorses the service.

OK, so that may not be the black and white statement you were looking for and ultimately consumers need to weigh up whether or not they are comfortable using a service like Yodlee in the absence of clear legal endorsements from all involved. But the greyness on this matter is all set to change in the not too distant future. Firstly, resistance from banks in providing banking data is likely to soften due to new innovative products like myprosperity which give increasing weight to direct feeds on consumer bank accounts. Add to that the Federal Government’s position on all this. With the sort of support and strong language coming from the Australian Government regarding the recent Open Banking inquiry by the Productivity Commission, I think it would take a very brave bank to decide to block access to services like Yodlee under the guise of enforcing end user terms and conditions on customers.

Old school behaviour from banks wanting to own and block access to customer banking data will give way to a far more open approach. Like I saw in my journey with Xero, the government along with fintech providers and the consumers they serve will put increasing pressure on banks to open up banking data. Ultimately we are going to see some exciting changes take place around openness of banking data and it is the fintech industry and the consumers that we serve who will be the major beneficiaries of this change.

Chris Ridd
CEO, myprosperity