If you’ve used apps such as Venmo, Credit Karma or Cash App, and linked an external bank account (Chase, Bank of America etc.) using your username and password, have you ever wondered what’s happening in the background?
It’s called Account Aggregation!
Account Aggregation is an automated service that impersonates you, logs into your external bank account, and retrieves data linking your account to the banking app. This allows the user to send money to a peer or retrieve funds from a bank to invest. In this same manner, transaction data and balance information can be retrieved from your account to be used for a number of purposes, including potentially budgeting your money better.
Some reasons for the disapproval that users and banks have with the current method:
- Financial Technology (Fintech) companies are storing users’ credentials, and misusing account data (I don’t agree here but I’m biased 🤣)
- Banks are unaware of who they are interacting with when there’s login activity on a user’s account
- Users don’t have control of which accounts they want shared with third party aggregators
- Banks fear of competition from the growing disruption of their industry by Fintechs
All the above are valid fears!
The Future of Account Aggregation…
Banks are now building token-based access to your account to ban Fintech companies from impersonating you without your or the banks’ knowledge. Issued private keys by the banks will now allow Fintechs to use banks API’s in order to aggregate the data in your account.
With access to these new APIs, Fintechs will be able to aggregate your account without having access to your banking credentials. Instead, they will have to create a redirect link with their issued private keys to direct you to the specific bank’s website, where you will enter your banking credentials and state which accounts you want to make available to the Fintech. Then, you are redirected back to the Fintech’s app with a code/token that gives the aggregator access to the accounts you’ve signed off on. This is all without the user ever having to provide banking credentials to the Fintech.
How do we feel about this?
I think this is a good thing! The move to implement token-based access to users’ account data is brilliant and will serve its purpose of adding more security while also allowing users to be more aware of the type of access Fintechs have to their account.
My current concerns:
- There are still security issues. User information isn’t provided for some of the token-based APIs. This information is important for Fintechs to check whether an account actually belongs to its current user.
- Implementing some of these APIs have steps that are overkill. Security is important, but you can achieve secure implementation and be more concise with the steps that banks require.
- Currently, there’s no room for creativity in the UI/UX of the login flow at the bank site. Fintechs should be allowed to add their personality within the user flow.
The future of account aggregation is part of the Open Banking initiative being adopted around the world. It gets even more complicated in other countries, due to licenses needed to aggregate a user’s account. I’m very excited to start learning more about data aggregation in the EU/UK through my company’s expansion.
I hope the next time you “add a bank” through instant verification, you remember this post!
Please comment any thoughts or opinions below 😊!!