APACS (the Association for Payment Clearing Services) has urged
retail banks to adopt best practice guidelines involving mutual
consent for aggregating banking services from third-party financial
institutions.
Last week, Egg stole a march on rival retail banks, launching the
first UK service to offer consumers a single view of their bank
accounts by aggregating bank balances from several financial
organisations on the Egg site.
It found a way to launch the service, called Money Manager, without
requiring explicit permission from rival banks to access the
customer bank account information they hold.
In spite of Egg's lead, Nigel White, a senior consultant at APACS
and co-ordinator of its banking aggregation group, said, "We
are recommending banks develop service-level agreements such that
their customers are protected."
He said there was a need for "best practices" in banking
aggregation to avoid customers being exposed to risk such as
fraudulent sites and sites with poor security.
Andy Thompson, head of new product development at Egg, said the
Money Manager service provided users with a button that enabled
them to log in automatically to other online bank accounts.
Egg used screen scraping, a technique applied in mainframe
computing to provide users with a modern Windows front-end to
legacy systems, to gather the relevant customer balance information
from other online financial institutions without gaining their
explicit permission.
One rival, HBOS, claimed Egg had contravened the guidelines for
aggregated banking services proposed by APACS, which included
mutual consent for sharing customer bank account details.
The Financial Services Authority, which oversees UK banks, said it
was not responsible for regulating aggregated banking services. Its
Web site, however, contains a set of guidelines aimed at
safeguarding consumers looking to use such services in the
future.
To avoid falling foul of the Computer Misuse Act, Thompson said
that all interaction with the bank is initiated by the customer.
"The balance is presented directly on the customer's PC." Logging
into multiple bank accounts takes place using an ActiveX control
that contains a scrambled version of the relevant passwords
encrypted using Triple-DES (128-bit encryption).
When a customer logs into the Egg service the ActiveX control is
triggered. Thompson said the control runs a script from the
customer's PC, which automates the logging-in process for the
online bank accounts available through the Egg service.
Since the customer's PC performed the login on behalf of Egg,
Thompson said, "We did not need to approach the other banks. As far
as we were concerned we have not broken any laws."