Egg cracks banking code

APACS (the association for payment clearing services) has urged retail banks to adopt best practice guidelines involving mutual consent for aggregating banking services from third-party financial institutions.

Last week, Egg stole a march on rival retail banks, launching the first UK service to offer consumers a single view of their bank accounts by aggregating bank balances from several financial organisations on the Egg site.

It found a way to launch the service, called Money Manager, without requiring explicit permission from rival banks to access the customer bank account information they hold.

In spite of Egg's lead, Nigel White, a senior consultant at APACS and co-ordinator of its banking aggregation group, said, "We are recommending banks develop service-level agreements such that their customers are protected."

He said there was a need for "best practices" in banking aggregation to avoid customers being exposed to risk such as fraudulent sites and sites with poor security.

Andy Thompson, head of new product development at Egg, said the Money Manager service provided users with a button that enabled them to log in automatically to other online bank accounts.

Egg used screen scraping, a technique first applied in mainframe computing to give users a modern Windows front-end to legacy systems, to gather the relevant customer balance information from other online financial institutions without gaining their explicit permission.

One rival, HBOS, claimed Egg had contravened the guidelines for aggregated banking services proposed by APACS, which included mutual consent for sharing customer bank account details.

The Financial Services Authority, which oversees UK banks, said it was not responsible for regulating aggregated banking services. Its Web site, however, contains a set of guidelines aimed at safeguarding consumers looking to use such services in the future.

To avoid falling foul of the Computer Misuse Act, Thompson said that all interaction with the bank is initiated by the customer.

"The balance is presented directly on the customer's PC," he said. Logging into multiple bank accounts takes place using an ActiveX control that holds the relevant passwords in scrambled form, encrypted with Triple-DES (described by Egg as 128-bit encryption). Because the control must decrypt those passwords on the customer's PC in order to log in, the decryption key has to be available on that PC as well.

When a customer logs into the Egg service the ActiveX control is triggered. Thompson said the control runs a script from the customer's PC, which automates the logging-in process for the online bank accounts available through the Egg service.

Since the customer's PC performed the login on behalf of Egg, Thompson said, "We did not need to approach the other banks. As far as we were concerned we have not broken any laws."
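To make the mechanism concrete, the following is an added example of the screen-scraping step, written for this page and not Egg's or any bank's code. It does what the article says Money Manager's client-side script does after the automated log-in: pulls each account balance out of the HTML a bank's online-banking page returns and aggregates the balances into a single view. The three sample pages, the bank names and their markup are constructed for the example; the log-in itself is omitted. Because the scraper has no agreement with the banks about page layout, a redesigned page (Bank C here) is reported as unreadable rather than silently dropped from the total, which is the check a practitioner would want before showing a customer a "total" balance.

```python
import re
from decimal import Decimal
from html.parser import HTMLParser

# Constructed sample pages standing in for the HTML three hypothetical
# banks' online-banking sites return after log-in. Bank C is a redesigned
# page whose markup the scraper does not understand.
SAMPLE_PAGES = {
    "Bank A": """<html><body><table>
      <tr><th>Account</th><th>Balance</th></tr>
      <tr><td>Current 12345678</td><td>&pound;1,234.56</td></tr>
      <tr><td>Savings 87654321</td><td>&pound;10,000.00</td></tr>
    </table></body></html>""",
    "Bank B": """<html><body>
      <div class="acct"><span class="name">Current account</span>
      <span class="bal">GBP 250.10</span></div>
      <div class="acct"><span class="name">ISA</span>
      <span class="bal">GBP -15.00</span></div>
    </body></html>""",
    "Bank C": """<html><body><p>Current account: <b>&pound;99.00</b></p></body></html>""",
}

MONEY_RE = re.compile(r"-?\d+\.\d{2}")


class CellCollector(HTMLParser):
    """Collects the text of each td/th/span element in document order."""

    CELL_TAGS = ("td", "th", "span")

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &pound; arrives as "£"
        self.cells = []
        self._in_cell = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag in self.CELL_TAGS:
            self._in_cell, self._buf = True, []

    def handle_data(self, data):
        if self._in_cell:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag in self.CELL_TAGS and self._in_cell:
            self.cells.append("".join(self._buf).strip())
            self._in_cell = False


def parse_money(text):
    """Return the amount as a Decimal, or None if the cell is not a balance."""
    cleaned = text.replace("£", "").replace("GBP", "").replace(",", "").strip()
    return Decimal(cleaned) if MONEY_RE.fullmatch(cleaned) else None


def extract_balances(html):
    """Pair every money-looking cell with the cell before it (the account
    name). Raises ValueError when no balance is recognised, so a redesigned
    page is reported instead of silently contributing nothing."""
    parser = CellCollector()
    parser.feed(html)
    cells = parser.cells
    balances = []
    for i in range(1, len(cells)):
        amount = parse_money(cells[i])
        if amount is not None:
            balances.append((cells[i - 1], amount))
    if not balances:
        raise ValueError("no balances recognised; page layout may have changed")
    return balances


def aggregate(pages):
    """Single view across banks: per-bank balances, a grand total over the
    banks that could be read, and the banks whose pages could not."""
    result = {"balances": {}, "errors": [], "total": Decimal("0")}
    for bank, html in pages.items():
        try:
            result["balances"][bank] = extract_balances(html)
        except ValueError:
            result["errors"].append(bank)
            continue
        result["total"] += sum(amount for _, amount in result["balances"][bank])
    return result


if __name__ == "__main__":
    view = aggregate(SAMPLE_PAGES)
    for bank, accounts in view["balances"].items():
        for name, amount in accounts:
            print(f"{bank:8} {name:20} {amount:>12}")
    print(f"Total {view['total']}   (unreadable: {', '.join(view['errors']) or 'none'})")
```

Run stand-alone it prints the four readable accounts, a total of 11469.66 and flags Bank C as unreadable. The fragility is the point: the "contract" between scraper and bank is whatever markup the bank happens to serve today, which is why APACS wanted service-level agreements and mutual consent rather than a silent dependency on another bank's HTML.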
