Account aggregation navigates uncharted territory with privacy issues

Northwestern Financial Review, Sep 1, 2001 by Crews, Jennifer Goepfert

With all of the buzz about privacy disclosures since the Gramm-Leach-Bliley Act passed, some bankers are expressing concern about privacy issues that arise from account aggregation. Account aggregation seems to offer incredible convenience for customers by bringing together data from multiple accounts to one central spot on the Internet. But what sorts of privacy questions arise when a bank gets involved in "screen scraping"?

"There are a lot of potential privacy issues," said Ted Dreyer, attorney with Bankers Systems, Inc. of St. Cloud, Minn. "This is uncharted territory. The financial industry is a highly regulated industry. Here we are dealing with things that are not well defined."

Banks must consider the impact of aggregation when formulating policies and practices. Dreyer pointed out that a bank must make a decision to modify existing privacy disclosures or to compose a separate disclosure for account aggregation.

"There will be a need for really explicit authority and agreement from the customer to do this," said Dreyer. "Obtaining information about financial institutions under false pretensions is a federal criminal offense after Gramm-Leach-Bliley."

Even with a customer's consent, banks must take measures to protect themselves in case of hacking, intrusion or a security breach. Most banks have firewalls to protect their customers' information when they bank online. When a bank brings in third-party information, however, the ability to control the information and keep it secure is more difficult. If a customer's privacy is invaded, the bank can be held responsible.

Account aggregation also poses a myriad of possibilities for inadvertent policy violations. For example, advertising regulations could easily be breached, because a bank cannot advertise FDIC-insured products on the same page on which non-FDIC products are advertised.

For banks, privacy issues in terms of account aggregation have not yet been clearly defined. For this reason, banks must exercise extra caution, Dreyer said. "Banks must ask, 'Does the customer actually know about all the risks involved?'" said Dreyer. A privacy disclosure can insure against some liability, but essentially, a bank has the duty to thoroughly explain the inherent risks to its customers.

Dreyer stated that a bank must address two essential areas before launching account aggregation. The bank must choose an Internet service provider that is competent, knowledgeable and trustworthy. Once the program is ready, the bank should bring in a variety of compliance consultants to check for possible legal, operational and technical faults. The bank should have the process audited so that if a privacy issue does come up, the bank can be sure it did everything possible to avoid trouble and will not be at fault.

"Technology is out-racing regulations and the law," said Dreyer. "Things that used to change in a decade now change in a few months. With account aggregation, there is presumably a minefield of possible risks. There are a lot of issues here, and there is a lot that isn't already known. Don't go into this thinking that this is a riskless thing to do. In account aggregation, you are dealing with highly regulated industries that have twists and turns. Banks are used to dealing with only internal issues. Now before involving a third party, they must understand the scope of what they are dealing with."

Copyright NFR Communications Inc Sep 1, 2001
Provided by ProQuest Information and Learning Company. All rights Reserved
 
