Financial account aggregation: The liability perspective

Fordham Journal of Corporate & Financial Law, 2003 by Spiotto, Ann H

INTRODUCTION

When a consumer thinks about using a financial account aggregation site, one concern is whether or not such use is safe. A related question is who has responsibility for unauthorized transactions or other fraud-related problems occurring as a result of a consumer providing his account information, usernames, and personal identification numbers ("PINS") or other access codes to the aggregation site. An additional question is, who is responsible for costs and expenses incurred by the consumer as a result of actions he takes based upon inaccurate, incomplete or obsolete information (bad account data) provided at the site.

This Article explores the potential financial risks to the consumer and account holding financial institutions ("AHBanks") from aggregation. It also analyzes the current state of the law and contractual relationships relevant to such risks. It concludes that: (1) with respect to unauthorized transactions, parties other than the consumer appear to bear the ultimate liability for financial losses in most situations and parties other than the AHBank appear to bear the ultimate responsibility for financial losses in a number of situations, and (2) with respect to losses resulting from reliance upon bad account data, the consumer will probably have a more difficult time shifting losses to either the AHBank or another party.

The question of whether legislative or regulatory action is necessary at this time with respect to liability issues is then addressed, with the conclusion reached that at the current stage in the evolution of aggregation services such action appears to be premature.

The following framework is used in reaching these conclusions. First, the question "What is financial account aggregation?" is addressed in Part I. Part II identifies and discusses potential financial liabilities connected to aggregation, specifically those resulting from the display of inaccurate, incorrect, or incomplete information and those resulting from unauthorized transactions. Part III follows with an analysis of who has liability for unauthorized transactions, beginning with a discussion of the basic rules ("SIMPLE ANSWERS") governing liability in those simple situations where an unauthorized transaction occurs and the consumer has not used an aggregation site.

After conclusions are reached for the simple situations, Part IV continues the analysis by adding one additional factor to those situations already discussed: the consumer signs up for aggregation. It analyzes whether and how the previously defined simple answers change once the existence of the consumer's relationship with an aggregation site is added to the mix. After this discussion, the author concludes that significant concerns over consumer or AHBank liability for unauthorized transactions as a consequence of the consumer arranging for aggregation are premature at this time. Consequently, Part V offers some suggestions on why such concerns exist and why the evolution of aggregation over the past couple of years should have diminished those concerns.

This Article concludes that at this stage in the evolution of aggregation services, legislative/regulatory action with respect to liability issues is premature and recommends that no such action be taken at this time. It points out that where theoretical problems are "solved" by new legislation/regulations before problems actually develop, the solutions may be unnecessary or result in unanticipated negative consequences. It recommends that (1) the financial services industry be allowed to exercise its judgment in developing the aggregation product under the existing regulatory framework and (2) regulators continue to monitor business practices and developments in connection with the aggregation product and take regulatory action only if the need is actually demonstrated.

I. WHAT IS FINANCIAL ACCOUNT AGGREGATION?

In order to answer the questions identified above, one must understand what aggregation is and who the participants are. Aggregation as discussed in this Article is relatively new, appearing on the landscape in 1999-2000. A Morgan Stanley Report estimates that there were just 10,000 aggregation users nationwide at the beginning of 2000; by September 2000, the number was estimated to be 500,000;1 and at the beginning of 2002, the number of aggregation service users was estimated by various analysts at between 300,000 and one million U.S. consumers.2

The following simple statement conveys the essence of aggregation:

Web aggregation services are provided by companies-either financial institutions or third-party Internet companies-that [the consumer] can authorize to collect [his] account information so [he] can view it at a single place on the Internet. [The consumer gives] the Web aggregator [his] account information (which may include checking, savings, insurance, mortgage, credit card, investment and brokerage accounts), [his] ID codes and passwords. In turn, the Web aggregator collects [his] account information online and allows [him] to access it, with a password, on its Web site for "one stop" viewing.3