Know Before You Share: Be Mindful of Data Aggregation Risks

Financial Data Aggregation: What You Need to Know and How to Protect Yourself

If putting all your financial information online and in one place sounds like a good idea, there are many companies—often called data aggregators—ready to help you organize your financial life. However, before you share your account information and other sensitive financial details with data aggregators, it pays to know how these services operate and how to protect yourself from potential privacy and security risks.

Nuts and Bolts of Data Aggregation

At its most basic level, financial data aggregation puts information about your financial holdings under one roof. Your “dashboard,” sometimes called a personal financial management hub or portal, can display your investments, savings, insurance policies and credit balances.

In addition to a snapshot of your overall finances, your service might also include services such as financial and tax planning, budgeting, and the ability to track home value and mortgage information, depending on the provider. More robust services might include portfolio analysis, advice (for instance, recommending an asset allocation model), credit monitoring, bill paying and more. There could be costs associated with some services.

You can aggregate information through a non‑financial organization, or you can add information from outside financial accounts to an existing financial provider, such as a brokerage firm, advisory firm or bank. In either case, aggregation is possible because you generally agree to provide the aggregator with access to your financial account data.

For example, say you want to aggregate and track information from an IRA, a 401(k) account, a savings account and two credit cards—a total of five accounts, all residing with separate financial institutions. To create a single dashboard, the aggregator will likely use one of two methods:

• Application Programming Interface (API) – a pre‑arranged agreement to transfer data from the financial institution to the aggregator.

• Screen scraping – you provide your login credentials for each financial account so the aggregator can access that data.

Screen scrapers use an automated process to send a “robot” to the third‑party websites, sign in with your credentials and collect account information. APIs give consumers the ability to authorize access without sharing security credentials, as well as to limit scope and specify whether fund transfers are permitted. The agreement between the aggregator and the financial institution also imposes responsibilities on both sides to safeguard your data and privacy.

Though screen scraping was once the standard, aggregators are increasingly using APIs to transfer data. Security experts often consider APIs a safer option than screen scraping. Some financial institutions have even begun blocking scraping by third parties, so if you’re interested in a data aggregator that uses this method, you’ll want to make sure the accounts you plan to connect allow it.

Know the Risks

Many customers value the convenience of financial data aggregation and appreciate having a single snapshot of multiple accounts. But providing access to your financial information can come with some risks.

• Privacy and security risks – potential vulnerability to cyber fraud, unauthorized transactions and identity theft. These risks are especially heightened for aggregators that use screen scrapers and require you to share your security credentials. A key risk is that this type of aggregator could be storing all consumer financial information or security credentials in one place, creating a new and heightened security risk.

• Limited regulatory oversight – many data aggregators might operate under limited oversight and aren’t subject to the same regulation as registered financial institutions, particularly in areas of data privacy and security.

• Potential conflicts of interest – if your aggregator sells investment products, you might receive sales recommendations from that entity. Evaluate any investment on its merits and with a clear understanding of risks and costs.

Before You Share

These tips can help you protect yourself if you decide to share your financial information with a data aggregator or service providers who use data aggregators:

1. Weigh benefits vs. risks – be particularly diligent when you authorize a third party to facilitate payments on your behalf. Check to ensure that payments go to the right place.

2. Know the connection method – understand whether the aggregator’s connections to your financial institutions come from screen scraping, API, or both.

3. Read the fine print – review the terms and conditions of any user agreement or contract you sign. Know what rights you’re granting with respect to accessing your financial accounts and collecting your data.

4. Limit data access – verify that the aggregator will access only the information it needs to provide the desired service. Be aware that there might be charges for certain transactions and services you elect to use.

5. Assess privacy and security measures – look for:

   • Control over what type of data is shared, with whom, for how long and for what purpose.

   • Whether the aggregator can sell your data to third parties and if you’re comfortable with that.

   • Use of encryption when retrieving your data, data retention periods, and the process for purging or disposing of data once you terminate your contract or revoke access.

   • A clear breach‑notification process and a plan for notifying consumers and financial institutions if unauthorized access occurs.

   • Liability provisions – does the aggregator bear any liability for consumer loss due to a breach or unauthorized access? Does it have the financial capacity or insurance coverage to compensate consumers? Is there a dispute‑resolution mechanism?

6. Scraping‑specific concerns – if the aggregator uses scraping algorithms, ask whether it stores your credentials, how accurate the collected data is, and whether it conducts periodic checks to ensure data is current and accurate. Compare the aggregator’s data against your primary source accounts.

7. Do your own research – look up reviews, complaints, or lawsuits against the data aggregator or the third‑party service provider you’re considering.

8. Terminate access when you’re done – cancel your account and revoke the aggregator’s access once you discontinue using the service. Simply deleting an app may not be enough; follow the provider’s steps to ensure the aggregator can no longer reach your accounts.

By following these guidelines, you can enjoy the convenience of financial data aggregation while minimizing the privacy and security risks associated with sharing your sensitive financial information.