Account aggregation is a relatively new service made possible by recent technological advances. The idea is to allow an account holder to gather information from various financial institutions (or other sources) and to organise and display it in an aggregated format – usually on a single webpage.
The marketing and customer relationship possibilities are obvious – a customer will only need to access one site to obtain all information, reducing the need to remember passwords and making the whole experience easier and more useful. However, a single point of access causes concerns for financial institutions that are competing to retain relationships with customers. It also opens the banking relationship to entities other than financial institutions, such as internet service providers (ISPs) and other online content providers.
There are currently three types of aggregation service under development. These can be divided into two categories – 'screen-scraping' and 'data feed'. Screen-scraping is further separated by those services where the customer's password data is collected by the service provider and stored on the service provider's server (server-side) and those services where the client stores their password data using the service provider's software on their own PC (client-side). In each case the aggregation software uses the passwords to retrieve the financial information. With the client-side model, arguably the client retrieves the information; in the server-side model this is probably done by the service provider. The other main method of aggregation is a direct data feed, where account information is fed from the financial institution to the service provider.
Legal obstacles to the provision of aggregation arise out of the question of authorisation: who accesses the financial information and are they authorised to do so?
The financial institution from which the data is retrieved may prohibit in its terms and conditions access to the online account information by anyone other than the customer. If the service provider rather than the customer accesses the online account information, the customer may well breach its contract with the institution, and the service provider may even commit the tort of inducing the breach of contract. One argument against this interpretation is that the service provider acts as the agent for the customer (the principal) and retrieves the information as agent. This may assist unless the terms and conditions expressly prohibit service provider access.
Similarly, financial institutions' terms and conditions often prohibit 'deep linking' into their sites, so that third parties may only access the site via the homepage. If the aggregation service links directly to the database and not via the homepage, the party accessing it is likely to breach the prohibition on deep linking (and the service provider may have induced that breach).
It is likely that a collection of online account information will constitute a 'database' or even a literary work for copyright purposes. The unauthorised extraction and reproduction of the information is likely to infringe a financial institution's rights to the information. While the customer is probably authorised to retrieve its information (albeit subject to compliance with the terms and conditions), if the service provider is doing the retrieving, it is probably not authorised, resulting in infringement by the aggregator of the financial institution's intellectual property (IP) rights.
Problems also arise under the Computer Misuse Act 1990 if access is not authorised. Again, while a customer may be authorised, the service provider may not, so if the service provider is assessing (or if the customer accesses in an unauthorised manner) criminal penalties may apply. Unauthorised access may also constitute trespass to property if it can be successfully argued that an IT system is 'property' for the purposes of this cause of action.
Where the service provider is a bank or other financial institution, aggregation is also affected by various codes of banking practice. The Association of Payment Clearing Services (APAC) best practice aggregation guidelines suggest that aggregation should take place only with the consent of the financial institutions from which data is retrieved, although these guidelines are voluntary and not legally binding. The Banking Code does not address the question of aggregation directly, but does contain provisions safeguarding the customer's passwords and other security information. These provisions may be breached where the customer puts their passwords at risk (which may occur in either method of screen-scraping). Again, this code does not have any legal effect, but the Banking Code Standards Board, which enforces the code, does have disciplinary powers against the banks subscribing to the code.
The Financial Services Authority (FSA) has indicted that it will have no powers to regulate the provision of account aggregation. However, the FSA may regulate aggregation services directly, eg where the service provider includes 'regulated' activities on its site. The FSA has, however, expressly stated in a discussion paper that authorised firms should not provide aggregation services if the advice received is that any aspect of their business model is more likely than not to be illegal, even if prosecution is believed to be unlikely. The FSA has therefore put the onus on financial institutions to guarantee the legality of the aggregation service. Of course, where a service provider is not a financial institution it will not be regulated, which creates an imbalance in the service provider market.
The major legal risks are probably avoided if the party retrieving the financial information is authorised to do so by the owner of the database. It is currently unclear if authorisation will be given explicitly or will be assumed from acquiescence. Unlike the US, where aggregation is more prevalent, the UK banking community has yet to decide whether it will accept the widespread sharing of customer financial data or will take action to stop a service provider entering the market.
While some institutions take a more liberal 'it's good for the customers' line, not wanting to stifle innovation, some are still sceptical of the risks both to themselves and to customers (and unwilling to risk losing relationships with customers). Any service provider entering the market will take a risk unless authorisation is clarified. It will be interesting to see whether the market embraces this technology and allows aggregation to be provided (possibly by the formulation of comprehensive codes of practice regulating aggregation between financial institutions). It is likely that consumer pressure will prevail, so that aggregation will become widely available and banks will have to work harder at retaining customers.
Travers Symons is an assistant solicitor in Stephenson Harwood's business technology group