Most people don’t read their Terms of Service agreements with banks. In fact, I admit that I wouldn’t have either, had I not wanted to find out whether I was protected in case of a security breach at a service such as Yodlee. Now don’t get me wrong, Yodlee has built a great thing, and I think their aggregation business is actually brilliant. It’s more the way they do it that worries me, since from my perspective it’s entirely unethical and can get you into trouble if they lose your bank logins.
So here is basically how it works: Yodlee aggregates all of your financial data in one place. To do that, you hand over your bank logins and passwords, and it uses a technique called “screen scraping”: it logs in to each bank as you and reads the account pages. I don’t know why they didn’t build an API connector with a secured connection to each of the major banks… well, I do know why: because that’s the long and complicated way, even though it’s the right and secure way to run the business. Now, while many people defend what they do as part of the advancement of technology, screen scraping has been around for decades. The problem doesn’t lie in the ethics of screen scraping (although that does bother me) but in the legal consequences of allowing some other service to act on your behalf.
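The difference between the two designs in that paragraph, a shared password versus a bank-issued scoped token, is easiest to see in a toy model. The following is an added example written for this page, not Yodlee’s or any bank’s code: `ToyBank`, `ScrapingAggregator`, `TokenAggregator`, the scope names and the breach simulation are all hypothetical. It stages a breach of the aggregator’s credential store and compares what the attacker can do with what was stolen in each case.

```python
import hashlib
import secrets


class ToyBank:
    """Hypothetical bank: full password login, plus scoped revocable tokens."""

    def __init__(self):
        self._users = {}     # user -> (password hash, balance)
        self._sessions = {}  # session id -> user (carries the customer's full authority)
        self._tokens = {}    # token -> (user, frozenset of scopes)

    @staticmethod
    def _hash(pw):
        return hashlib.sha256(pw.encode()).hexdigest()

    def register(self, user, password, balance):
        self._users[user] = (self._hash(password), balance)

    def login(self, user, password):
        """Password login: whoever holds the password *is* the customer."""
        pw_hash, _ = self._users.get(user, (None, 0))
        if pw_hash != self._hash(password):
            raise PermissionError("bad credentials")
        sid = "sess-" + secrets.token_hex(8)
        self._sessions[sid] = user
        return sid

    def issue_token(self, user, password, scopes):
        """Customer authenticates to the bank only and gets a limited token to hand out."""
        self.login(user, password)
        tok = "tok-" + secrets.token_hex(8)
        self._tokens[tok] = (user, frozenset(scopes))
        return tok

    def revoke_token(self, tok):
        self._tokens.pop(tok, None)

    def _authorise(self, cred, scope):
        if cred in self._sessions:
            return self._sessions[cred]          # a session is good for every scope
        if cred in self._tokens:
            user, scopes = self._tokens[cred]
            if scope in scopes:
                return user
        raise PermissionError(f"credential not valid for {scope!r}")

    def read_balance(self, cred):
        return self._users[self._authorise(cred, "read:balance")][1]

    def transfer_out(self, cred, amount):
        user = self._authorise(cred, "transfer")
        pw_hash, bal = self._users[user]
        if amount > bal:
            raise ValueError("insufficient funds")
        self._users[user] = (pw_hash, bal - amount)
        return bal - amount


class ScrapingAggregator:
    """Logs in as the customer, so it must keep the reusable password on file."""
    def __init__(self, bank):
        self.bank, self.store = bank, {}
    def connect(self, user, password):
        self.store[user] = password
    def sync(self, user):
        return self.bank.read_balance(self.bank.login(user, self.store[user]))


class TokenAggregator:
    """Holds only a read-scoped token and never sees the password."""
    def __init__(self, bank):
        self.bank, self.store = bank, {}
    def connect(self, user, token):
        self.store[user] = token
    def sync(self, user):
        return self.bank.read_balance(self.store[user])


def attacker_drains(bank, aggregator, user):
    """Simulated breach: the attacker holds whatever the aggregator stored for
    `user` and tries to empty the account.  Returns the amount moved."""
    secret = aggregator.store[user]
    try:
        try:
            cred = bank.login(user, secret)  # works only if the secret is the password
        except PermissionError:
            cred = secret                    # otherwise try it as a bank token
        amount = bank.read_balance(cred)
        bank.transfer_out(cred, amount)
        return amount
    except PermissionError:
        return 0


def demo():
    """Run both designs through the same breach; returns the loss in each case."""
    bank = ToyBank()
    bank.register("alice", "correct horse", 1000)   # constructed sample customer
    scraper = ScrapingAggregator(bank)
    scraper.connect("alice", "correct horse")
    scraper.sync("alice")
    lost_scraping = attacker_drains(bank, scraper, "alice")

    bank.register("alice", "correct horse", 1000)   # reset the balance for scenario 2
    tok = bank.issue_token("alice", "correct horse", {"read:balance"})
    agg = TokenAggregator(bank)
    agg.connect("alice", tok)
    agg.sync("alice")
    lost_token = attacker_drains(bank, agg, "alice")
    bank.revoke_token(tok)                          # customer pulls access after the breach
    lost_revoked = attacker_drains(bank, agg, "alice")
    return {"scraping": lost_scraping, "token": lost_token, "revoked": lost_revoked}


if __name__ == "__main__":
    print(demo())  # {'scraping': 1000, 'token': 0, 'revoked': 0}
```

Both aggregators deliver the same feature (the balance shows up), but what leaks in a breach differs. The stored password is a bearer credential with the customer’s full authority, so the attacker can do anything the customer can, and the only way to cut it off is to change the password at every bank. The token is limited to the scope the bank granted (here read-only) and the bank can revoke it on its own, which is the least-privilege property the post is asking for. The model deliberately says nothing about how any real aggregator stores credentials or what its contracts say; it only shows why the two designs fail differently.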
You see, some major banks have specific terms of service that say that if you authorize a third party service to act on your behalf, and there is a breach at that third party, then the bank is not liable for the loss. This translates into: if Yodlee gets compromised, any loss of funds on your end will not be covered by the bank, since you authorized Yodlee to act on your behalf. And if you read Yodlee’s own legal terms, they basically protect Yodlee from lawsuits, not you as a user.
I’m not saying that Yodlee doesn’t practice good security or anything, but that clause gives me the willies. It basically means that on the off chance some hacker or script kiddie does get your bank data and empties your accounts, neither the bank nor Yodlee would protect you. Thanks, but no thanks. Some people are willing to take the risk of their bank accounts being emptied without the bank covering the loss, but not I. Not I.
This is also the same reason I have kept it out of my small business accounting service, even though that leaves me with a narrower range of features. I have to think about my customer base in both legal and technological terms and protect them as best I can. If you give users ease of use but go lax on security, it’ll come back and bite you in the long run. Call me crazy, but I’d rather protect my customers from a potential breach.
Pingback: Xero adds 55 bank feeds, steps into security cesspool AccMan