
Screen Scraping: Naughty or Nice?

By Jim Bruene on February 2, 2000 11:54 AM

 

Statement aggregation, aka screen scraping, has become a big issue. Considering that, as a bank, you can mine up-to-the-minute customer data from your competitors, it’s no surprise the first lawsuit was filed just a few months after S1’s VerticalOne unit pioneered the practice. But with banks jumping on board, including Fleet (Yodlee), First Tech CU (Corillian), Hibernia (Corillian), and Virtual Bank, it’s only a matter of time before statement aggregation is a common Net-banking feature.


For more than two years we’ve forecasted an upsurge in truly virtual banking services, products that don’t require a bank charter, just HTML and an entry point to the ACH system (see Creating the Amazon.com of Financial Services, OBR 38/39). After a slow start, they began arriving on the scene in mid-1999, accounting for six of our top 10 developments of 1999. But there have been a few bumps in the road. January saw two of the pioneers bloodied, but both recovered well.

1. First Union sued PayTrust for screen scraping customer data (with user permission). It’s probably not a coincidence that PayTrust is competing with First Union and Spectrum in the bill payment space.

2. X.com was vilified by John Markoff in the New York Times for “permitting customers for almost a month to transfer funds from any other account in the nation’s banking system”. We were surprised how little play the story got. We expected the first confirmed fraudulent activity at a Net bank to be blasted across every paper in the country. Perhaps X.com benefited from being a newcomer. If it had been Citibank, the repercussions would have been more severe. Also, Bill Harris, media-savvy X.com CEO, did a good job putting the situation into perspective, believably saying it wasn’t so much a security problem, but rather an example of where the company’s desire to provide an easy-to-use product was exploited by a few small-time crooks.

Who is Liable?

The $64 billion question: Who pays if a screen-scraped bank account is plundered?

a.) the bank

b.) the third-party pulling the data

c.) the end-user

d.) it depends

We think the only acceptable answer is (a.) the bank. No other response makes business sense. Even if a third party was negligent, how are you going to prove it? Since most users reuse the same codes at multiple sites, a compromised password could have been lifted from dozens of places. Banks must step up and protect their customers from monetary loss. Period. Later, the bank can go after the third party to recoup its losses. But all that should be transparent to users.

You should take aggressive steps to educate users about the dangers of handing over the keys to their accounts, but also make it clear that you are on their side should an abuse occur. For generations, customers have looked to banks to safeguard their assets. Whether it’s gold bullion in the vault or bits on your network, you have the responsibility to thwart cybercrooks just as you do the Jesse James variety.

OnePage, a statement aggregation service in formation, was founded by the team that started BillPoint, the person-to-person payments company sold to eBay in 1999.

 

First Union’s Warning on Screen Scraping

First Union posts a warning telling customers not to share access codes with third-party Web sites.

First Union has posted the following message on its Web site, accessible via a link from the login page (above). The non-threatening message is a good first step in educating customers about the very real danger of providing account access codes to fraudulent third parties (our italics):

First Union offers Online Banking, Brokerage and Bill Pay services to our customers. These services allow you to access your deposit and brokerage accounts through an authentication process which uses personal access codes and passwords such as Customer Access Numbers (CANs), PINs, and Codewords. We employ a number of measures, as described in our Security Statement, to provide these services in a secure manner. These measures allow us to properly authenticate your identity when you access our services and protect your information as it traverses the Internet between your PC and First Union.

Our security measures must rely on these access codes remaining confidential. Please do not share these codes or other personal identifiers with others. Certain third party providers such as bill pay and bill presentment sites, financial aggregator sites, brokerage sites or other e-commerce sites may offer to provide services to you by accessing your accounts through our site. We cannot guarantee the security of your account when you allow third parties to access your accounts.

Furthermore, the bank’s account agreement requires users to keep access codes confidential.

Use of these Access Codes is the agreed security procedure to access the Services. You agree to keep these numbers and codes confidential to prevent unauthorized access to your accounts and to prevent unauthorized use of the Services.


 

What to Do Now

Be glad that First Union (Charlotte, NC; $253 billion) stepped up to be the bad guy by suing PayTrust. It may become an important precedent in establishing business rules for ecommerce. eBay is embroiled in a similar suit against auction aggregators such as AuctionWatch, a partner of X.com. These aggregators mine eBay listings and present them on their sites aggregated with similar listings from 300+ auction sites. eBay has been trying to prevent this practice with technical and legal roadblocks, a move that triggered counter-suits and Justice Dept. scrutiny into whether eBay’s efforts violate anti-trust laws.

We don’t know how the courts will rule on eBay or First Union’s cases if they ever make it to trial. But we advise against basing your business plans on a swift resolution in favor of the content originators. Instead, control your own destiny as follows:

1. HIGH PRIORITY — Beef up security procedures on monetary transactions: The simplest way for banks to thwart hackers and screen scrapers is to require periodic password changes, an approach used by NextCard. But this is tough on users and a burden for customer service. A better approach is to require an additional “transaction password” whenever users want to move money out of an account. Customers would agree to NEVER give their transaction password to anyone or any Web site.

2. Educate consumers on how to avoid fraudulent virtual banking services and Web site spoofs: We recommend a low-key approach enlisting the support of the customer, but not threatening to leave them high and dry if there is a problem. For example, “please be aware that we cannot guarantee the privacy of your info if you give your password to a third party.”

3. Work with aggregators to ensure that customer data is safe; forge partnerships for favorable placement on third-party sites.

4. Lobby for oversight of statement aggregators and e-payment companies (license requirements, bonding, SAS 70 audits, etc.).

5. Train your e-reps on EXACTLY what to tell customers about specific aggregator sites.

6. Flag accounts being scraped and send periodic notices to the customer that their data is being grabbed by xyz.com; develop fraud detection algorithms for these accounts to watch for any unusual withdrawal activity; and potentially seek confirmation from the customer before processing any large or unusual withdrawals.

7. Send an email to the user each time their account is accessed.

8. Monitor your log files to see how much activity is coming from aggregators.

9. Most importantly, offer statement aggregation yourself, so that the activity takes place on your turf, not a Web site in Azerbaijan.
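As an added example (not code from the original article or from any bank or vendor named in it), the following Python script implements the monitoring side of items 6 and 8 above: it identifies aggregator sessions in a bank’s Web access logs, lists which accounts are being scraped and by whom so that a customer notice can be generated, reports the share of traffic coming from aggregators, and flags withdrawals on scraped accounts that are either initiated through an aggregator session or well above the customer’s own baseline. The log format, the aggregator address list and labels, and all account identifiers and amounts are constructed assumptions for illustration.

```python
"""Aggregator-access monitoring over constructed bank Web access logs.

Assumed log format (one request per line, chronological order):
    <timestamp> <client_ip> <user_agent> <account_id> <action> <amount>
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real bank data). Includes one malformed
# line to show that the parser skips it rather than aborting the review.
SAMPLE_LOG = """\
2000-02-01T08:00:01 10.0.0.5 Mozilla/4.7 acct-1001 login 0
2000-02-01T08:00:05 10.0.0.5 Mozilla/4.7 acct-1001 withdraw 120
2000-02-01T08:01:00 192.0.2.10 AggregatorBot/1.0 acct-1001 login 0
2000-02-01T08:01:03 192.0.2.10 AggregatorBot/1.0 acct-1001 view_statement 0
this line is malformed and should be skipped
2000-02-01T08:02:00 192.0.2.11 AggregatorBot/1.0 acct-1002 login 0
2000-02-01T08:02:02 192.0.2.11 AggregatorBot/1.0 acct-1002 view_statement 0
2000-02-01T09:00:00 10.0.0.9 Mozilla/4.7 acct-1003 login 0
2000-02-01T09:00:30 10.0.0.9 Mozilla/4.7 acct-1003 withdraw 90
2000-02-01T09:01:00 10.0.0.9 Mozilla/4.7 acct-1003 withdraw 110
2000-02-01T10:00:00 192.0.2.10 AggregatorBot/1.0 acct-1003 login 0
2000-02-01T10:00:05 192.0.2.10 AggregatorBot/1.0 acct-1003 withdraw 5000
2000-02-01T11:00:00 10.0.0.5 Mozilla/4.7 acct-1001 withdraw 900
"""

# Hypothetical aggregator identification data a bank would maintain from its
# own observations: source-address prefix -> label shown to the customer.
KNOWN_AGGREGATORS = {
    "192.0.2.": "aggregator-a.example",
    "198.51.100.": "aggregator-b.example",
}
# User-Agent tokens that mark an aggregator even from an unlisted address.
KNOWN_AGGREGATOR_AGENTS = ("AggregatorBot",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log text into a list of request records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, agent, account, action, amount = m.groups()
        records.append({"ts": ts, "ip": ip, "agent": agent,
                        "account": account, "action": action,
                        "amount": int(amount)})
    return records


def aggregator_label(rec):
    """Return the aggregator name for a request, or None for direct customer use."""
    for prefix, label in KNOWN_AGGREGATORS.items():
        if rec["ip"].startswith(prefix):
            return label
    if any(tok in rec["agent"] for tok in KNOWN_AGGREGATOR_AGENTS):
        return "unknown aggregator (" + rec["agent"] + ")"
    return None


def aggregator_share(records):
    """Item 8: fraction of all requests that come from aggregators."""
    if not records:
        return 0.0
    return sum(1 for r in records if aggregator_label(r)) / len(records)


def scraped_accounts(records):
    """Item 6: map each scraped account to the set of aggregators pulling its data."""
    scraped = defaultdict(set)
    for r in records:
        label = aggregator_label(r)
        if label:
            scraped[r["account"]].add(label)
    return dict(scraped)


def customer_notice(account, labels):
    """Item 6: text of the periodic notice telling the customer who is scraping them."""
    return ("Notice for %s: your account data is being retrieved by %s."
            % (account, ", ".join(sorted(labels))))


def unusual_withdrawals(records, multiplier=3):
    """Item 6: flag withdrawals on scraped accounts for confirmation.

    A withdrawal is flagged if it is initiated inside an aggregator session,
    or if it exceeds `multiplier` times the largest withdrawal the customer
    made directly before it. Returns (account, amount, reason) tuples.
    """
    scraped = scraped_accounts(records)
    baseline = defaultdict(list)   # account -> customer-initiated withdrawals seen so far
    flags = []
    for r in records:
        if r["action"] != "withdraw":
            continue
        acct, via_aggregator = r["account"], aggregator_label(r) is not None
        if acct in scraped:
            if via_aggregator:
                flags.append((acct, r["amount"], "withdrawal via aggregator session"))
            elif baseline[acct] and r["amount"] > multiplier * max(baseline[acct]):
                flags.append((acct, r["amount"], "exceeds customer baseline"))
        if not via_aggregator:
            baseline[acct].append(r["amount"])
    return flags


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("aggregator share of traffic: %.0f%%" % (100 * aggregator_share(recs)))
    for acct, labels in sorted(scraped_accounts(recs).items()):
        print(customer_notice(acct, labels))
    for acct, amount, reason in unusual_withdrawals(recs):
        print("HOLD for confirmation: %s withdrawal of %d (%s)" % (acct, amount, reason))
```

The baseline is deliberately built only from customer-initiated withdrawals, so a large withdrawal made through an aggregator session can never raise the threshold for later ones; in production the address list and the multiplier would come from the bank’s own traffic history rather than the constants above.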

While other statement aggregators pitch their services as one safe place to view email, bills, travel accounts, and so on, eBalance [1] appears to be aimed squarely at banks. Its tag line is “the best way to manage money” and the home page touts “automatic account balancing and consolidation.” Finally, its privacy statement discusses optional BILL PAYMENT and CREDIT BUREAU ordering.

Statement aggregation is inevitable. Don’t waste energy and resources fighting it. Use it as a catalyst to improve the services at your own Web site. Your customers want to bank with you online, but you must offer a complete package. And we think statement aggregation will soon be a must-have Net banking feature.

[1] eBalance is not talking openly to the press right now, but if you sign the NDA you can get an online demo from the company. Contact: Roger Bertman, Chairman; Myles Suer, CEO, (925) 904-2000.
