Yodlee Opens Up on Bank Feeds: Interview

  • Screen scraping just as accurate as bank feeds
  • Yodlee audited for security by top 20 US banks and federal government
  • All Australian banks will accept Yodlee methods within three years

In the heated debate about bank feeds for cloud accounting programs, one voice has been noticeably absent. Yodlee is one of the biggest financial data aggregators in the world and the supplier of bank feeds to cloud accounting programs Xero, Saasu and the soon-to-be-released Reckon One.

Yodlee’s software company customers have signed non-disclosure agreements which forbid them from discussing Yodlee’s technology. As a result, Xero and others have been unable to effectively counter accusations that bank feeds supplied by Yodlee are insecure or inaccurate. Rival BankLink in particular has criticised screen scraping, in which Yodlee creates a bank feed by copying transactional information from a user’s online banking screen.

Last week Yodlee’s chief strategy and development officer, Joe Polverari, visited Sydney on a trip to meet clients. BoxFreeIT interviewed Polverari about Yodlee’s technology, security, screen scraping and its plans in Australia. Below is an edited transcript of the conversation.

 

BoxFreeIT: Some Australian banks say that Yodlee users are breaching terms and conditions by handing over credentials. What’s your take?

Yodlee: For us it’s a question of understanding and education. We are relatively new in the market, even though we have large customers like the ANZ Bank. In our home market we are powering most of the digital experiences for most of the largest banks. And we’re doing that with a data utility that is unique in the industry, that is highly secure, that is regulated by our federal government and is audited by each and every one of our customers.

Is this something people are comfortable with in our market? Absolutely. This is the way things are done in Australia and New Zealand? Not yet, but they will be comfortable because I’ve seen it happen again and again in Canada, in Mexico, in the UK and it will happen in Australia.

 

BoxFreeIT: Where do you stand on direct bank feeds versus screen scraping?

Yodlee: The conversation is about data feeds or data acquisition, which is screen scraping or HTML data gathering. We take 85 percent of our data on a volume basis from most of the biggest financial institutions in the world and give it to 50 million end users on a data fed basis, not screen scraping.

 

BoxFreeIT: Is that 85 percent in Australia as well?

Yodlee: No, that’s outside Australia. That 15 percent is what we call the long tail. The ANZ Bank is one data source, but it has multiple account types and we cover all those as well. We have over 10,000 data sources in over 100,000 account types, all represented in our data utility, 85 percent of which on a volume basis get delivered through feeds.

 

BoxFreeIT: So Australia sounds like the land of the long tail – most of Yodlee’s transactions here are gathered through screen scraping. Are you working to change that?

Yodlee: Yes it is, and yes absolutely. And the way the Yodlee model works is that as we scale up volume in a region we certainly have outreach into the financial institutions or they have to us where we both agree that it’s better to have a data feed.

The other thing to keep in mind is that this is entirely a consumer permission or business permission model. We don’t do anything around data until the ‘owner’ of that data says ‘Please go do this’. So really Yodlee is a bunch of users who own accounts, wanting to come up with a more automated way of seeing and using those accounts for their benefit.

 

BoxFreeIT: What percentage of feeds in Australia are direct?

Yodlee: We don’t publish that information. We do have feeds in Australia and we do do more screen scraping in Australia than feeds.

BoxFreeIT: You say you aren’t known to consumers here. But don’t you have to convince the banks? Because the banks are saying they might not pay out if your account is defrauded because you shared the password.

Yodlee: That is competitively motivated by risk guys that don’t understand technology, to be totally honest with you. And to give you an idea of our technology, we are more secure from a digital perspective than any online bank out there. I’ll tell you why.

Our very first customer was Citibank. Our second customer was Bank of America. Our third was Chase. We went through the top 10 US banks accumulating users and technology, and every single one of those banks runs you through an audit process and a security process that is exhaustive.

When you go to Citibank they say great, you will do security our way. Then you go to Bank of America and they say, we don’t care what Citibank does, you’re going to do it our way. And so on.

Then the US federal government comes in because we are considered a tier one tech provider to the financial services space. That means that if something bad happens to us there’s a risk to the integrity of the entire financial system because we have so much data in there.

And so they say we’re going to supervise you too and we have our own audit processes and own security procedures.

After you’ve done that for 12 or 13 years for all of those fairly heavyweight organisations, you’re pretty airtight. Now the discussion at least in the US is never around security. To the contrary, we have made so many innovations in security that some of the banks have rolled them out internally.

It’s easy to gloss over (screen scraping) and say it seems insecure without truly understanding what the technology is and how it works and who it’s been vetted by. We’ve not had an incident in 13 years.

 

BoxFreeIT: But the bank says it won’t pay out on the account if there’s fraud.

Yodlee: That’s what they said in the US back in 2000 but they gave up on that because they didn’t want to cross their customers. And they knew that we were more secure than they were at that point.

They said it in the UK but they don’t say it any more. Some people say it in Australia – not all. Soon none will say it. Soon could be one to three years, who knows.

BoxFreeIT: What’s the tipping point?

Yodlee: It’s usage. It’s consumers and businesses who want to access their data in different ways to do different things. And the smarter banks in particular are the ones that say I do have to open it up because otherwise they’re going to go somewhere where people do have it.

From a policy and terms perspective, go ask a lawyer locally here if a provision like that – if you disclose your credentials we will not stand behind your account if there’s a fraud – go ask them if that’s void as against public policy, go ask them if it’s enforceable, go ask them if at the end of the day they really think a bank would even commercially try to do that.

That is very difficult from a customer relationship point to put yourself in, especially when it’s not unlikely you’re an offerer of the very sort of service you’re saying breaches your terms.

BoxFreeIT: So the risk guy’s not talking to the tech guy at the bank?

Yodlee: I think it’s not being carefully considered, and well thought through in a majority of banks where we have not been in the market for a few years. There’s a big educational process.

Let’s talk about our technology. Users input their credentials and we never actually see it. And people like Xero never actually see it. They enter it into an interface and when they hit send it gets encrypted and separated from that point. It’s hashed all the way back through the hardware. It’s not just software encryption, it’s all the way down into the boxes themselves.

We store you as a user with a Yodlee ID. You have a password and a credential that is hashed and exists somewhere else and is matched to your user ID, and then your transaction and financial data they sit somewhere else encrypted all the way through to the hardware.

We don’t know where you are in those four instances, but when someone like Xero delivers a service that is specific to a user it all comes right back together only at the point it is presented to that user.

So then you have a philosophical question. Have I or have I not disclosed my credentials? Or have I disclosed only something that is an encrypted hash of someone’s credential as it exists in the Yodlee network? We have done everything possible from a user and a bank perspective.

 

BoxFreeIT: How much can you trust the feed that is coming through? Is it a replacement for the bank statement?

Yodlee: Properly implemented it absolutely is a replacement. Here’s the trick with banks. One is from a systems perspective. We’re taking a picture of the data in the bank’s database, recording and distributing it back and we just do it a lot so it’s always fresh and always current.

But we have never had an instance in the history of the company where the data we have brought back is not the data that was in the system of record.

Here’s where it gets a little complicated. Those systems of record in the bank are like a gigantic tangle of yarn under there because there are so many platforms and they all update themselves at different times. Some will do straight through processing with real-time transactions, some will not. Some will update as a system wide system of record only once a day.

And so we have to manage that across 13,500 data sources with multiple times more core systems to make sure that the data that’s in the account at the time it’s needed is the data that’s reflected in Yodlee at the time it’s needed. And we are good with that to a 99.8% accuracy, whether it’s data feed or screen scraping it makes no difference.

Where we have failings in that is when frankly a data feed doesn’t work right. We have had instances in the US where the bank has messed up the data feed. The bank is going back into their system and saying oh my G-d our system doesn’t have it in the right way.

Data is like a living, breathing thing. We haven’t had any material issue with folks saying the data is not reliable or that it’s inaccurate data because it’s really just a picture of what’s in there. The systems of record for our purpose are not perfect.

We have a lot of processing in our own system where we sort that out. We have 700 people in the company, and one third of them do nothing but process data to make sure it’s right. I think there’s a lot of misunderstanding about how this stuff works and how reliable it can be.

 

BoxFreeIT: There have been complaints about duplicate or missing transactions in Yodlee feeds. Some bookkeepers haven’t found out until months down the track that it was wrong. BankLink on the other hand is claiming that even if the bank is wrong it will be able to sort out the errors to 0.0001%.

Yodlee: I don’t believe it. Unless you were checking data every five minutes how could you possibly do that? We do more data and bigger data than any other company in the business and there are just certain fundamental failings that occur across a portfolio of data sources. I can’t imagine – unless they’re going into every bank physically, hourly, saying is the system of record correct? Is the system of record correct?

I’ll give you one example. Our data is so fresh and reliable that there is a major bank in the US, a top 20 bank with millions of online users and multiple systems – we actually are their system of record. We’ve been their system of record for four years. We didn’t even know it. They told us.

 

BoxFreeIT: People think the paper statement is the same as the bank feed but it’s not. And the paper statement is assumed to be more trustworthy than a bank feed.

Yodlee: It depends on the bank. I think you could find some corner cases where that might be true. But it’s not true for the larger banks and the more modern systems.

Some banks may not offer statements off the system of record. The statement of record, especially in today’s digital economy, changes wildly throughout the day. Every day. So it’s like hitting a moving target. To say one thing is more reliable than another you have to be careful because you may not have thought through what exactly that means in the digital world. It’s very sort of fragmented now.

 

BoxFreeIT: Although Xero has direct links with Australia’s biggest banks these only cover the mainstream business accounts. Xero still gets feeds from Yodlee for credit cards and other accounts at the Big Four banks, right?

Yodlee: Yes, then there’s all the sub-accounts. We have to because originally we were consumer facing.

The way we view this partnership, and we have been partners for a long time in Australia and New Zealand together, is that we have the best of breed data platform, these guys have the best of breed accounting technology, and together there’s a lot of mutual parties that have adverse interests that we are taking on together.

So it’s really a nice match. It’s great for our business and hopefully good for their business as well as they’re knocking off QuickBooks which is owned by Intuit who is our competitor. They are knocking out the other companies that compete.

Look at QuickBooks which has dominant market share in the US right now. Xero has a better product. We have better data. And we can help them move very fast. If they had to get data on their own from someone else it would take them literally years.

We’re going to help them innovate in a market that is very lucrative and is ripe for disruption. This time it will be at the expense of QuickBooks if we’re doing both of our jobs right. Better data plus better technology on the accounting side equals a better solution for accountants, bookkeepers and users equals a better market. That’s what’s happening, right?

 

BoxFreeIT: So are you introducing Xero to banks in the US?

Yodlee: We can’t comment on that. Right now we won’t, but these guys are doing great on their own. Even though we have the world’s greatest bank relationships inside the US.

Comments
10 Responses to “Yodlee Opens Up on Bank Feeds: Interview”
  1. Brilliant! Great to hear Yodlee’s perspective on this. Will be interested to see how this discussion continues to evolve.

    • Yes, it was a very interesting conversation. Yodlee’s point of view could be summarised as: “Are you f-king serious? We are SAFER than the banks.” Most unusual discovery: screen scraping is as accurate as bank feeds. According to Yodlee.

      Basically Yodlee is saying that the banks’ systems are causing all the problems.

      • Adding to that last comment – Yodlee appears to handle credit card feeds for the Big Four banks, despite Xero and Saasu having direct connections. So maybe it’s the systems of record for credit cards that are the weak point, and Yodlee is just reflecting it. Would be interesting to do a bake-off BankLink vs Yodlee!

  2. Sholto, as far as I know, credit cards have never been provided via direct bank feeds, always via Yodlee (please correct me if I’m wrong).

  3. Very interesting article. Always great to hear from the source with the amount of FUD being spread on this issue. I’m looking forward to the day this is a non issue with some sort of standard in place that makes the data easily accessible.

  4. Aren Shaw says:

    I find it interesting that they point out how secure they are, then mock the banks for following a code set down by ASIC (EFT Code of Conduct) which details how users are to store and hold their credentials. The Banks didn’t write that document, the Government did.
    From the banks’ perspective, if Yodlee is so safe, why do they ever have to worry about banks enforcing their rights in a fraud situation? It should be a non issue.
    And Yodlee have every right to establish their business, but who is taking the risk here, it is the Bank, not Yodlee who is faced with financial loss if its customers’ data is ever breached (Apple, Sony, FBI, have all said they wouldn’t be breached, and were), as they rightly point out, most Banks would not enforce this right on their customer as it would be a PR nightmare.
    This relationship would be so much more productive if Yodlee treated their suppliers with a little more respect and sought a reciprocal mutually beneficial relationship based on serving their customer, rather than threats about taking over the world.

    • Hi Aren thanks for the comment. I think Yodlee’s point is that the code is either out of date or not being applied incorrectly. Some Australian banks have raised concerns but not all. ANZ uses Yodlee itself, so clearly they don’t have any problems with it. Same goes for risk – some banks are assuming high levels of risk without examining the technology. At least, that’s Yodlee’s position.
      I’m sure Yodlee is lobbying the banks behind the scenes to review their positions…

      • Aren Shaw says:

        That’s fine Sholto, but if they’ve got a problem with the EFT code of conduct, they should be lobbying the Government, not the banks. I agree, however there is a risk free way to do this and that is by a Direct Feed, as this would not contain any Credential Type information pertaining to the client (it’s not stored on your bank statement)
        So instead of running an argument for the highest risk option, that could present a catastrophe in the unlikely event of a breach, maybe time needs to be invested with the Direct Links and going through the Front door.
        Banks should be more approachable and easy to deal with when it comes to establishing direct feeds also, they have to play their part.
        Both Banks and Software providers need to work closer to better service their clients and keep the risks minimised.
