Account Aggregation Services

02-CU-08 / April 2002

To: Federally Insured Credit Unions
Subject: Cybersecurity
Status: Active
Subj: Account Aggregation Services

As credit unions strive to meet the evolving needs of their members, many are considering adding account aggregation to their on-line service offerings. This letter provides answers to frequently asked questions related to account aggregation and provides additional reference sources that may be beneficial for credit unions considering account aggregation.

What is account aggregation?

Account aggregation is a service that “aggregates” information from a member’s various on-line relationships and presents it in a consolidated and centralized manner for review and inquiry. These on-line relationships can include, but are not limited to: credit union accounts, bank accounts, credit card accounts, brokerage accounts, electronic bill payment, shopping services, e-mail accounts, frequent flyer accounts, etc.

How does it work?

The member need only authenticate at the aggregator’s site to gain access to all of their on-line relationships. Members are initially required to provide the aggregation service with the same authentication information they would otherwise use to access their various on-line relationships such as: account number, password, PIN (personal identification number), etc. This information is stored and used to access the member’s various on-line accounts. Select information is pulled (or “scraped”) from these sites and delivered to the member in a consolidated format.

In approximately half of the cases, information is not “scraped” from third party sites, but rather obtained directly via direct data feeds between the aggregator and certain third parties.

How is the service provided?

Frequently, a third party service provider is utilized. The service is typically branded with the credit union’s name. In such cases, there is a contract between the credit union and the service provider. There is a separate contract between the credit union and the members who sign up for the service. The third party service provider usually hosts the service, but in some instances it can be hosted at the credit union site.

Why might a credit union decide to offer account aggregation services?

Credit unions may wish to accommodate those members who do not wish to commit to memory the web site addresses, numerous account numbers, passwords, and PINs for their ever-increasing number of on-line relationships. Some members may begin to view account aggregation as an integral part of their on-line experience.

What are some primary factors that should be considered when evaluating the appropriateness of offering account aggregation services?

Business Case Justification

In considering whether to utilize aggregation services, credit unions are encouraged to evaluate the needs of their members and the on-line strategy of the credit union. This process may include member surveys, focus groups, speaking with experts, inquiring as to other credit unions’ experiences, completing a cost/benefit analysis, etc. Credit unions are encouraged to review NCUA Letter to Credit Unions #97-CU-05, Interagency Statement on Retail OnLine PC Banking. Although this guidance addresses implementation of a PC Banking initiative, the risks and issues it addresses are applicable to individual products and services offered in such an environment.

Risk Assessment Results

Credit unions should complete a thorough risk assessment as part of their determination to offer account aggregation. This process includes identifying risks and threats, determining their likelihood, and selecting appropriate risk mitigation methodologies. Key considerations include security, privacy, and liability. The credit union’s risk education process can include a review of related regulatory guidance, review of industry guidance, review of news articles, discussions with its bonding company, discussions with legal counsel, discussions with consultants, attending conferences on the subject, and discussions with other credit unions. Credit unions are encouraged to review related guidance in NCUA Letter to Credit Unions #01-CU-11, Electronic Data Security Overview.

The credit union’s risk assessment process should recognize the importance of strong security controls over the members’ authentication information. Protection of this data is critical.

  • If the aggregator’s database that stores authentication data provided by the member is compromised, all of the members’ on-line account relationships are at risk. This exposes the credit union to the potential of financial losses due to fraudulent use of the information (at the credit union and other financial institutions), potential of extortion, and potential for legal action by the impacted members and financial institutions. Members could also face the risk of identity theft. Credit unions are encouraged to review related guidance in NCUA Letter to Credit Unions #01-CU-10, FFIEC Guidance on Authentication in an Electronic Banking Environment; NCUA Letter to Credit Unions #00-CU-02, Identity Theft Prevention; and NCUA Letter to Credit Unions #01-CU-09, Identity Theft & Pretext Calling.
  • Liability of the third party aggregation service providers is usually limited via contractual provisions with the credit union. Credit unions should assess the risk exposure they could face related to such occurrences and determine if they have adequate insurance coverage. Credit unions are encouraged to review related guidance in NCUA Letter to Credit Unions #01-CU-12, e-Commerce Insurance Considerations.

The Office of the Comptroller of the Currency (OCC) has issued pertinent guidance that discusses the risks and related control mechanisms that banks should consider when they offer aggregation services. These risks include: strategic, reputation, transaction, and compliance. The risks are similar for all financial institutions, including credit unions. I encourage you to review the guidance in OCC Bulletin 2001-12, Bank-Provided Account Aggregation Service, a copy of which is enclosed.

Service Provider Evaluation

Credit unions should complete a thorough evaluation of potential service providers. This evaluation would include the financial and operational abilities of the service provider to meet the credit union’s needs. Additional considerations include: contract provisions, audits, disaster recovery, and service provider insurance. Credit unions are encouraged to review related guidance in NCUA Letter to Credit Unions #00-CU-11, Risk Management of Outsourced Technology Services.

The referenced Letters to Credit Unions can be obtained via the Information Systems and Technology (IS&T) link found on the Reference Information page of NCUA’s website, www.ncua.gov.

If you have any questions or concerns, please contact your examiner, NCUA Regional Office or State Supervisory Authority.

Sincerely,

/S/

Dennis Dollar

Chairman