In the race for real-time data, are banks putting their customers in danger?

These days if you’re not real-time, you’re not squat. Website analytics, customer service, parcel tracking; all these and more have made the leap to real-time, and businesses making the most of this up-to-the-minute data are reaping the benefits.

You could quite convincingly make the argument that real-time is actually yesterday’s news. Services that algorithmically predict user behaviour (like Google Now) are becoming widespread, and last year’s inaugural LeWeb London conference had the lofty (although perhaps somewhat trite) theme of “Faster than real-time”. Despite real-time data being flavour of the month there is one notable and important holdout: banks.

There are certain elements of our cobbled-together financial system that operate in real-time, but it’s rather hit-and-miss. Card transactions at certain outlets will appear in your account instantly where some will not. Transfers between certain banks will happen straight away, others may take a few hours or days.

The reason for this hodgepodge is the ageing infrastructure relied on by our financial institutions. Many legacy systems are now chopped and changed to support functionality they were never intended to, and just the slightest nudge in the wrong direction can cause the whole house of cards to collapse.

NatWest’s infamous outage last year was triggered by IT staff attempting to update an internal system that batch-processed transactions overnight. An error in this software caused file corruption, and the problem snowballed from there. The software, CA-7, has been around since the 80s.

Not only do banks refuse to invest in modern upgrades to their infrastructure, they use the crutch of security to deny users and developers access to their data. Of the large UK banks, only two provide anything approaching a usable data API. The first, HSBC, charge heavily for access (I’ve heard quotes in the six-digit range for a year's access) and the second, Barclays, restrict access to selected partners.

The demand for structured, real-time financial data from individuals and small businesses is a fairly new one; a demand most banks have yet to comprehend, digest or even notice. Thankfully, we live in an enterprising, entrepreneurial age - and if banks won’t provide data feeds for their customers, someone else will! Enter Yodlee, a company offering banking data feeds for around 600 financial institutions around the world, and providing data to some 40 million end users.

Yodlee’s system has one fundamental flaw, however. As innovative a company as Yodlee may be, they are still left to polish the turd the banks have served them, and the majority of their data (in the UK, at least) is gathered by screen-scraping internet banking services. This is a process whereby their software logs in pretending to be you to retrieve data, and means in most cases to use their data feeds you must surrender your banking login credentials (and suffer frequent service outages when banks update their websites, causing Yodlee’s scrapers to break).

Ordinarily, handing over login details for any service is a big no-no; with banking, however, it carries an extra layer of danger - by surrendering your login details you may be waiving your right to liability cover should your money vanish. This uncertainty has led to one South African bank blocking Yodlee altogether, claiming the divulgence of login details to their scrapers “conflicts with the clear fraud awareness messaging supported by all banks.”

Unsurprisingly, Yodlee remain mum on this issue (although it’s worth noting their security record is spotless); however, many consumers and businesses refuse to use their services for this very reason.

Bank feeds have been a bone of contention in accounting software circles for years. To get to the bottom of the issue, I decided to directly approach the big banks to get their answer - if I hand over my login details to a third party, am I putting my money in danger by way of forfeiting my liability cover? The answers were not what you would call concrete.

After explaining my query exhaustively, HSBC, Barclays and the Co-Operative simply stopped responding to my emails. NatWest and Santander never responded in the first place. Perhaps the most telling answer came from Lloyds TSB:

“We’re unable to comment on the security of any third party software application or our Fraud procedure, sorry. However, we only recommend logging in directly through our site. This is not to say that a customer would not be covered if they choose to use a third party application and are a victim of fraud. In these circumstances, we’d ask that the customer contacts us directly and we’d look into this on a case by case scenario.”

Consumer group Which? don’t provide much clarity on the issue, simply saying: “Banks tend to discourage the use of aggregator websites that require you to disclose your username and password. Some claim use of these sites puts customers in breach of their terms and conditions, and could leave them liable for fraud on their account.”

These responses, from an industry which is famous for its aversion to uncertainty, are poor at best, and dangerous at worst. It would appear the only way to find the answer definitively would be to sign up to a Yodlee-powered service, defraud myself, and see how each bank dealt with the problem.

The blame for this quagmire lies solely at the feet of the banks. By allowing others to paper over the cracks in their service and failing to address the needs of their users they have put many individuals and small businesses in a situation where they may be forfeiting vital protection of their finances, and even worse - they may not even realise it.

Jon Norris is a freelance writer and Web Editor at online accountancy firm Crunch