I've used account aggregation at Schwab and First Republic Bank for several years now. I did wonder about the potential security risks, but rationalized that if the risks were significant then large banks and brokerages probably wouldn't involve themselves with the service, especially as it's likely there isn't much profit in it. Maybe I'm being too complacent about all of this.

From Investopedia
What is Account Aggregation?
How Account Aggregation Works
Account aggregation usually occurs only within a single financial institution. However, certain assets held outside a financial institution may be included if the account holder has agreed to that.
Many personal finance services offer customers the ability to aggregate data from all of their savings, checking, and brokerage accounts, as well as other financial assets across all the institutions with which they do business. These services usually require that users provide account-access information, such as a username and password, for each of the accounts that they wish to include in the aggregation. Using this information, the service "scrapes" or downloads account balances and other data from each account to include in the aggregation.
However, account aggregation software is often allowed only to access balance information and transaction records. And for security reasons, many aggregation services do not permit users to make transactions from within the service.
In addition to aggregating data from savings, checking, brokerage, and other financial accounts, some aggregation services and software—particularly those used by professional financial advisers on behalf of their clients—aggregate additional net-worth data, such as recent home-value estimates. Account aggregation platforms may also categorize cash inflows and outflows.
From "The Balance"
Account aggregation services only give the software permission to view your account balances and transactions, not make transactions. If you actually want to access your money or move it, you would need to sign in to each account's website.
Additionally, the software draws on many advanced security features. For example, if you are logging on from an unknown computer or device, additional authentication will likely be necessary.
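The quoted articles say aggregation software is "only" given permission to view balances and transactions. Whether that limit can be enforced depends on what the aggregator is holding: a shared password is all-or-nothing, while a delegated token can be limited to named scopes. The following is an added example, not code from the forum, from Investopedia or The Balance, or from any aggregator or brokerage; the `MockBrokerage` class, its scope names, the sample password and the balances are all constructed for illustration.

```python
"""Why a shared password cannot be scoped to 'view only', while a token can.

Added example (not from the forum post or the quoted articles). The
brokerage API, account data and credential values below are constructed.
"""
import hashlib
import hmac
import secrets

READ_ONLY = frozenset({"balances", "transactions"})
FULL_ACCESS = READ_ONLY | {"trade", "transfer"}


class MockBrokerage:
    """Tiny stand-in for a brokerage back end (constructed, not a real API)."""

    def __init__(self):
        # constructed owner password; stored hashed as a real back end would
        self._password_hash = hashlib.sha256(b"correct horse").hexdigest()
        self._tokens = {}  # token -> frozenset of granted scopes
        self.balance = 10_000.00  # constructed starting balance

    # --- mode 1: credential sharing (what a screen-scraping aggregator needs) ---
    def login(self, password):
        """A password is all-or-nothing: any holder gets every scope."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, self._password_hash):
            raise PermissionError("bad password")
        return FULL_ACCESS

    # --- mode 2: delegated, scoped access (OAuth-style token) ---
    def issue_token(self, password, scopes):
        """The owner authenticates once and mints a token limited to `scopes`."""
        granted = self.login(password)
        if not set(scopes) <= granted:
            raise ValueError("requested scope exceeds the owner's own rights")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = frozenset(scopes)
        return token

    def _authorize(self, credential, scope):
        """Tokens carry their own scope set; a password carries FULL_ACCESS."""
        if credential in self._tokens:
            allowed = self._tokens[credential]
        else:
            allowed = self.login(credential)
        if scope not in allowed:
            raise PermissionError(f"scope {scope!r} not granted")

    def get_balance(self, credential):
        self._authorize(credential, "balances")
        return self.balance

    def transfer_out(self, credential, amount):
        self._authorize(credential, "transfer")
        self.balance -= amount
        return self.balance


def simulate_leak():
    """Compare a leaked read-only token with a leaked password.

    Returns a dict describing what each credential allowed.
    """
    bank = MockBrokerage()
    token = bank.issue_token("correct horse", READ_ONLY)
    results = {}
    # the aggregator's legitimate job works with the read-only token
    results["token_balance"] = bank.get_balance(token)
    # a leaked read-only token cannot move money
    try:
        bank.transfer_out(token, 5_000.00)
        results["token_transfer"] = "allowed"
    except PermissionError:
        results["token_transfer"] = "denied"
    # a leaked password moves money just as the owner could
    bank.transfer_out("correct horse", 5_000.00)
    results["password_transfer"] = "allowed"
    results["balance_after"] = bank.balance
    return results


if __name__ == "__main__":
    print(simulate_leak())
```

The point for the discussion in this thread: when an aggregator must be given the account password, the "view only" promise is a policy statement about the aggregator's behaviour, not something the brokerage can enforce; only a scoped token issued by the brokerage itself can make a leaked aggregator credential useless for transfers.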
© 2015 Mutual Fund Observer. All rights reserved.
Comments
Most brokerages provide account aggregation as a convenience. Look at the fine print on whether the broker's SIPC or excess insurance will cover you if account problems arise from a 3rd-party aggregator, and who would have the primary responsibility, broker or aggregator?
I would trust Schwab or PersCap for account aggregation far more than some fintech startup run by a bunch of idealistic and incompetent tech-bros. (*cough* youknowlikeFTX)
@rforno- Yes sir, that nicely summarizes my perspective also. However, since a heavy hitter like Yogi suggested caution in this area I thought that it would be a good idea to see what the general consensus might be. Thanks for your input.
I know Vanguard offers to track outside investments. But you have to manually enter the data.
I'm sure M* is doing something with the portfolio information I have entered over there. I know I am no longer being threatened with the end of that feature.
(Of course I could spend less time here on MFO and check each account individually, but what a drag, man.)
I have been tempted for years to use Yodlee or the aggregator (most also use Yodlee) at one of my four brokerages (don't ask!) but always shied away, as I could not be convinced that giving them my password was safe.
I have never been able to get them to demonstrate how they limit their ability to access anything other than balances and positions. Your passwords are still stored in their computers and how safe is that?
Every so often I would google "Yodlee hack" to see if any had occurred. Haven't done it recently.
When I asked my broker at Morgan Stanley how safe it is, he said he knew nothing about it and MS had no responsibility. I assume Schwab would say the same thing.
Quicken will download transactions from all brokerages, but the passwords are on your computer and not Quickens. I copy and paste them into the software temporarily just as an added safeguard.
I think this is safer than going through two third-party websites.
Only recently has Schwab required that users specifically certify that this Quicken downloading is acceptable. No one else requires this.
I have been unable to find out if this is due to a security breach, but it is a bit concerning.
Is this really a risk question, simplify as you get older to better and easier track your monies?
Best
Baseball fan
The second does not involve any direct contact with an aggregator. This situation occurs when we utilize a bank or brokerage which we deal with, and authorize them to initiate and maintain an information exchange with another financial entity- could be a mutual fund, a bank, or another brokerage, for example.
The bank or brokerage which we deal with then utilizes a financial aggregator to perform the data transfers between them and the other institutions that we authorize.
From what I'm seeing, none of this is guaranteed to be impervious to hacking, but the second method- institution-to-institution- is theoretically less susceptible to a hack than interacting with a financial aggregator directly via a user app. This is because a hacker would have to first breach the financial institution, and then follow that by also breaching the aggregator. It's presumed that this would not go unnoticed, and that intercepting security measures would prevent such a deep penetration of two separate financial institutions.
Well, maybe. Anyway, that seems to be the general story so far.
Again, I'm just trying to sort through all of this along with everyone else. The lack of transparency on the part of all players in this setup isn't helpful. The suggestion seems to be that if you have asked Schwab (for example) to aggregate your accounts, then that account information is somehow safer than if you regularly interact directly with the aggregator. Again, this is why I started this thread- maybe between all of us we can learn a bit more about the risk/benefit ratio involving aggregators.
Note that the account credentials you are providing (either to Schwab or Yodlee directly) are traversing the internet from your machine to Schwab and from Schwab to the aggregator. Yes it is encrypted and all that good stuff, but it can be hacked, including from bad apple insiders (this is how Capital One was hacked).
In a cloud-based world, hacking is a lot easier than in the pre-cloud world because of the distributed nature of all services. In the age of the internet, security and privacy are not realistically possible. Over the last 5-7 years at least 5+ of my accounts with large corporations have been hacked -- Target, Capital One, Home Depot, Experian, etc.
Hell, LastPass recently got hacked. In effect LastPass is the equivalent of an account aggregator, but much worse since it has a lot more confidential stuff than just financial accounts.
the broker may not reimburse you for these losses.
Fidelity Customer Protection Guarantee
"Also not covered is any activity by an employer/plan administrator, financial intermediary, or third-party who is authorized by you to access your data (or who received your data as a result of that access), or with whom you've shared or provided access to your username, password, or account number, or from malware or a breach of security that affects the systems of any of those parties."
I use KeePass (free, open-source) which stores credentials locally on my PC.
I think that my discomfort level about 3rd party aggregators rose significantly years ago when in addition to account# and password, they started asking for info on other forms of authentications - images (this system is getting old), authentication codes, etc.
As others have noted, there are risks in anything we do. But I decided that this risk from aggregators isn't worth it for me. I do use Portfolio services (old M* Portfolio - offline, new M* Investor, Stock Rover) but there too, I don't link my brokerage accounts and rely on manual update of transactions.
Do you manually enter each transaction? M* Portfolio still lets you download a file with positions and average price, although M* Investor still refuses to allow this.
Has anyone heard of any brokerage account hacks?
I always assumed that if you used Schwab's offer to use an aggregator, the credentials were at the aggregator, not at Schwab, and therefore protected only to the extent the aggregator protects them. Any hint of a data breach and their business would collapse, but still, who knows how good their security is?
Nor have I been able to document how they claim that they only get transactions and balances without being able to trade, move money etc. Once a hacker got your PW etc, they could do anything they wanted, obviously.
While I have not tracked it down yet, it would be interesting to compare Schwab policies with a full service broker like Morgan Stanley, where it is impossible to trade without a human being.
You would think your money is safer at Morgan Stanley, but getting access to an account illegally would still allow transfers out without a human involved. However, adding a new account requires two-factor authorization and trial deposits, just as it does at Schwab.
I doubt your broker monitors accounts so carefully that they would alert you to something unusual.
But neither Schwab nor Morgan Stanley will allow you to set alerts to notify you of all account activity; Schwab will send trade alerts, but not deposit, withdrawal alerts and MS only sends balance alerts. You get an email if there is a trade, but not what it is.
I assume (but I do not know) that since Schwab requires a manual sell order to raise cash, they would not transfer money out of the account without the sell order being placed (and maybe settled too?), if your cash balance is low. I don't think you would be notified of the trade until it occurred.
My bank and credit card text me every time there is any activity of $0.01 or more. If brokerages had this function, it would be added security that nothing could happen without your knowledge.
Of course, you might hear about the fake trial deposits and intervene in time, but you might not. And once the money leaves, being told about it a few seconds later would not stop it leaving. With the ease of money transfer today, your money would probably be in Nigeria before you opened the email or logged on to see what was happening.
In the past, when I asked about risks, a Personal Capital rep claimed that aggregating everything would increase security because you could see any new transactions immediately.
Does anyone have any experience with this?
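The posts above wish for alerts on every deposit, withdrawal and newly linked account rather than trade-only or balance-only notifications, and note that small trial deposits are the tell that an outbound link is being set up. The following is an added example of such alert rules run over a constructed activity feed; it is not from the forum and not any brokerage's system. The `Event` record, the feed, the severities and the 72-hour window are all assumptions made for the illustration.

```python
"""Customer-side activity alerts over a brokerage event feed.

Added example, not from the forum or from any broker. The event feed,
the rule set and the severity names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: str           # ISO 8601 timestamp
    kind: str         # "trade", "deposit", "withdrawal", "link_account"
    amount: float = 0.0
    dest: str = ""    # external account id for links/withdrawals (constructed)
    detail: str = ""


# Constructed sample feed: a normal trade, two micro-deposits used to verify
# an external account, the account being linked, then a large withdrawal to it.
SAMPLE_FEED = [
    Event("2023-01-05T09:00", "trade", 1900.00, "", "BUY VTI 10"),
    Event("2023-01-06T10:01", "deposit", 0.12, "EXT-0001", "ACH verification"),
    Event("2023-01-06T10:01", "deposit", 0.37, "EXT-0001", "ACH verification"),
    Event("2023-01-06T15:30", "link_account", 0.0, "EXT-0001", "external link"),
    Event("2023-01-07T08:45", "withdrawal", 9500.00, "EXT-0001", "ACH out"),
]


def alerts(events, micro_max=1.00, link_window_hours=72):
    """Return (severity, timestamp, message) for every event worth telling the owner about.

    Rules (all assumptions for this example):
      * trades: informational, as some brokers already send
      * deposits under `micro_max`: medium, since trial deposits precede a new link
      * a newly linked external account: high
      * any withdrawal: high; critical if the destination was linked within
        `link_window_hours`, the sequence an account takeover would produce
    """
    out = []
    linked_at = {}  # destination id -> datetime the link was created
    for e in events:
        t = datetime.fromisoformat(e.ts)
        if e.kind == "trade":
            out.append(("info", e.ts, f"trade: {e.detail} (${e.amount:,.2f})"))
        elif e.kind == "deposit" and e.amount < micro_max:
            out.append(("medium", e.ts, f"micro-deposit ${e.amount:.2f} from {e.dest}"))
        elif e.kind == "link_account":
            linked_at[e.dest] = t
            out.append(("high", e.ts, f"external account linked: {e.dest}"))
        elif e.kind == "withdrawal":
            severity = "high"
            when = linked_at.get(e.dest)
            if when is not None and (t - when).total_seconds() <= link_window_hours * 3600:
                severity = "critical"
            out.append((severity, e.ts, f"withdrawal ${e.amount:,.2f} to {e.dest}"))
    return out


def severities(events):
    """Convenience view: just the severity sequence for a feed."""
    return [a[0] for a in alerts(events)]


if __name__ == "__main__":
    for sev, ts, msg in alerts(SAMPLE_FEED):
        print(f"{ts} [{sev:8}] {msg}")
```

The value of the micro-deposit rule is timing: as the post notes, being told about a withdrawal seconds after it clears does not stop it, but the trial deposits and the link happen a day earlier, which is the only point at which an owner could still intervene.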
I imported all M* Portfolios into Stock Rover (SR). It is a bit tricky, but I have described details/steps elsewhere.
Old M* Portfolios are still active & may remain so in 2023. I don't plan to use the new M* Investor UNLESS M* adds some portfolio analytics - there is almost none now.
A good thing is that M* Portfolios automatically update for dividends (reinvestment or in cash). Unfortunately, this needs to be done manually at SR - somewhat tedious to do & keep up.
Both M* Investor & SR have linking option to brokerages to update positions, but I will not be using that.
What I am asking (as of all imagined harms) is how would this work? What would happen? What are the steps and the mechanism? And if a bad actor "gets into" Yodlee systems, then what? What are the consequences? Our login information gets revealed and ... we get robbed? Accounts depleted? What have the losses been? Has this kind of worst-case thing ever happened?
Note the mechanisms here and human involvements, for example:
https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline
Using stolen credentials the attacker can liquidate your portfolio and move money out of the brokerage account.
For example if your Robinhood account got hacked, an attacker can buy crypto and transfer it to their wallet within a matter of minutes.
From a social engineering hack angle, Yodlee is a very attractive target.
Yes, a hacker can compromise your credentials at a bank, broker, or Yodlee.
But Yodlee and other account aggregators are not required to view accounts or execute transactions.
Using account aggregators provides another opportunity for the "bad guys" to infiltrate your accounts.
If an investor incurs losses due to an account aggregator breach, these losses may not be reimbursed.
Not worth the additional risk in my opinion...