- Screen scraping just as accurate as bank feeds
- Yodlee audited for security by top 20 US banks and federal government
- All Australian banks will accept Yodlee methods within three years
In the heated debate about bank feeds for cloud accounting programs, one voice has been noticeably absent. Yodlee is one of the biggest financial data aggregators in the world and the supplier of bank feeds to cloud accounting programs Xero, Saasu and the soon-to-be-released Reckon One.
Yodlee's software company customers have signed non-disclosure agreements which forbade them from discussing Yodlee's technology. As a result, Xero and others have been unable to combat effectively accusations that bank feeds supplied by Yodlee were insecure or inaccurate. Rival BankLink in particular has criticised screen scraping, where Yodlee created a bank feed by copying transactional information from a user's online banking screen.
Last week Yodlee's chief strategy and development officer, Joe Polverari, visited Sydney on a trip to meet clients. Digital First interviewed Polverari about Yodlee's technology, security, screen scraping and its plans in Australia. Below is an edited transcript of the conversation.
Digital First: Some Australian banks say that Yodlee users are breaching terms and conditions by handing over credentials. What's your take?
Yodlee: For us it's a question of understanding and education. We are a relatively new in the market, even though we have large customers like the ANZ Bank. In our home market we are powering most of the digital experiences for most of the largest banks. And we're doing that with a data utility that is unique in the industry, that is highly secure, that is regulated by our federal government and is audited by each and every one of our customers.
Is this something people are comfortable with in our market? Absolutely, this is the way things are done in Australia and New Zealand? Not yet, but they will be comfortable because I've seen it happen again and again in Canada, in Mexico, in the UK and it will happen in Australia.
Digital First: Where do you stand on direct bank feeds versus screen scraping?
Yodlee: The conversation is about data feeds or data acquisition, which is screen scraping or html data gathering. We take 85 percent of our data on a volume basis from most of the biggest financial institutions in the world and give it to 50 million end users on a data fed basis, not screen scraping.
Digital First: Is that 85 percent in Australia as well?
Yodlee: No, that's outside in Australia. That 15 percent is what we call the long tail. The ANZ Bank is one data source, but it has multiple account types and we cover all those as well. We have over 10,000 data sources in over 100,000 account types, all represented in our data utility, 85 percent of which on a volume basis get delivered through feeds.
Digital First: So Australia sounds like the land of the long tail – most of Yodlee’s transactions here are gathered through screen scraping. Are you working to change that?
Yodlee: Yes it is, and yes absolutely. And the way the Yodlee model works is that as we scale up volume in a region we certainly have outreach into the financial institutions or they have to us where we both agree that it's better to have a data feed.
The other thing to keep in mind is that this is entirely a consumer permission or business permission model. We don't do anything around data until the ‘owner’ of that data says ‘Please go do this’. So really Yodlee is a bunch of users who own accounts, wanting to come up with a more automated way of seeing and using those accounts for their benefit.
Digital First: What percentage of feeds in Australia are direct?
Yodlee: We don't publish that information. We do have feeds in Australia and we do do more screen scraping in Australia than feeds.
Digital First: You say you aren’t known to consumers here. But don't you have to convince the banks? Because the banks are saying they might not pay out if your account is defrauded because you shared the password.
Yodlee: That is competitively motivated by risk guys that don't understand technology, to be totally honest with you. And to give you an idea of our technology, we are more secure from a digital perspective than any online bank out there. I'll tell you why.
Our very first customer was Citibank. Our second customer was Bank of America. Our third was Chase. We went through the top 10 US banks accumulating users and technology, and every single one of those banks runs you through an audit process and a security process that is exhaustive.
When you go to Citibank they say great, you will do security our way. Then you go to Bank of America and they say, we don't care what Citibank does, you're going to do it our way. And so on.
Then the US federal government comes in because we are considered a tier one tech provider to the financial services space. That means that if something bad happens to us there's a risk to the integrity of the entire financial system because we have so much data in there.
And so they say we're going to supervise you too and we have our own audit processes and own security procedures.
After you've done that for 12 or 13 years for all of those fairly heavyweight organisations, you're pretty airtight. Now the discussion at least in the US is never around security. To the contrary, we have made so many innovations in security that some of the banks have rolled them out internally.
It's easy to gloss over (screen scraping) and say it seems insecure without truly understanding what the technology is and how it works and who it's been vetted by. We've not had an incident in 13 years.
Digital First: But the bank says it won't pay out on the account if there’s fraud.
Yodlee: That's what they said in the US back in 2000 but they gave up on that because they didn't want to cross their customers. And they knew that we were more secure than they were at that point.
They said it in the UK but they don't say it any more. Some people say it in Australia – not all. Soon none will say it. Soon could be one to three years, who knows.
Digital First: What's the tipping point?
Yodlee: It's usage. It's consumers and businesses who want to access their data in different ways to do different things. And the smarter banks in particular are the ones that say I do have to open it up because otherwise they’re going to go somewhere where people do have it.
From a policy and terms perspective, go ask a lawyer locally here if a provision like that – if you disclose your credentials we will not stand behind your account if there's a fraud – go ask them if that's void as against public policy, go ask them if it's enforceable, go ask them if at the end of the day they really think a bank would even commercially try to do that.
That is very difficult from a customer relationship point to put yourself in, especially when it's not unlikely you're an offerer of the very sort of service you’re saying breaches your terms.
Digital First: So the risk guy’s not talking to the tech guy at the bank?
Yodlee: I think it's not being carefully considered, and well thought through in a majority of banks where we have not been in the market for a few years. There's a big educational process.
Let's talk about our technology. Users input their credentials and we never actually see it. And people like Xero never actually see it. They enter it into an interface and when they hit send it gets encrypted and separated from that point. It's hashed all the way back through the hardware. It's not just software encryption, it's all the way down into the boxes themselves.
We store you as a user with a Yodlee ID. You have a password and a credential that is hashed and exists somewhere else and is matched to your user ID, and then your transaction and financial data they sit somewhere else encrypted all the way through to the hardware.
We don't know where you are in those four instances, but when someone like Xero delivers a service that is specific to a user it all comes right back together only at the point it is presented to that user.
So then you have a philosophical question. Have I or have I not disclosed my credentials? Or have I disclosed only something that is an encrypted hash of someone's credential as it exists in the Yodlee network? We have done everything possible from a user and a bank perspective.
Digital First: How much can you trust the feed that is coming through? Is it a replacement for the bank statement?
Yodlee: Properly implemented it absolutely is a replacement. Here's the trick with banks. One is from a systems perspective. We're taking a picture of the data in the bank's database, recording and distributing it back and we just do it a lot so it's always fresh and always current.
But we have never had an instance in the history of the company where the data we have brought back is not the data that was in the system of record.
Here's where it gets a little complicated. Those systems of record in the bank are like a gigantic tangle of yarn under there because there are so many platforms and they all update themselves at different times. Some will do straight through processing with real-time transactions, some will not. Some will update as a system wide system of record only once a day.
And so we have to manage that across 13,500 data sources with multiple times more core systems to make sure that the data that's in the account at the time it's needed is the data that’s reflected in Yodlee at the time it's needed. And we are good with that to a 99.8% accuracy, whether it's data feed or screen scraping it makes no difference.
Where we have failings in that is when frankly a data feed doesn't work right. We have had instances in the US where the bank has messed up the data feed. The bank is going back into their system and saying oh my G-d our system doesn't have it in the right way.
Data is like a living, breathing thing. We haven't had any material issue with folks saying the data is not reliable or that it's inaccurate data because it’s really just a picture of what’s in there. The system of record for our purpose are not perfect.
We have a lot of processing in our own system where we sort that out. We have 700 people in the company, and one third of them do nothing but process data to make sure it's right. I think there’s a lot of misunderstanding about how this stuff works and how reliable it can be.
Digital First: There have been complaints about duplicate or missing transactions in Yodlee feeds. Some bookkeepers haven’t found out until months down the track that it was wrong. BankLink on the other hand is claiming that even if the bank is wrong it will be able to sort out the errors ot 0.0001%.
Yodlee: I don’t believe it. Unless you were checking data every five minutes how could you possibly do that? We do more data and bigger data than any other company in the business and there are just certain fundamental failings that occur across a portfolio of data sources. I can't imagine – unless they're going into every bank physically, hourly, saying is the system of record correct? Is the system of record correct?
I'll give you one example. Our data is so fresh and reliable that there is a major bank in the US, a top 20 bank with millions of online users and multiple systems – we actually are their system of record. We've been their system of record for four years. We didn't even know it. They told us.
Digital First: People think the paper statement is the same as the bank feed but it's not. And the paper statement is assumed to be more trustworthy than a bank feed.
Yodlee: It depends on the bank. I think you could find some corner cases where that might be true. But it’s not true for the larger banks and the more modern systems.
Some banks may not offer statements off the system of record. The statement of record, especially in today's digital economy, changes wildly throughout the day. Every day. So it's like hitting a moving target. To say one thing is more reliable than another you have to be careful because you may not have thought through what exactly that means in the digital world. It's very sort of fragmented now.
Digital First: Although Xero has direct links with Australia’s biggest banks these only cover the mainstream business accounts. Xero still gets feeds from Yodlee for credit cards and other accounts at the Big Four banks, right?
Yodlee: Yes, then there’s all the sub-accounts. We have to because originally we were consumer facing.
The way we view this partnership, and we have been partners for a long time in Australia and New Zealand together, is that we have the best of breed data platform, these guys have the best of breed accounting technology, and together there's a lot of mutual parties that have adverse interests that we are taking on together.
So it's a really a nice match. It's great for our business and hopefully good for their business as well as they're knocking off QuickBooks which is owned by Intuit who is our competitor. They are knocking out the other companies that compete.
Look at QuickBooks which has dominant market share in the US right now. Xero has a better product. We have better data. And we can help them move very fast. If they had to get data on their own from someone else it would take them literally years.
We're going to help them innovate in a market that is very lucrative and is ripe for disruption. This time it will be at the expense of QuickBooks if we're doing both of our jobs right. Better data plus better technology on the accounting side equals a better solution for accountants, bookkeepers and users equals a better market. That's what's happening, right?
Digital First: So are you introducing Xero to banks in the US?
Yodlee: We can't comment on that. Right now we won't, but these guys are doing great on their own. Even though we have the world's greatest bank relationships inside the US.