Illustration: Colin Daniel

Consumers who decided to try out the latest personal financial management tool, 22seven, may be left with no choice but to deactivate their internet banking profiles after having divulged their customer-select PINs (CSPs) and passwords.

To use 22seven you log in using your online banking credentials. This is to allow 22seven’s third-party service provider, a company called Yodlee, to access your financial records.

Yodlee is a US-based aggregator. (An aggregator is a website or computer software that aggregates a specific type of information from multiple online sources.) According to the company’s website, it has more than 11 years’ “banking experience and innovation” with “over 300 leading financial institutions and portals offering Yodlee-powered solutions to millions of consumers worldwide”.

The disclosure of online banking credentials to a third party is a breach of the terms and conditions applicable to online banking with all local banks.

Clive Pillay, the Ombudsman for Banking Services, says divulging your internet banking credentials “to an institution such as 22seven, or any other, clearly exposes one to enormous risks.

“If one did voluntarily divulge one’s log-on information to a third party, and one’s bank account was breached then it raises questions of where the compromise occurred, whose system is culpable, and how to apportion liability.

“I’m not sure that one could sign up with 22seven not fully understanding the risks, because service providers are obliged, in terms of prevailing consumer legislation, to ensure that a consumer fully understands the risks involved.”

Absa this week blocked Yodlee from accessing its clients’ records and warned clients who signed up for the service that should they become victims of internet banking fraud the bank will not necessarily accept liability.

Adrian Vermooten, the head of internet and mobile banking at Absa, said the bank was not questioning Yodlee’s security. Its concerns were about 22seven’s capacity to protect clients from phishing attacks.

Christo Vrey, the head of digital banking services at Absa, says that submitting sensitive personal details to a third party poses “a fundamental risk to customers’ security”.

Standard Bank, First National Bank (FNB) and Nedbank have also reacted unfavourably to 22seven.

Standard Bank clients who logged on to their internet banking profiles this week were greeted with the following message: “Your information security begins with you! Your log-on details (password and CSP) must be kept safe – don’t fall victim to fraud! Many websites offering financial management tools request you to provide your confidential internet banking log-on details. The security of these sites cannot be guaranteed. Be cautious of websites that request your log-on details as these may not be legitimate and could result in your security being compromised. Never enter or store your log-on details on any third-party websites or applications.”

Kershia Singh, a spokesperson for the bank, says Standard Bank does not support the disclosing of any log-on credentials to third parties and recommends that clients do not use websites that ask for log-on credentials as this puts their accounts at risk.

Lee-Anne van Zyl, the chief executive officer of online banking at FNB, says that while the bank has decided not to block 22seven, clients are being urged never to disclose their online banking log-on and password credentials.

“FNB will investigate each instance of online banking fraud, but the bank is unlikely to reimburse losses arising from customers who have given their log-on details to a third party.”

Van Zyl says the bank intends to educate clients on setting up a secondary profile with a different username and password to that of the primary profile, an option already available on FNB online banking. This secondary profile could be limited to read-only access.

Nedbank this week stressed that clients should be aware of the risks associated with disclosing personal credentials to third parties “on any service”.

Anton de Wet, the managing executive of personal banking at Nedbank, says clients should only use service providers that they trust.

Aggregators’ US experience

Christo Davel, the chief executive of 22seven, says the market precedent that played out in the United States when aggregators launched there strongly determined 22seven’s launch strategy. He summarises it as follows:

* The US banks’ initial responses (around 1999) varied from threatening litigation to ignoring the first aggregators.

* First Union, the bank that wanted to litigate, withdrew litigation within three months.

* First Union soon offered aggregation in partnership with Yodlee.

* The stated objections of the US banks were based on security fears at that time.

* The US banks improved security measures and communicated with their customers soon after the arrival of the first independent aggregators. Equally, 22seven rates South African banks’ online security measures and controls as world-class – probably more advanced than their international counterparts.

* Currently, most US banks now have their customers’ data – always with the customer’s permission – aggregated by Yodlee. This is done either by intelligent “screen-scraping” or with direct data feeds (application programme interface or APIs).

* A number of US banks now offer personal financial management (PFM) tools as a service to their clients.

* Some US banks offer aggregation of their competitors’ customer data as a service to their own customers.

* The US banks have not abdicated their responsibility for security breaches.

Says Davel: “All this played out over the past decade. We assume that South African banking executives are aware of this. Some local banks are now working on PFM tools for their clients. How freely that will enable their customers to view data from their competitors, we don’t know.

“I’m not surprised some banks don’t like what we’re doing. I am surprised by the attempt to liken the security risk of our offering to that of fraudulent phishing scams. I will be very surprised if the banks maintain the same stance once their own PFM tools are in the market, and all the comparative facts and benefits are clear to consumers.

“Each one of us at 22seven has been using our service with our own personal banking and financial data. We feel confident that our partner, Yodlee, is indeed the best, and that our own data will never be compromised. We believe consumers have the right to choose what tools or services they use to improve their personal financial situation and predict that some will prefer unbiased, easy-to-use, third-party services.”

22seven founder hits back at the banks

22seven is the brainchild of Christo Davel, the founder of the defunct online bank 20Twenty. The personal financial management (PFM) tool is designed to help you gain mastery of your personal finances. It pulls together all your personal financial data – from your bond account, cheque account, credit card to store card accounts – and intelligently sorts it to give you a visual-rich, holistic view of your finances. Among other things, it enables you to examine your spending and set goals to save. You can’t transact or move money through 22seven.

This week, Davel hit back at the banks, saying he wouldn’t be intimidated. “The responses reflect the personalities of the various banks,” he says. Local banks were reacting the way banks in the US did when aggregators entered that market over a decade ago. (See “Aggregators’ US experience”.)

On its website, 22seven says data aggregation, although new to South Africa, has been used by millions of people around the world for some time. “Yodlee has been doing it for 13 years and has an impeccable track record.” The company’s clients include Barclays (Absa’s parent company), Bank of America and Citibank.

Taking umbrage at messaging by some banks that put 22seven in the same category as a phishing scam, Davel said: “We’re not some little start-up in a garage. We’re a team of veterans; we have blue-chip funders; we have the best technical partners; and we’ve collaborated with the smartest behavioural scientist in the world.”

Duncan McLeod, the founder of information technology website TechCentral, says there is very little doubt that 22seven’s service, or that of Yodlee, is safe. “The real risk is violating your bank’s online banking terms and conditions.”

Davel agrees. “The danger is … that the banks will use this as an excuse to abdicate liability for any breach. I am confident they will address this issue very soon. Yodlee is in discussions with them. Their stance will have to change when they roll out their own Yodlee-backed PFM tools.”

He says the position taken by FNB is early evidence that the more innovative banks will find a way forward to enable customers to access and view their personal online information any way they wish, as is the global norm.

Davel has come under fire from technology experts and commentators online for launching the service without engaging the banks.

“I’m the guy who started 20Twenty and now I’ve developed a tool to help people get out of debt. What do you think they would have said? I’ve been on the inside of big financial institutions. If you look at the Competition Commission’s inquiry into banking in 2008, I’m surprised that nothing more came of that. These are large institutions, big machines. Entrepreneurs who go to them with smart ideas get copied or blocked. That’s been my experience.”

When asked if he would be reporting Absa to the Competition Commission for anti-competitive behaviour – for effectively preventing Absa clients from accessing his service – Davel said he would rather spend his energies on developing the business.

There are benefits and disadvantages to being “the first mover in this space”.

“People will have to go through an education process. In 2001, when we launched 20Twenty, we had to convince people that online banking was safe. Now there are about six million people in this country banking comfortably online. The same applies to aggregation.”

22seven client Shawn Roos says the tool is unlike anything available in South Africa. “Tools like moneysmart, which I’ve used, aren’t real-time or intelligent. They don’t allow me to log in and see where I’m at, which is a massive minus. 22seven is sexier in terms of design and functionality.

“Yes, technically, my information may be at risk, but technically I’m at risk of dying every time I fly, yet I do it all the time.”

Roos, who is a director of Cape Town-based digital relationship agency knnktr, says he thinks the banks’ reaction to 22seven exposes a mentality.

“The banking fraternity is making out like 22seven is doing something dodgy here. Yodlee has a track record better than any South African bank.

“Why aren’t the banks developing applications to allow third parties to empower consumers with information that helps them understand how they are managing their money? It’s because they don’t embrace the idea of accessibility. They lock clients into their ecosystem – and that mentality is being exposed here.”

Beware of the fine print

Clauses 15 and 16 of 22seven’s terms of service state that 22seven will not be liable if the information provided to you is inaccurate, unreliable or incomplete, or even contains viruses. Clause 17 reads: “You indemnify us… against all third party claims, liability, damages, expenses and costs… caused by … use of the service, the website (sic) … infringement by any other user of your account, or the infringement of any intellectual property or other right of anyone.”

Trudie Broekmann, a director at Gunstons Attorneys, says 22seven is breaching the Consumer Protection Act No. 61 of 2008, which applies to the provision of goods (including data) and services, as well as terms of service, even if users are not paid subscribers to 22seven, since the Act considers the information supplied to 22seven by its users as payment.

“The Act prohibits indemnities, such as the one in clause 17, unless they are fair, reasonable and just to consumers. It is not fair to expect a user to pay up if 22seven infringes someone else’s rights or gets sued. Consequently, the indemnity is void. The Act also requires it to be specifically drawn to the attention of consumers and they must sign next to it. This cannot happen with an electronic version.”