ING Direct's customers now have one more hoop to jump through to use a personal financial management site. ING isn't apologizing for the inconvenience, and perhaps counterintuitively, PFM providers see no reason ING should.
Customers of the U.S. unit of ING Group NV, a prominent Dutch financial-services conglomerate, can no longer provide their passwords to third-party PFM sites. Instead, ING Direct is requiring its users to type a special code that grants access only to transaction data. If hackers steal that code, they cannot use it to move money out of a user's account.
When PFM providers debuted, giving consumers a way to view spending data from multiple banks in one place, many questioned how such businesses could succeed given the security risk consumers take in sharing their passwords. It soon became clear that a large enough group of consumers was comfortable with the security trade-off. Today, many banks have begun hosting PFM tools on their own sites to meet the demand.
But just because consumers were comfortable with the process doesn't mean consumers were safe. Rudder Inc., for example, in 2009 broadcast some users' transaction data over email to people who were not authorized to access those accounts. The company failed last year.
"We feel it is best practices not to share your credentials with a third party," said Rudy Wolfs, the chief information officer and chief marketing officer for ING Direct. "Customers can choose to share access to this information with the appropriate trusted organization in read-only [format] and avoid any form of fraudulent transaction."
No other bank has required this extra level of verification before, experts said. The security benefits are significant, they said, even though most PFM providers don't allow customers to transact.
"ING is creating a separate credential for aggregation," said Madhavi Mantha, head of banking research at Novarica, a Novantas LLC subsidiary. "You are not putting your personal credentials for online banking out in public, and this makes sense."
Though the process of obtaining the code is a one-time operation, ING said it will urge customers to update their codes periodically. The change went live on May 25.
"One benefit could be that there will be a direct data pass from the ING account straight to the third party with the security code," said Jacob Jegher, a senior analyst at Celent. He said ING's new process might nevertheless be burdensome for PFM users.
Typically, PFM providers and account aggregators gain access to customer accounts by asking for passwords and usernames as well as answers to security questions.
ING customers will hand over only their username and the new code they obtain from within ING Direct's online banking site. Wolfs said ING had been working with the top account aggregators and top PFM sites to ensure the new process works seamlessly.
"It fits what [ING Direct is] doing and what they know their customers are doing elsewhere," said Cathy Graeber, founder of the consulting firm Swimming Upstream.
Many of the top PFM providers said they favored the changes.
"We've been working closely with a number of customers to help design and implement new security protocols," said Peter Hazlehurst, the chief product officer for Yodlee Inc. of Redwood City, Calif., in an email. "This is great for certified vendors like Yodlee."
Aaron Patzer, founder of Intuit Inc.'s Mint.com, said in an interview, "It makes aggregating your information on Mint.com much easier." Patzer said previously that only 20% to 30% of ING account holders added their accounts, because the process was too burdensome. The secure code, he predicted, would increase sign-up rates for ING's account holders.
Jaidev Shergill, the chief executive of Bundle Corp. of New York, said the access code would also circumvent the problems many customers encounter when a bank makes unannounced changes to its website. Such changes frequently shut down access for the account aggregators, particularly those that depend on screen scraping.
Some industry observers said ING's security access code could be used to track which customers use PFM. "ING could use this information to simply assess the demand they have among their customer base for PFM," said Ron Shevlin, a senior analyst at Aite Group LLC of Boston.
Shevlin said that ING may want to keep tabs on PFM providers that gather spending information to help cross-sell products from competitors.