With the entry into force of PSD2 across the European Union and the introduction of AISPs (Account Information Service Providers), bank account aggregation is about to go from a niche technology to widespread use.
Because of this, we decided to shed a little light on how it works and explain what goes on under the hood when a company uses this technology to extract data from a bank account.
What is account aggregation?
Account aggregation is the process by which an interested party gathers financial information from one or more bank accounts, collects it in one place, and makes it available to other systems.
The data can be output in various formats, such as JSON arrays which are readable and usable by other applications, or in spreadsheets which can be used for manual analysis, accounting, and other tasks.
The technology has many applications, such as risk-oriented credit analysis, financial scoring, or making accounting easier for businesses by gathering data from all their accounts in a single location.
How does account aggregation work?
The data contained in a bank account is private and belongs to the account's owner, but there are scenarios in which the owner wants to make it accessible to a third party in order to receive certain goods or services. A common use case is a risk analysis performed when a person requests a loan from a credit institution.
In the legacy model, the account holder hands the access credentials of their online banking platform to the third party, who then logs in to the account and obtains the information it needs to provide the service. Note what this implies: the third party holds credentials that grant the same access the owner has, not just read access to the data it needs, which is one of the reasons PSD2 moves this access to dedicated, authorized channels (see below).
The information is accessed using the API of the bank where the account is located. Banking APIs use a specific nomenclature for requests so third parties can access different kinds of information depending on their specific needs.
Some commonly used data categories are the balance of the account, a list of movements within a specific period of time, or the data of the owner of the account.
The request names the bank to be read ("bank_id") and carries a user and password; in a real read these would be the online banking credentials of the person whose data is to be analyzed.
Having received valid credentials, the bank authorizes the request and returns the information requested in the call to the application.
A request of this kind returns the following data:
- The account owner’s name (“account_owner”)
- The account’s IBAN code (“iban”)
- The bank cards associated with the account (“cards”)
- The bank loans associated with the account (“loans”)
- A list of all movements (“statements”) between 1/1/2018 (“start_date”) and 25/10/2018 (“end_date”)
In most cases, the bank's response is structured data (typically JSON) rather than a finished report, and the receiver is responsible for validating and formatting it before it can be processed and integrated into their business processes.
Depending on the purpose of the data, it receives a different treatment that suits the company's specific use case:
- Pure data output in JSON format, readable by applications and easy to integrate into the business processes of a company.
- Export in one of several formats (PDF or CSV, for example), some of which are useful for integration into other processes or analysis systems.
- Rendering the data in a visual interface for viewing, such as an analytics dashboard.
What are the uses of account aggregation?
The information obtained by reading a person's bank account can be very useful. Companies can use it to remove many uncertainties from their decision-making processes and apply it to all sorts of use cases.
With the sample reading shown above, a company could perform a credit risk analysis of the account owner and decide whether or not to grant them a loan based on their financial health. What is the average balance of the account? How much income does the account owner have, and how much do they spend? Does the account owner have significant debts? Are there observable risk factors, such as spending on gambling or numerous or unusually high credit card bills?
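The response handling described above and the risk questions this paragraph asks, as an added worked example in Python (this is not the article's code, nor any bank's or AISP's). The response body is a constructed sample that uses only the field names the article lists; the per-statement fields `date`, `amount` (signed, negative for debits), `balance` and `description`, the loan field `outstanding` and the gambling keyword list are assumptions for the illustration. The point a practitioner wants is the validation step: check required fields, run the IBAN mod-97 check and confirm every statement falls inside the requested window before anything downstream trusts the data, and only then derive the aggregates and the CSV export.

```python
import csv
import io
import json
import re
from datetime import date
from decimal import Decimal

# Constructed sample of an aggregation response. Not any bank's real format;
# the top-level field names follow the ones the article lists, the rest are
# assumptions for this example.
SAMPLE_RESPONSE = json.dumps({
    "account_owner": "Jane Doe",
    "iban": "ES9121000418450200051332",
    "cards": [{"type": "credit", "last4": "1234"}],
    "loans": [{"type": "personal", "outstanding": "4500.00"}],
    "start_date": "2018-01-01",
    "end_date": "2018-10-25",
    "statements": [
        {"date": "2018-01-05", "amount": "1500.00", "balance": "2100.00", "description": "Payroll ACME"},
        {"date": "2018-01-10", "amount": "-800.00", "balance": "1300.00", "description": "Rent January"},
        {"date": "2018-01-20", "amount": "-120.00", "balance": "1180.00", "description": "BETSTAR ONLINE CASINO"},
        {"date": "2018-02-05", "amount": "1500.00", "balance": "2680.00", "description": "Payroll ACME"},
        {"date": "2018-02-12", "amount": "-300.00", "balance": "2380.00", "description": "CARD BILL VISA"},
    ],
})

REQUIRED = ("account_owner", "iban", "cards", "loans", "start_date", "end_date", "statements")
# Deliberately crude keyword classifier (assumption); "bet" also matches "alphabet".
GAMBLING = re.compile(r"casino|bet|poker|lottery", re.IGNORECASE)


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35 and require the resulting integer to be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def parse_response(raw: str) -> dict:
    """Validate the bank's JSON before anything downstream trusts it."""
    data = json.loads(raw)
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise ValueError(f"response missing fields: {missing}")
    if not iban_is_valid(data["iban"]):
        raise ValueError("IBAN fails mod-97 check")
    start, end = date.fromisoformat(data["start_date"]), date.fromisoformat(data["end_date"])
    statements = []
    for row in data["statements"]:
        when = date.fromisoformat(row["date"])
        if not start <= when <= end:
            raise ValueError(f"statement {when} outside requested window")
        statements.append({
            "date": when,
            "amount": Decimal(row["amount"]),     # Decimal, never float, for money
            "balance": Decimal(row["balance"]),
            "description": str(row["description"]),
        })
    data["statements"] = sorted(statements, key=lambda r: r["date"])
    data["loans"] = [{**loan, "outstanding": Decimal(loan["outstanding"])} for loan in data["loans"]]
    return data


def risk_summary(account: dict) -> dict:
    """The questions from the article, answered from the parsed statements."""
    rows = account["statements"]
    credits = [r["amount"] for r in rows if r["amount"] > 0]
    debits = [-r["amount"] for r in rows if r["amount"] < 0]
    gambling = [-r["amount"] for r in rows if r["amount"] < 0 and GAMBLING.search(r["description"])]
    return {
        "average_balance": sum(r["balance"] for r in rows) / len(rows),
        "total_income": sum(credits),
        "total_spend": sum(debits),
        "outstanding_debt": sum(loan["outstanding"] for loan in account["loans"]),
        "gambling_spend": sum(gambling),
        "card_count": len(account["cards"]),
    }


def to_csv(account: dict) -> str:
    """Statement export, the second output format the article mentions."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["date", "amount", "balance", "description"])
    for r in account["statements"]:
        writer.writerow([r["date"].isoformat(), r["amount"], r["balance"], r["description"]])
    return out.getvalue()


if __name__ == "__main__":
    acct = parse_response(SAMPLE_RESPONSE)
    print(risk_summary(acct))
    print(to_csv(acct))
```

Run it directly to print the summary and the CSV. The window check matters more than it looks: a response carrying statements outside the consented period is either a bank-side bug or a sign the consent scope is not being honoured, and either way it should not be silently aggregated.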
Below, we list some potential applications of account aggregation technology:
- Credit risk analysis to evaluate loan requests: using account aggregation, the loan issuer can know if the requester is solvent and financially healthy.
- Consumption habits analysis: the historical transaction list gives insight into what a person spends money on, where, when, and more. This information can be used for marketing purposes and to create more personalized offers that speak to customers more directly.
- Bank account consolidation: a company’s accounting processes can be simplified significantly through account aggregation, as it allows all the company’s financial data to be consolidated into a single format and viewed in a single location.
- Personal finance apps: known as PFMs, or Personal Financial Managers, these apps use account aggregation to extract the user's financial data from their bank accounts and provide services such as automated savings, financial advice, personal spending analysis, etc.
- Financial management applications for businesses: BFMs, or Business Financial Management applications. They fulfil a similar function to PFMs, making the financial management of a business easier by collecting all relevant data and presenting it in a single place where it is easy to use and act upon.
Security and regulatory framework: PSD2
Account aggregation deals with private financial data of companies and individuals, so it is essential to guarantee the security of the information at all times to avoid it being used in a manner that is harmful for the interested parties.
Fortunately, PSD2 (the revised Payment Services Directive, applicable since January 2018) is strict on these matters and sets firm requirements to protect the user.
The objective of the directive is twofold: on the one hand, to liberalize the market for online payments and associated services, including obtaining financial information through account aggregation, and on the other, to regulate participation in this space and create standards that apply to all parties to ensure that the user is protected at all times.
In terms of security, this translates into the requirement that access to account data be protected by what is known as Strong Customer Authentication (SCA). SCA demands that the user prove at least two of three independent categories of authentication factor: something they know, such as a PIN code or password; something they possess, such as a mobile phone or hardware token; and something they are, such as a fingerprint or retinal scan. Independence is the key word: a password plus a PIN is still a single factor (both are knowledge), and the compromise of one factor must not give an attacker the other.
Together, these factors raise the bar for access to a service considerably and go a long way towards preventing fraud.
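What "two out of three independent factors" means in code, as an added example (not the article's code, nor that of any bank or provider): a demo user record with a PBKDF2-hashed password and PIN (both in the knowledge category) and a TOTP secret (possession, RFC 6238 over RFC 4226 HOTP, using the RFC's reference key so the codes can be checked against its published test vectors), and a check that counts distinct factor categories rather than factors presented. The user record, salt, iteration count and factor names are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo user record (assumption; not a real bank's user store).
_SALT = b"demo-salt-not-for-production"
_ROUNDS = 100_000


def _pbkdf2(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, _ROUNDS)


DEMO_USER = {
    "password_hash": _pbkdf2("correct horse battery staple"),
    "pin_hash": _pbkdf2("4321"),
    # RFC 6238 reference key "12345678901234567890", base32 as authenticator apps store it.
    "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
}

# Category of each factor a client may present. Two factors from the same
# category (password + PIN) count as one for SCA purposes.
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge", "totp": "possession"}


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1 + dynamic truncation) over the time step."""
    counter = int(at) // step
    mac = hmac.new(base64.b32decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_factor(name: str, value: str, at: int) -> bool:
    """Constant-time comparison for every factor; TOTP tolerates one step of clock drift."""
    if name == "password":
        return hmac.compare_digest(_pbkdf2(value), DEMO_USER["password_hash"])
    if name == "pin":
        return hmac.compare_digest(_pbkdf2(value), DEMO_USER["pin_hash"])
    if name == "totp":
        return any(
            hmac.compare_digest(totp(DEMO_USER["totp_secret"], at + drift * 30).encode(), value.encode())
            for drift in (-1, 0, 1)
        )
    return False


def strong_customer_auth(presented: dict, at: int = None) -> dict:
    """Return the independent categories that verified and whether SCA is satisfied."""
    at = int(time.time()) if at is None else at
    categories = set()
    for name, value in presented.items():
        if name in FACTOR_CATEGORY and verify_factor(name, value, at):
            categories.add(FACTOR_CATEGORY[name])
    return {"categories": sorted(categories), "sca": len(categories) >= 2}


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_USER["totp_secret"], now)
    print(strong_customer_auth({"password": "correct horse battery staple", "totp": code}, now))
    print(strong_customer_auth({"password": "correct horse battery staple", "pin": "4321"}, now))
```

The second call in the usage block fails SCA even though both secrets are correct, which is the point: the check is on categories, not on the number of things the user typed. A real deployment would also rate-limit attempts and reject a TOTP code that has already been accepted for that time step.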
At the same time, the organizations that provide these services are strictly controlled under PSD2. Until now, bank aggregation services existed in a kind of legal limbo: they were not illegal, but there was no standard regulation governing who could offer them and under what conditions, and the most common way to obtain data was screen scraping with the customer's own credentials.
Under PSD2, screen scraping is to be phased out in favor of access through a dedicated API exposed by the bank, which makes applications easier to maintain and safer, since the third party no longer needs to hold the customer's online banking password. To use these banking APIs, providers of these services will have to be authorized.
To this end, PSD2 introduces two new figures, Payment Initiation Service Providers, or PISPs, and Account Information Service Providers, or AISPs. This second figure, AISPs, is the one that applies to companies that offer account aggregation and bank reading services.
Since the directive entered into force, companies wishing to offer this type of service must obtain the relevant authorization (in the case of AISPs, registration) from their national competent authority. In Spain, the organization responsible for granting these licenses is the Bank of Spain.
Therefore, in addition to transforming the online payments ecosystem by enabling new types of products and services, PSD2 also significantly improves the security of users thanks to stricter regulation of providers.
In conclusion
The deadline for full implementation of PSD2 is September 2019. Most EU member states have already transposed PSD2 into their national legislation, and the European Banking Authority is currently solidifying the Regulatory Technical Standards that will govern access to bank data using account aggregation.
When that deadline arrives, all companies that wish to use or offer account aggregation services will need to be compliant.
With only a few months left to make the shift, taking the right steps now will be essential to avoiding another ‘GDPR Effect’.
But this process doesn’t have to be a headache. Rather, it should be viewed as an opportunity.
Now is the perfect time for many organizations to undertake the digital transformation of their operations.
Banking data can be a powerful tool, enabling better decision-making and full automation of many processes.
Companies that successfully integrate this new source of data into their operations will hold a big advantage over those that are still making decisions based on incomplete information.