PRIVACY AND CYBER CRIME INSTITUTE

Fraud and Privacy Violation Risks in the Financial Aggregation Industry

by Anastassios Gentzoglanis and Avner Levin

April 2014


Table of Contents

1. Introduction
2. Methodology
    2.1 Data and variables
3. The financial aggregation industry in Canada
    3.1. Historical developments and future trends
    3.2. Current trends in the Canadian aggregation industry
4. Technology and innovation
    4.1. Technology and innovation issues in financial aggregation industry
    4.2. Regulation of the financial aggregation industry: technology to the rescue of innovators
5. Conclusions and recommendations
References
Appendices
    Appendix 1: Comparisons between Quebec and Ontario
    Appendix 2: Principal investigator’s contact


1. Introduction

Financial aggregation is on the rise again. A growing number of new personal finance and non-finance sites combine many new technological features and ingenuity to provide account aggregation services and novel financial management tools to an ever-increasing number of individuals interested in completing their financial transactions and financial planning online.

Financial aggregators are financial service firms, mainly institutions, either banks or non-banks, which collect data online, group them together and present them to customers within a single application interface. Financial aggregation is an expanding industry south of the border and has already conquered foreign markets in Europe (UK), Asia (Japan and South Korea) and Canada. Mint and Yodlee, two very well-known financial aggregators catering so far to the American public, are expanding rapidly internationally. Although their international divisions are not yet fully fledged, the increasing competition makes them more alert and ready to deploy strategies which will strengthen their operations in Canada and elsewhere.

As a result of the increasing competition in this industry, chartered banks in Canada have already started offering aggregation services to their clients free of charge. For instance, RBC offers myFinance Tracker and Bank of Montreal has set up its BMO MoneyLogic, while Canada Post seems to be one of the first aggregators in Canada with its epost service [1]. These banking aggregation services are limited, though, to the banking accounts clients have with the same institution. Although these are indeed aggregation services, their scope is quite limited, and clients desiring a full gamut of aggregated services may use specialized institutions capable of bundling all accounts in one place. This is so because “genuine” financial aggregators are able, through the use of powerful software, to pick up the financial and non-financial transactions of an individual and present them in a single location. Other services, such as monitoring customers’ banking and investment transactions and credit accounts, are bundled together and typically offered by financial aggregators for a fee [2].

It goes without saying that this novel approach to aggregating and managing several aspects of an individual’s financial life online has significant advantages but also important disadvantages.

[1] Canada Post describes its aggregation service as a simple three-step procedure that simplifies the life of its customers. Customers first log in to create an account, then add bills and statements, and lastly manage their mail with epost.

[2] Not all financial aggregators offer the service for a fee. Many offer it free of charge. This may change in the future, but such policies may be justified either because the service/product is new, so its free offering may entice new customers to use the service, or because the offering firm needs to acquire more information about its clients’ habits in order to be able to offer a better service in the future for a fee. According to industry analysts, the year “2011 has been a banner year for account aggregation, but [the industry] is divided on how to price the service” (http://wealthmanagement.com/data-amp-tools/banner-year-account-aggregation-pricing-questions-remain).


On the one hand, this innovation is quite interesting and responds to ever-increasing needs of individuals who desire to group their financial and utility accounts. Dealing with all these accounts is not only tedious (remembering and frequently updating user names and passwords, responding to soliciting advertisement and surveys, etc.) but also time consuming. Individuals who monitor multiple accounts waste their time, i.e., they do it at the expense of leisure. Financial aggregation not only reduces search costs (costs of monitoring and tracking specific accounts) but also frees time of busy individuals who could make better use of it and increase their wellbeing.

On the other hand, financial aggregation may cause some inconveniences and even create serious problems. Security risk and violation of privacy may be the most serious ones. For instance, while a user is on a non-bank online personal finance site, his or her information is usually protected by a method known as single-factor authentication (simply using a username and password). It is well known that sites relying on single-factor authentication are more prone to phishing and fraud. Malware and other intrusive programs used by fraudsters may extract funds or perform other fraudulent activities under a user’s name while the latter is using financial aggregation services. Easy access to consumer banking data and bank fraud are thus serious concerns that arise from the particular technology nonbank financial aggregators use. Banks and other heavily regulated financial institutions normally use both a multifactor authentication method and aggressive consumer education with respect to security and privacy.

The growth of the Canadian financial aggregation industry depends on the success of these and other innovative financial services offered to the Canadian consumers. But the questions related to privacy and the issues of identity theft, fraud and misuse may hamper its growth potential. Further, the ever increasing use of cloud computing and storage by financial aggregators and the banking industry may exacerbate the problems of fraud and privacy. Personal data may be stored in the cloud and used by fraudulent individuals around the globe. The risks of fraud and violation of privacy rules are looming large in the era of cloud computing and financial aggregation.

As these services become widespread in Canada, either by means of the US subsidiaries or the creation of new Canadian and foreign start-ups, the need for monitoring the expansion of this industry becomes more urgent. Given that the industry is in its infancy in Canada, the Canadian regulators overseeing financial and personal information are not yet very active in this field, although warnings have been issued by the Financial Consumer Agency of Canada (FCAC) as to the possible threats financial aggregation may present to Canadian consumers.

This research explores the privacy, fraud and potential online financial risks and security issues arising from the increasing use of account aggregation services offered to Canadian consumers by a growing number of nonbank and bank aggregators. To do so, a unique methodology is used. A modified version of the so-called SCP paradigm is used in order to identify the main issues to be investigated and to analyze them in detail, with the objective of understanding thoroughly the structure of the aggregation industry in Canada, the conduct of financial aggregators and their respective performance. The idea behind this detailed examination of all aspects of the account aggregation industry in Canada is to develop a framework for making recommendations as to whether or not new regulation is needed in the financial aggregation industry. To this end, we developed a questionnaire and distributed it to two distinct groups of Canadian users, French-speaking and English-speaking Canadians (Quebec and Ontario). The idea was to investigate the behavior of Canadian consumers with respect to financial aggregation services and to analyze the similarities and differences in such behavior.

It appears that the two groups have some behavioral characteristics in common but important differences in their perceptions of the financial aggregation industry. The main differences concern their beliefs with respect to the trustworthiness of financial aggregators and their attitudes towards the risks of privacy violation and fraud and the level of security of the technologies used by financial aggregators. These differences are also reflected in their willingness to pay a premium to get a safer service from financial aggregators. Although French-speaking customers are more risk-averse, they use financial aggregation services more often than English-speaking customers. This last difference may be attributed to the demographic and socio-economic differences in the two samples investigated.

As far as the regulation of this industry is concerned, it is concluded that regulation may not be appropriate at this stage of development of the financial aggregation industry. The latter is in its infancy, at least in Canada, and financial aggregators are striving to find the most appropriate business model to penetrate the market. Although some use a fee-for-service model, others offer the service for free. Further, the technologies used by the industry are changing drastically and there is, as yet, no dominant secure technology. Disruptive technologies make competition between traditional banking firms and new non-financial firms possible by blurring their boundaries. At this stage of technological convergence and development of the financial aggregation industry, regulation as a prevention mechanism is rather inappropriate.

2. Methodology

There are various frameworks that can be used to analyze the financial aggregation industry in Canada. Some authors may prefer Porter’s five forces model while others may choose Ansoff’s matrix, the SWOT model, Bain’s SCP model or any other similar one. The goal of these models is to identify the main characteristics of firms in an industry and develop strategies for their growth and development.

Our goal is not limited, though, to the identification of the main characteristics of the firms in the financial aggregation industry in Canada. As was mentioned in the introduction, another objective is to propose recommendations as to the appropriate regulatory framework to be adopted for this industry, given the analysis of its structure, conduct and performance. For our purposes, the most important element for judging the appropriateness of regulation of the financial aggregation industry is undeniably its performance. The latter could be measured by some indices that we will construct through a questionnaire with respect to fraud, the violation of privacy, identity theft and the degree of security that prevails in this industry. Although these indices are not traditionally used to measure performance in well-established industries, the financial aggregation industry is admittedly rather new and under development. Therefore, the traditional measures of performance such as profitability, allocative efficiency, equity and dynamic efficiency are less appropriate. This is the reason why we prefer adopting the SCP paradigm and using it, in a modified version, to analyze the financial aggregation industry.

The traditional SCP paradigm may briefly be described as follows. For an industry, particularly a well-established one, competition is determined by its structure (the number and size of the firms in the industry, the existence or not of economies of scale, etc.). The latter determines the behavior or conduct of individual firms (their pricing policies, their strategies in terms of research and development and mergers and acquisitions, and their tendency to collude). Conduct determines, in turn, industry performance as measured by profitability and allocative and dynamic efficiencies. There may be feedback effects among the three basic elements, and government policies are driven by performance. The graph below illustrates the relationship among the three elements.

[Insert here] Graph 1.1. The traditional SCP paradigm

For our purposes performance may be measured differently. Indeed, developing indices for measuring performance and analyzing the dynamics of the financial aggregation industry in Canada is one of the main objectives of our study. We can then associate performance with the desirability of government intervention in this industry. The use of the SCP paradigm, through an empirical investigation, is thus appropriate for our purposes. The modified version of the SCP paradigm used in this study is as follows.

[Insert here] Graph 1.2. The modified SCP paradigm


2.1 Data and variables

There is no available data for the financial aggregation industry in Canada. As was mentioned above, this industry is rather new and incumbents are very reluctant to give information which may be viewed as sensitive for many purposes. Unfortunately, the lack of cooperation of the Canadian aggregation industry did not allow us to get the primary data required for the analysis of this industry. Nonetheless, the review of the literature and the secondary data we got from various internet sources allowed us to depict this industry and the technologies it uses to provide account aggregation services. It is worth mentioning that we put considerable effort into establishing negotiations with companies that offer financial aggregation services in Canada. We contacted 7 companies with a request for an interview that would have covered the following questions and beyond:

1. Can you explain to us the mobile app financial aggregator business?
2. Can you explain to us the regulatory framework in which you operate?
3. Where do you see the risks for your business coming from?
4. How do you protect the personal information that your customers provide?
5. What are the technological security measures that you use?

The companies that we contacted included Mint, Savvy Money, PocketSmith, MVelopes, Check.me, iBank, and Yodlee. It is interesting that none of the companies refused to participate right away. In fact, through different people in their organizations we got hold of Security Managers or CEOs, who seemed to be interested in the study, and we spent a month discussing the details of our research and their involvement. Mint was the only company that declined to participate in the research without even negotiating the terms and getting to know what we intended to ask. All the other companies were ready to provide their responses or maintained the appearance of being extremely interested, but at the last moment refused to give an interview and sign a consent agreement, because they did not see how their participation could be beneficial for their business.

In order to get comprehensive, representative information about the attitudes Canadian users have with respect to the account aggregation industry, we developed a questionnaire (Appendix 1) which was distributed in both official languages (English and French) in two Canadian provinces, Ontario and Quebec. A number of questions were asked to elicit information with respect to the use and knowledge Canadians have of the financial aggregation industry and their concerns about privacy, fraud and security issues.

The questionnaire was divided into four parts. The first part concerned questions related to the use of financial aggregation services and the awareness of users about the existence and the type of aggregation services offered in Canada. The second part concerned questions related to how users perceive financial aggregator firms in Canada and what type of platforms or devices they use to access these services. The third part concerned questions related to privacy, identity theft, fraud, and issues of security. Questions concerning their willingness to pay to safeguard the offer of secure services were also included in this part of the questionnaire. Finally, the fourth part concerned questions with respect to their socio-economic and demographic characteristics.

We got 110 responses from people living in the province of Quebec and 145 from Ontario. Summary statistics concerning responders’ gender, their age group, annual income and the highest degree obtained are indicated in the tables below.

| Responders’ gender | Quebec (%) | Ontario (%) |
|---|---|---|
| Male | 63 | 37 |
| Female | 37 | 63 |
| Total | 100 | 100 |

Table 2.1. Responders’ gender.

| Responders’ age group | Quebec (%) | Ontario (%) |
|---|---|---|
| Between 20 and 29 years old | 80 | 22 |
| Between 30 and 39 years old | 16 | 21 |
| Between 40 and 49 years old | 3 | 25 |
| 50 years and beyond | 1 | 32 |
| Total | 100 | 100 |

Table 2.2. Responders’ age group.

| Responders’ annual income | Quebec (%) | Ontario (%) |
|---|---|---|
| Less than $19,999 | 72 | 6 |
| Between $20,000 and $39,999 | 16 | 91 |
| Between $40,000 and $59,999 | 3 | 19 |
| Between $60,000 and $79,000 | 6 | 18 |
| Between $80,000 and $99,999 | 2 | 16 |
| Over $100,000 | 0 | 19 |
| I'd rather not say | 0 | 14 |
| Total | 100 | 100 |

Table 2.3. Responders’ annual income.

| Responders’ highest degree | Quebec (%) | Ontario (%) |
|---|---|---|
| High school diploma | 1 | 4 |
| College diploma | 23 | 7 |
| University diploma (Undergraduate - Bachelor’s degree) | 54 | 35 |
| University diploma (Graduate - Master’s degree) | 18 | 37 |
| University diploma (Postgraduate - Doctorate) | 3 | 17 |
| Total | 100 | 100 |

Table 2.4. Responders’ level of education.

A first glance at the summary statistics indicates that there are important differences between responders residing in Quebec and Ontario. The Quebec sample is mostly composed of males while the opposite is true of the Ontario sample. The Quebec sample is composed chiefly of young professionals, most of them with a bachelor’s degree, while the Ontario sample is dominated by middle-aged persons, most of them holding a master’s degree. As far as income is concerned, the Quebec sample is situated in the lower income bracket while the Ontario sample is in the next upper income bracket. The statistical analysis of these two samples is done in the Appendix.

The answers to the questions related to responders’ knowledge concerning the existence of financial aggregation services in Canada show that the majority, more than 37%, had a very good knowledge of these services and use them frequently, while more than 28% had some idea about their existence and use them occasionally.

As far as privacy policy and security issues are concerned, 21% of Quebecers answered that they do read the privacy policy of financial aggregators before making any transactions with them, while this percentage is much higher for the responders from Ontario (37% of Ontarians). Thus, 1 out of 5 Quebecers and 2 out of 5 Ontarians do read the financial aggregators’ privacy policy. Given that these documents use legal language which is difficult to understand, and that these policies are generally quite long, these high percentages show that users of financial aggregation services are seriously concerned about privacy.

This finding is consistent with the answers users give to the questions concerning their level of concern about privacy, identity theft and fraud when they make financial transactions on different platforms or devices. The results show that 93% of Quebecers are concerned and 86% of Ontarians are highly concerned. Given this overwhelming concern of users about privacy and risks of fraud, financial aggregation service companies should be very careful and able to offer reassurance about the safety of their technologies and the policies they use internally for preserving privacy and thwarting fraud.

These high levels of concern are reflected as well in the answers they gave to the questions concerning their willingness to make transactions with well-established financial aggregators as opposed to newcomers, in many instances virtual ones. Quebecers, 35% of them, are willing to deal only with aggregators having a physical presence in the market (as opposed to virtual ones) and 41% of Ontarians have the same attitude. The physical presence of financial aggregators is not enough. These companies must have an explicit policy on privacy and a record of integrity. Thus, more Ontarians than Quebecers prefer to deal with brick and mortar financial aggregators. By and large, established financial aggregators and banks with a long history of presence in the market have a competitive advantage compared to newcomers, less well-established financial aggregators.

On the more technical questions concerning the encryption technologies used by financial aggregators to provide their services and the level of trust they show towards these technologies, the results differ dramatically between Quebecers and Ontarians. Although a high percentage of Quebecers, 55% of them, trust the encryption technologies, this percentage is only 14% in Ontario. It is obvious that with these results, financial aggregators must make considerable efforts to increase their reputation and confidence among actual and potential users. The industry’s survival and growth depend on its capacity to use the most advanced technologies that inspire confidence in users.

Trust in financial aggregators is not equally shared among the two groups of responders.
Quebecers declared that they trust (42% of responders) their financial aggregators because of good reputation (26%) and the absence of any problems associated with security issues. In Ontario the percentage was much lower. Only 26% of Ontarians trust their financial aggregators, although they declare that they have never had problems with them (43%) with security, privacy and fraud issues. Reputation is thus important for Quebecers while the absence of problems is more important to Ontarians. From these results, it is possible to surmise that Ontarians judge their financial aggregators using tangible criteria like the absence of privacy violations and security problems.

Knowing customers’ online behavior, particularly the frequency with which they consult their accounts and make transactions, is important because financial aggregators may target their customers according to the type of transactions, their duration and frequency. Their profitability depends, to a great extent, on knowing their customers. Every financial aggregator uses cookies, persistent and non-persistent, for marketing but also for safety purposes. This provides opportunities for increasing market shares and returns on investment. Most of the responders (52% in Quebec and 45% in Ontario) complete their transactions once every two weeks, and 24% in Quebec and 34% in Ontario once a day.

Given the changing nature of technology and the fact that mobile banking is increasingly becoming the new standard in this industry, knowing the platforms or devices used by customers to complete their financial aggregation services is becoming important for aggregation providers. The latter must make investments in infrastructure to make their interfaces compatible with the platforms or devices customers use to access the services. It appears that Canadians in Quebec and Ontario use laptops, desktop computers, tablets and smart phones to access the aggregation service providers. Notwithstanding, 63% in Quebec and 39% in Ontario declare that the laptop is the most frequently used platform or device to make their financial transactions, but Ontarians trust their desktop computer more, 32% compared to 17% of Quebecers.

As far as a change in attitude towards the use of a particular platform because of privacy or security issues is concerned, 72% of Quebecers reported that they have not changed attitude at all, while this percentage is only 56% for Ontarians. Furthermore, about equal percentages of Quebecers and Ontarians (95% and 92% respectively) declare that they have never had to change bank, financial institution or financial aggregator because of their concern about the protection of personal data.

The importance customers give to financial aggregators with an explicit privacy policy is illustrated by the answers of the two groups. Patronage is encouraged for financial aggregators with an explicit privacy policy even if their deals are less attractive than the ones offered by financial aggregators without explicit privacy policies. This is important for both groups, but Ontarians (79%) give it higher importance than Quebecers (49%).
This illustrates that an explicit and well-articulated privacy policy is a requirement for patronage even if most customers won't read it, as was indicated above.

Fraud, identity theft and online security are serious concerns for all customers. If the latter want to reduce the probability of occurrence, they may be willing to pay a fee to aggregation service providers to get the warranty that these risks would be reduced to the minimum. The answers to the question “How much they are willing to pay to have the warranty that the service would be provided almost risk free” vary dramatically between the two groups. A large majority of Quebecers (63%) is willing to pay a “prime” of up to $10 per month to be assured that financial services are offered securely. This percentage drops to only 37% for Ontarians. This difference in behavior may be explained as follows. Either Quebecers are more risk-averse and are therefore ready to pay a premium to get the warranty of a better quality service, or Ontarians believe that their data are well protected and there is no need to pay an additional fee (insurance) for that.


All in all, the financial aggregation industry is growing but there are some stumbling blocks to its growth. Data protection, privacy, security and fraud issues are serious concerns users have which may inhibit or at least retard future growth. Financial aggregation service providers should acknowledge these customer attitudes and adopt new technologies and strategies that would increase safety and establish a good reputation for the industry. This is important at every stage of development of any industry, but more important for the financial aggregation industry, which is currently in its infancy.

Given the newness of this industry and the low rate of incidents related to privacy violation and fraud, regulation does not seem to be necessary. Regulation as a prevention mechanism would not do this industry good and therefore no such action is required at this time. There are some potential and real problems associated with the development of this industry, but introducing new regulations before the problems actually develop is premature. We therefore recommend that (1) the financial aggregation industry be allowed to exercise its potential free of new regulations and (2) regulators continue to monitor the industry and alert users with respect to the potential problems associated with privacy, identity theft and malware intrusions while completing their transactions online. We accept that the existing regulatory framework is adequate to exercise some discipline in the market.

The current anti-spam legislation (CASL Bill C-28, to be in effect from July 1st 2014) bans unsolicited electronic messages such as emails and texts. Although it is meant to crack down on unwanted spam and to protect customers from harassment, identity theft, spyware and fraud, it would also contribute to limiting the use of persistent cookies by financial aggregators for marketing and other purposes not related to the financial aggregation services, for instance the use of personal information by other divisions of financial aggregators to sell products like insurance and/or financial products. Table 1.5 summarizes our findings.

| | | Anglophones | Francophones |
|---|---|---|---|
| Trust in encryption technology | Strongly | 77 | 55 |
| | Fairly | 6 | 7 |
| Read privacy policy | Yes | 54 | 18 |
| | Never | 40 | 78 |
| Level of concern | Very | 46 | 61 |
| | Fairly | 45 | 29 |
| Change in attitudes | Yes | 39 | 25 |
| | No | 57 | 72 |
| Platform choice | Laptop/smart/tablet | 36 | 69 |
| | Desktop | 41 | 17 |
| Virtual vs bricks and mortar | Virtual with privacy | 73 | 49 |
| | Bricks and mortar without privacy | 16 | 36 |
| Willingness to pay | $0 | 55 | 25 |

Table 2.5. Summary of the main findings.

3. The financial aggregation industry in Canada

3.1. Historical developments and future trends

Financial aggregation is a nascent industry. As yet, it is not fully developed in Canada despite the fact that this industry has existed since the early 2000s. It was during the dot com era that the hype was at its climax. Financial aggregators first appeared in the US and their prospects of growth were very high as investors were seeing dollar signs in every technology that was emerging at that time. The growth expectations of this industry were thus quite high but the burst of the dot com bubble was a significant setback to this industry. After many years of restructuring, mergers and acquisitions and bankruptcies this industry is on the rise again but this time it is developing under a different business model. Most financial aggregators have become specialized firms offering aggregation services to banks, financial institutions and brokers while few of them offer retail services to final customers in competition with banks and other financial institutions.

Citibank was the first and most important account aggregator in the USA. It introduced MyAccounts service in the early 2000s and gradually expanded its service in the U.K. and other countries. My Accounts service was about more than just financial data. It was meant to bring together a wide range of financial and lifestyle information for managing customers’ daily life. The service was offered free of charge because Citibank was aiming to increase its awareness, reinforce its brand as a leading player in electronic financial information, win more customers and enable it to cross-sell financial services to its competitors' customers. Citibank was able to offer the aggregation service by using the standard screen-scraping technology to get the information needed by its clients from other financial institutions and businesses. Citibank did not encounter any problems in obtaining authorization from other financial institutions to screen-scrape their sites. According to J. Mindell, Sales & Marketing Director of Citibank, service providers were cooperating in the offer of the financial aggregation service by allowing their sites to be screen-scraped without any trouble. Citibank was expecting at that time (in 2000) that most of the aggregation service providers would eventually offer aggregation services to individual customers. So it was in everybody's interests to co-operate in this industry (Mearian, 2001).

In late 2005, Citibank ended its service without offering any explanation. The hype about this service started subsiding since the touted benefits of aggregation, such as the customer and web site loyalty these services may generate for providers of aggregation services, did not materialize. Apparently, the lack of responsibility and commitment by the providers are the reasons for the failure of the service. Although some banks like Citibank could abandon the service without leaving scars, other financial aggregators, particularly the specialized ones, declared bankruptcy. For instance, a well-known personal finance firm named Wesabe dot com shut down in July 2010. Other firms have followed suit. Thus many financial aggregators have pursued projects although they were skeptical concerning the return on their investment. In a sense, online account aggregation was viewed as a necessary evil. Indeed, another account aggregator, which followed a growing pack of banks and brokerage firms that use online account aggregation technology, was the First Interstate BancSystem Inc. The latter invested in this technology with some trepidation but competition in the industry was the driving force for these investments. Another firm, The Billings bank in the US, has invested in aggregation technologies hoping that the technology would allow it to attract "technology-savvy" customers who might otherwise look elsewhere. Although the concerns of these financial aggregators were very high, particularly regarding the perception customers would have of the technologies and how they would be received by prospective customers, they had to invest nonetheless if they wished to stay in business. The uneasiness concerning these investments was high because the new technologies would allow customers to make comparisons of different money market accounts, making account aggregators more vulnerable to competition.

All in all, in the 2000s financial aggregators were investing in these technologies for fear of being left behind by competitors who were investing in droves to be the first ones in the industry. The argument of the first-mover advantage was advanced to fully justify heavy investments in these technologies. But such investments were not justified on financial criteria (the net present value – NPV – criterion is conventionally used to evaluate investment projects) but chiefly on competitive reasons. Not surprisingly most of them have failed and financial aggregators went bankrupt. "You're going to adopt something out of fear that others will". "At the prices [vendors] want, fear is a bad motivator." (Mearian, 2001).

Despite the initial fears that companies offering financial aggregation would (a) become invisible to their customers; (b) have difficulties in recruiting new ones and (c) allow customers to shop for lower rates and service fees, all of them agreed that financial aggregation is a must-have strategy and a tool to recruit and retain customers and to cross-sell financial services and products. Investment in aggregation technologies was viewed as a necessity and as offering a competitive advantage. "If you're behind the curve, and someone else gets your accounts, you'll never get them back" (Mearian, 2001). Some firms viewed financial aggregation as an essential business and committed to developing it quickly. For instance, Ameritrade Holding Corp. believed online account aggregation to be core to its business and created a subsidiary called OnMoney.com Inc. to develop its online financial management Web site. More than 100,000 customers signed up for its aggregation services soon after the site went live.

In summary, in the early 2000s, account aggregation was fast becoming a basic expectation of banking customers, and companies were racing to install the technology that would allow them to reach millions of new customers. Only very few were able to hold their ground against the systems. Unfortunately, these predictions were wrong and in the aftermath of the dot com bubble most of them went bankrupt. Once again, the survivors have been harshly hit chiefly because of the recent financial crisis. After these two major shocks, the financial aggregation industry is on the rise again. This time, the technologies are better known and the internet has become more widespread and better understood by service providers and customers alike. The account aggregation industry has started all over again but this time it is based on solid ground.

3.2. Current trends in the Canadian aggregation industry

Competition over the internet is now a reality. Financial and non-financial firms use various technologies to collect data and other sensitive information to study their customers’ behavior and get a competitive edge over their rivals. Indeed, the Internet has created a paradigm shift in almost any type of business and is forcing traditional financial institutions to transform themselves at a rapid pace and at an unprecedented scale. Financial institutions initially viewed the internet as another distribution channel. They did not see the potential of this new vehicle for increasing their business and profitability and simply transferred their traditional business model online. But as competition intensified from non-banks and near-banks, the traditional banking firms realized that their market shares were shrinking even in their core businesses. A change in strategy was thus necessary. Canadian financial firms and particularly Canadian banks adopted strategies that break with the past. They shifted from the traditional product-centric orientation of financial services towards a customer-centric approach in which price, convenience and value-added services became critical. But they still face a significant problem. They are still striving to figure out how to make their aggregation sites profitable. So far, the Canadian banks and internet portal services don't charge for the aggregation services. Admittedly, Canadian banks are not able to charge for the service simply because it is not well-developed yet. It will take more competition from new entrants to incentivize Canadian banks to improve the aggregation service. It is a classical dilemma of firms used to their traditional financial services. They normally have problems in identifying new market niches with new technologies. This was the case for Bell Canada, a long-time regulated firm, which was almost lost in a competitive environment. It took more than twenty years before Bell Canada reinvented itself and developed profitable strategies in a competitive environment. We expect a similar scenario with the aggregation industry. Unless competition develops more vigorously, Canadian banks would not improve their offer of account aggregation simply because the costs of implementing advanced aggregation technologies are high and Canadian banks do not know how to make their aggregation services profitable [3].

In Canada there are seven account aggregators, all of them established between 1999 and 2007. They are subsidiaries of foreign aggregators and most of them offer the services only in English. Canadian banks do not allow financial aggregators to have access to their customers’ accounts and refuse to share their customers’ financial information. In case of fraud, Canadian banks are not obliged to refund their customers since the customers are responsible for giving sensitive information to financial aggregators.

| # | Company | Software | Year of establishment | C | Web site |
|---|---|---|---|---|---|
| 1 | Mint | Mint.com | 2006 | X | https://www.mint.com/ |
| 2 | Check | Check | 2007 | X | https://check.me/ |
| 3 | Fiserv | Cash Edge Online | 2007 | X | http://www.fiserv.com/about/brands/cashedge.htm |
| 4 | Manilla | Manilla | N-A | X | https://www.manilla.com/ |
| 5 | Money Strands | Money Strands | 2009 | X | https://money.strands.com/ |
| 6 | Yodlee | Money Center | 1999 | X | http://www.yodlee.com/consumers/ |
| 7 | Mvelopes | Mvelopes | 2000 | X | http://www.mvelopes.com/ |

Table 3.1. Major players in the Canadian aggregation industry

[3] The cost of installing aggregation technology is quite high. An executive said it would cost his company more than $2 million to install aggregation technology. That's a large investment considering that customers wouldn’t pay for this service and the return on investment is thus unclear.

The seven account aggregators compete with the established Canadian banks to offer financial aggregation services but the two services are not exactly the same. The Canadian banks offer personal finance, budgeting and banking savings services for the accounts a customer has in a specific bank. By contrast, financial aggregators, like Mint Canada, give customers total visibility of what is happening in the customers’ accounts irrespective of where these accounts reside – in TD, RBC, BMO, HSBC, etc. Customers can see what is happening with their accounts at any moment of the day online or with mobile applications.

| # | Company | Software | C | Official Web site |
|---|---|---|---|---|
| 1 | BMO | BMO Money Logic | X | http://www.bmo.com/moneylogic/ |
| 2 | EastWest Bank | Financial Aggregation Service | X | http://www.eastwestbank.com/english/pb_obanking.asp |
| 3 | RBC | MyFinanceTracker | X | http://www.rbcroyalbank.com/online-services/my-finance-tracker.html |
| 4 | Postes Canada Post | epost/Postel | X | https://www.epost.ca/service/landingPageFr.a |
| 5 | CIBC | CIBC Online Banking | X | https://www.cibc.com/ca/demos/welcome.html |
| 6 | TD | TD Online Banking | X | https://www.tdcanadatrust.com/products-services/banking/electronic-banking/ways-to-pay/viewbills.jsp |
| 7 | National Bank | NB Internet Banking | X | http://www.nbc.ca/bnc/cda/productfamily/0,2664,divId-2_langId-1_navCode-10749,00.html |
| 8 | ING Direct | ING Direct | | |

Table 3.2. Major Canadian banks and non-banks offering aggregation services

The security concerns are very important in this industry. Customers are mainly concerned because financial aggregators may use their personal information for purposes other than the ones for which this information was initially provided. Further, there are risks of identity theft and malware from unscrupulous individuals who search the internet to get information and commit fraud. Both types of risks are real and they cannot be eliminated. But the probability of their occurrence may be reduced if financial aggregators invest in advanced technologies, apply a vigorous privacy policy and develop monitoring and internal control mechanisms that safeguard security.

It is well known that financial aggregators use “cookies” – a text file that resides on a customer’s computer while online – to provide financial information online. There are two types of cookies, persistent and per-session cookies. A persistent cookie is used by financial aggregators to provide usage information on specific functions residing in the provider’s online banking application. Normally, there is no customer-related information associated with this type of cookie. A per-session cookie is stored temporarily in the temporary memory (RAM) of the customer’s PC and assigns an ID per session whenever a customer logs on to the site. This cookie is important to validate a customer’s device (PC, tablet, or smart phone) and allow customers to complete their online transactions. As with the persistent cookies, the per-session cookies do not contain any customer-related information. Cookies are site specific and only a single aggregation provider can access, decode and make use of the information.

Online banking has become widespread and is still growing. Pew Research Center, Federal Reserve (2014) defines “online banking or Internet banking or e-banking” as “the use of a web site that allows customers of a financial institution to conduct financial transactions on a secured website operated by the institution, which can be a retail bank, virtual bank, credit union or building society”. Recent statistics by Pew Research Center, Federal Reserve (2014) indicate that 69 million Americans transact online while 56% of them pay a bill online. Table 3.2 gives some key summary statistics about the attitudes Americans have towards mobile banking.

| Online / Mobile Banking Statistics | Data |
|---|---|
| Percent of those who managed household finances who banked online at least once in the past 12 months | 81 % |
| Percent of people who used mobile phone banking within the past 12 months | 19 % |
| Number of Americans who bank online | 69 Million |
| Online banking customer satisfaction | 78 % |
| Percent of consumers who receive electronic checking account statements | 42 % |
| Percent of consumers who paid a bill online through their bank in the past month | 56 % |

Using your mobile phone, have you done any of the following in the past 12 months?

| Statistics on Mobile Banking Users | Percent |
|---|---|
| Checked an account balance or recent transaction | 90 % |
| Downloaded your bank’s mobile banking application | 48 % |
| Transferred money between two accounts | 42 % |
| Received a text message alert from your bank | 33 % |
| Made a bill payment using your bank’s website or application | 26 % |
| Located the closest in-network ATM for your bank | 21 % |
| Deposited a check to your account using your phone’s camera | 11 % |

What are the main reasons you have decided not to use mobile banking?

| Statistics on Non Mobile Banking Users | Percent |
|---|---|
| My banking needs are being met without mobile banking | 57 % |
| I’m concerned about the security of mobile banking | 48 % |
| I don’t trust the technology to properly process my banking transactions | 22 % |
| The cost of data access on my wireless plan is too high | 18 % |
| It is too difficult to see on my mobile phone’s screen | 17 % |
| It’s difficult and time consuming to set up mobile banking | 10 % |

Table 3.3. Online banking statistics and customers’ attitudes. [4]

Canadian account aggregators make use of cookies and advanced encryption technologies to provide their financial aggregation services. As Table 2.4 indicates, less than half of financial aggregators offer services using a better technology than the 128-bit SSL technology. There are therefore risks of fraud and breach of security in the financial sector of Canada. Canadian financial aggregators have to adopt stringent encryption technologies to offer their services securely and inspire more confidence in users. Unless such measures become more concrete and visible, customers would not use the financial aggregation services wholeheartedly. Table 2.4 indicates the encryption technologies used by Canadian aggregators and the level of security they could provide.

| # | Company | Program used | Encryption technology | Security – information storage |
|---|---|---|---|---|
| 1 | Mint | Mint.com | 128-bit SSL | |
| 2 | Check* | Check | 128-bit SSL | |
| 3 | Fiserv | Cash Edge | 128-bit SSL | |
| 4 | Manilla | Manilla | 128-bit SSL | Verification - biometrical authenticity (Main); 256-bit AES Data encryption |
| 5 | Money Strands | Money Strands | 128-bit SSL | 256-bit Encryption for storage |
| 6 | Yodlee | Money Center | --- | http://www.yodlee.com/yodlee-security/ |
| 7 | Mvelopes | Mvelopes | 128-bit SSL | Access to the servers is done through a biometric authentication (Main) |

*Possibility to destroy personal data and other sensitive information by entering a PIN number on a smart phone.

Table 3.4. Security and encryption technology used by major aggregators in Canada.

[4] Source: Pew Research Center, Federal Reserve (January 1, 2014) http://www.statisticbrain.com/online-mobile-banking-statistics/
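The persistent versus per-session cookie distinction described in this section, and the claim that neither kind carries customer-related information, can be checked against the Set-Cookie headers a site actually sends. The Python sketch below is an added example, not code from the report or from any aggregator; the header values, cookie names, finding labels and the customer-data heuristics are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed Set-Cookie header values (not captured from any real aggregator).
SAMPLE_SET_COOKIE = [
    "SESSIONID=9f2c1e7a4b; Path=/; Secure; HttpOnly",
    "usage_stats=feature_bills%3D3; Max-Age=31536000; Path=/; Secure",
    "remember=jane.doe%40example.com; Expires=Wed, 01 Jan 2030 00:00:00 GMT; Path=/",
    "acct=4520123412341234; Path=/; Domain=.example.com; Secure; HttpOnly",
]

# Heuristics for "customer-related information" (assumed patterns, tune per site).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
LONG_DIGITS_RE = re.compile(r"\d{13,19}")  # card- or account-number-like runs


@dataclass
class CookieReport:
    name: str
    kind: str  # "persistent" or "per-session"
    findings: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # flag attributes (Secure, HttpOnly) map to ""
    return name, value, attrs


def audit_cookie(header):
    """Classify one cookie and list deviations from the properties the text claims."""
    name, value, attrs = parse_set_cookie(header)
    # A cookie with Expires or Max-Age outlives the browser session.
    persistent = "expires" in attrs or "max-age" in attrs
    report = CookieReport(name, "persistent" if persistent else "per-session")

    decoded = unquote(value)
    if EMAIL_RE.search(decoded) or LONG_DIGITS_RE.search(decoded):
        report.findings.append("customer-data")    # value looks like personal data
    if "secure" not in attrs:
        report.findings.append("missing-secure")   # may be sent over plain HTTP
    if not persistent and "httponly" not in attrs:
        report.findings.append("missing-httponly") # session ID readable by scripts
    if "domain" in attrs:
        report.findings.append("domain-wide")      # also sent to subdomains
    return report


def audit(headers):
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for r in audit(SAMPLE_SET_COOKIE):
        print(f"{r.name:12} {r.kind:12} {', '.join(r.findings) or 'ok'}")
```

The HttpOnly check is applied only to per-session cookies because those carry the session ID; that scoping is a policy choice of this example.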

It is important to distinguish two essential elements of data security: the transfer of personal data and the storage of data. All the banks use the same encryption technology, 128-bit SSL, to transfer data. Currently, this is the best encryption technology and it is widely used by many firms and public organizations such as Revenue Canada. With respect to where the data are stored, each bank and financial aggregator uses its own technology and place to store them. The data are normally saved in highly secured places and most firms mention it on their web sites to diminish the fears of their customers.

Table 2.5 shows the gamut of services offered by the Canadian aggregation banks. As mentioned above, some Canadian banks offer aggregation service and personal finance to their own customers, so only the customers of the specific bank can have access to this service. There are also banks which offer the service to everyone, whether or not they are clients of the particular bank. Both approaches use technologies that allow for bill downloading either manually or automatically.

Table 3.5. Account aggregation services offered by Canadian banks.

The programs used to offer the services are mostly proprietary and work only with the interface of the bank that has developed them. The banks use the same programs for individual and large institutional customers. When Canadian banks offer aggregation services, they limit the service to the accounts owned by the individual depositors, such as term deposits, saving and checking accounts, mortgages, lines of credit, etc. It is also possible to use the bank’s site to pay bills for utilities and other Canadian companies. Also, many Canadian banks have an interface which is compatible with the epost service offered by Canada Post. This may be viewed as a compromise or at least as a solution to the problem of users being unable to download their bills using their bank's web site.

In order to find out the level of satisfaction of customers with the service, we went through the comments reported in various forums. Although some problems are reported, particularly with respect to downloading data, overall we did not find any major problem related to security, privacy or fraud. Given that people tend to report bad service or major problems more often than good service, it is safe to say that Canadian banks and financial aggregators perform quite well on this matter.

Canadian banks have adopted a strategy to thwart competition from financial aggregators by refusing access to their network. By developing their own programs and by alerting clients that they are not responsible for fraud or theft in case clients give details of their accounts to third parties (financial aggregators), the banks want to safeguard their market shares and profitability. There is an exception to this strategy. Without going as far as to allow full access, the bank ING Canada provides a code which allows the downloading of data (bills), but this function is limited to “read-only” and clients cannot make any transactions based on the information they see unless they use the web site of each provider.

As far as the “pure” Canadian account aggregators are concerned, the best known is Mint with 1.5 million clients in 2009, according to an article in the Globe and Mail. Mint’s most serious competitor is Check. The latter offers clients the possibility to destroy the data and other sensitive information stored in their smartphones and other mobile devices. With respect to the Canadian banks, it seems that myFinanceTracker offered by RBC gives its clients the possibility to manage their accounts, while the extra service offered by myTaxCentre provides the possibility for a client to prepare their income tax report.

In summary, we recommend three general policy initiatives for the OPC:

• Conduct survey research to learn about the benefits of financial aggregation to consumers and businesses, and thus estimate potential social welfare gains.

• Promote and participate in establishment of appropriate regulatory oversight for account aggregation services.

• Facilitate coordination among private industry stakeholders to help them establish common industry standards (technical, institutional, governance and internal monitoring and control).

4. Technology and innovation

4.1. Technology and innovation issues in financial aggregation industry

Technological changes dramatically affect the structure of an industry, the behavior of existing firms and potential entrants and the whole performance of an industrial sector. These effects are even starker when technological changes are disruptive and not evolutionary. The latter allow firms to adjust themselves and provide sufficient time for firms to adopt strategies that would increase their competitiveness. The former are more sweeping and generally not very well understood by incumbents, at least at the initial stages of their appearance. They are normally introduced by start-ups and small firms, which are capable of creating niche markets and even penetrating the well-established ones traditionally dominated by large incumbents. Competition develops as new entrants enter the industry providing entirely new services and services similar to the ones of established firms. Normally, new entrants face less regulation and fewer institutional constraints as government and regulatory organizations are slow to react given their limited technological knowledge. This asymmetry in information and technological competence works to the benefit of new entrants. The latter have the so-called “first-mover advantage” which, if well exploited and if the regulatory structure is neutral, may confer a benefit and contribute to establishing new entrants as major players in the industry.

However, incumbents are not powerless. They would first call for a level competitive field by asking for tougher regulation and entry barriers. Unable to react rapidly, given their sheer size and their long experience of functioning in a rather stable and well-defined business, incumbents would even raise issues of security and increase users’ awareness concerning the dangers that exist in switching providers and in entrusting their business to newly created entities. This is precisely what happens in the financial aggregation industry. The current technologies used by new entrants to provide aggregation services are indeed disruptive and far-reaching. Incumbents, large banks and other financial institutions, warn customers that they are no longer obligated to offer protection of their accounts should customers give their PINs and other sensitive information to third party providers. Such an attitude is legitimate and by all means justifiable, but as long as incumbents do not offer the aggregation service and this need is not satisfied by incumbents, customers would, nonetheless, use the service offered by new entrants.

So at the early stages, when technology is mastered by new entrants only and the financial aggregation service is offered exclusively by them, customers with high reservation prices – the ones who value the service most – would be willing to use the service. There is initially an erosion of the market shares of incumbents but the erosion is negligible at first. As entrants become firmly entrenched and expand the gamut of their services, incumbents’ market shares are threatened further and their strategies to thwart entry and expansion of newcomers are intensified. The competition process may continue as long as no new regulation is introduced to stop the growth of new entrants and determine fair play. This life cycle of competition may be stylized and illustrated by the following familiar graph.

Figure 4.1. Life cycle of competition introduced by technological changes and innovation in the financial aggregation industry

For the Canadian financial aggregation industry, the level of competition is at the early stages and is situated in Zone I. The industry is neither mature in terms of competition nor fully competitive yet. From a technological point of view and with regard to innovation, the Canadian industry is in its infancy. With respect to mobile banking applications, the Canadian banking industry is still at its earlier stages. This is the most rapidly developing market segment but the adoption of new technologies by the banking industry is slow to develop. CIBC is the first one to adopt the electronic deposit while TD is about to introduce this application soon. This strategy would help the banking industry to differentiate itself from the emerging competition that arises from financial aggregators but the industry should make more efforts to become more competitive and innovative.

To be sure, the banking industry is not the same as some other industries which experience high rates of adoption of innovations, given that in those industries the issues of privacy, fraud and other security breaches are not as serious as in the banking industry. It is normal to observe longer time periods for innovation adoption in the financial industry since the issues of privacy and fraud are extremely important for preserving the credibility of the industry. As a matter of fact, the financial industry is based on trust and a breach of trust may have important repercussions on the evolution of the industry and the economy as a whole. It is quite important for financial firms to fully test the new technologies and make sure that they are bullet-proof and “immune” from violation of privacy, possible security breaches and fraudulent behavior. It is true that no technology is “impenetrable” by malicious individuals. Every time a new technology is introduced and used to identify fraudsters, the latter are always capable of defrauding financial institutions after an initial period of its application.

Fighting fraud, financial crimes, and security breaches is a very costly challenge for all firms in the financial industry. Big data [5] – defined as the increasing availability of structured and unstructured data and their exponential growth – created by the use of new technologies, together with clickstream analysis, are increasingly used to generate platforms which are able to prevent, detect and mitigate internal and external fraud more quickly. Big data technologies are thus efficient means for real-time fraud detection and mitigation; they allow financial firms to reduce the costs associated with fraud screening and monitoring and to reduce fraud losses. Reducing the cost of fraud investigation and the number of security breaches not only increases the efficiency of the industry but also increases trust and growth prospects.

[Figure: Performance plotted against Time / Cumulative R&D Investment; labels: emerging, pacing, key, mature, discontinuity, “inferior” technology, “superior” technology]

Figure 4.2. Dynamic performance of the account aggregation industry

[5] The term big data first appeared in 2001 and it was defined as the three Vs: volume, velocity and variety by Doug Laney, an industry analyst. The high increase in data volume, the speed with which data is generated and their variety (structured numeric data, information created from line-of-business applications, unstructured text documents, email, video, audio, stock ticker data and financial transactions) provide an opportunity for firms to exploit them through the use of high-powered analytics to develop strategies which would allow them to identify the most lucrative customers. Using clickstream analysis and data mining it is possible to detect fraudulent behavior and security breaches. (http://www.sas.com/en_us/insights/big-data/what-is-big-data.html)

Financial aggregators may use Ansoff’s Opportunity Matrix to identify an entrant’s and an incumbent’s growth opportunities in current and expanding new markets and with new aggregation services.

4.2. Regulation of the financial aggregation industry: technology to the rescue of innovators

Financial service firms, by their very nature and business activities, are vulnerable and prone to higher risks of fraud, identity theft and security breaches in general. Customers are particularly concerned with these issues, and because of the competitive nature of financial services and the high profit margins of the firms offering them, the risks of violation of privacy and of corporate privacy policies are also higher. Customers are aware of these risks and demand that financial service firms set standards that provide assurance that the risks of privacy violation and other security breaches will be minimized. Customers demand rules and regulations from the government and government agencies that would create a stable and safe business environment in which they can make their transactions with the least risk possible. Although regulation is sought by consumers and users of services, there are circumstances where regulation is highly appreciated and even demanded by the industry (Stigler, 1974). Generally, an industry is against any rules and regulations imposed by the government. Every business prefers to operate in a market without government regulation. The forces of supply and demand are deemed sufficient to discipline the market, and this discipline is self-enforcing and quite effective. Nonetheless, when the results are not as anticipated, because some firms behave in an anticompetitive and at times abusive way, customers ask for regulation. Under such pressure, the industry reacts and proposes self-regulation, that is, rules and regulations created by the industry for its members.
This is normally the case when the industry is mature and growth prospects are rather limited. As competition becomes fiercer because of low growth prospects in the market, the number of cases of bad behavior on the part of some members of the industry increases. Self-regulation is no longer sustainable and government intervenes to enact regulations which are normally tougher than the self-regulation. This type of regulation is accepted by the industry since it enhances the credibility of its members and provides more opportunities for the growth of their business. As the industry evolves and new technologies emerge, and with them new competitors, the established position of incumbents is threatened. Gradually, as the threat grows, so does the industry's demand for tougher regulation. Although in many industries the demand for regulation may be construed as a demand for producer-protection regulation, in the financial service industry such a demand may be for both producer- and consumer-protection regulation. Given the particularity of this industry and the need to have strong and sound financial institutions (to minimize systemic risk), a regulation that protects the industry (producer) offers protection to customers and to the economy as a whole. As a matter of fact, situations where the benefits of a regulation are shared between customers and producers are rather rare. Under attack from new entrants and from the introduction of new aggregation services, the financial service industry has called loudly for further regulation of the industry. It demands entry barriers and new rules which would make the penetration of its traditional markets by new entrants difficult or even impossible. This would give incumbents some time to adjust to the new reality and develop strategies to enter the emerging market of aggregation services. Regulators are certainly concerned about privacy and fraud, and an industry like the financial service industry, which is experiencing dramatic changes in its structure, would be more prone to irregularities and on some occasions to unethical and fraudulent behavior on the part of its established and new members. Online customer authentication has become the target of fraudsters. The risks are high because criminals can use sophisticated lures like hacking, “phishing”, “vishing”, “smishing” or even “dumpster diving” techniques to extract large amounts of money from innocent individuals making transactions in cyberspace (PatriotBank, 2014). Stealing customer credentials has become quite widespread and financial service institutions are truly concerned with identity theft and other serious security threats. Financial service institutions face the dilemma of how to offer customers a more convenient online service without giving criminals the opportunity to intrude into customers’ privacy.
Recognizing that new technologies offer customers not only better and more convenient online financial services but also the possibility to better control their interests, the FFIEC (Federal Financial Institutions Examination Council) in the United States mandates the use of layered security by financial service providers as a means of protecting their customers’ security and minimizing the likelihood of fraudulent behavior. [6] A layered security approach does not degrade customers’ online experience and keeps at bay, or at least minimizes, the risk of fraudulent transactions. There is always a tradeoff, since there is no bullet-proof approach that guarantees privacy and cyber security. But these technologies are very new and evolving quite rapidly. As a result, little is known with certainty about what is meant by a “layered security approach”, and this confusion prevails not only among laymen but among pundits too. If specialists have difficulty distinguishing between layered security and, say, a “defense in depth” approach, then financial service firms will be uncertain as to which technology is installed and how effective each one is at thwarting fraudulent transactions. By adopting the FFIEC’s standard of layered security, financial service firms comply with the existing regulation, but the latter is actually a minimum requirement. As a matter of fact, layered security is just one component of a defense in depth security approach.

6 Source: https://www.ffiec.gov/pdf/authentication_guidance.pdf

Indeed, layered security refers to multiple types of security measures which protect the internet user against different types of cyber-attacks, for instance the installation of the AVG and ClamWin programs. So, when the term layered security is used, it does not refer to the same security tool implemented many times to protect the user from the same threat. Rather, it describes the implementation of different tools, each one designed to protect the user from various attacks. To better understand the distinction, it is worthwhile to present the example of the well-known Norton Internet Security suite for home use. This is a so-called “vertically integrated vendor stack solution for layered security” and provides (among other capabilities):

• an antivirus application
• a firewall application
• an anti-spam application
• parental controls
• privacy controls

The defense in depth approach is more comprehensive than the layered security approach. As a matter of fact, the latter is only a single component of the former. The philosophy of the two approaches is completely different, though. While the layered security approach combines various components into a single comprehensive strategy aimed at securing the entire system against malicious threats, the defense in depth approach accepts that complete security against threats cannot be achieved by implementing a collection of security solutions within a single software product. Defense in depth takes into account a number of possibilities which may be viewed as possible dangers for cyber security. For instance, it identifies known and less well-known threats like van Eck phreaking, and even incidental threats which do not necessarily target the protected system. Defense in depth can also identify physical theft and unauthorized persons who use forensic recovery of data. [7] According to SANS Institute (2004), defense in depth addresses not only direct threats but also potential threats or possible attacks. It is concerned with the following:

• monitoring, alerting, and emergency response
• authorized personnel activity accounting
• disaster recovery
• criminal activity reporting
• forensic analysis

In a well-planned defense in depth strategy, “threat delay” is used as a means of limiting the propagation of malicious attacks. When attacks and unusual activity are underway, delaying their effects and activating the early notification and response systems allows the damage to be managed before threats are realized. Although a honeypot system – a system installed on a computer which, when on the internet, is able to attract and "trap" malicious or fraudulent activities – is generally viewed as a means of stopping malicious security crackers, in reality it can only alert network security specialists that there is a breach in the system, so that the specialists can intervene in time to eject the intruder before the damage creates havoc.

7 More information is at: http://www.sans.org/event/cyber-defense-initiative-2013/course/windows-memory-forensics-in-depth

5. Conclusions and recommendations

With the advent of tablets and smart phones, mobile banking is becoming popular in the USA, Canada and elsewhere (Gentzoglanis, 2012). Likewise, online shopping is on the rise. Statistics Canada (http://www.statcan.gc.ca/daily-quotidien/131028/dq131028a-eng.htm) reports that Canadians spent $18.9 billion online in 2012, up 24% from 2010, when the survey was last conducted. Also, the use of the internet for personal purposes increased in 2012, reaching 83% of Canadians aged 16 or over. Similarly, the use of the internet and social media increases year after year at high rates. Thus, in 2012 more than 67% of Canadians who used the internet visited sites like Facebook, Twitter, LinkedIn and others. A great jump was also observed in the use of Skype and Facetime to make phone calls and video calls over the internet (from 24% in 2010 to 43% in 2012). Furthermore, downloading or watching films or video clips online has increased dramatically. Internet intensity, measured by the number of hours a user spends on the internet per week (10 or more hours), is also on the rise, reaching 31% in 2010. Most internet users use a Canadian firm or site to make purchases (82%). Although the use of the internet is increasing, whether for pleasure, business or personal financial planning and budgeting, Canadians do not take the necessary precautions to reduce the risks with respect to violation of privacy, fraud, data breach and security.
As a matter of fact, only 28% of Canadians who use the internet never erase their browser history (2012 data) and only 16% do so after use. The percentage of young (16 to 24 years old) internet users who do not use security software on their computers is quite high (71%).

As the number of internet sites and users increases, there is an ever-increasing need to group all accounts in one place and ease access to them through a single user name and password. Dealing with all the financial and utility accounts is not only tedious (remembering and frequently updating user names and passwords, responding to soliciting advertisements and surveys, etc.) but also time-consuming. Monitoring multiple accounts may be frustrating and even a waste of time. Financial aggregation not only reduces search costs (the costs of monitoring and tracking specific accounts) but also frees up the time of busy individuals, who could make better use of it and increase their well-being.

There are a limited number of financial aggregators in Canada, most of them subsidiaries of foreign firms. They have been established during the past five years or so and therefore their names are not yet very familiar to the general public. The most important financial aggregator in Canada is undoubtedly Mint, with over 1.5 million customers. The other financial aggregator, the firm Check, follows closely, and its parent company in the US (formerly known as Pageonce) is currently developing aggressive expansion strategies. Its immediate plan is to expand and become the Mint.com of the mobile market. Check offers various tools that enable users to manage their bills from their smartphone. It has more than 10 million users for its free Android and iOS applications. Although competition is currently not very keen in the Canadian financial aggregation market, we anticipate that it will grow slowly over the coming years. Contrary to the US, the Canadian financial industry is very concentrated, and de novo competition (coming from account aggregators) is more difficult to develop. The Canadian financial industry is dominated by six big banks, which control the market. Financial aggregators cannot easily access the big banks’ networks and therefore cannot offer the same type of services they offer in the US (their home country). Canadian banks instill fear in customers who might use financial aggregators and give them their user name and password. These strategies bear fruit, since none of the financial aggregators in Canada has made major inroads into the Canadian banks’ market. Yet the Canadian banks are developing their own programs and internet interfaces with the goal of offering account aggregation services exclusively to their own customers. Clients without accounts at a specific bank cannot use that bank’s aggregation services. So, for the time being, the account aggregation industry is essentially divided between the Canadian banks and the “pure” account aggregators, mostly foreign firms established in Canada.
But the growth prospects of this industry in Canada, albeit promising, may not be realized immediately, given the particular circumstances prevailing in Canada (high levels of concentration of banks, stringent banking regulations, smallness of the Canadian market, etc.). Additionally, there are serious questions related to privacy and the issues of identity theft, fraud and misuse of data and other sensitive information. These problems may hamper the growth potential of the account aggregation industry. Further, the ever-increasing use of cloud computing and storage by financial aggregators and the banking industry may increase the risks of fraud and hacking. The growth of the Canadian financial aggregation industry thus depends on its capacity to offer the service in a secure and fraud-free environment. Moreover, competition, being the driving force of change, should be encouraged in this industry and should be used as a means of successfully introducing account aggregation and other innovative financial services to Canadian consumers. As the account aggregation industry becomes more mature in Canada, either by means of the US subsidiaries or through the creation of new Canadian and foreign start-ups, the need to monitor the expansion of this industry will become very important. For the time being, the industry is in its infancy. Therefore, there is no need to regulate this industry. Nonetheless, overseeing and monitoring this industry may contribute to the creation of a business environment where Canadians feel more secure and are eventually ready to make further use of account aggregation services. Canadian regulators overseeing financial and personal information should warn customers about the risks of privacy violation when consulting their bills and other financial accounts online.

This research used a modified version of the so-called SCP paradigm in order to identify the main issues, particularly the ones related to privacy, fraud and the risks of security breach in the Canadian account aggregation industry. To this end, we conducted a survey and developed a questionnaire which was distributed to two groups of Canadian users, French- and English-speaking (Quebec and Ontario). The idea was to investigate the behavior of Canadian consumers with respect to financial aggregation services and to analyze the similarities and differences in such behavior. It appears that the two groups have some behavioral characteristics in common but important differences in their perceptions of the financial aggregation industry. The main differences concern their beliefs with respect to the trustworthiness of financial aggregators, their attitude towards the risks concerning fraud and violation of privacy, and the level of security of the technologies used by financial aggregators. These differences are also reflected in their willingness to pay a premium to get a safer service. Although French-speaking customers are more risk-averse, they use financial aggregation services more often than their English-speaking counterparts. This last difference may be attributed to the demographic and socio-economic differences in the two samples investigated.
As far as the regulation of this industry is concerned, it is concluded that regulation may not be appropriate at this stage of development of the financial aggregation industry. Financial aggregators are striving to find the most appropriate business model to penetrate the Canadian market. Although some aggregators use a fee-for-service model, others offer the service for free. Further, the technologies used by the industry are changing drastically and there is, as yet, no dominant secure technology. Disruptive technologies make competition between traditional banking firms and new non-financial firms possible by blurring their boundaries. At this stage of technological convergence and development of the financial aggregation industry, regulation as a prevention mechanism is rather inappropriate.

References

Albrechtslund, A. (2008). Online Social Networking as Participatory Surveillance. First Monday, 13(3). Retrieved from http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2142/1949

Australia (2001). Account aggregation in the financial services sector, Consultation Paper 20, May.

Baloun, K. M. (2007). Inside Facebook: Life, Work and Visions of Greatness. Victoria, BC: Trafford.

Banks, E. (2011). Eric Schmidt: If You Don’t Want To Use Your Real Name, Don’t Use Google+. Retrieved August 28, 2011 from http://mashable.com/2011/08/28/google-plus-identity-service/

Barbrook, R., & Cameron, A. (1995). The Californian Ideology. Retrieved from http://www.alamut.com/subj/ideologies/pessimism/califIdeo_I.html

Barnes, S. B. (2006). A privacy paradox: Social Networking in the United States. First Monday, 11(9). Retrieved from http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1394/1312

Baym, N. K. (2010). Personal Connections in the Digital Age.

Beer, D. D. (2008). Social network (ing) sites… revisiting the story so far: A response to danah boyd & Nicole Ellison. Journal of Computer–Mediated Communication, 13(2), 516-529.

Bigge, R. (2006). The cost of (anti-)social networks: Identity, agency and neo-luddites. First Monday, 11(12). Retrieved from http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1421/1339

Boyd, d. (2007). Why youth heart social network sites: The role of networked publics in teenage social life. In D. Buckingham (Ed.), Youth, Identity, and Digital Media (pp. 119-142). Cambridge: MIT Press. Retrieved from http://www.mitpressjournals.org/doi/abs/10.1162/dmal.9780262524834.119

Boyd, d., & Hargittai, E. (2010). Facebook privacy settings: Who cares? First Monday, 15(8). Retrieved from http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3086/2589

boyd, d., & Jenkins, H. (2006). MySpace and Deleting Online Predators Act (DOPA). Proceedings from MIT Tech Talk.

Brandtzæg, P. B., Lüders, M., & Skjetne, J. H. (2010). Too Many Facebook “Friends”? Content Sharing and Sociability Versus the Need for Privacy in Social Network Sites. Journal of Human-Computer Interaction, 26(11-12), 1006-1030.

CDT (2012). Online Banking Privacy: A Slow, Confusing Start to Giving Customers Control Over their Information, Washington, DC.

Edge and Sampaio (2009). A survey of signature based methods for financial fraud detection

Fujii, H., T. Okano, S. Madnick and M. Siegel (2012). E-Aggregation: The Present and Future of Online Financial Services in Asia-Pacific, Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA 02139.

Gentzoglanis, A. (2010). “Risk and Regulatory Reforms in the Securities Industry: A Need for a Paradigm Shift?”, in the International Journal of Financial Markets and Derivatives (IJFMD), Vol. 1, N0 4.

Gentzoglanis, A. (2011). “EVATM and the Cloud: An Integrated Approach to Modeling of Cloud Computing”, International Journal of Modeling and Optimization (IJMO), Vol. 1, No. 4, pp. 321-326, 2011.

Gentzoglanis, A. (2011). “Risk, Financial Modeling and Cloud Computing: A New Approach”, IPCSIT 9, pp. 147-151.

Gentzoglanis, A. (2012). “Evolving Cloud Ecosystems: Risk, Competition and Regulation”, Communications and Strategies Review, Digiworld Economic Journal, no. 85, 1st Q., pp. 87 -107.

Gentzoglanis, A. (2012). “Quality Regulation and the Changing Structure of the Securities Industry”, The Macrotheme Review, Vol. 1, N0. 1. pp.23-50, Fall (October).

Greenfield, R. (2011). The Case For and Against Google+’s Real-Name Policy. Retrieved September 15, 2011 from http://www.theatlanticwire.com/technology/2011/07/cases-and-against-googles-real-name-policy/40346/

Gross, R., & Acquisti, A. (2005). Information Revelation and Privacy in Online Social Networks (The Facebook case). Proceedings from ACM Workshop on Privacy and the Electronic Society (WPES), 2005, Alexandria, Virginia.

Kirkpatrick, D. (2010). The Facebook Effect: The Inside Story of the Company That Is Connecting the World. New York: Simon & Schuster.

Korff, D. (2008). The difficulties in Meeting the Challenges Posed by Global Social and Technical Developments, London Metropolitan University, European Commission Comparative Study, Working paper, N0. 2.

Lampe, C., Ellison, N. B., & Steinfield, C. (2008). Changes in use and perception of facebook. Proceedings from Proceedings of the ACM 2008 Conference on Computer Supported Cooperative Work.

Langlois, G., Elmer, G., McKelvey, F., & Devereaux, Z. (2009). Networked Publics: The Double Articulation of Code and Politics on Facebook. Canadian Journal of Communication, 34(3). Retrieved from http://www.cjc-online.ca/index.php/journal/article/viewArticle/2114

Lanier, J. (2010). You Are Not a Gadget: a Manifesto. New York: Alfred A. Knopf.

Lenhart, A. (2009). Adults and Social Network Websites. Retrieved from http://www.pewinternet.org/Reports/2009/Adults-and-Social-Network-Websites.aspx

Levin A., Foster M., Nicholson M. J., & Hernandez, T. “Under the Radar? The Employer Perspective on Workplace Privacy”, Centre for Study of Commercial Activities Research Report (2006), available at http://ryerson.ca/faculties/business/news/archive/UnderTheRadar.pdf

Livingstone, S. (2008). Taking risky opportunities in youthful content creation: teenagers’ use of social networking sites for intimacy, privacy and self-expression. New Media & Society, 10(3), 393. Retrieved from http://nms.sagepub.com/content/10/3/393.short

Marwick, A. (2011). “If you don’t like it, don’t use it. It’s that simple.” ORLY? Retrieved September 19, 2011 from http://socialmediacollective.org/2011/08/11/if-you-dont-like-it-dont-use-it-its-that-simple-orly/

Marwick, A. E. (2008). To catch a predator? The MySpace moral panic. First Monday, 13(6). Retrieved from http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2152/1966

Mearian, L. (2001), “Banks See Online Account Aggregation as Necessary Evil”, http://www.telegraph.co.uk/finance/personalfinance/2732394/Citibank-My-Accounts.html

Nolan, J., Raynes-Goldie, K., & McBride, M. (In Press). The stranger danger: exploring surveillance, autonomy and privacy in children’s use of social media. Canadian Children: Journal of the Association for Young Children.

Ontario, Ministry of Economic Development and Trade, (2010). E-Commerce: Purchasing and Selling Online – What You Need to Consider, Ontario, Queen’s Printer for Ontario.

PatriotBank (2014) Retrieved from http://www.patriotbankusa.com/customer-service/protect-yourself-and-your-account/

Raynes-Goldie, K. (2010). Aliases, creeping, and wall cleaning: Understanding privacy in the age of Facebook. First Monday, 15(1-4). Retrieved from http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/viewArticle/2775/2432

Raynes-Goldie, K. (2011). Annotated bibliography: Digitally mediated surveillance, privacy and social network sites. Proceedings from Cybersurveillance and Everyday Life: An International Workshop, Toronto.

Raynes-Goldie, K. (Forthcoming). Privacy in the Age of Facebook: ideology, architecture, consequences. PhD. Curtin University, Perth, Australia.

Samuelson, R. J. (2006). A Web of Exhibitionists. The Washington Post,. Retrieved from http://www.washingtonpost.com/wp-dyn/content/article/2006/09/19/AR2006091901439.html

Sans Institute (2004). Understanding IPS and IDS: Using IPS and IDS together for Defense in Depth. Retrieved from https://www.sans.org/reading-room/whitepapers/detection/understanding-ips-ids-ips-ids-defense-in-depth-1381

Shade, L. R. (2008). Internet Social Networking in Young Women’s Everyday Lives: Some Insights from Focus Groups. Our Schools, Our Selves, 65-73. Retrieved from http://ww.policyalternatives.ca/sites/default/files/uploads/publications/ Our_Schools_Ourselve/8_Shade_internet_social_networking.pdf

Smith, J. (2008). Live Notes From Mark Zuckerberg’s Keynote at f8 Developer Conference. Retrieved 5 September, 2008 from http://www.insidefacebook.com/2008/07/23/live-notes-from-mark-zuckerbergs-keynote-at-f8-developer-conference/

Sprenger, P. (1999). Sun on Privacy: ‘Get Over It’. Retrieved October 5, 2011 from http://www.wired.com/politics/law/news/1999/01/17538

Steeves, V., Milford, T., & Butts, A. (2010). Summary of Research on Youth Online Privacy. The Office of the Privacy Commissioner of Canada.

Stutzman, F., & Kramer-Duffield, J. (2010). Friends only: examining a privacy-enhancing behavior in facebook. Proceedings from Proceedings of the 28th International Conference on Human Factors in Computing Systems.

Tufekci, Z. (2008). Can You See Me Now? Audience and Disclosure Regulation in Online Social Network Sites. Bulletin of Science, Technology & Society, 28(1), 20-36.

Utz, S., & Krämer, N. (2009). The privacy paradox on social network sites revisited: the role of individual characteristics and group norms. Cyberpsychology: Journal of Psychosocial Research on Cyberspace, 3(2). Retrieved from http://www.cyberpsychology.eu/view.php?cisloclanku=2009111001&article=1

Warren, S. D., & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193–220. Retrieved from http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html

Zuckerberg, M. (2009). Improving Your Ability to Share and Connect. Retrieved from http://blog.facebook.com/blog.php?post=57822962130

Appendices

Appendix 1: Comparisons between Quebec and Ontario

5.1 Usability and Financial Aggregator

5.2 Privacy awareness and online transactions

5.3 Technology and trust beliefs

5.4 Frequency of financial transactions online

5.5 Financial Aggregator and various platforms

5.6 Attitude and level of concerns

5.7 Willingness to use a virtual financial aggregator

5.8 Willingness to pay in compensation of a guarantee

5.9 Education

Variable | Coefficient | Std. Error | t-Statistic | Prob.
C | 0.586483 | 0.445674 | 1.315948 | 0.1921
READPPOLICY | -0.504807 | 0.130258 | -3.875439 | 0.0002
AGE | 0.066144 | 0.216882 | 0.304978 | 0.7612
SEXE | -0.186360 | 0.208744 | -0.892765 | 0.3748
ANNUALWAGE | 0.061777 | 0.100565 | 0.614299 | 0.5409
HIGHESTDIPL | -0.125088 | 0.150156 | -0.833051 | 0.4074
KNOWLEDGE1 | 0.041788 | 0.163639 | 0.255365 | 0.7991
INTERESTEDTOKNOW1 | -0.109649 | 0.282270 | -0.388455 | 0.6988
LEVELOFCONCERNS | 0.268088 | 0.104141 | 2.574281 | 0.0120

R-squared | 0.304192 | Mean dependent var | 0.482353
Adjusted R-squared | 0.230949 | S.D. dependent var | 0.920814
S.E. of regression | 0.807513 | Akaike info criterion | 2.510133
Sum squared resid | 49.55793 | Schwarz criterion | 2.768766
Log likelihood | -97.68064 | Hannan-Quinn criter. | 2.614162
F-statistic | 4.153185 | Durbin-Watson stat | 2.076344
Prob(F-statistic) | 0.000372

[Figure: histogram of the regression residuals]

Series: Residuals
Sample 1 87
Observations 85

Mean          -2.87e-17
Median         0.151179
Maximum        1.777437
Minimum       -2.251373
Std. Dev.      0.768099
Skewness      -0.961871
Kurtosis       3.975656

Jarque-Bera    16.47828
Probability    0.000264

Value                         Count   Percent   Cumulative Count   Cumulative Percent
France                            4      3.64                  4                 3.64
International (Autre pays)       11     10.00                 15                13.64
Province de l'Ontario             2      1.82                 17                15.45
Province du Qébec                 2      1.82                 19                17.27
Province du Québec               91     82.73                110               100.00
Total                           110    100.00                110               100.00

Profession

Value                                                                         Count   Percent   Cumulative Count   Cumulative Percent
Analyste financier                                                                1      0.94                  1                 0.94
Bancaire                                                                          1      0.94                  2                 1.89
Comptable                                                                         1      0.94                  3                 2.83
En recherche d'un emploi                                                          2      1.89                  5                 4.72
Entrepreneur                                                                      2      1.89                  7                 6.60
Étudiant                                                                         19     17.92                 26                24.53
Étudiant(e)                                                                      65     61.32                 91                85.85
Étudiante                                                                         1      0.94                 92                86.79
Financier                                                                         2      1.89                 94                88.68
Manager                                                                           1      0.94                 95                89.62
Professionnel de service                                                          1      0.94                 96                90.57
Professionnel des technologies de l'information                                   1      0.94                 97                91.51
Représentant en services financiers                                               1      0.94                 98                92.45
Responsable du développement des affaires dans une agence de communication        1      0.94                 99                93.40
Secrétariat                                                                       1      0.94                100                94.34
Stagiaire                                                                         1      0.94                101                95.28
Trader                                                                            1      0.94                102                96.23
Traductrice                                                                       1      0.94                103                97.17
Travailleur social                                                                1      0.94                104                98.11
Vendeur                                                                           2      1.89                106               100.00
Total                                                                           106    100.00                106               100.00

Appendix 2: Principal investigator’s contact