22seven is a personal financial management (PFM) service that automatically retrieves a user’s transaction information from their bank through its third-party aggregation provider, Yodlee.
Yodlee requires users to provide their full login credentials: a username (which is an account number with some banks) and a password (which for some banks is a PIN and password combination). These credentials are used to log into the user’s Internet banking, from which Yodlee gathers the transaction data on the user’s accounts.
Other PFM tools allow users to manually import statements rather than linking to their bank accounts, but 22seven said that they first wanted to focus on automatically getting that data for the user.
When Absa prevented Yodlee from accessing the Internet banking of its customers earlier this year, Absa account holders were unable to get their transaction data into 22seven.
Yodlee’s access appeared to be restored some weeks after Absa cut them off, with users reporting that their data was being updated again.
However, according to Absa, it did not restore or enable access for Yodlee.
“We are aware of the varying tactics being employed by third party aggregation sites that pose a clear risk to our customers’ security, and we continue to work to close any gaps that could potentially allow a third party access to our customers’ personal details,” Absa said.
An Absa spokesperson explained to MyBroadband that the bank would cut off Yodlee in future if it discovered a security hole that needed to be closed.
22seven in discussions with banks, reserve bank
At a press event where 22seven announced its exit from beta, founder Christo Davel told journalists that in meetings with Absa, the bank had told them that they can’t stand in the way of customer demands and just have to find a way to manage the risk.
Davel also said that they met with the regulator, the South African Reserve Bank. After Yodlee’s presentation the discussion shifted from concerns about security to one around messaging, Davel said.
“Our task is to find ways of linking with banks so that users don’t have to breach their bank’s terms and conditions to use 22seven,” Davel said.
He went on to say that he believes banks will provide secure interfaces (or APIs) which companies like 22seven could use to offer their services. “It’s just a question of when,” Davel said.
According to Davel, the situation in South Africa’s PFM space mirrors what happened in the United States 11 years ago.
Davel said the first company to launch a tool that made use of financial aggregation services was actually sued by a bank.
According to reports, First Union Corp. sued Paytrust Inc. towards the end of 1999 for using screen scraping technology to access users’ account data (with permission from the user).
First Union posted warnings about not being able to “guarantee the security of your account” on its site similar to those issued by South African banks when 22seven announced its public beta.
It is interesting to note that some months later, First Union reportedly struck a deal with Yodlee after dropping the case against Paytrust.