Account Aggregation

January 1, 2002

Account aggregation is a hot new Internet financial service offering that is spawning interest and controversy in the domain of customer data in the United Kingdom. This service offering presents content from a multitude of sources at a single Web location that can be accessed by the customer. The convenience of being able to manage different financial relationships from one page is proving highly attractive to today’s money-rich, time-poor consumers. Information such as frequent flyer miles, bill data and financial information is pulled from multiple, often competing, entries and consolidated at one page.

There are really only two ways that the aggregator can pull all this information together. The first technique is known as screen scraping. The aggregator must electronically visit various sites, access the consumer’s account using the passwords provided and pull all of the customer’s account information to one site. The second method of collecting customer information is far less controversial. The institution sends a direct feed of its customer’s information, thereby blocking the aggregator from access to its site. It is the first technique used by aggregators that presents greater legal pitfalls.

Whilst account aggregation has been eagerly embraced across the Atlantic by US banks, British financial institutions have continued along a much more cautious path. There are various reasons for this, but a substantial factor is the different UK laws that apply to the electronic collection of data required by the aggregator.

This article examines legal problems flowing from contractual terms and legislative provisions that present challenges to be overcome by the aggregator, namely the Computer Misuse Act 1990, database right infringement and the Data Protection Act 1998.

Contractual Hurdles

Potential liability is faced when the aggregator employs the technique of ‘screen scraping’ to gather a client’s information and records. By asking for pin numbers from the customer the aggregator can be guilty of wrongfully inducing a breach of contract.

The same breach also affects customers who give out their pin numbers. A recent move by Barclays, Abbey National and the Royal Bank of Scotland saw them request to be removed from Citibank’s My Account service. Defending their actions, they cited concerns over security and claimed that by passing on passwords to a third party, customers were breaching the terms and conditions of their accounts.

Obviously, the lowest risk solution for data aggregation is to obtain consent from the content-providing sites before aggregating information from these sites. Practically, however, it is unlikely that the site being entered would be forthcoming with consent without some financial incentive or would be unwilling due to the potential that it may lose customers to the aggregator.

Computer Misuse Act 1990

Under the Computer Misuse Act 1990 (the CMA), there is an offence referred to as unauthorised access to computer material. It is an offence to cause a computer to perform a function with the intent of knowingly gaining unauthorised access to any program or data held in the computer. Access of any kind by any person to any program or data held in a computer is unauthorised if that person is not himself entitled to control access of the kind in question to the program or data. In addition, that person does not have consent to access from any person who is entitled to give that access.

The question therefore arises as to whether the customer is entitled to control access to his accounts (and therefore grant the aggregator authorisation to access his accounts) rather than only being entitled to access those accounts. This may depend on whether the customer is permitted to disclose his PINs to any third party. Typical privacy statements state that it is an offence to use another person’s password to access data held by that financial institution. In circumstances where the relevant customer terms and conditions prohibit the disclosure of PINs or other account information to third parties, it is possible that a court may construe that the only person entitled to control access to the data in question is the financial institution and not the customer.

Although the offence was originally aimed at malicious hackers, it is sufficiently widely drawn that it could be applied to data harvesting by an account aggregator. Although technically correct in terms of the CMA, it is unlikely in practice that the police or prosecuting authorities would take action against customers. Financial institutions would also be extremely wary of potential damage to customer relations by bringing an action.

Although a number of cases have been brought under the CMA, the majority of convictions have related to incidents where a party has supplied equipment to gain access. Other cases have dealt with access to data by parties without authorisation, usually with criminal intent.

In the case of R v Farquharson, a prosecution was brought under s1 of the CMA, which relates to the unauthorised removal of information. The case is significant as it reinforces two important points. The first point is the hacker is not required to have any direct connection, electronic or otherwise, to the computer illegally accessed. The second is that the hacker is not required to be doing anything that he is not permitted to do as long as the overall purpose is not permitted.

Whilst the actions in this case do not directly reflect the types of activities in account aggregation, it follows that an account holder could give express permission to the aggregator to access his account. Whether the account holder can actually give permission in this way to the aggregator and not fall foul of the CMA is debatable.

The question remains as to whether the activities of an aggregator are worthy of criminal sanction under the CMA, although it is hard to say with certainty that aggregators would be able to avoid prosecution. The reality is that the only way an aggregator could completely avoid the possibility of the commission of an offence under the CMA would be to obtain the consent of each financial institution that is to be subjected to data harvesting. The Financial Services Authority’s view is that any financial institution contemplating the provision of an aggregation service must seek expert legal advice as to whether their business model would breach criminal law.

A great disadvantage of the CMA is that it did not address criminal intent. If it had, it would not create such ambiguities for account aggregators. As it stands, it fails to ensure that the law copes with changes in technology and that those undeserving of criminal sanction will not be caught unexpectedly by the criminal law.

Database Directive

The propensity for both access to and copying of data held on computer has created problems for the law and now impinge on the successful operation of account aggregators. The Copyright and Rights in Databases Regulations 1997 brought the Database Directive into force in the United Kingdom. The Legal Protection of Databases Directive created new rights protecting commercial databases. The Database Directive sought to find a solution to the problem of protecting intellectual property rights in databases by creating a two-tier system, capable of rewarding both creativity and investment. Balanced against this was the need to balance database protection with fair licensing and other promotion for competition on the grounds of public interest. The account aggregator can fall foul of the Database Directive in copying information from databases for its Web site. It is arguable whether this is justifiable, as the protection it offers has to be balanced against the need to promote fair competition in the market-place.

While the aim of the Database Directive is to protect databases, it does not apply uniformly to all. Tables and compilations, which do not fall within that definition, are not protected under the new sui generis right. These tables and compilations remain protected by copyright under the existing copyright law. Mere random collections of information not involving any real exercise of labour, judgement or experience are not protected.

The UK Database Right

Under the Regulations, third parties with access to databases are prevented from extracting and reusing the contents of databases for commercial purposes. The effect of this to the aggregator is that it may be prohibited from extracting information even though it can access it.

The sui generis right under the Regulations is called the database right and is similar to copyright in that it protects investment in databases. The rightful holder may prevent two forms of extraction:

  • permanent or temporary transfer of all or a substantial part of the contents of a database
  • extraction in circumstances where the third party makes available to the public all or a substantial part of the contents of the database, in any form.

However, the aggregator has a right to use a database, or part of a database, which has been made available to the public in any manner. It is unclear as to when and in what circumstances a ‘database is made available to the public in any manner’, as stated in the Regulations, which then triggers the lawful user rights under the sui generis right.

There is further uncertainty created by conflicting provisions of the Regulations and the Database Directive. Repeated and systematic extraction and/or utilisation of insubstantial parts of the contents of a database is prohibited as doing this goes against the normal use of the database and unreasonably prejudices the interests of the database creator. However, this conflicts with another provision that restricts the database creator, who makes the database available to the public, from preventing a lawful user from extracting and/or re-utilising insubstantial parts of its contents for any purposes whatsoever.

It is not clear which provision takes priority. Interpretation of the Regulations and the Database Directive suggests that the Database Directive indirectly protects the contents of an electronic database, whether or not those contents are themselves able to be protected by copyright. It does so by restricting access to the contents by persons who are not lawful users of the database where access necessarily requires temporary reproduction of the contents of the database in machine memory in order to make a search of that database.

Database Rights and Account Aggregation

Given the incredible power of computers and the Internet to create new value by ‘reformatting, filtering and hot-linking existing data’, how does the concept of account aggregation fit with the rights afforded to the creator of a database under the Database Directive? The Database Directive would certainly allow the creator of the database to quash the account aggregator. Returning to the arguments cited by the United States’ critics, any legal initiative that weakens the ability of newcomers to enter and compete effectively in markets for products that add value to existing data should be carefully scrutinised, lest they impede competition without adding benefits to the public. Perhaps companies in the financial services industries should be more concerned about the free-flow of information than in building fences around the information they hold.

The removal of information from a Web site by an account aggregator quite clearly might breach the database right of the database creator. There is no conclusive authority to suggest that the database right will protect a database that stores customers’ details and account transactions. Is there enough effort in the creation of the database and in keeping the database up-to-date?

It could be argued that the withdrawal of the information from the database relating to one customer is not substantial as, relatively speaking, the details of one customer are extremely minor compared to the number of customers held on the database in question. The database creator could fall back on the argument that repeated extraction of a number of different customers’ details on a regular basis could amount to a substantial extraction from the database.

Data Protection and Account Aggregation

Data protection, as driven by the Data Protection Act 1988, governs what may and what may not be done with personal information, which definition includes electronic data.

An account aggregator will obtain a vast amount of data about individuals who have chosen to use its service. Under the DPA, an account aggregator has an obligation to comply with the eight data protection principles in respect of the processing of personal data belonging to those individuals.

The first principle imposes an absolute prohibition on the processing of personal data unless it can be justified in terms of one of the conditions set out in sch2. There is really only one condition in sch2 that an aggregator can use to justify the processing of personal data – that the individual has given consent to the processing of his personal data. If the aggregator were processing personal sensitive data, for example health information, in terms of sch3 the individual would require to give his explicit consent. This is due to the fact that the value of that data lies in the aggregator being able to use the data for various purposes, such as advising the customer on financial affairs and marketing alternative or additional products or services.

UK banks must provide the account holders with a data protection notice. The data protection notice must be given at the time of collection of the personal data. It is relatively easy to comply with this requirement of the DPA, as the aggregator can provide a notice when the account holder enters his details on the Web site. The notice need only be displayed prior to the individual entering his information.

There is also a requirement that appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures must be appropriate to the type of personal data processed by the aggregator. A dubious point is that if a financial institution were to allow its data to be aggregated, it would have to concede that the aggregation was neither ‘unlawful’ nor ‘unauthorised’, otherwise it would be seen to be in breach of this requirement leading to the likelihood of enforcement action from the Commissioner.

A financial institution may sub-contract the provision of an aggregation service to a technology company. If this is the case then the financial institution must have a written contract in place imposing security obligations on the aggregator and must also have carried out the necessary due diligence to ensure that the aggregator can, in practice, keep the data secure.

One further point to take into consideration is the scope of s55 of the DPA. Under this section, it is an offence for a person, knowingly or recklessly, and without the consent of the data controller, to obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in the personal data. This gives the financial institution leverage against an aggregator in terms of the DPA if the aggregator accesses personal data of an account holder, as there is obviously no consent from the financial institution in question.

Conclusion

The popularity of Internet banking in the UK is perhaps the first indication that consumers in Britain are becoming increasingly confident in using the Internet to control finances. If account aggregation is to become accepted in Britain, it will be of paramount importance that the legal community is able to give the green light to account aggregators. Currently the financial services authority has warned that, if there is the slightest chance that the account aggregation model breaks the law, the service should not be offered to consumers. Effective lobbying to clarify current legislation will ensure that all parties involved are protected, helping to encourage enterprise and commercial activity.

Emily Wiewiorka is head of IP/IT Law at Boyds Solicitors.