Lee: Repair Inadequate Aggregation Regs

Article excerpt

John Jin Lee, Wells Fargo Bank's legal eagle on Web aggregation, recently discussed the implications of outdated decades-old regulations governing the booming new business of account aggregation with reporter Michele Heller.

Aggregation involves consolidating an individual's financial account information from a variety of institutions onto one Web site, enabling customers to view and manipulate multiple accounts on a single site.

A number of large banks and brokerages - including Mr. Lee's employer, Wells - are revving their engines to get into the business currently dominated by nine nonbank aggregators. But until they do so, banks remain liable should their customers become victims of fraud or errors caused by a nonbank aggregator.

Mr. Lee is vice president and assistant general counsel at Wells Fargo Bank, and the legal adviser to the San Francisco-based institution's consumer Internet services team. He also heads the retail credit side of Wells' legal department.

What laws and regulations govern Web aggregation?

Lee: The rules covering aggregation, to the extent that they exist, are very few. They are based on Regulation E, which implements the Electronic Fund Transfer Act of 1978.

Regulation E applies when a fund transfer occurs electronically. For an aggregator to become subject to Regulation E once an electronic funds transfer occurs, it has to be involved in activities that fall into one of two categories. One, the institution has to maintain the customer account or issue an access device to the account.

By definition a nonbank aggregator clearly is not a bank, so therefore it does not have customer accounts. So it can't fall under the first category.

So the nonbank aggregator has to fall under the second category - the category involving institutions that issue an access device. When you're talking about aggregation, you have to ask: Has this nonbank aggregator issued an access device? Did the nonbank aggregator issue some kind of PIN (personal identification number) for customers to get into its Web site?

Under Regulation E, it's generally accepted that a PIN or some kind of password access to a Web site constitutes an access device. So we would argue that if there is an electronic funds transfer that takes place involving a nonbank aggregator and you have to go through a PIN or password access in order to conduct that transaction, that seems to be enough to bring it under Regulation E coverage.

Often, though, nonbank aggregators do not issue their own PIN and thus avoid triggering Regulation E. Instead they use their customers' bank-issued PINs, and therefore seem to be exempt from Regulation E liability.

Regulation E provides a basic framework of bank responsibilities and liabilities when customers are transferring funds electronically. Why does the cutting-edge business of aggregation fall under the old regulation, which was written in 1978, when the only way to transfer money electronically was through an automated teller machine?

The situation we are faced with is trying to apply Regulation E in the context of a development that probably was not anticipated at the time Regulation E came into being. That is, more than one institution playing a role in the electronic funds transfer, as is the case with aggregation.

Aggregation is the process by which a third party - usually a nonbank - takes account data from various parties - usually financial institutions - and places that information on its Web site to provide the customer with a one-stop shop. The customer can get information on those various accounts and undertake transactions involving those accounts.

When we were just doing electronic funds transfers through brick-and-mortar automated teller machines, they were initiated by someone with an ATM card and a personal identification number. The transaction took place through the initiative of the institution that maintained the ATM. …