22seven: the real story
In late January, a firestorm of controversy erupted after the launch of 22seven, a Web service promising to help users manage their finances and save money.
The story didn't start there, though. In fact, the banks' relationships with Yodlee (the US service which drives 22seven) extend back a decade. And it won't end there either - the shape of South African online banking is going to fundamentally change this year.
As we pick up the thread in March 2012, 22seven is still in beta; one bank (FNB) is letting customers access some data through the aggregator, and another (Absa) is actively blocking all its connections.
22seven has historic roots embedded in the banking industry. Those roots, and the history, paint the backdrop for everything that happened around the service's launch.
22seven is the brainchild of Christo Davel, a man with a track record of shaking up online banking in SA. In 2001, he headed up 20twenty, a Saambou joint venture which disappeared in 2005. 20twenty was shackled by its parents (and step-parents, after changing hands a couple of times) and ultimately foundered, but not before gaining a cult following with its focus on user experience and no-nonsense banking.
Now Davel's back, this time at the helm of similarly-named 22seven, with much the same aim: making banking easier and more accessible to users. Davel was approached by Gidon Novick, the co-founder of Kulula and ex-CEO of Comair, to launch Kulula Wealth, with similar ideas. That didn't take off, but the idea stuck, and 22seven includes Comair among its stakeholders (other investors include Hollard and Hasso Plattner Ventures, as well as some angel funding).
22seven is a portal to Yodlee, an international financial aggregation service. Yodlee has been on the scene for over a decade, and is well known to the local banks, many of which have had discussions with the aggregator about their service, and some are still in the process of actively discussing potential business.
In fact, Davel's relationship with Yodlee dates back to his days at 20twenty. He opened discussions with Yodlee in 2001 as the financial aggregator market started to grow in the US. “We were so keen on doing aggregation even back then,” he says. Unfortunately, the Saambou relationship made it impossible - conservative South African banking was struggling enough to adapt to an online model without adding a third party to the mix.
Yodlee's history with South African banks
Davel wasn't the only one talking to Yodlee, or similar providers - the market for aggregators boomed in the 90s. Christo Vrey, managing executive, retail bank digital channels at Absa, knows them well. “I've had dealings with Yodlee since 2002,” he says. “Me and Yodlee go way back. Barclays [Absa's parent company] knows them well too. And we're still in contact.”
There are also offline aggregation services in SA, such as Moneysmart.co.za, which performs similar analysis for users who upload spreadsheets of their transactions.
So, financial aggregation services are very much a known quantity to local banks. While 22seven's launch may have caught them by surprise, the product on offer, and the entities involved, were already well understood.
The banks knew all about aggregation, then, but no service was available in SA. Was the banking public in the dark? No, not at all, thanks to social media.
Why we love aggregation
In the 90s, when the loyalty card and frequent-flyer programmes really took off in the US, it quickly became impossible for people to keep track of their relationships with multiple providers. Aggregation services came along, working by screen-scraping data from individual services, and presenting it in a consolidated view.
As multiple credit cards became the norm, aggregating financial data was a logical step, and the stage was set for personal financial management services to collate loyalty schemes, bank accounts, investments, bill payment and more into a unified customer view.
As e-crime started to rise, the banks started to push back against screen scraping, and the aggregators moved to develop APIs which could interact securely with the banks, and today many overseas banks license Yodlee's technology to sit inside their data centres.
Although this sort of service has not been widely available to SA customers, another form of aggregation is as common here as it is anywhere in the world: social media. Services like Seesmic allow users to manage multiple social networks through unified interfaces. Similar to the evolution of financial aggregators, this was initially facilitated by requesting the user's credentials for each service, but is now more commonly achieved through APIs offered by the social networks.
A key point here is that South Africans, even without previous experience of financial aggregation services, were already accepting of the idea of giving up service credentials to third parties, for the benefits of consolidated services. 22seven had a receptive audience prior to launch.
Permission to launch
“There's a shift happening, with consumers expecting to have access to their own data,” Davel says. “People are smart. They want the right to decide where to go and what to do.”
The banks, without exception, are aware of this trend already: they all have personal financial management tools under development. 22seven may not have catalysed that development, but it pulled back the curtain sooner than the banks would have liked, and that may hasten products to market.
22seven's launch took the banks by surprise. Without prior notice, or warning of any sort, the service opened its doors and began soliciting customers, relying on word of mouth, viral marketing, and hoping for the sort of cult following that 20twenty gained.
“There was no awareness pre-launch, no warning at all,” says Lee-Anne van Zyl, CEO of online banking at FNB. “I did wonder why they didn't try to partner with us sooner.”
Early warning probably wouldn't have made any difference, for reasons I'll discuss in more detail shortly. “There was no collaboration, no forewarning,” says Absa's Vrey. “But the response would have been the same.”
22seven hasn't published any numbers, but Davel boasts that the interest from the market was overwhelming. Literally overwhelming, since the cloud-based servers running the service struggled under the demand and had to be upgraded. “We were embarrassingly successful at launch,” he admits. “Honestly embarrassing, because we couldn't handle the load. People are really picky about online services, and if yours isn't available or they get an error, you can lose a customer just like that.”
From their end, Absa and FNB both told us that only a few hundred clients apiece actually took the process far enough to initiate connections with their servers. Vrey still tracks the numbers even though the connections are being blocked before they ever reach the Absa site. “I'm not seeing a groundswell of support,” he says. But he's watching for one, because he thinks he can quantify demand, by tracking how many customers download their transaction data for offline analysis. Downloaded files can be imported into personal finance software, or services like Moneysmart. “About 23 000 customers download their data monthly, out of 1.32 million online banking users.” Not a high percentage perhaps, but a big enough number to excite Christo Davel.
The sign-ups confirmed what Van Zyl already knew: demand was there, and growing. “We knew clients wanted something like this. People coming into e-banking expect a lot more nowadays.” But she questions how many people will stay with a third-party aggregator, especially when the banks are actively building competing services, which may be cheaper or free compared to 22seven's proposed R70/month fee. “We're seeing a lot of curiosity. That might change when it's no longer free. And I question the commercial model of 22seven when all the banks are building the same functionality.”
There will be a shift in banking, Van Zyl says, and the banks will be aggressive about delivering services to attract customers. “People shouldn't see banking as a grudge purchase. It's a competitive market, and we're constantly being challenged to offer more to retain clients.”
Davel, for his part, is confident 22seven will be able to remain competitive. He has one clear advantage: 22seven offers aggregation across multiple institutions, where the banks will focus on their own data. Van Zyl is blunt about that: “We won't do aggregation. We want to focus on switching clients from other banks.”
Any aggregator, Vrey says, faces an uphill struggle with users when they realise that categorising their spend is very time-consuming. “Understanding where your money goes is fantastic, but it's hard work. You can automate maybe 60% if you're lucky.” Any PFM (personal financial management) - even one internal to a bank - has to overcome that, he acknowledges.
It goes without saying that banks take security very seriously, and that focus made their responses to 22seven very predictable.
There's plenty at stake. Susan Potgieter, GM of commercial crime at the South African Banking Risk Information Centre (Sabric), reported that electronic banking fraud topped R180 million in 2010, driven by phishing and 419 scams.
Banking security in SA was propelled into the global headlines in 2003, when a number of Absa customers were targeted by a keylogger Trojan, which captured their online banking credentials. In the wake of that incident, all South African banks stepped up security, evolving to the model we have today, with stronger authentication, SMS notifications, and one-time passwords required to add new beneficiaries and some transactions.
With aggregator services, there are several additional risks. First, suggesting it's okay to give up your credentials to a third party immediately raises eyebrows. The banks have spent a fortune over several years educating customers, building the consistent message that you should never, under any circumstances, disclose your login details, no matter how trustworthy the recipient seems.
22seven, regardless of its merits, rather neatly embodies the threat banks have warned us about. Their response, therefore, was completely predictable:
Banks to 22seven: no, no, and heck no
Within hours of 22seven launching, all the banks had issued strongly worded statements discouraging their customers from signing up, citing those security concerns. Although the language varied, they all covered the same basic points: Don't give your credentials to anyone. If you do, they will effectively be you if they transact. Because they're you, you may not be covered against fraud.
Web and digital media lawyer Paul Jacobson notes that the banks were driven by limiting exposure, and shifting liability for losses to users who act irresponsibly. “By emphasising how risky certain activities are and that the banks don't condone (or even prohibit) those activities, they seek to shift responsibility to customers if they ignore the warnings anyway. Where there are warnings about risks and customers ignore them, the banks have arguably done what is reasonably required of them to protect their customers and the customers themselves are negligent in ignoring the warnings. Negligence is a reasonableness test which takes into account what an objective reasonable party would do in the specific circumstances. It's basically about shifting that responsibility in the event something goes wrong.”
You can read Webtechlaw's interpretation of banks' terms of service, and how 22seven affects liability, here.
The vocal denouncement of third-party services was enough for most banks, but not all. Connections from Yodlee are easily identifiable at the gateway, so Absa took immediate action to block connections completely. Capitec did the same. “We do not support any practice in which a third-party service provider accesses clients' banking information by using their sign-in details,” says Charl Nel, head of strategic communication at Capitec. “We apply this approach consistently to any such PFM product practices, including those of 22seven.” Nel says the bank blocks connections from third-party sites in line with that policy.
22seven to banks: you're so predictable
“Of course, we anticipated the reactions from the banks,” laughs Davel. “FNB is a definite outlier - they weren't as defensive. The other banks were a lot more suspicious, even though they understand the issues and the international trends.”
The banks describe that predictability as consistency. They have, after all, spent all that time and money educating users not to give up credentials. “Once you let that go, and create precedence [to the contrary], you're doomed,” says Vrey. “Your customers are confused. The industry has spent R150 million in communication and education - you can undo 12 years of work in an instant.”
The banks have stuck steadfastly to that line, as they must. “We will not support the disclosing of any banking logon credentials to third parties, especially in the case where those third parties have not engaged with the bank in detail to ensure alignment of security standards,” says Itumeleng Monale, director of self-service banking at Standard Bank. “In the event that a third party is allowed to store or intercept a customer's banking logon credentials, the security of their account cannot be guaranteed.”
Davel points out that the education has worked, and most users (especially the technically savvy ones likely to use a service like 22seven) know the risks and can look after themselves. “The early adopters and tech-savvy people understand the risks of sharing information. They aren't stupid.” Customers expect better access to their data, he says, and banks have to provide secure frameworks to meet those expectations, not stonewall them.
FNB to 22seven: ok, maybe yes
FNB was the first to offer an olive branch, and showed its customers a way to use 22seven in a less risky fashion, after close discussion with Davel and his team. Although the bank has remained firm in its messaging that primary login data must remain sacrosanct, it demonstrated how to use locked-down profiles to interact with 22seven.
The bank has offered secondary profiles for some time, which customers can use to give other people (business partners, family members, and so on) limited access to the banking interface. Those secondary profiles are restricted in which facilities can be accessed, and can be limited still further, into a view-only mode.
FNB found a clever line to walk, sticking to the mantra of never divulging login details, but showing that view-only profiles could be a less risky way to access a third-party service.
The bank also enforces that policy, by tracking connections from Yodlee, and blocking any which may be unsafe. “We use a unique identifier to spot Yodlee activity,” Van Zyl says. “If it's a primary account, we block it. If it's a secondary with transaction permissions, we block that too. Only if it's a secondary in view-only mode do we allow it.”
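As an added illustration (not code from FNB, 22seven or Yodlee), here is the three-rule gateway policy Van Zyl describes, combined with the kind of attempt counter Vrey says Absa keeps even while blocking everything. The header name, field names and sample traffic are assumptions; the page says only that aggregator traffic carries a "unique identifier".

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Constructed marker. The page says only that Yodlee traffic carries a
# "unique identifier" the bank can spot at the gateway; how it is carried is
# not described, so a request header name is assumed here.
AGGREGATOR_HEADER = "x-aggregator-id"


@dataclass
class LoginRequest:
    profile_kind: str            # "primary" or "secondary"
    can_transact: bool           # secondary profiles may be view-only
    headers: dict = field(default_factory=dict)


@dataclass
class Gateway:
    """Applies the three FNB rules and keeps Absa-style counts per verdict."""
    decisions: Counter = field(default_factory=Counter)

    @staticmethod
    def is_aggregator(req: LoginRequest) -> bool:
        # Header names are case-insensitive, so compare in lower case.
        return AGGREGATOR_HEADER in {k.lower() for k in req.headers}

    def decide(self, req: LoginRequest) -> tuple:
        if not self.is_aggregator(req):
            verdict = ("allow", "direct customer login")
        elif req.profile_kind == "primary":
            verdict = ("block", "aggregator presented primary credentials")
        elif req.can_transact:
            verdict = ("block", "aggregator secondary profile can transact")
        else:
            verdict = ("allow", "aggregator secondary profile is view-only")
        self.decisions[verdict] += 1
        return verdict

    def aggregator_attempts(self) -> int:
        """Attempts made via the aggregator, allowed or blocked: the demand
        signal a bank can track even when it refuses every connection."""
        return sum(n for (_, reason), n in self.decisions.items()
                   if reason != "direct customer login")


def run_sample() -> Gateway:
    """Constructed traffic: one login attempt of each kind the article describes."""
    via_yodlee = {"X-Aggregator-Id": "yodlee"}  # constructed header value
    sample = [
        LoginRequest("primary", True),                 # customer at the bank's own site
        LoginRequest("primary", True, via_yodlee),     # blocked: primary via aggregator
        LoginRequest("secondary", True, via_yodlee),   # blocked: secondary can transact
        LoginRequest("secondary", False, via_yodlee),  # allowed: view-only secondary
    ]
    gw = Gateway()
    for req in sample:
        gw.decide(req)
    return gw
```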
Van Zyl says the bank wanted to be seen to be helpful. “Saying 'no' seemed like the easy way out. We wanted to see if we could make it work. I think there's an expectation in the market that banks will say 'no'.”
Slippery slopes, copycats, worst case scenarios
With the banks' positions and motivations clear, let's look at the worst case scenarios and the risks 22seven brings to the market. While 22seven adds very few new threats to the mix, it does extend the surface area, and therefore the risk.
A major fear for banks is that once the “never tell” message is diluted, customers may more easily be led astray. This is a standard practice in social engineering: the hacker won't ask for your password straight away; he's more likely to ask you an innocuous question to build trust, a process familiar to conmen of all sorts.
It also opens the door for similar services to make the same demands. If 22seven becomes popular, copycats will inevitably follow, and having endorsed 22seven, it would be much more difficult for the banks to dissuade customers from using a similar service with less trustworthy credentials. Copycats could be either outright frauds, or they could be well-meaning but incompetent at security. Either way, customers would be at higher risk.
Several phishing scenarios are also easy to describe in a 22seven world. The most obvious is a fake e-mail purporting to be from 22seven: “The banks have updated their interfaces and we have disabled your account until you re-authenticate. Go here and repeat the sign-up process...”
Another blends phishing and copycat tactics: “We're a new service just like 22seven, and we're completely read-only just like FNB to keep everything secure. We just need your primary login details for the initial sign-up...”
Another, more dangerous, scenario goes like this: in social engineering circles, the groundwork for an attack is known as pretexting. In pretexting, you establish something about your victim, so that you can gain their trust. And knowing their purchasing history is, in a pretexting context, pure gold. “Hi, this is John from Mercedes Sandton. You had your car with us for a service two weeks ago, and there seems to have been a billing mix-up...” 22seven, even with FNB's view-only approach, increases this risk slightly.
Of course, this risk applies equally to offline aggregators like Moneysmart - anyone who can access your transaction data, or who can lead you to giving it up, runs the same risk. And even Absa's Vrey doesn't think it's much of a worry. “I have no concern about that. It's just transactional data, and I have no issue with it.”
Lastly, an uncomfortable (but luckily, highly unlikely) possibility is that 22seven may in fact be an elaborate scam. Davel is a great guy with many friends. He's likeable, approachable, and enthusiastic about his products. But Bernie Madoff's victims probably thought the same. Realistically, it is extremely unlikely that Davel is South Africa's next Barry Tannenbaum, but we do have only his word for it.
22seven's security... not as important as you think
22seven's security is mostly irrelevant here, other than as a phishing target or if the company had made beginner mistakes in securing its Web site. 22seven is a portal to Yodlee, so it is that company's security which is pertinent.
Fact: Yodlee is not as secure as your bank in at least one respect.
Fact: It doesn't matter and the banks don't care anyway.
Yodlee, as a financial services company with deep integration with many of the largest banks in the world, takes its security very seriously. Even Vrey, who knows the Yodlee operation intimately, describes the Yodlee data centre as “world-class”. But without access to a secure API, the screen-scraping approach requires that the company logs in to banking interfaces and enters passwords and PINs in cleartext.
Yodlee, therefore, must be able to process your credentials in cleartext, where your bank needs to store only encrypted data. Yodlee's databases are encrypted of course, and its chain of custody is probably as secure as any service on the planet, but in a pure bullet-point comparison of security practices, that would count against them.
But that sort of point-scoring does not trouble the banks, even the most cautious of them. “We can't fault their facilities,” Vrey says. “Our decision to limit access had nothing to do with security.” It was motivated, he says, by the need for unwavering consistency in the security messaging to customers.
Where to from here?
The future for 22seven is unclear, though Davel is bullish about its chances. In a world dominated by “free” services that monetise their users through upselling or advertising, 22seven has been clear from the start that it will be a paid-for service, costing R70 per month. Once the sunk cost of the Yodlee software licence is paid, Davel says, it doesn't need many users to become profitable. “Obviously we'd like to get millions of sign-ups, but we don't need it. There is plenty of demand, and plenty of room for us to co-exist with the banks, not compete with them.”
A question which remains hanging, of course, is what about Absa? “The main requirement to get out of beta is stability,” Davel says. “We have to be able to connect with most of the big banks most of the time. There's that question of whether we should wait until all the big banks are on board, or whether we should come out of beta with one still closed off, and let the market decide.”
Can Absa's Vrey imagine a scenario in which the bank changes its tune, and allows customers to access their data through a Yodlee screen-scraping service? “Honest answer: no. I can't envisage a way that would allow us to take a step and allow 22seven access. Even view-only would require us to say it was okay to give some credentials away.”
The future for the banks is clearer. Every bank has had PFM-style projects under development since well before 22seven came on the scene, with some already in trial and expected to launch in the next few months. Offering better visualisation tools may become as big a differentiator as online banking itself did many years ago. Those services will compete with 22seven, but will have a key shortcoming: they will be limited to transactional data from the host bank, where 22seven's value proposition centres on its ability to source data from multiple institutions.
The banks downplay this as a factor, but admit it could play a role. Van Zyl points out that very few customers use more than one bank, though Vrey notes a lot of people do maintain multiple credit cards, and aggregating data across them is a valuable service.
The future for banking customers, risks aside, is bright. Aggregation services, in any field, are popular because they directly address a core frustration of many users: managing too much data and the sense that some value (whether that's air miles, too much spending or not enough social media interaction) is being lost in the confusion. People want it, and they are willing to take risks to get it.
Don't expect the banks to openly support third-party services. The primary motivator in any security-related communication from a bank will be consistency, and they will remain steadfast in the message that working with a third-party is dangerous and may expose you to the risk of fraud. FNB's view-only option is clever, but already a step further than some banks will take. That probably establishes the boundary within which third-party services will have to operate.
But do expect much better personal finance tools, both from your bank and from third-party providers. Everyone involved in this saga acknowledged that customers are becoming more demanding about tools to visualise and manage their financial matters.
22seven may take off. It may not survive. It wouldn't be the first financial service Davel has brought to the South African market, only to see it fold despite its popularity. But the PFM genie is out of the bottle, and over the course of 2012, it will change the shape of South Africa's online banking.
UPDATE: May 11, 2012
22seven is now officially out of beta, with a revamped user interface, much broader access to financial institutions (including ABSA, whether they like it or not), a bigger team, but roughly the same level of chutzpah.
Users will start to receive reminders to pay the R70/month fee, and any who choose not to will have their data completely purged as a security measure: at this stage there's no option to put the service on hold and come back later with your historic data intact, says Chris Tisdall, 22seven's COO.
Davel admits he has “no clue” what rate of attrition to expect from the user-base, but says he is still confident that the service will meet its targets to be profitable.
Davel also suggested that he may open the door to third-party products. Although he said he remains strongly committed to independence, Davel says that if there are obvious ways where choice can lead to savings, or where users' experiences could be shared to evaluate products, it could be “worth considering”.
“For example, most people don't realise they can save a fortune on short-term insurance,” Davel said. Hollard Insurance is one of 22seven's backers.