Delaware DOJ alerts investors to protect financial information 

The Investor Protection Unit of the Delaware Department of Justice cautions investors to carefully review the terms of any agreements with data aggregators or third-party platforms used by financial professionals they do business with.

Data aggregators (which collect and organize data from multiple sources) and third-party platforms are utilized by financial professionals to put all their clients’ financial information online and in one place. This can help investors and their financial professionals organize and manage finances in once place.

Before making the decision to use a data aggregator or third-party platform, it pays for investors to know how these services operate and how to be protected from potential privacy and security risks. 

When using a financial data aggregator, an investor’s dashboard, sometimes called a personal financial management hub or portal, can display an individual’s investments, checking accounts, savings, insurance policies and credit balances. In addition to a snapshot of the investor’s overall finances, depending on the provider, the investor could receive services such as financial and tax planning, financial advice, budgeting, and the ability to track home value and mortgage information. There could be fees and costs associated with some data aggregation services.  

Many customers value the convenience of financial data aggregation and appreciate having a single snapshot of multiple accounts. However, providing access to one’s detailed financial information can come with some risks.

Following certain tips can help investors protect themselves if they decide to share  their financial information with a data aggregator or third-party platform, or service providers who use them.

It’s important to weigh the benefits of aggregation against the risks of sharing access to accounts. This is especially vital when an investor authorizes a third party to facilitate payments, trades or withdrawals of securities or funds on their behalf. 

Understand whether the data aggregator’s connections to one’s financial institutions come from screen scraping, in which the aggregator uses the investor’s credentials to sign in to accounts and collect information, or application programming interface, which transfers data from the financial institution to the aggregator without sharing credentials, or both. 

Investors should read the terms and conditions of any user agreement or contract before signing, to know what rights and access they are granting to their financial accounts and data. Always read the terms of use, privacy and security information.

Investors should also verify that the aggregator or the third-party platform will only access the information it needs to provide the desired service, be aware that there might be charges for certain transactions and services they elect to use, and ask what privacy and data security measures are used.   

If the aggregator or third-party platform uses scraping algorithms to collect data from investors’ financial accounts, does it store their credentials?

It’s vital to know whether supplemental or authorized users can withdraw funds or securities from investor accounts. Be cautious of granting a power of attorney to third-party platforms. Investors must know what powers they are granting. 

Investors should do their own online research and due diligence. They should look up reviews, complaints or lawsuits against the data aggregator or the third-party service provider they are considering using. 

Another key point is what type of liability, if any, does the aggregator or third-party platform bear in the event of a consumer loss due to a data breach or unauthorized access? Does the aggregator or third-party platform have the financial capacity or insurance coverage to compensate an investor for loss? What kind of dispute mechanism is in place to resolve any issues related to data breaches or unauthorized access? Investors must keep in mind that if they share log-in information with an investment adviser and suffer a loss in the account, the custodian may be able to disclaim liability.    

In the event of discontinuing a service, investors must make sure to cancel their account, and terminate the access and rights they have granted to the aggregator or third-party platform, and prevent them from having ongoing access to the account(s). 

To learn more, go to brokercheck.finra.org and adviserinfo.sec.gov. To file a complaint, email Investor.Protection@delaware.gov.