About Data Aggregators
Data aggregators are companies that facilitate data exchange by connecting a consumer's or business's financial accounts to authorized fintech partners, providing the information those companies need to power their services.
For example, the person-to-person payment service Venmo uses Plaid to connect with banks and credit unions to transfer funds. Betterfin uses Envestnet Yodlee to get access to cash flow data and facilitate small business loans. When someone signs up for Venmo or Betterfin, they give those fintech companies access to their bank accounts using data aggregators.
Financial institutions can use the information from data aggregators to provide customers a complete view of their financial lives and manage a variety of accounts, or to suggest products and services and target customers for specific offers. But like any technology, data aggregators come with the potential for risk. Since aggregators connect with many institutions, they are attractive targets for cyber attacks. Also, some aggregators rely on screen-scraping: the aggregator obtains a customer's login and password and uses them to unlock the digital account. Aggregators that use screen-scraping rather than API access via OAuth are more susceptible not only to security issues but also to compliance issues, as data is obtained without explicit permission.
For more information on the risks and benefits of data aggregators, refer to this article on the Narmi Insights blog.
Narmi and Data Aggregators
For security reasons, Narmi does not allow data aggregators to bypass two-factor authentication (2FA), unlike some other digital banking providers. A data aggregator's connection will fail if it cannot provide the 2FA code for a user. For example, a customer may want to link their Digital Banking account with a third-party fintech app, such as a cryptocurrency exchange app. If the end-user successfully provides the username, password, and 2FA code, the data aggregator will only be able to access the banking data for the length of the session (which is configurable by the financial institution). On subsequent uses of the fintech app, the aggregator will attempt to refresh the connection on behalf of the user. If the session has expired, the customer will need to manually re-link the app to their Digital Banking account by providing a new 2FA code. Third-party integrations through our NAF apps, or through the API via OAuth, are more secure ways to pass or handle user credentials.
Narmi cannot explicitly support specific data aggregators, because the aggregators have sole control over which financial institutions they support. Therefore, we cannot provide a list of our supported data aggregators. To find out whether a data aggregator supports Narmi, a customer should contact the support team for the third-party app. For example, if the customer uses a third-party cash advance app, they should reach out to the cash advance app's support team to ask which data aggregator it uses. It's possible that the aggregator or app will need to make updates on their end to support Narmi.
For more information on financial data aggregators, refer to this article on the MX blog.
Unprompted Two-Factor Authentication Code
Some data aggregators routinely attempt to log in to users' Digital Banking accounts. If a user receives a 2FA code when they are not attempting to log in, it is likely that a data aggregator is attempting to retrieve data. This is possible because a data aggregator that does not use OAuth retains the end-user's username and password. An end-user should simply reset their password if they no longer wish for the data aggregator to have access. Go to Unprompted Two-factor Authentication Code for more information on data aggregator IP addresses recognized by Narmi and how to view these in the Admin Platform.
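The triage described above, as an added example that is not Narmi's code or the Admin Platform's export format: it finds 2FA codes that were sent but never completed and checks whether the source IP falls in a recognized aggregator range. The event tuple layout, the event names, the aggregator names and the IP ranges (RFC 5737 documentation addresses) are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737), not real aggregator addresses.
AGGREGATOR_RANGES = {
    "aggregator-a": ipaddress.ip_network("192.0.2.0/24"),
    "aggregator-b": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed sample events: (timestamp, user, source_ip, event).
SAMPLE_EVENTS = [
    ("2024-05-01T03:00:02Z", "alice", "192.0.2.17", "password_ok"),
    ("2024-05-01T03:00:02Z", "alice", "192.0.2.17", "2fa_sent"),
    ("2024-05-02T03:00:05Z", "alice", "192.0.2.17", "password_ok"),
    ("2024-05-02T03:00:05Z", "alice", "192.0.2.17", "2fa_sent"),
    ("2024-05-02T09:14:40Z", "bob", "203.0.113.9", "password_ok"),
    ("2024-05-02T09:14:41Z", "bob", "203.0.113.9", "2fa_sent"),
    ("2024-05-02T09:15:03Z", "bob", "203.0.113.9", "2fa_ok"),
    ("2024-05-03T22:41:10Z", "carol", "203.0.113.77", "password_ok"),
    ("2024-05-03T22:41:10Z", "carol", "203.0.113.77", "2fa_sent"),
]

def match_aggregator(ip):
    """Return the name of the aggregator range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in AGGREGATOR_RANGES.items():
        if addr in net:
            return name
    return None

def unprompted_challenges(events):
    """Return {(user, ip): count} of 2FA codes sent but never completed."""
    pending = defaultdict(int)
    for _ts, user, ip, event in sorted(events, key=lambda e: e[0]):
        if event == "2fa_sent":
            pending[(user, ip)] += 1
        elif event == "2fa_ok" and pending[(user, ip)]:
            pending[(user, ip)] -= 1
    return {key: n for key, n in pending.items() if n}

def triage(events):
    """Label each uncompleted challenge by whether its source is a known range."""
    rows = []
    for (user, ip), count in sorted(unprompted_challenges(events).items()):
        source = match_aggregator(ip)
        note = ("aggregator holds stored credentials; password reset revokes access"
                if source else "unrecognized source; review before assuming an aggregator")
        rows.append((user, ip, count, source, note))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```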