EWC+ Mandated by US Govt to make Bank Connections More Secure

denmarfl · December 2022

Hate EWC+...unstable, SLOW, only downloads now...all input must be done at banks Online Banking. Quicken is simply a depository of cleared transactions.

I have discovered Banks were Mandated by US Gov't to implement a more secure Security processed...and the banks that I use...went with or will be going with EWC+. There may have been other connection methods the banks could have chosen to implement...but so far, EWC+ is the one the banks I use decided to implement (Chase & BofA). I thought this was done by the banks...which it was...but indirectly as the Banks were Mandated to create a better Online Security process..and we are stuck with EWC+. I would like to think in the future a better more secure DirectConnect will be developed...but that does not appear to be promising.

splasher · December 2022

Can you cite an official source of this US Gov't mandate?

denmarfl · December 2022

Info from extremely Reliable source...I should have asked for details and failed to do so, it was said the Mandate took place in 2021...did not ask what the deadline implementation date is. I Sure would not make for a good news reporter..failing to get ALL the facts. Perhaps others that read this Post may provide the details on this Gov't Mandate. It does seem to be so...given all Financial Institutions have implemented the Call Back with Verification Numbers, and or, the 2 -step verification process...all these security measures coming into place over the Last 12 mos or so.

NotACPA · December 2022

@denmarfl Again, cite your source. Because, like @splasher, I'm another SuperUser that hasn't heard of this "mandate".

What's questionable about this mandate is the EWC+ is NOT more secure than Direct Connect.

Rocket J Squirrel · December 2022

I see no evidence of a government mandate in the FDX white paper. More like a recommendation.

Treasury sees a need to remove legal and regulatory uncertainties currently holding back financial services
companies and data aggregators from establishing data sharing agreements that effectively move firms
away from screen-scraping to more secure and efficient methods of data access. Treasury believes that
the U.S. market would be best served by a solution developed by the private sector, with appropriate
involvement of federal and state financial regulators. A potential solution should address data sharing,
security, and liability.

https://financialdataexchange.org/common/Uploaded files/10.3_FDX_WhitePaper_Final.pdf

Chris_QPW · December 2022

If people would stop using the “Quicken perspective” you would quickly see where this is coming from (even though the same does apply to Express Web Connect).

Intuit isn’t the only aggregator out there, and if we want to be precise, Web Connect and Direct Connect isn’t aggregation!

Aggregation would be defined as a service that logs into a site, grabs the information and stores it on a server for their clients to pick it up. Neither Web Connect or Direct Connect fit this definition.

If you step back and realize that Direct Connect/Web Connect is only supported on about 2,000 financial institutions and there are more than 35,000 financial institutions, clearly these aren’t the standard.

Aggregation is the “hack” because of the lack of a standard. The same “stand off and suggest, and let the private industry handle it” is the whole reason this problem exists. Instead of mandating a standardized protocol to begin with.

And I believe that aggregation has gotten a bad rap, which is even stated in this message from the government.
Everyone talks about “screen scraping”, but in reality I bet that the information is almost never actually downloaded like that.

When a standard protocol for logging in and requesting data and getting it back in a standard form isn’t available, then you get “screen scraping”, but most likely not in the way most people think of it. I’m guessing that most of the “logging in’ and getting to the right page is “screen scraping”, but when it comes to the actual data it is most likely in QFX, OFX, or CSV format. They aren’t actually reading the transactions directly from the webpages.

That is why it would have been called Express Web Connect in the beginning. It was nothing more than logging in as the user and downloading the QFX file, but of course not all the financial institutions created QFX files and so they had to get in different formats and convert it.

Now back to how logging in works. Since nothing else is provided for most sites they would do it as if they are the user, that is why they are subject to all the same security requirements like MFA.

The very fact that they are logging in as the user means that they have to store the same information to get it down. And if one is wondering why the couldn’t just do this on request from Quicken one has to realize that the financial institutions wanted to limit this kind of access to when their servers weren’t busy, and that is the reason for “storing the result”.

The concerns are legitimate, here you have multiple aggregators all storing usernames and passwords that give the same access to accounts as if they were the user. First off you have to trust the aggregators to do a proper job of securing the usernames and passwords, but you also have to trust that software not to do “the wrong thing” either on purpose or by accident. The financial institution can’t changed what is being accessed if they can’t tell the user from the aggregator.

In a nutshell the real target is Express Web Connect and other aggregators like Mint, and Direct Connect just gets kicked to the ground because it lost the “standards war” and no one hardly even thinks about it when making such decisions except to note getting rid of it means only supporting one protocol and saving money in the process.

EWC+ Mandated by US Govt to make Bank Connections More Secure

Comments

Categories