The Truth About Xero Yodlee Bank Feeds

What are Yodlee Third Party Bank Feeds

A bank feed is a stream of transactional data from your bank. Xero has integrations with a number of banks, whereby the bank will securely deliver your transactional data directly to your Xero account. However, there's still many banks for which this type of integration doesn't exist, so there's a second option offered by a third party called Yodlee.

Yodlee feeds involve a bot from a Yodlee actually logging into your internet banking, and "scraping" your transactional data from the web page you'd be looking at if you logged in yourself. To do this of course, you need to provide yodlee with your internet banking password.

Bank's Role and Responsibilities

Many people don't realise that legislatively, it's a bank's responsibility to secure financial transactions. That means that if a scammer gets access to my internet banking, and transfers away my life's savings, the bank is responsible for my loss. This is the case even if I've inadvertently given the scammer access, maybe through a phishing email or an easily guessable password.

In the course of my role as an accountant I've seen a number of circumstances in which clients have inadvertently given their password to an attacker, usually through phishing email, and the attacker has gotten access to the client's funds. In some cases tens of thousands of dollars were transferred out. In all cases the bank has reimbursed the client. It's not clear whether the banks were actually able to claw back the funds. The point is, if someone steals your money from the bank, even if you've inadvertently provided the password, the bank is responsible for your loss.

However, if you knowingly provide your password to a third party, that changes this dynamic dramatically. Buried in your bank's internet banking terms and conditions will be a requirement not to provide your password to a third party. Once you contravene that condition, you diminish the bank's responsibility in this sort of circumstance.

It's Not a Question of Trusting Yodlee

When most people are considering using Yodlee feeds, the trustworthiness of Yodlee is a factor. The point is though, if you've provided your password to another third party, then you've contravened your banks conditions. It doesn't matter whether an attacker gets your password from Yodlee, or from you in a phishing attempt, you've essentially waived your protections.

As an aside, you might trust Yodlee to ensure their employees don't use your password to log into your internet banking, but the real question is whether you trust them not to be hacked. If we've learned anything in this internet age, it's that no firm's security is impervious. The real question in most cases is not whether some service can be hacked, but what your exposure will be when they are hacked.

The Workaround

If you don't wish to use Yodlee feeds you have two options. You can manually download the data yourself, or you can change banks.

Manually downloading the data is usually less arduous than it might seem. Xero's direct bank feed integration coverage is very good. It's usually only bank loans or credit cards from smaller banks that don't have direct feeds. In these accounts there's usually less transactions, and it's less critical to have the data come through every day. Logging into your internet banking and downloading the data will take less than a minute each month. It's not automatic, but it's still saving a lot of time vs manually entering each transaction.

If your business trading account is with a bank that doesn't have a direct xero integration then you should probably consider moving the account to another bank. I've seen clients end up in this circumstance where they have a home loan or mortgage with a more obscure bank, and open a trading account with the same bank hoping to keep their banking "all together". However, if it's the difference between having or not having direct bank feeds for your trading account, you'll be better off in the long run with the bank feeds.