I recently posted an article about Outright (a GoDaddy.com company), which imports your business sales and expense transactions from accounts you link turning the transactional data into bookkeeping reports to help you keep a handle on how your business is performing. I raised a few concerns in the article about the potential for disclosure.
Since I ended my test of Outright when asked for my bank log in and password, I wasn't able to see how their linking process worked. Laura Messerschmitt, Vice President of Marketing, Outright.com, was nice enough to take the time to explain the technology and controls associated with Outright.Explaining the Linking Technology
Per Ms. Messerschmitt, "We use a technology called OAuth for the majority of our links to financial accounts and marketplaces, such as Etsy, eBay, and Amazon. OAuth is a technology that allows us to get and store a token that allows us to access your account through a read-only link without storing your account number and password.
For example, if you click that you want to add a PayPal account to Outright, we will take you to PayPal's site to log in. When you log in, you are logging into PayPal. Then, PayPal will ask you if you want to grant read-only access to Outright. When you click yes, you are redirected back to Outright. Thus, we don't need to store (or ever see) your account number. We just see and store that token."
As some banks don't allow for OAuth, Ms. Messerschmitt advises in those cases, Outright works with a company called Yodlee. Yodlee works with just about all major banks. And you are probably familiar with Yodlee without even knowing it. If you've ever transferred money online to say, savings from checkings, it was probably Yodlee providing your bank the transactional technology.
Reviewing Outright Internal Controls
A thorny issue I addressed with Ms. Messerschmitt was the potential for unauthorized browsing by Outright employees through your transactions:Per Messerschmitt, "We have system access control, such that only people designated as Administrators have system access to see transaction level detail for a customer. For people who have this Administrator access, the Company Policy is that they can only access transactional data by customer request. Thus, if a customer specifically asks us to look into a transaction, an Administrator would be allowed to do so.
We do log all of the activity of the admins, so that we can monitor and identify problems. We have not had an instance of an employee breaching protocol and all of our admins have had background checks run on them."
Many thanks to Laura at Outright for addressing the above issues!