Interview with Brian Costello, Vice President of Data Strategy with Envestnet | Yodlee

Envestnet | Yodlee is a giant in the financial world. Started in 1999 in Redwood City, California, it is the leading data aggregation and data analytics platform for financial service providers. With offices in the US, Australia, India and the UK, it is expanding its global presence, with a particular focus on Europe and the UK.

For the consumer, financial data aggregation means the ability to bring together information from multiple accounts, tools, and institutions in order to get a 360-degree view of their finances and make better spending, borrowing and saving decisions. For companies, data aggregation enables key aspects of business intelligence, such as detailed analysis of and critical insights into customer behaviours.

Envestnet | Yodlee have created innovative products and services, used by more than 1400 financial institutions and FinTech companies, which adhere to leading industry practices for data security, regulatory compliance and privacy. They are proud to operate at the forefront of customer protection.

In January this year, IASME launched a brand new Counter Fraud Fundamentals scheme which was developed in partnership with The Open Banking Implementation Entity. Aimed at raising the standard of counter fraud best practices across the spectrum in the banking, payment services and other financial and retail sectors, the new certification will help protect and prepare a wide range of companies.

Vice President of Data Strategy at Envestnet | Yodlee, Brian Costello is responsible for data access strategy and solutions as well as being a tireless advocate for responsible innovation in financial services. Brian was introduced to the new Counter Fraud Fundamentals (CFF) scheme through the Open Banking Security and Fraud Working Group, who asked him to take a look at the scheme and participate in the pilot.

We caught up with Brian who gave us his positive impressions about the CFF scheme and talked about the role such a scheme could provide to give assurance and safety throughout a financial ecosystem.

Envestnet | Yodlee continues to operate at the forefront of financial services innovation and customer protection. What is the story behind your success?

Envestnet | Yodlee started because our founders realised that consumers needed help managing their financial lives, and what is now widely known as ‘financial wellbeing’. There was a gap between their needs and their capabilities. The big idea started in 1999 with access to data, as it was assumed that once a customer could see all their accounts, their transactions and behaviours in one place, they would be able to make better financial decisions. A whole market sprang up called Personal Finance Management (PFM). It was offered by banks as part of the online banking experience, and then the mobile banking experience, so that customers were empowered with this consolidated view of their data to make better financial decisions. Sound familiar? It’s essentially what open banking is doing today. However, what the industry learned is that when customers saw their data in one place, it wasn’t always helpful, and in some cases, it was depressing, but most importantly, it didn’t necessarily translate into action. So, at this time, PFM never realised its full potential.

What we needed to add was a call to action: here’s your data, here’s what it means about your financial behaviours and here’s what needs to change in your financial behaviours for you to achieve the goals that you yourself have identified. Technology evolved in the interim and we now have machine learning and artificial intelligence which facilitated lots of research and development of algorithms by very reputable organisations. Envestnet | Yodlee now is able to put together the data with the algorithms to deliver hyper-personalised financial solutions. In 2015, we were purchased by Envestnet who said they thought the missing component for advisors was this broader view of investors’ financial behaviours; and they were right. Everybody could use some level of financial advice, whether it’s a text message to say you’re dangerously close to your credit card balance and you have two weeks until payday, or a fiduciary advisor looking over your portfolio. Envestnet | Yodlee was ahead of its time, we operated a commercial mechanism for open banking before there was open banking, and that was in a time before there were regulatory stamps of approval. We have evolved a world class platform for financial wellbeing, a key part of which is consumer protection and that leads us to talk about why the CFF is important.

What was your experience of the Counter Fraud Fundamentals (CFF) scheme and what kind of role do you see for it within the industry?

We are a very mature global company, and we’ve been in business for over 20 years, as a regulated actor in the financial services space. For many years, the precursor to open banking around the globe was entirely commercial as it was based on contract with only a few very fragmented regulations. So for a commercial player like Envestnet | Yodlee, it was challenging to demonstrate our capabilities with the services that we provide. Our philosophy and practice has always been to participate in whatever third-party certification schemes are available. This allows us to demonstrate via an independent assessment that we meet the requirements of our clients and of their customers. We’ve been very interested in Cyber Essentials for this reason, and I think the Cyber Essentials program has had a line of growth where it has almost become the de facto requirement or actual requirement for businesses in the UK.

We’ve been a UK operation since 2003, participating in Open Banking and when the CFF pilot came along, it was a no-brainer for us, we wanted that independent stamp of approval. Our philosophy is, if we are going to do something, we are going to learn from it as well. So, we used the CFF as an opportunity to check our current operations, to re-visit our programs, our biases and see what we can learn from it, based on the questions of the requirements.

As I worked through the questionnaire, it became very clear to me that for some of my clients who are very innovative, but nevertheless, new entrants to open banking and to account information services, the CFF is a very accessible tool. Any organisation needing to understand the requirements could use the CFF as a lens for their current state and subsequently, their road map. For Envestnet | Yodlee, I’m very interested in using the CFF as a requirement for my clients. I’ve got certain liabilities and obligations to maintain the safety of the downstream part of the eco-system. To me, the CFF gives me assurance that once obtained by my client, it gives a trust mark to help them build an adoption on their platform.

Ultimately, a safer and more symmetric ecosystem, in terms of customer protection, benefits us all. That’s a big part of why we do these things and we are thrilled that we have added the CFF to our customer protection toolkit.

You have branches all over the world, is there anything like the CFF scheme going on in any other countries?

No, I’ve not seen anything that has the level of awareness, energy and support behind it, certainly nothing that goes cross sector.

Can you tell us more about how you are using technology to tackle large scale fraud?

In our fraud threat assessment, the primary fraud vector is that an unauthorised person gains access to a customer’s account credentials. Where they’ve got access to the credentials, what do they do? Do they log on directly to the bank and start setting themselves as a payee and move the money out? No, because the current state of technology demands multi-factor authentication. So what they’ll do is take those credentials and they’ll sign up for a pre-open banking service and try and use those credentials there to get access to the account information. The fraudster will want to find out if they can get access to the account, if so, is there a lot of money in this account? Is this a high net worth person? Is there something there that is worth continued efforts to target this account? What we saw, and what really drove our fraud capabilities, is that the bad actors were acquiring large collections of credentials (from one of those places you can get a credentials dump because generally consumers still use the same password everywhere). Then they were attempting to try out those credentials on Envestnet | Yodlee’s clients, to build a profile of who they belong to, and they were doing this in a very systematic, programmatic way.

We started seeing large volumes of attempted fraud on our platform, and we could tell that these credentials were not being used by legitimate people for legitimate purposes, so we started building on our fraud detection to identify patterns associated with this type of abuse. We put in first response controls, then preventative controls. The responsive controls communicated with our clients, allowing us to help them with their own fraud programs. We have built up the technical controls for ourselves and we have built up advisory guidance for our clients to implement the fraud controls themselves, however, that’s a bit of a sticky situation because we can’t get too close to providing advice, because if we do, we lose our independence. Now I am able to evolve my FAQ that I give to clients on fraud control with a request for them to get CFF certified. It’s going to be huge for me and it’s going to be huge for my clients.

What is your advice to businesses in the financial sector?

Operating in the financial services space, interacting with customers’ data or enabling them to make payments requires an organisation to understand and protect its entire threat fraud attack surface. Fraudsters only have to exploit one aspect to commit their crimes. Reducing the risk of fraud on your platform requires not just technical controls, but a fraud risk program that is integrated into your business-as-usual operations. That is where a program like the CFF really helps because if you’ve got it all, the CFF gives you the stamp of approval, if you’re missing something, going through the CFF highlights where you need to mature your defences and where you need to mature your program. That helps you build that business-as-usual fraud risk management program.

For more information on Envestnet | Yodlee

For more information on the Counter Fraud Fundamentals scheme