Is Yodell really secure and private? I have read the privacy policy for Tiller, and it looks great, but what about Yodell? I went to their website and could not find their policy. Does Yodell see my transactions and account balances? Do they store this? Do they share it with anyone other than Tiller?
Also, I have heard that Yodell screenscapes and stores your username and password. This would seem to be a major security vulnerability over using tokens like Plaid? Does anyone have thoughts?
Good questions, @bruceE. I’d also like to know the answers.
Rebecca
I asked Ai about it. Here is its answers
I’ll search for Yodlee’s current privacy policy for you.
Let me get more details from Yodlee’s official privacy policy page.
Based on the information I found, here are the key points of Yodlee’s (now Envestnet | Yodlee) privacy policy:
Key Privacy Commitments:
Your personal information will not be sold, shared, rented or traded with third parties, except to provide you with Yodlee Services, pursuant to joint marketing arrangements, or as required by law .
Yodlee does not sell personally identifiable data to third parties, will not contact you without explicit permission unless required for support, and employees cannot view or retrieve your passwords or other personal information .
Yodlee is not a personal information broker and does not sell information that identifies consumers or advisor-derived consumer data .
Security Measures:
Passwords and account data are stored and transmitted in encrypted format at all times, and data is securely housed in servers with enhanced physical security, fire protection and electronic shielding .
Important Context:
It’s worth noting that Yodlee has faced privacy-related lawsuits and scrutiny in the past, particularly around data collection practices and transparency about how consumer financial data is used.
For the most complete and current privacy policy details, I’d recommend visiting their official privacy notice page at yodlee.com/legal/privacy-notice directly, as privacy policies can be updated over time.
I then asked about storing usernames and passwords
Let me search for more specific information about Yodlee’s username and password storage practices.
Yes, Yodlee’s policy does address username and password storage. Here are the key points:
Password Storage:
Passwords and account data are stored and transmitted in encrypted format at all times, and all data is securely housed in servers with enhanced physical security, fire protection and electronic shielding .
The credentials stored are hardware encrypted using FIPS 140-2 level 2 HSM (Hardware Security Module), and the keys used for encryption cannot be accessed by anyone, including Yodlee employees .
Employee Access:
No Yodlee employee can view or retrieve your passwords or other personal information .
Credential Sharing:
Yodlee may disclose your username and passwords to third party websites, such as websites operated by credit card companies or banks, in order to obtain the information that you requested be collected and displayed through their services .
Important Technical Detail:
Yodlee stores consumer credentials in a reversible format so they can use those credentials on behalf of, and as authorized by, the consumer to retrieve their data . This means the passwords must be decryptable (not just hashed) so Yodlee can log into your bank accounts on your behalf to aggregate your financial data.
This is a key aspect of how account aggregation services like Yodlee work - they need to be able to use your actual credentials to access your accounts.
I then asked it about storing transactions and balances.
Let me search for information about what data Yodlee stores beyond just credentials.
Yes, Yodlee does store your financial data including account balances and transaction details. Here’s what they store:
What Data They Store:
Yodlee retrieves transactional data from banking institutions and makes it available to customers in the form of electronic statements . This includes:
Where It’s Stored:
Your information is stored on servers which are securely housed in Internet server hosting spaces that provide enhanced physical security, fire protection and electronic shielding, with security personnel monitoring the system 24/7 .
Important Context:
Transaction data is multi-faceted to facilitate data analysis and derivation of consumer insights to serve targeted advertising and user experience personalization . While Yodlee states they never sell data that identifies people , they do offer de-identified U.S. consumer credit/debit/ACH transaction level data for analytics purposes.
So yes, Yodlee stores your complete financial picture - not just credentials, but all the transaction and balance data they retrieve from your accounts. This data is used to provide the aggregation service and can also be de-identified and used for broader market analytics.
Hey Richl, thanks for all the replys. I really appreciate you finding the privacy policy for Yodlee. I’m your first explain that I am definitely not an expert, but it appears to me that plaid does a better job of protecting your privacy then Yodlee.
Specificaly in the Yodlee Privacy Policy
For example, Yodlee may share your personal information with a non-affiliated third party to offer you a new service on the Yodlee Services web sites that is provided jointly by Yodlee and an unaffiliated company.
I find this to be pretty unfortunate. In addition based on the description that the AI used, it seems like.Yodlee uses a much less secure architecture for making the connection to your bank. In the case of plaid, I believe they use the username and password that you login with to get it token and then they never store your username and password. But Yodlee is storing your username and password in a way that can be decrypted. And I’m sure they use a very secure encryption algorithm, but given that these are your banking credentials this is sub optimal.
It would be nice if somebody from Tiller could weigh in on this. I have not had much luck going through the tiller help system to get support on these questions. So thank you very much for your replies here.
Lastly I asked how does this compare with Plaids
Let me search for Plaid’s privacy policy to compare it with Yodlee’s.
Here’s how Plaid’s privacy policy compares to Yodlee’s:
Credential Storage:
Data Sharing:
User Control:
Bottom Line:
Plaid appears to have a more privacy-forward approach, particularly with its token-based authentication system that avoids storing credentials when possible, and its emphasis on not selling data. However, both services still collect and store your financial transaction data to provide their account aggregation services.
Yodlee wouldn’t store credentials for their open banking institutions, since those are entered on the institution website and not Yodlee’s.
Correct in that case they use the auth tokens. Just like Plaid
Hi folks! Thanks for your questions and comments. I apologize for the delay in hearing from the Tiller team directly, we were away for a company retreat last week.
Tiller values privacy, and this has been front and center in our choice of aggregators.
Yodlee’s security practices were a significant factor in our choice to trust them as a partner to access bank data. Yodlee’s customers include 15 of the 20 largest U.S. banks who rely on Yodlee in the same way we do here at Tiller: to securely aggregate data from other banks and institutions.
In other cases, Yodlee shares de-identified transaction data for market analytics and insights with third parties, but Tiller has specifically negotiated with them to exclude our customers from that data sharing. We do not want our customer data shared for their analytics, even if de-identified, as this is in conflict with our position around privacy and security.
Yodlee does not use Tiller customer data to offer new services. This may be true if you sign up for Yodlee services directly from the Yodlee website, but it does not happen when using Yodlee as an aggregator with Tiller.
As for credentials, Yodlee and Plaid store credentials for banks that don’t support open banking. Tiller was proud to be Yodlee’s first deployment of open banking in the United States, and we’re thrilled major banks have embraced it. Plaid similarly has a strong position around privacy and security, and it too has embraced open banking with the major banks.
When using Yodlee or Plaid with an open banking institution, customers authenticate with their bank on their bank website and grant read-only access to Tiller. No credentials are shared or stored because the customer is authenticating on their bank website directly.
We continue to monitor both Yodlee and Plaid for their postures around privacy and security. Thanks too for your careful review. We love customers who pay attention to these details.
Regards,
Nathan
Thank you Nate. This is very helpful. The fact that Yodlee uses the open bank standard when possible and does not use our data to market new services would seem to make it comparable to the Plaid security and privacy policy.
