In late March, a payments processor called Global Payments experienced an enormous security breach, and 1.5 million credit and debit cards from Visa and MasterCard were compromised in the process. As a consumer, this must be at least a little bewildering. Your bank’s name is on the card. Visa or MasterCard’s logo is on it. Who the hell is Global Payments and why did they get to build the sloppy security protocols that led to my data being compromised?
It’s not a bad question, after all. You enter into a cardholder’s agreement with Visa or MasterCard, mediated by your bank. The company processing your payments is determined by where you choose to swipe your card. Merchants sign up with payments processors — you don’t get to.
So your financial information’s security is in the hands of corporations that you don’t know the first thing about. Global Payments makes up a small minority of the payments processing space, but it was still able to compromise more than a million accounts. Doesn’t it make you wonder what other companies you’ve never heard of are handing your money and sensitive financial information on a daily basis?
What do you even know about these firms? Do you want them to handle your info? And do you have any choice? The short answer to that question is no — short of hopping off the grid entirely. And you don’t want that. What would come of that Klout score you’ve been working so hard to improve?
1. First Data
Because payments processors are so top-of-mind lately, it would only be right that we start with First Data, perhaps the biggest payments processor you’ve (maybe) never heard of. This Atlanta-based, 24,000-employee behemoth processes an estimated 60 billion transactions a year, totaling $1.4 trillion in volume. They operate in 34 different countries.
Perhaps you’ve noticed the Star Network logo at your supermarket’s checkout aisle and didn’t know what it meant. Now you do. That’s First Data’s debit payments processing network. This is First Data’s only real hint to the public that it exists. Indeed, it isn’t even publicly traded despite being so large. KKR, the private equity giant, bought the payments processor in a leveraged buyout in 2007.
Were First Data to experience a security breach on par with what Global Payments did, one suspects it would be slightly more damaging to the credit and debit card industry as a whole. Do what you want to keep yourself safe — don’t use your card online, never use it at Bulgarian restaurants, whatever — but even swiping your card at the safest of locations puts your information into their system. And these systems can be compromised, as we learn again and again.
Just what FiServ does to make money isn’t immediately apparent, but whatever they do, they do it well: they have 20,000 employees and 16,000 clients. The Wisconsin-based company has been in business since 1984, and brought in $4.3 billion in revenue in 2011. In their own words, FiServ “helps [their] clients solve complex business challenges.”
What that translates to is payments processing, like First Data, and core banking — helping banks manage account transactions across many different platforms. FiServ moved $1 trillion around last year alone — that’s 1/15th of the U.S. GDP, roughly. It processed more than 4 billion mobile deposits last year. It’s huge and it’s everywhere: last year, it won an award for its core banking solutions in China, from The Asian Banker.
It’s the biggest FinTech company out there, and you probably interact with them hundreds of times a year. You just don’t know it, and FiServ doesn’t stand to gain anything from you knowing more about what they do. What does FiServ do? FiServ provides solutions. What sort of solutions? Business solutions — don’t worry about it.
This question-begging logic extends even to their address, which even has a (presumably intentional) internal rhyme scheme — 225 Fiserv Drive.
While the credit ratings agencies that determine your creditworthiness are likely well known to most Americans for how forcefully they can insert themselves into your everyday affairs, ChexSystems, the company that essentially does for checking accounts what FICO does for credit cards, stays relatively opaque. What ChexSystems does is keep tabs on any missteps in your checking history — problems with overdrafts, or bounced checks, to name a couple. And when you want to open a new account, the bank will do a quick look at your ChexSystems record to see if you’ve behaved well. ChexSystems will tell your bank whether to accept or decline your business. If you’re blacklisted, about 4 in 5 U.S. banks will deny you a checking account.
Blacklisting can happen to otherwise responsible customers who have just made a simple error. In 2005, a Consumer Affairs story documented how ChexSystems’ domination of this part of the checking industry leads to poor consumer outcomes. It told the story, briefly, of a woman who moved to a new town and forgot to cancel her gym membership — this led to her overdrawing her account, and she was unable to open a new account, anywhere.
Bad as that is, ChexSystems’ opacity is one of its most frustrating features. Consumer Affairs compared the difficultly of researching the company to “oil-wrestling a contortionist in a frictionless body stocking.”
But with so many Americans being pushed out traditional checking, either because of fees or bad checking history, it’s worth wondering how fair ChexSystems’ nearly monopolistic control over this data really is. Say what you will about credit ratings agencies, at least there’s more than one!
Not all banks use ChexSystems, however, and you can find a list of them here, at PassChecking. Furthermore, many banks offer “second chance” checking accounts, which can help repair your relationship with a bank, regardless of your ChexSystems records.
It’s odd to think that a third party Personal Finance Manager that mediates your interactions with your bank might require still another third party to help them work things out, but that’s more or less the case with Mint . Before rival Intuit bought Mint, it was powered by Yodlee, a data company that helps power these PFMs with their account aggregation softfware. Today Yodlee powers Manilla, BillShrink and others.
Yodlee is based in Redwood City, Calif., but has offices in London and Bangalore. It offers PFM and online payment technology services for banks, and in the case of Mint — it offers these services to people who offer these services, too. Same is the case with SpringCoin, the debt-management PFM that launched recently.
But it’s not all start-ups for Yodlee. Bank of America announced a partnership with Yodlee last fall, to improve its online banking services. Citibank’s Citi Financial Tools is powered by Yodlee. PNC Bank uses Yodlee, too.
This company has been around for just over a decade, and already they’re helping banks navigate the relatively uncharted territory of online personal finance management. It’s likely safer than most everything else on this list, simply because it doesn’t process transactions — yet. But privacy concerns are real — the reason these PFMs exist is, in part, to sell more financial products. They mine your information to find out what you might need most. Helpful or invasive, you be the judge. Just know that it might not have even been designed by your bank.
If you’ve ever opened a checking account online, there’s a decent chance you’ve dealt with Andera, the self-styled “pioneers of online account opening.” More than 500 banks and credit unions use Andera’s account opening services for their websites. Among them are some massive credit unions, like Alliant, and large corporate credit unions for Tyco, General Mills and American Airlines.
And you better believe that when you open a checking account online Andera contacts #3, ChexSystems. According to Andera’s Partners page: “Andera integrates the ChexSystems and QualiFile solutions with Andera’s proven online account opening solutions, to help you turn away risky applicants and avoid incidences of fraud, while retaining your profitable customers.”
See, you can be rejected from opening a checking account with a credit union or bank without ever really dealing with them directly, so long as you do so online. Isn’t technology incredible?
We’re realistic here, and understand that technology advances at a clip that banks couldn’t reasonably hope to keep up with. And, banks, when they were created, weren’t originally supposed to be involved in all of our cash transactions — that’s a product of technological advances, too. So it makes sense that banks lean on those with more knowledge about all things high-tech. It’s not a bad thing, but just because a company is a leader in technology, it doesn’t mean they’re infallible — only the Pope is infallible. As we rely more and more on devices and software to make our money go to the people and companies we want it to (or need it to), more and more startups and faceless corporations will get in the game.
Regardless of how we feel about the big banks, at least they’ve been around the block. And more importantly, at least you know who you’re doing business with when you do business with them — well, sort of, and this is the point of the story. They’re publicly traded, and subject to regulations, and have press contacts, and are covered by countless publications. Even if it’s just faux-transparency, these institutions have to answer to shareholders, regulators, customers and journalists (sort of). When they farm services out to third parties, the chain of culpability and accountability is somewhat broken, or i’ts obfuscated. And that is, at least, a little worrisome.