Earlier today, Alan Wright, CEO of Liberty Accounts, sent me a note pointing to a piece he contributed to AccountingWeb on the topic du jour: third party application security, specifically bank feeds and their potential threats.
Alan puts up a spirited argument that is technical in nature. He tacitly acknowledges the underlying industry problem by suggesting:
Liberty Accounts will be happy to host a meeting of accounting software vendors in London where it ought to be possible to agree a simple specification and some next steps to take our proposal forward. Perhaps we could seek an independent and knowledgeable individual in this area to chair the meeting, perhaps Dennis Howlett if he is in the UK and willing?
That’s very generous of the company and I am flattered. The problem is that it won’t happen and it won’t work. At least not now. Commenters have made alternative suggestions like getting BASDA on board. David Terrar of D2C/Twinfield gets to the heart of the matter:
BASDA, EuroCloud and the Intellect SaaS Group have coordinated in the past and all support what the Cloud Industry Forum is doing on standards and the self certified Code of Practice to help buyers pick a good provider from a bad one…. but this kind of initiative needs more than the cloud vendor community getting together. We need the banks, and I can’t see them being motivated to get together with us on this.
I’m happy to join any meeting on the topic, but I don’t think software vendors agreeing a specification is item one on the agenda.
There are two fundamental problems with this kind of activity that are paradoxically interlinked. The first is that the banks have issues.
As David says, and which echoes comments from Gary Turner, MD of Xero UK, yesterday, UK banks are woefully behind the development curve when it comes to providing bank feeds. The message has not percolated through to them that offering common standards is good for them. In this context I am reminded of the work Twinfield did around XBRL in Holland, where certain banks offer preferential rates to those that use XBRL formatted accounts. XBRL data in turn gets fed into the bank’s risk assessment programs and helps bank personnel make better informed decisions. Everyone wins.
In order to get the banks to come to the table, the vendors need the active support of, and evidence based data from, users who speak to this issue. Banks need to feel there is something in it for them. This is known as WIIFM (What’s In It For Me). Right now what we have are different sets of anecdotal evidence spread around different vendor websites and elsewhere. That in turn needs the active support of accountants willing to stand up and explain how cloud systems benefit both them and their clients, especially in the area of real time data. The closest we’ve come, in my view, is contained in the edited video shoot I conducted last year with Xero customers and their accountants.
The second problem is with the industry.
I admire the efforts of the industry banding together to try to move topics like this along, but they suffer from the same problems all efforts of this kind suffer. The trade bodies can come up with all sorts of specifications, but if the vendors don’t develop for them then it’s all a waste of time. BASDA’s eBIZ-XML, which goes back at least 10 years, only ever achieved very limited success, despite its obvious utility for end user organisations. To this day I believe eBIZ-XML is one of the finest examples of what is possible, yet it went nowhere. This story is repeated many times in other parts of the IT industry. Ask Naomi Bloom about her life’s work on standards for HR solutions. Great idea, fantastic amount of work over many years, but the vendors didn’t play ball. Other BASDA initiatives have suffered a similar fate, only ever achieving limited, and therefore niche, uptake.
If the industry is serious about this kind of thing then it has to abandon its ‘winner takes all’ position. It won’t. Despite the public talk about collaboration, the players all see themselves as in aggressive competition for business. It’s a fair point when you have investors to whom you are accountable. However, it misses the wider problem of convincing customers that you really are doing the right thing for them. It also misses the point that the UK market alone is large enough for all the main players to have a credible and profitable stake. The sins of the past do not need to be repeated, but I sense they will be.
Certain vendors respond by saying that, with all the difficulties, they are not hanging about. They are getting on with the heavy lifting necessary to solve the issue for their customers. This provides a competitive advantage, but one which is only sustainable for as long as the other competitors are not doing the same. The end game is that all surviving players will offer automated feeds. They won’t have a choice, because it will be table stakes for the selection process. I have no insight into the timeline for this, but it will certainly happen in this decade.
The industry as a whole has to decide whether it really wants to work together in a cohesive manner or whether it wishes to maintain competitive posturing on issues that are not going to matter in a few years’ time.
One point I will pick up upon from Alan’s post:
…no matter what level of PCI compliance has been achieved, a degree of risk remains…a provable risk free solution is simple to achieve
This is a logical fallacy not based upon fact. I will repeat what I have said before: anything that connects to a network is vulnerable. That includes EVERY cloud player, regardless of the service they offer. What matters is the extent to which vulnerabilities exist AND are capable of exploitation.
While we can never predict the future with certainty, we can look back at track record and assess outcomes based upon those cases where a vulnerability has been exploited. The available evidence is unequivocal: over a 13 year period, Yodlee (the subject of the initial critique) has never had to report a security breach that resulted in the loss of money from its customers’ bank accounts. That’s a 100% record of success. There are many other examples, both in the accounting market and elsewhere. From my analysis on this topic, the cloud is demonstrably better and safer than on-premise at offering secure services that might entail the physical loss of funds. I’ll bet on that any day, in a world where the degree of sophistication underpinning some of these services is mind boggling even to those of expert status.
What Alan is proposing is not proven but a theory. It may be a very good theory, building as it does on ideas around EDI, but it is not something that has been proven in this form. And by the way, machine to machine EDI links have been in existence for many years, but like all efforts of this kind they have been notoriously difficult to standardise and distil down to a singularity.
When the industry as a whole starts to consider how to seriously address these issues, i.e. stops bickering, starts making a good case to the banks, and places customer interests at the centre of discussions, then I am more than willing to help with that endeavour should the parties so wish. We’re nowhere near that nirvana.