Account aggregation: why linking every account is the wrong default

Account aggregation is the quiet engine behind most net worth apps: you hand over your banking and brokerage logins, and the service signs in as you to pull balances and transactions into one view. It's convenient, it's everywhere, and it's been normalized to the point that "just link your accounts" sounds like the only option. It isn't — and it shouldn't be the default.

What aggregation actually does

There are two flavors. Credential-based aggregation stores or relays your username and password and logs in on your behalf, often scraping the page like an automated browser. API-based aggregation (the newer, better kind) uses a bank-sanctioned connection and a revocable token instead of your raw password. The second is a real improvement — but in both cases you are granting a third party standing access to your financial accounts, and that access has to live somewhere.

Three problems with making it the default

1. It breaks

Credential-based connections are brittle. A bank redesigns a login page, adds a multi-factor prompt, or flags the robotic sign-in, and the feed silently goes stale. Most people discover the breakage weeks later, when a number looks wrong.

2. It can't see everything

Aggregators only reach institutions they support. The held-away employer 401(k), the credit union, the foreign brokerage — and certainly your house, your cars, and your art — fall outside the net. The "complete" picture quietly isn't.

3. It concentrates risk

This is the one that matters most. Linking every account gathers the keys to your financial life in one third party. Even done well, it widens the attack surface; done with stored credentials, it creates a target whose whole value is access to your money.

The safest credential is the one that was never collected. You can't leak what you never held.

The document-based alternative

There's an older, sturdier idea hiding in plain sight: you already receive statements and confirmations from every institution you deal with. A document-based tracker reads those instead of logging into your accounts. Nothing to link, nothing to scrape, nothing to break when a bank changes its site — and no supported-institution list, because anything that produces a statement qualifies.

That's the approach we took with Clarity. You forward an email or drop a PDF; the AI does the data entry; and crucially, everything it extracts arrives as pending and counts toward nothing until you approve it. Because there's no login in the system, our worst day still doesn't hand an attacker a credential that can move your money — there's simply no such credential to take. You can read the full security model, see how it handles multiple brokerage accounts, or compare it to the tools built on aggregation, like Empower and the discontinued Mint.

When aggregation is fine

None of this means aggregation is illegitimate — API-based connections are reasonable, and for some uses the convenience genuinely wins. The argument is narrower: it shouldn't be the automatic price of seeing your own net worth. Handing over every login is a choice, and you should get to decline it.

---

This is general information, not security or financial advice.