I didn't realise the bank feeds into Xero are via an external service. (I do have one client using Xero, unfortunately, and they do use the bank feeds function, but it was all set up at their end with no input from me.)
TBH, even if Xero did provide that service themselves, you'd still be providing the bank details to a third party: Xero.
The question, at least in part, hinges on the nature of the setup. I would hope that the banks themselves are aware of Yodlee and the service it provides, and when it is given access it is purely read-only for the bank feeds. And, very importantly, that Yodlee is given its own log-in credentials, and not those used by the account holders, with full access.
If all of that is so, then even if Yodlee is hacked in some way, or has a rogue employee, there should be no way for those log-in credentials to be used to pilfer any money.
If Yodlee is given the account holders' credentials then, quite frankly, all bets are off. There may be some mitigation, depending on the bank's online banking setup (e.g. what level of two-factor authorisation it uses to deal with payments, etc.)
I suspect Yodlee is supposed to be set up as another user, with limited/read-only access - but based on my experience of how silly some business owners are, it wouldn't surprise me if plenty have given Yodlee full access using their own log-in credentials, especially if adding users costs anything.
But I am making lots of assumptions, because as I said at the start, I don't actually know how this works other than that when I use Xero for one particular client, the feed is there.
__________________
Vince M Hudd - Soft Rock Software
(I only came here looking for fellow apiarists...)
Thanks, Vince, for the informative reply. As I now know Lloyds does not use Direct feeds, I am going to consult with our Customer Service Manager to find out exactly what access Yodlee does have, and where we stand in the event of things going belly up.