This is not how we had originally designed it. We wanted the vendors to force the user to log in. To the best of my knowledge all of the vendors have written the real-time transfer as you have mentioned. If you are going to send the information this way then the user id owner must realize that he/she is taking the responsibility and if there is any breach of security then the user id owner will be the person that is contacted.