As fintech companies continue to innovate and develop new products, focus on data access and aggregation remains top of mind for many of the financial regulators, namely the Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), the Federal Reserve (The Fed) and of course the NCUA and FDIC.
The CFPB recently released its Consumer Protection Principles around financial data sharing and aggregation. This piece outlines guidelines for all parties involved: financial institutions, fintech companies and data-aggregators.
For quite some time now, a range of companies - mainly fintech companies - have been accessing financial data with consumers’ authorization and also providing services to consumers using this data.
Some examples of these “data-aggregation” based services include the provision of financial guidance or financial management tools, the verification of accounts and transactions, the facilitation of underwriting or fraud-screening, and a range of other functions.
Specifically, here are a few real-world examples that use financial data today:
- When a consumer links their checking account to personal financial management applications like Mint.com, Clarity Money, or You Need a Budget (YNAB)
- When a consumer links a third-party application for the purposes of sending ACH payments - a data-aggregator may be used to authenticate accounts before making bank payment transfers. This completely avoids the use of micro-deposits (i.e.sending two deposits of a few cents for verification).
- When a consumer uses an application which aggregates balances and transactions from other financial institutions (many financial institutions are doing this today)
As stated by the CFPB, “This type of consumer-authorized data access and aggregation holds the promise of improved and innovative consumer financial products and services, enhanced control for consumers over their financial lives, and increased competition in the provision of financial services to consumers.”
Currently, most aggregators are “screen-scraping” a consumer’s online banking account and capturing the relevant data. This process involves a programmatically written script that logs into the consumer’s online banking using their credentials, and proceeds to analyze code and extract relevant information (balances, transactions, etc.). This method also requires the aggregator to store the login credentials of a consumer so that updates to the third-party application can be made without consumer intervention.
Needless to say, this is a very fragile way of obtaining this data. When a consumer provides their login credentials to a data aggregator, this situation is akin to handing over your house keys to a stranger. Instead of limiting access with reduced permissions (like read-only access), these login credentials can be used for unauthorized transfers or changes to the account.
A much more secure and reliable way to achieve this is by adopting an Open Banking Application Programming Interface (Open Banking API). This API would service data requests from aggregators and not require a consumer’s login credentials to be saved. Instead, a secret token would be used that provides a unique ID per consumer. Additionally, the financial institution would have more control over data access permissions (i.e. making all access read only) thereby substantially increasing security.
Lastly, the user experience would be improved for the consumer and financial institution loyalty would increase. Consumers expect their financial institutions to embrace their banking needs. By adopting an API, end-users are provided a much more seamless environment to interact with the data. Naturally, they will take advantage of this and look to utilize other financial applications that complement their relationship with your institution. By integrating these solutions to your API, your financial institution has suddenly created a “banking ecosystem” for the consumer and has solidified itself as the most “sticky” part of the banking relationship.
Consumer data access should be top-of-mind for any executive team at banks and credit unions. Since consumers are not calling financial institutions and inquiring about data sharing methods, this falls into the hands of management and the institution’s technology team. Below are some discussion points
- Security - Is the financial institution (“FI”) providing a secure method of data exchange between the FI and other consumer-authorized applications?
- Access - Is the FI empowering the consumer’s full financial ecosystem by allowing secure and reliable access to financial data when appropriate?
- Education - Is the FI taking steps to educate consumers on what data sharing means?
The CFPB outlines a much more exhaustive set of principles (below), but the above should spark good, initial conversation amongst FI leadership.
As mentioned above, the CFPB has outlined nine principles to responsibly share consumer financial data. We have summarized them below:
Authorized and trusted third parties obtain financial information for the benefit of consumers in a safe and timely manner. Consumers are never required to share account credentials with third parties.
2). Data Scope and Usability
Financial data such as account information, transactions or series of transactions are accessible and available to consumers and authorized third parties. Third parties are expected to use consumer data necessary to provide their product or service and dispose of data which does not.
3). Control and Informed Consent
Third parties are required to disclose their terms of consumer data access, storage, use and disposal. Those terms are understood and consistent with consumer expectations. Consumers have the right to revoke authorizations for third-party access, usage, or storage.
4). Authorizing Payments
Third parties are required to obtain separate and distinct consumer authorizations for data access and payments. Authorized data access credentials may not be used for payment authorizations and vice versa.
Consumer data is accessed, stored, used, and distributed securely. Third-party access credentials are secure and protocols are in place to respond to data breaches and the possibility of future threats.
6). Access Transparency
Consumers are informed of the identity and security of the third-party accessing their data, the frequency and their use of account information. All of this information is easily ascertainable by the consumer.
Consumers can expect the data they access or allow third parties to access to be current and accurate. Consumers have the ability to dispute and resolve data inaccuracies.
8). Ability to Dispute and Resolve Unauthorized Access
Third parties provide consumers with reasonable and practical means to dispute and resolve any instances of unauthorized data access, sharing or payment. Third parties are held responsible and accountable for the consequences of such access.
9). Efficient and Effective Accountability Mechanisms
Account providers and third parties are accountable for any risk, harm or cost they introduce to the consumer. The goals and incentives of account providers and third parties should align to enable safe consumer access and deter misuse.
Mega-banks in the United States have already adopted APIs (https://developer.citi.com/) and it is clear the banking industry is moving toward a more open-banking environment. Responsible financial data sharing should be top of mind for all financial institutions and a move towards API-based data sharing is inevitable.