We invite all participants in the financial services ecosystem – including FinTechs, data aggregator intermediaries, financial institutions, regulators, consumer associations, and bank associations – to take part.
In countless areas of American life, a move toward digitization has taken hold, offering consumers unprecedented levels of convenience. The financial services sector is no exception. A growing number of Americans now manage their money online, and many are using financial technology (FinTech) applications. These solutions offer simple, fast, and accessible services via the web, smartphones, and tablets.
A 2018 survey conducted by The Clearing House (TCH) highlighted that nearly one-third of U.S. banking consumers said they use at least one online or mobile FinTech app to help manage their finances (Figure 1). Apps for personal financial management and budgeting/saving were cited as the most popular services, followed by investment services and robo-advisers as well as lending services.
FinTech apps have grown in popularity because they simplify and/or automate financial management tasks that consumers often find time-consuming or confusing. Whether users want to regularly transfer money into a savings account, track expenses, invest in the stock market, or apply for a loan – now there is an app for it. While these solutions undoubtedly offer convenience, they can also carry risk. To perform their services, FinTech apps typically need to access consumers’ most sensitive personal and financial information, including their bank account login credentials. Although the number of FinTech apps has surged into the thousands in recent years, the security protocols, best practices, and consumer protections for data sharing in the financial services space have not kept pace.
Security Vulnerabilities and Consumer Awareness
As a result, the current system of data sharing between financial institutions and FinTech apps has some drawbacks and vulnerabilities:
- Consumers often have limited control over how their data is being used and/or shared by FinTech apps and other third parties.
- Many FinTech apps leverage consumers’ bank account login credentials and, with them, gain access to their accounts. There is typically no way for a consumer to monitor or control how or when this access is used.
- Consumer-permissioned parties and aggregators may store consumers’ bank account log-in credentials, creating the potential for harm in the event of a data breach.
- There are no best practices, guidelines, or agreements that govern how FinTech apps and data aggregator intermediaries share and resell consumer data to other third parties.
Recent events, such as the Facebook-Cambridge Analytica incident, have also raised consumer awareness of data sharing and heightened concerns over the collection and use of personal information. In fact, the survey mentioned earlier showed that two-thirds of respondents said they are very or extremely concerned about data privacy when they use FinTech apps (Figure 2). The poll also indicated that many consumers are not familiar with the details of how their data is being accessed, used, and shared by these apps. For instance, nearly a quarter of respondents said that they would not use an app that stores their bank account credentials, yet that is precisely what many FinTech apps do to access information quickly and easily. After being told that many FinTech app providers, as part of their terms and conditions, gain consent from consumers to use their data for purposes other than operating the app itself, nearly half of FinTech users said they are now less likely to use these services.
Key Priorities to Address Consumer Financial Data-Sharing Concerns
In response to consumers’ concerns and lack of awareness, some government agencies, including the Bureau of Consumer Financial Protection (BCFP), have begun to tackle vulnerabilities in the current system of financial data sharing. TCH is similarly positioned to increase awareness and facilitate solutions to address data-sharing issues. As the nation’s first banking association, we have long supported financial institutions in their role as custodians of the payments system through education, advocacy, and measures that promote safety and soundness.
TCH currently is working with our member banks and other industry stakeholders on a series of activities to provide financial institutions, FinTechs, and data brokers with recommended solutions for enhancing the security, efficiency, and convenience of consumer financial data sharing. These priorities build upon the BCFP’s October 2017 consumer protection principles. Its goal is to outline secure methods for accessing sensitive financial information; to enhance the security of third-party data collection, access, and use; and to develop a consensus within the FinTech and financial services industries on best practices for data aggregation and sharing.
In our work, TCH and our industry partners follow three guiding principles:
- Act in the best interest of consumers to help them better manage their finances while protecting their data privacy and security.
- Protect and enhance the stability and safety of the financial services industry to reduce overall risks and create resilience.
- Foster efficiency by helping all parties interact and share data in faster, less burdensome and less costly ways, and provide consumers better access to their data.
TCH’s Priorities for Improved Consumer Financial Data Sharing
With the guiding principles in mind, TCH and other stakeholders are working on a number of priorities that will contribute to a more secure, efficient, and convenient financial services ecosystem (Figure 3).
Support for Application Programming Interfaces (APIs)
One of the key vulnerabilities in the current system is that many FinTech apps require access to consumers’ bank account login credentials to perform their services. After a third party has obtained a consumer’s credentials, it can theoretically access any information on the consumer’s bank account(s), perform any activity the consumer could, and share or sell the consumer’s bank account information. There is also the risk of login credentials being compromised if a FinTech app experiences a data breach.
Fortunately, there is a secure and flexible alternative mechanism for third parties to access consumer data. “Application programming interfaces allow consumers to share information with FinTech apps and other third parties without giving away their bank account login credentials,” says Lila Fakhraie, co-chair of the Financial Data Exchange (FDX) and manager of the Digital Banking API team at Wells Fargo. “APIs enable consumers to enjoy the advantages of FinTech apps while providing them with greater control over the sharing of their data and maintaining the security of their account relationship.” TCH and our member banks strongly support broader adoption of APIs within the financial services ecosystem.
API Technical and Security Standards
Just as the financial services sector has yet to reach consensus on a preferred method for consumer data sharing, there are also no universally accepted standards to which data aggregation and security efforts should adhere. This status quo creates a number of challenges for the industry. For example, new FinTech startups may have a harder time getting their products to market if they need to meet different technical requirements for every financial institution with which they seek to partner.
The financial services sector should come together and adopt a common set of data aggregation standards and data security standards. To advance this goal, TCH became a founding member of Financial Data Exchange, a nonprofit organization that aims to unify the industry around secure financial data sharing. FDX is promoting the widespread adoption of an API called the Durable Data API or DDA, which has significant benefits for financial institutions, FinTechs, and consumers alike. The organization has also developed an operating framework, policies, membership, auditing processes, and developer support to expand the use of DDA.
“FDX’s work is an important element in the move toward more secure, seamless and consumer-controlled data sharing in financial services,” said Steve Smith, co-chair of FDX. “A common and interoperable standard will enhance data security, make it easier for financial institutions and third parties to share data and speed up innovation with new financial services products to come to market.”
TCH and our member banks are developing a model agreement that can be leveraged as a starting point for financial institutions, FinTechs, and other third-party data aggregators as they consider establishing relationships with each other. The agreement outlines suggested terms in key areas that parties should consider as they enter into agreements for providing permissioned sharing of customer data. These key areas include customer permissions and informed consent for data aggregation and sharing; questions of legal liability; service-level agreements; data access methods and minimum security requirements; data access for other parties with whom the third party may share consumer information; and dispute resolution.
It is important to note that the agreement will be entirely voluntary; its provisions will serve as guidelines rather than requirements. Parties may use and modify terms as they see fit during their negotiations. The goal of the model agreement is to provide comprehensive guidelines that save time and resources in the negotiating process and lead to agreements with strong data security provisions. TCH and our member banks are currently soliciting input from FinTechs and other data aggregators on the model agreement. We value their feedback and view the agreement as a template that will continually evolve over time to meet the needs of both FinTechs and financial institutions.
Guidelines for Consumer Permissions and Control Mechanisms
To maintain consumers’ trust in the data sharing process, it is important that financial institutions and FinTech apps offer mechanisms through which consumers can grant permissions and control how their information is being accessed, used, stored, and shared. TCH and our member banks have outlined six elements that such mechanisms should cover:
- Consumer disclosures: Financial institutions and FinTech apps should disclose to consumers the accounts and data types that a third party needs to access to perform its services, and alert consumers if other entities will or may access their information. The extent of the disclosure should be informed by the sensitivity of the data.
- Consumer consent: Consumers should be given the opportunity to provide explicit consent to each third party that wishes to access their data. The consent should cover which data type(s) the third party can access, how that data is used, which other parties may receive it, and the frequency and duration of data access.
- Access permissions: Once data access has been granted, consumers should have the ability to manage their permissions, including by modifying permissions, revoking consent and having “the right to be forgotten” (i.e., the ability to revoke data access in such a way that the data is no longer stored by the third party).
- Opt-in principles: FinTech apps and other third parties should create transparent opt-in mechanisms to obtain consumer consent for all instances of data collection. Opt-ins should happen when a consumer first starts using a FinTech app, whenever the app is updated, and if the consumer permission expires.
- Permissions expiry protocols: Financial institutions should consider establishing guidelines for when consumer permissions for data access expire. There are different approaches financial institutions could take. They may require third parties to renew consumer consent if a consumer has been inactive on an app for a certain period of time, or they may require renewed consent when certain events, such as a data breach, occur.
- Proposed customer permissions experience flow: TCH and our member banks developed a proposed step-by-step process for obtaining consumer permissions for data access after a consumer chooses to sign up for a FinTech app.
Trusted Third Parties
Under current data sharing practices, security protocols often lead financial institutions to investigate data requests from FinTech apps with the same scrutiny as requests from other, less trustworthy third parties. This creates significant inefficiencies in the system, consuming financial institutions’ IT resources and delaying FinTech apps’ access to consumer information. A registration and assessment process could offer much-needed relief in this regard.
Through such a process, a FinTech app would have the opportunity to become a trusted third party with a financial institution. The process would be managed by an independent consortium or standards body. That organization would evaluate FinTech apps and other third parties based on a set of predetermined criteria, such as whether they use acceptable authentication protocols, adhere to recommended security standards, and meet consumer transparency and permissions standards. Third parties that pass the assessment would receive a credential, which financial institutions could use as an indicator that a third party is trustworthy and its data requests require less scrutiny.
A Call for a Collaborative, Cross-Industry Effort to Maintain Consumer Trust
These consumer financial data sharing activities are part of a series of steps that TCH will be taking to support safe and secure consumer data access, and more information about the priorities will be available in the future. There are also already examples of industry stakeholders spearheading efforts, such as FDX, that fulfill various focus areas.
We invite all participants in the financial services ecosystem – including FinTechs, data aggregator intermediaries, financial institutions, regulators, consumer associations, and bank associations – to take part. Through a collaborative, cross-industry effort by all stakeholders, the financial services sector can ensure that consumers’ expectations for data security are being met and consumer trust – the foundation of our industry –