Data Aggregation

What Can You Do?

We’ve looked at how financial data aggregator services become popular financial management tools, as well as some of the potential risks those services may present to the security of customers’ personal information.

The next question is: What is being done to address those potential risks and vulnerabilities to better protect customers and the financial system?

Expert Insights: What can you do
from Stuart Rubinstein, Fidelity Investments

Through the Securities Industry and Financial Markets Association (SIFMA), financial industry leaders have developed a framework for making customer data security a top-level priority.

SIFMA developed a set of four fundamental principles to guide member firms as they work with and forge relationships with data aggregator services. The principles are aimed at ensuring that both customers and financial institutions are protected against potential security breaches and misuse of data, as well as encouraging aggregators to clearly disclose how the data they collect will be stored and used.

The four data aggregation principles are as follows:

Access

  • Customers may use third-parties to access their financial account data and SIFMA member firms believe that such access should be safe and secure.

Security and Responsibility

  • Customers should not have to share their confidential financial account credentials (personal IDs and passwords) with third-parties.
  • Customers deserve assurances that anyone accessing their financial account data will keep it safe and secure, adopt the same data and security standards followed by regulated financial institutions, and take full responsibility for any data that they receive and provide to others.

Transparency and Permission

  • Customers should first receive a clear and conspicuous explanation of how third-parties will access and use their financial account data, and then be able to consent affirmatively to this activity before it begins.
  • Customers should be able to withdraw their consent easily and at any time with confidence that third-parties will delete and stop collecting their financial account data and delete any access credentials or tokens.

Scope of Access and Use

  • Customer information available to share with third-parties typically includes financial account data such as holdings, balances, and transaction information, and does not include other non-public and confidential personal information.
  • For customer protection, account activities such as third-party trading, money or asset movement, client verification, and other services that go beyond financial account data aggregation should be subject to separate agreements and require separate informed affirmative consent.

The principles are a first step in a broader campaign to raise awareness of the need for greater data security standards, and to ensure that users receive clear and conspicuous explanations when it comes to how their financial data is used.

Toward more secure technology for sharing data

The industry is also encouraging all aggregators to move toward more secure technologies for gathering customer data, such as the use of application programming interfaces (APIs). Unlike “screen scraping”, an API allows aggregators to access data directly and more securely from financial institution sites without collecting and storing customers’ log-in credentials.

“We can eliminate password-sharing…and we can define better the data fields that clients want to share.” Stuart Rubinstein, Fidelity Investments

With this method, a customer may authorize their financial institution to make their information available for the aggregator to access through an agreed upon secure business-to-business connection (instead of the aggregator “pulling” the information when they screen scrape). Since an API can be set up without requiring users to share their log-in credentials, it would improve security in communications between aggregators and financial institutions.

APIs are not the only possible technological answer but are a good example of a more secure communication channel that will better protect customers’ financial data. Aggregator services and financial institutions need to continue exploring new ways to work together to meet that obligation to users. One financial industry technical group, FS-ISAC, has developed a model API for open use by both aggregators and financial institutions.

Aggregators offer powerful tools that allow customers to manage their complex financial lives more effectively, but personal financial data must continue to be collected, stored, used and shared safely and securely. The financial industry and the fintech sector must work together now to implement higher standards for data security and transparency on personal financial data regardless of where it is held and how it is used.

SIFMA’s data aggregation principles are a good place to start.

“At the end of the day, we are about providing great financial services to the end-client.” Lisa Kidd Hunt – Chair, SIFMA – Executive Vice President, Business Initiatives, Charles Schwab & Co., Inc.