SIFMA Releases Data Aggregation Principles to Help Consumers Better Protect Their Data


Washington, D.C., April 12, 2018 – SIFMA today released its Data Aggregation Principles (Principles), a proactive industry-wide initiative designed to help ensure customers’ information is safe when they give third parties access to their data.  The Principles provide a path to a more secure chain that will help to better protect consumers’ private financial data, while still providing the holistic experience they are looking for today.

“The framework underlying the Principles was designed through a collaborative effort with leading financial services firms over the course of months of input and the sharing of best practices.  I am proud to be a part of an industry that makes client data security a top priority and works proactively to improve our ability to protect clients,” said Lisa Kidd Hunt, executive vice president, business initiatives at Charles Schwab & Co., Inc. and chair of SIFMA.  “As we continue to grow the digital economy, personal data is becoming the most important currency there is, and as an industry we have a responsibility and obligation to protect our clients’ data.  Our ability to capture information and data has never been easier, and our responsibility to protect it has never been more essential.”

Data aggregation applications—some of which are controlled by entities not subject to bank or broker-dealer regulation and standards—compile customer financial information from multiple accounts and institutions onto a single platform.  These applications can help investors better understand their overall financial situation and make more informed investment and financial decisions.  But they may also create security risks for the individual investor’s information that they access, harvest, store and use. The Principles offer guidance for SIFMA members working with data aggregation applications.

“Data has never been more important, more available or more at risk.  Keeping our customers’ data safe is of paramount importance to our industry,” said Kenneth E. Bentsen, Jr., president and CEO of SIFMA.  “The goal of the principles is to provide customers with safe and secure access to their data and protection of their confidential account information, along with assurances that data aggregators adhere to the same data and security standards followed by regulated financial institutions.”

SIFMA’s Data Aggregation Principles cover four areas:

  1. Access: Customers may use third parties to access their financial account data and SIFMA member firms believe such access should be safe and secure.
  2. Security and Responsibility: Customers should not have to share their confidential financial account credentials (personal IDs and passwords) with third parties.  Customers deserve assurances that anyone accessing their financial account data will keep it safe and secure, adopt the same data and security standards followed by regulated financial institutions, and take full responsibility for any data that they receive and provide to others.
  3. Transparency and Permission: Customers should first receive a clear and conspicuous explanation of how third parties will access and use their financial account data, and then be able to consent affirmatively to this activity before it begins.  Customers should be able to withdraw their consent easily and at any time with confidence that third parties will delete and stop collecting their financial account data and delete any access credentials or tokens.
  4. Scope of Access and Use: Customer information available to share with third parties typically includes financial account data such as holdings, balances, and transaction information, and does not include other non-public and confidential personal information.  For customer protection, account activities such as third-party trading, money or asset movement, client verification, and other services that go beyond financial account data aggregation should be subject to separate agreements and require separate informed affirmative consent.

In addition to the Principles, SIFMA is encouraging member firms and aggregators to move toward more secure technologies for gathering customer data, such as application programming interfaces (APIs).

Many third-party aggregators use so-called “screen scraping” technology that requires users to submit the log-in credentials for their financial accounts at their various financial institutions. The aggregator then uses those log-in credentials to gain access to the user’s account data (and potentially other personal data) at the financial institutions, using automated software to “scrape” the data from each financial institution’s site. This process may put investors’ financial information at risk.

An API would allow aggregators to access data directly, and more securely, from financial institution sites. With this method, a customer grants an aggregator permission to access account data held at the financial institution, and the financial institution is able to see that the customer has provided informed consent. The financial institution then makes the information available for the aggregator to access through an agreed-upon portal (instead of the aggregator “pulling” the information itself, as it does when it screen scrapes). Because an API can be set up without requiring users to share their log-in credentials, it would improve the security of communications between aggregators and financial institutions.
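To make the contrast with screen scraping concrete, here is an added Python sketch of the API path described above (not SIFMA’s or any member firm’s code; the class, resource names and sample account are assumptions): the institution issues a token only for the data scopes the customer consented to, refuses any grant that reaches beyond aggregation data, and deletes the token when consent is withdrawn, so the aggregator never holds the customer’s log-in credentials.

```python
import secrets
from dataclasses import dataclass

# Constructed demo, not SIFMA's or any firm's code: a financial institution (FI)
# issues scoped, revocable tokens to an aggregator after the customer consents,
# so the aggregator never receives the customer's log-in credentials.
AGGREGATION_SCOPES = frozenset({"holdings", "balances", "transactions"})  # principle 4

@dataclass(frozen=True)
class Consent:
    customer: str
    aggregator: str
    scopes: frozenset

class FinancialInstitution:
    def __init__(self, accounts):
        self._accounts = accounts  # customer -> {resource: data}; constructed store
        self._tokens = {}          # token -> Consent

    def grant(self, customer, aggregator, scopes):
        """Customer consents affirmatively; FI issues a token bound to that consent."""
        scopes = frozenset(scopes)
        if not scopes <= AGGREGATION_SCOPES:
            return None  # trading, money movement etc. need a separate agreement
        token = secrets.token_urlsafe(16)
        self._tokens[token] = Consent(customer, aggregator, scopes)
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)  # consent withdrawn: token deleted, access stops

    def fetch(self, token, resource):
        """The agreed portal: serves only resources inside the consented scope."""
        consent = self._tokens.get(token)
        if consent is None:
            raise PermissionError("token unknown or revoked")
        if resource not in consent.scopes:
            raise PermissionError(f"'{resource}' is outside the consented scope")
        return self._accounts[consent.customer][resource]

# Constructed sample account; 'ssn' stands in for non-public personal data.
SAMPLE_ACCOUNTS = {"alice": {"balances": {"cash": 1200.0}, "holdings": {"VTI": 10},
                             "transactions": ["2018-04-02 BUY VTI 10"], "ssn": "REDACTED"}}

def allowed(fi, token, resource):
    """True if the portal serves the resource for this token, False if it refuses."""
    try:
        return fi.fetch(token, resource) is not None
    except PermissionError:
        return False
```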

For more resources, please visit Project Invested at http://www.projectinvested.com/data-aggregation/

-30-

SIFMA is the voice of the U.S. securities industry. We represent the broker-dealers, banks and asset managers whose nearly 1 million employees provide access to the capital markets, raising over $2.5 trillion for businesses and municipalities in the U.S., serving clients with over $18.5 trillion in assets and managing more than $67 trillion in assets for individual and institutional clients including mutual funds and retirement plans. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.