WealthManagement.com: Industry-wide Data Aggregation Principles Will Help Keep Client Data Secure

The following op-ed was originally published on wealthmanagement.com on April 12, 2018.

We are a customer-focused industry; an industry that has proven time and time again that we evolve to meet our customers’ changing expectations. Take, for example, the growing demand among our customers for easy access to their financial information in one place. Today, many of our customers use applications to aggregate all of that information into one picture, and we respect that desire for greater information sharing and applaud how it simplifies our customers’ lives.

It is also just one example of how capturing and sharing data has never been easier. At the same time, our responsibility to protect customer data has never been more important.

According to the 2017 Bank of America Trends in Consumer Mobility Report, 62 percent of Americans use a mobile banking app, up from 54 percent in 2016. Adoption is strong across all generations. As confident as we are in the security of those banking apps, overall losses from identity fraud are nevertheless rising. The Insurance Information Institute’s 2017 Identity Fraud Study found that financial losses from identity fraud had risen by nearly $1 billion to $16 billion, with a record number of people victimized by unauthorized access to their personal information.

What are the best steps to take when it comes to the protection of investor data? First, it is something that needs to be done together, proactively and collectively, as an industry working with the financial technology companies that access and use our customers’ data. As an industry we need to lead with standards and technology that help ensure customers’ information stays safe when they allow third parties to access their data. We also have a large responsibility to educate our customers, so they understand the risks that accompany any sharing of their personal information. To that end, SIFMA today released its Data Aggregation Principles. The Principles cover four areas: Access; Security and Responsibility; Transparency and Permission; and Scope of Access and Use. Taken together, the Principles provide a path to a more secure chain that better protects consumers’ financial data while still providing the holistic experience they are looking for.

Data aggregation applications – some of which are controlled by entities not subject to bank or broker-dealer regulation and standards – compile customer financial information from multiple accounts and institutions onto a single platform. These applications may help investors better understand their overall financial situation and make more informed investment and financial decisions. But they may also create security risks for the individual investor’s information they access, harvest, store and use, and, by extension, for the investor’s financial institutions.

Many third-party aggregators use so-called “screen scraping” technology, which requires users to hand over the log-in credentials for their accounts at each of their financial institutions. The aggregator then uses those credentials to log in as the customer and run automated software that “scrapes” the account data – and potentially other personal data – from the financial institution’s site. Because the aggregator is presenting the customer’s own credentials, the institution cannot distinguish the aggregator’s traffic from the customer’s, cannot limit what the aggregator sees to the data the customer meant to share, and cannot cut off the aggregator without the customer changing a password. A copy of those credentials is also now stored outside the institution, wherever the aggregator keeps it. This process may put investors’ financial information at risk.

An application programming interface, or API, is an example of a technology that would allow aggregators to access data directly, and more securely, from financial institution sites. With this method, a customer grants an aggregator permission to access specific account data held at the financial institution, and the financial institution records that the customer has provided informed consent. The financial institution then makes that information available for the aggregator to retrieve through an agreed-upon portal (instead of the aggregator “pulling” whatever it can reach when it screen scrapes). Since an API can be set up without requiring users to share their log-in credentials, the institution knows which aggregator is calling, can restrict it to the data the customer agreed to share, and can revoke that access without touching the customer’s password, which improves the security of communications between aggregators and financial institutions.
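The following is an added, constructed model of the two access patterns contrasted above (credential-based screen scraping versus consented, scoped API access). It is not FS-ISAC’s model API or any institution’s code; the customer data, the aggregator names and the scope names are made up for illustration. It shows what a scraper holding the customer’s password can see and do, and how an institution issuing opaque, scoped, revocable tokens can record consent, limit what leaves, and refuse calls from an aggregator the token was not issued to.

```python
"""Constructed model: screen scraping vs. consented, scoped API access.
Not FS-ISAC's model API or any institution's code; all names and data are made up."""
import copy
import secrets
import time

# Constructed sample data: one customer, one brokerage account.
CUSTOMERS = {
    "alice": {
        "password": "correct horse battery staple",  # constructed
        "accounts": {
            "brokerage-001": {
                "balance": 12500.00,
                "ssn_last4": "1234",  # personal data an aggregator never needs
                "transactions": [(-50.00, "fee"), (1200.00, "dividend")],
            }
        },
    }
}


class FullSession:
    """What a scraper holds after logging in with the customer's credentials."""
    def __init__(self, accounts):
        self.accounts = accounts

    def scrape_everything(self):
        return {acct: dict(a) for acct, a in self.accounts.items()}  # balance, SSN, history

    def transfer(self, acct, amount):
        self.accounts[acct]["balance"] -= amount  # the same credentials also move money
        return self.accounts[acct]["balance"]


class Institution:
    def __init__(self):
        self.customers = copy.deepcopy(CUSTOMERS)
        self.grants = {}  # opaque token -> grant record, kept server-side
        self.audit = []   # (customer, action, channel): consent and access trail

    # ---- Pattern 1: screen scraping with shared credentials ----------------
    def login(self, username, password):
        """An aggregator replaying the password is indistinguishable from the customer."""
        cust = self.customers.get(username)
        if cust is None or not secrets.compare_digest(cust["password"], password):
            raise PermissionError("bad credentials")
        self.audit.append((username, "login", "credentials"))  # who? cannot tell
        return FullSession(cust["accounts"])

    # ---- Pattern 2: consented, scoped API access ---------------------------
    def grant(self, username, aggregator, scopes, ttl_seconds):
        """Customer consents to a named aggregator receiving specific scopes.
        The institution records the consent and returns an opaque bearer token;
        the password never leaves the customer."""
        token = secrets.token_urlsafe(24)
        self.grants[token] = {"user": username, "aggregator": aggregator,
                              "scopes": frozenset(scopes),
                              "expires": time.time() + ttl_seconds, "revoked": False}
        self.audit.append((username, f"consent {sorted(scopes)} -> {aggregator}", "api"))
        return token

    def revoke(self, username, token):
        rec = self.grants.get(token)
        if rec and rec["user"] == username:
            rec["revoked"] = True
            self.audit.append((username, "revoke", "api"))

    def _authorize(self, token, aggregator, scope):
        """Each call is checked: known, unrevoked, unexpired, presented by the
        aggregator it was issued to, and covering the requested scope."""
        rec = self.grants.get(token)
        if rec is None or rec["revoked"]:
            raise PermissionError("unknown or revoked token")
        if time.time() > rec["expires"]:
            raise PermissionError("expired token")
        if rec["aggregator"] != aggregator:
            raise PermissionError("token was not issued to this aggregator")
        if scope not in rec["scopes"]:
            raise PermissionError(f"scope {scope} not granted")
        self.audit.append((rec["user"], scope, f"api:{aggregator}"))
        return self.customers[rec["user"]]["accounts"]

    def api_balances(self, token, aggregator):
        accts = self._authorize(token, aggregator, "read:balances")
        return {acct: a["balance"] for acct, a in accts.items()}  # nothing else leaves

    def api_transactions(self, token, aggregator):
        accts = self._authorize(token, aggregator, "read:transactions")
        return {acct: list(a["transactions"]) for acct, a in accts.items()}
    # Deliberately no api_transfer: a data-sharing API need not expose money movement.


def compare_patterns():
    """Run both patterns against the same account and report what each exposes."""
    bank, results = Institution(), {}
    session = bank.login("alice", "correct horse battery staple")  # scraper holds the password
    results["scraper_sees_ssn"] = "ssn_last4" in session.scrape_everything()["brokerage-001"]
    results["scraper_can_transfer"] = session.transfer("brokerage-001", 100.00)
    token = bank.grant("alice", "budget-app", {"read:balances"}, ttl_seconds=3600)
    results["api_balances"] = bank.api_balances(token, "budget-app")
    checks = {"other_aggregator": lambda: bank.api_balances(token, "other-app"),
              "unscoped_transactions": lambda: bank.api_transactions(token, "budget-app")}
    bank.revoke("alice", token)
    checks["after_revoke"] = lambda: bank.api_balances(token, "budget-app")
    for name, call in checks.items():
        try:
            call()
            results[name] = "allowed"
        except PermissionError as exc:
            results[name] = f"denied: {exc}"
    results["consent_recorded"] = any("consent" in entry[1] for entry in bank.audit)
    return results
```

Note that `checks` is a dict whose lambdas run in insertion order after the revoke call, so the first two entries are checked against a revoked token as well; they are still denied for the reasons shown, since the revocation test fires first in `_authorize`. A real deployment would bind the token to a client credential or mutual TLS rather than trusting the caller’s stated name, and would issue short-lived tokens with a separate refresh step; those details are omitted here.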

APIs aren’t the only possible technological answer. Aggregators and financial institutions need to continue exploring new ways to work together to meet their shared obligation to protect users. One financial industry technical group, FS-ISAC (the Financial Services Information Sharing and Analysis Center), has developed a model API for open use by both aggregators and financial institutions, and SIFMA applauds that effort.

Our objective is to preserve customers’ ability to let aggregators access the data needed for a holistic view of their financial situation while improving customer protection. As the digital economy grows, personal data is the most important asset there is, and as an industry we have a responsibility to work together proactively to protect it and to take steps to help make sure others do too.

Lisa Kidd Hunt is Executive Vice President, Business Initiatives for Charles Schwab & Co., Inc. and Chair of SIFMA. Kenneth E. Bentsen, Jr. is President and CEO of SIFMA.

For more, visit SIFMA’s Personal Data Aggregation Resource Center.