March 3, 2022
National Institute of Standards and Technology
Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Re: National Institute of Standards and Technology – Draft Report 8389 Cybersecurity Considerations for Open Banking Technology and Emerging Standards
Ladies and Gentlemen:
The undersigned trade associations¹ appreciate the opportunity to comment on the National Institute of Standards and Technology’s (“NIST”) internal report on Cybersecurity Considerations for Open Banking Technology and Emerging Standards.² The associations commend NIST for identifying the importance of cybersecurity and privacy safeguards in the consumer financial data sharing ecosystem. The report, however, does not adequately address these important considerations or acknowledge the evolution in data sharing that has occurred in the United States in recent years and that continues apace.
In the United States, shifts in consumer demand for more digital and interactive financial products and services have dramatically changed the marketplace, which now includes an increasing number of fintechs and other companies not subject to the same comprehensive regulatory oversight as banks, but increasingly facilitating access to sensitive consumer data to provide such products and services.
This surge in adoption of digital products and services has accelerated banks’ efforts to leverage market-developed technological solutions to help meet customer demand while ensuring consumers’ sensitive financial data is kept private and secure. Unlike other jurisdictions in which consumer financial data sharing has been mandated by government action, this expansion of consumer data access in the United States has developed via innovation in the marketplace. Under an industry-driven approach, participants can innovate and adapt more quickly to market changes and develop safer solutions.
The associations support innovation and welcome competition in payments and other financial products and services when this innovation is conducted responsibly and in a way that ensures customers are protected through consistent regulation and oversight. In this regard, the associations support the ability of bank customers to securely connect their bank accounts to the third-party apps of their choice, which in some cases may involve the interposition of a data aggregator to collect the customer’s information from a financial institution and provide it to the app. It is critical, however, that consumers’ personal and financial information remains secure when it is shared between financial institutions and third parties. Ensuring the security of customer data is, and will remain, a top priority for the banking industry.³
1 Please see Annex A for a description of the associations.
2 Voas, et al., “Cybersecurity Considerations for Open Banking Technology and Emerging Standards,” National Institute of Standards and Technology draft report 8389 (Jan. 3, 2022) (available at: https://doi.org/10.6028/NIST.IR.8389-draft).
3 SIFMA notes that the concerns expressed in this letter generally are the same for all of its members, including those that are not banks or bank affiliates.