With digitization of financial services accelerated by the pandemic, the financial services industry is collecting and processing reams of sensitive customer financial data. Bank accounts, investment accounts, mortgage accounts, insurance policies, utility bills, even frequent flyer numbers and gift cards: all rely on usernames and passwords and contain valuable financial data. Every transaction is logged and captured, with firms hoping to gather insights on individual preferences, behaviors, and needs as well as aggregate trends that will help them better understand their markets.
This exploding trove of data is compounded by the growth of third-party financial services companies to which customers also grant access to their primary financial accounts. In fact, industry estimates suggest that anywhere from a quarter to a third of a financial institution’s customers are granting access and sharing their own financial data with one or more third parties such as investment advisers, tax preparers, or fintechs like budgeting and payment apps. What they may not realize when sharing their data via login credentials is that these third parties often receive far more data than they need to perform the service, and for far longer than necessary – maybe forever.
The way it has worked historically is a process known as screen scraping. Users grant (or permission, in industry jargon) access to their accounts by linking them, and then the company logs in as if they were the customer and gathers the customer’s data. While it is an automated process, it mimics the customer by logging into the exact same screens a customer sees, and “scraping” the data from those screens.
These third-party companies may store and secure the same data that the originating data source (i.e. the bank) does. This can compound the cyber risk for the individual in that their data might live in multiple places, which could give more opportunities for cyber criminals to get at it. It can also compound risk for the larger financial system by expanding its attack surface with duplicated data.
The second way third parties get primary customer data is through proprietary APIs. These APIs act as intermediaries between financial institutions and the third parties. While this is more efficient than screen scraping, it requires investment in development and maintenance by individual firms, as well as resources (such as sales, marketing, and support) to secure adoption by customers and partners. Competitors will have a variety of different APIs, so financial institutions and other firms that interface with many data aggregators and fintechs have to deal with different pipes with different requirements. It is akin to the days when we had a different cable for every piece of electronics.
Times are changing, for two reasons. First, consumers are beginning to realize that their data is currency in a digital world that aspires to maximize the match between what customers want and the products they are marketed. Regulators are acting to ensure data privacy with laws like Europe’s GDPR and California’s Consumer Privacy Act.
Second, with cyber threats exploding, the market is realizing that holding not only large amounts of customer data but also the keys to that data (i.e. usernames and passwords) amounts to more cyber risk and is therefore a liability. Why should a budgeting app need your address? Why would a bitcoin wallet need your credit card transaction history?
With data privacy standards and regulatory regimes varying by country and region, there is also a risk that financial data transmission goes the way of electric plugs, which never became standardized worldwide because of sunk costs – how hard it would have been for certain countries to change after adopting their own standards – and world wars, which halted attempts to harmonize with a global standards body.
Digitization of financial services is here to stay. Financial flows operate across borders. Institutions operate in multiple jurisdictions. The number of companies transmitting financial data back and forth will continue to grow. That data needs to be able to be transmitted seamlessly and safely.
We have an opportunity now, before the world is doomed to the equivalent of buying a clunky adapter at the airport for every international trip. The market needs a universal way to transmit financial data that both maximizes customer control and minimizes cyber risk.
Based on these principles, the Financial Data Exchange (FDX) convened a wide array of industry stakeholders and developed a free open standard for the “pipes,” i.e. the USB for how financial data will be shared back and forth. The basic idea is that instead of giving third parties the keys to their accounts (username and password), customers only open the door for them, with authentication happening on the bank or primary institution’s site. Then the third party receives a set of tokens that specify the institution, the account, the types of data it can access, and for how long.
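The contrast between the two models, as an added illustration that is not part of the original article and is not the FDX API: the `Grant` fields mirror the four things the paragraph says a token specifies, and every name and value below (`Grant`, `fetch`, `credential_login`, the sample account) is hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class Grant:
    """Hypothetical record of what the customer approved at the bank's own login page."""
    institution: str
    account_id: str
    data_types: frozenset      # e.g. {"balances", "transactions"}
    expires_at: datetime

# Constructed sample data held by the institution.
ACCOUNTS = {
    ("example-bank", "acct-001"): {
        "balances": {"current": 1520.75},
        "transactions": [{"date": "2021-03-01", "amount": -42.10}],
        "contact": {"address": "1 Example St"},
    }
}

def credential_login(institution, account_id):
    """Shared-password model: whoever holds the login sees every field, with no expiry."""
    return dict(ACCOUNTS[(institution, account_id)])

def fetch(grant, institution, account_id, requested, now):
    """Token model: release only data types the grant covers, and only until it expires."""
    if now >= grant.expires_at:
        raise AccessDenied("grant expired")
    if (institution, account_id) != (grant.institution, grant.account_id):
        raise AccessDenied("grant does not cover this account")
    excess = set(requested) - grant.data_types
    if excess:
        raise AccessDenied("not permitted: " + ", ".join(sorted(excess)))
    record = ACCOUNTS[(institution, account_id)]
    return {name: record[name] for name in requested}

if __name__ == "__main__":
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    budgeting = Grant("example-bank", "acct-001",
                      frozenset({"balances", "transactions"}), t0 + timedelta(days=90))
    print(fetch(budgeting, "example-bank", "acct-001", ["balances"], t0))
    print(sorted(credential_login("example-bank", "acct-001")))
```
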
An open standard is more efficient. Filtering user-permissioned data through one standard API is cheaper than keeping up with many different proprietary APIs used by different parties and maintaining customer-facing infrastructure for automated transactions. In addition, a common API standard allows for interoperability with other international jurisdictions.
It is also more secure. By taking the legitimate screen-scraped transactions out of the regular data flow, an API reduces the noise for cybersecurity teams who are trying to distinguish between consumers and malicious actors. Further, storing fewer usernames, passwords, and financial data across multiple databases reduces the whole industry’s attack surface. And putting the customer in control of exactly who holds what data and for how long is not only getting ahead of regulatory demands; showing respect for customer privacy is increasingly good business.
With financial data flows between institutions, fintechs, and other parties on the rise, sharing more data than necessary for longer than necessary is both an extra cost and a cyber risk. The answer is an open standard based on the principle of data minimization that puts the customer in control of giving permission as to what data can be accessed and for how long.
© 2021 FS-ISAC, Inc. All rights reserved.
Don Cardinal is Managing Director of the Financial Data Exchange (FDX), a non-profit, industry-led collaboration dedicated to unifying the financial industry around a secure, interoperable standard for the permissioned access of consumer and business financial data. As Managing Director, Don works with a diverse board consisting of 24 organizations representing the top financial institutions, data aggregators and users of consumer-permissioned financial data globally to promote and expand implementation of the FDX API, grow FDX membership, and engage with stakeholders in the financial data ecosystem. Prior to this, Don spent more than 20 years with Bank of America, where he served in key leadership roles as the Privacy Officer of their Military Bank, the Digital Banking VP for Military Bank, VP in Digital Banking, and most recently as a Senior VP in Global Information Security, where he orchestrated the bank’s DMARC email security implementation, protecting over 3.5 billion outbound emails per year. From 2016 to 2018, Don also served as co-chair of the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) Aggregation Working Group, which, in October 2018, launched as FDX – operating as an independent, non-profit subsidiary of FS-ISAC. Prior to his banking career Don worked for a small Fintech writing tax preparation software. Don is a Certified Public Accountant, Certified Information Systems Auditor, Certified Information Security Manager, and holds a Six Sigma green belt. He earned BBAs in Accounting and Finance from Texas A&M University and an MBA from Our Lady of the Lake University. He is a graduate of the FBI Citizens Academy, a member of the FBI’s InfraGard, a member of the American Institute of CPAs, the Texas Society of CPAs and the Information Systems and Control Association. He also holds ten U.S. patents. Don is a frequent speaker on data sharing, open banking, DMARC email security and other security topics, and has served as an adjunct faculty for the University of the Incarnate Word.
His volunteer work has included leadership roles in the 500 Inc, Treasurer for pARTners supporting the North East School of the Arts, and Treasurer and President of the Alliance Française de Dallas. Don resides in far North Dallas with his wife, son, two dogs and two cats.