With digitization of financial services accelerated by the pandemic, the financial services industry is collecting and processing reams of sensitive customer financial data. Bank accounts, investment accounts, mortgage accounts, insurance policies, utility bills, even frequent flyer numbers and gift cards: all rely on usernames and passwords and contain valuable financial data. Every transaction is logged and captured, with firms hoping to gather insights on individual preferences, behaviors, and needs as well as aggregate trends that will help them better understand their markets.

This exploding trove of data is compounded by the growth of third-party financial services companies to which customers also grant access to their primary financial accounts. In fact, industry estimates suggest that anywhere from a quarter to a third of a financial institution’s customers are granting access and sharing their own financial data with one or more third parties such as investment advisers, tax preparers, or fintechs like budgeting and payment apps. What they may not realize when sharing their data via login credentials is that these third parties often receive far more data than they need to perform the service, and for far longer than necessary – maybe forever.

The Power of Compounding

The way it has worked historically is a process known as screen scraping. Users grant (or permission, in industry jargon) access to their accounts by linking them, and then the company logs in as if they were the customer and gathers the customer’s data. While it is an automated process, it mimics the customer by logging into the exact same screens a customer sees, and “scraping” the data from those screens.

These third-party companies may store and secure the same data that the originating data source (i.e. the bank) does. This can compound the cyber risk for the individual in that their data might live in multiple places, which could give more opportunities for cyber criminals to get at it. It can also compound risk for the larger financial system by expanding its attack surface with duplicated data.

The second way third parties get primary customer data is through proprietary APIs. These APIs act as intermediaries between financial institutions and the third parties. While this is more efficient than screen scraping, it requires investment in development and maintenance by individual firms, as well as resources (such as sales, marketing, and support) to secure adoption by customers and partners. Competitors will have a variety of different APIs, so financial institutions and other firms that interface with many data aggregators and fintechs have to deal with different pipes with different requirements. It is akin to the days when we had a different cable for every piece of electronics.

Big Data = Big Risk

Times are changing, for two reasons. First, consumers are beginning to realize that their data is currency in a digital world that aspires to maximize the match between what customers want and the products they are marketed. Regulators are acting to ensure data privacy with laws like Europe’s GDPR and California’s Consumer Privacy Act.

Second, with cyber threats exploding, the market is realizing that holding not only large amounts of customer data but also the keys to that data (i.e. usernames and passwords) amounts to more cyber risk and is therefore a liability. Why should a budgeting app need your address? Why would a bitcoin wallet need your credit card transaction history?

A Sea of Electric Plugs

With data privacy standards and regulatory regimes varying by country and region, there is also a risk that financial data transmission goes the way of electric plugs, which never became standardized worldwide because of sunk costs (how hard it would have been for certain countries to change after adopting their own standards) and world wars, which halted attempts to harmonize with a global standards body.

Digitization of financial services is here to stay. Financial flows operate across borders. Institutions operate in multiple jurisdictions. The number of companies transmitting financial data back and forth will continue to grow. That data needs to be able to be transmitted seamlessly and safely.

We have an opportunity now, before the world is doomed to the equivalent of buying a clunky adapter at the airport for every international trip. The market needs a universal way to transmit financial data that both maximizes customer control and minimizes cyber risk.

A Framework for Consumer-Permissioned Data Sharing
We believe there are five principles for the future of financial data transmission:
    • Control: Consumers should be able to permission their financial data for services or applications.
    • Access: Account owners should have access to their data and the ability to determine who will have access to their data. 
    • Transparency: Individuals using financial services should know how, when, and for what purpose their data is used. Only data that is required to provide such services should be shared with the organization providing the service.
    • Traceability: All data transfers should be traceable. Consumers should have a complete view of all entities within the user-permissioned financial data ecosystem that are involved in the data-sharing flow.
    • Security: Financial data parties should follow industry best cybersecurity practices across the whole of their organization for safety and privacy of data during access and transport and when that data is at rest.

Based on these principles, FDX convened a wide array of industry stakeholders and developed a free open standard for the “pipes,” i.e. a USB-style standard for how financial data will be shared back and forth. The basic idea is that instead of giving third parties the keys to their accounts (username and password), customers only open the door for them, with authentication happening on the bank or primary institution’s site. The third party then receives a set of tokens that specify the institution, the account, the types of data it can access, and for how long.
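To make the token model concrete, here is an added illustration (not FDX's specification and not any institution's code) of a consent token that carries the institution, account, permitted data types and an expiry, with a resource-server check that refuses requests outside that scope or after the consent lapses. The institution name, account id, data-type names and the HMAC signing scheme are all assumptions made for this example.

```python
"""Illustrative consent-token model for user-permissioned data sharing.

Added example, not FDX's standard: the institution authenticates the
customer itself and hands the third party a token scoped to one
institution, one account, a set of data types and a lifetime, instead of
the customer's username and password.  The data provider then enforces
scope and expiry on every request, so the third party only ever receives
the data types it was permissioned for, and only while consent is valid.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical signing key held only by the data provider (the bank).
SIGNING_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(institution, account_id, data_types, ttl_seconds, now=None):
    """Issued by the institution after the customer authenticates there."""
    now = time.time() if now is None else now
    claims = {"iss": institution, "acct": account_id,
              "scope": sorted(data_types), "exp": now + ttl_seconds,
              "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body.encode())}"


def authorize(token, institution, account_id, requested_type, now=None):
    """Data-provider check: signature, issuer, account, expiry, then scope."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["iss"] != institution or claims["acct"] != account_id:
        return False, "wrong institution/account"
    if now >= claims["exp"]:
        return False, "expired"        # access ends when the consent does
    if requested_type not in claims["scope"]:
        return False, "out of scope"   # data minimization: no extra fields
    return True, "ok"
```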

An open standard is more efficient. Filtering user-permissioned data through one standard API is cheaper than keeping up with many different proprietary APIs used by different parties and maintaining customer-facing infrastructure for automated transactions. In addition, a common API standard allows for interoperability with other international jurisdictions.

It is also more secure. An API reduces the noise for cybersecurity teams who are trying to distinguish between consumers and malicious actors, because legitimate screen-scraping logins no longer appear in the regular customer traffic. Further, storing fewer usernames, passwords and financial records across multiple databases reduces the whole industry’s attack surface. And putting the customer in control of exactly who holds what data and for how long is not only getting ahead of regulatory demands; showing respect for customer privacy is increasingly good business.


The Insight

With financial data flows between institutions, fintechs, and other parties on the rise, sharing more data than necessary for longer than necessary is both an extra cost and a cyber risk. The answer is an open standard based on the principle of data minimization that puts the customer in control of giving permission as to what data can be accessed and for how long.

March 2021

© 2021 FS-ISAC, Inc. All rights reserved.
