
Data Aggregators Develop “Open Data Access” Standards

Data aggregators and fintech firms are having their own “don't be evil” moment, as they try to balance the benefits of open data access with the risks posed by breaches and fraud.

The European Union’s General Data Protection Regulation, meant to ensure better protection of individuals’ personal data online, has gained plenty of attention lately, across the Atlantic as well as with U.S. firms that do business there.

Meanwhile, in the absence of comprehensive government regulations over consumer financial data here in the U.S., three major data aggregators and analytics firms are taking their own stand on defining principles around its use.

On Monday, Envestnet’s Yodlee, Quovo and Morningstar ByAllAccounts developed the Secure Open Data Access (SODA) framework, an initiative for promoting data access, transparency and security for U.S. firms and clients. Their effort is supported by Consumer Financial Data Rights Group members like Betterment, SoFi, Personal Capital and GoldBean.

Arguing that consumers should be able to grant applications access to their financial information if they find those apps to be “beneficial,” the framework provides guiding principles meant to balance consumer freedom over their financial data and security. The principles include:

  • Consumers must be able to access their financial account data for purposes of using any legitimate application;
  • Consumers must provide affirmative consent on the basis of clear and conspicuous disclosure regarding the use of their data;
  • All entities who handle consumer account information must adhere to best practices for security standards and implement traceability and transparency; and
  • The entity responsible for a consumer’s financial loss must make the consumer whole. All stakeholders in the ecosystem have shared responsibility—this will start with traceability in the United States and a move towards shared responsibility just like in Europe.

The move is partly a response to other industry proposals that the SODA framework developers see as too restrictive.

“Several financial institutions continue to demand, through proposed bilateral agreements with aggregators and other third-party providers, significant restrictions that would limit the types of data their customers would be permitted to access and the types of applications their customers would be permitted to use,” according to the group’s announcement. 

This framework provides some focus on which party should be responsible for “making the consumer whole” in the event of a data breach or an instance of fraud, spreading the responsibility across both financial institutions and aggregators.

“It would have been really easy for the aggregators to get together and make a bunch of pro-aggregator principles,” said Lowell Putnam, CEO of Quovo. “But if we’re going to make a series of principles that can be adopted by fintech apps and financial institutions, we had to put together rules that didn’t necessarily always work in our best interest, but they were in the best interest of the end customer and the overall industry ecosystem.”

As the financial technology industry incorporates more data, in more sophisticated ways, “finding a way to do it without credential-sharing (for instance, where some platforms use clients’ usernames and passwords for accounts to be aggregated) is an important part of adding more safety to the ecosystem,” Putnam said.

The framework also calls out policymakers for the lack of clarity in existing regulations, while stopping short of a call for new ones. “That’s really the most likely avenue for success,” said Putnam. “There's no regulator that truly owns all the rules around data sharing.” SODA stakeholders are hoping to create a starting point for conversations around the topic to, in part, avoid calling for additional government regulations.

 
