Skip navigation

SIFMA: Industry-wide Data Aggregation Principles Will Help Keep Client Data Secure

Most clients expect to see all their financial data in one place, but some aggregation techniques—like “screen scraping” or requiring usernames and passwords for access to accounts—put them at risk. As an industry we need to lead with standards and technology that can help ensure clients’ information is safe when they allow third-party access.

By Lisa Kidd Hunt and Kenneth E. Bentsen, Jr.

We are a customer-focused industry; an industry that has proven time and time again that we evolve to meet our customers’ changing expectations.  Take, for example, the growing demand among our customers for easy access to their financial information in one place. Today, many of our customers use applications to aggregate all of that information into one picture, and we respect that desire for greater information sharing and applaud how it simplifies our customers’ lives.

It’s also just one example of how our ability to capture information and data has never been easier.  And, at the same time, our responsibility to protect client data has never been more important.

According to the 2017 Bank of America Trends in Consumer Mobility Report, 62 percent of Americans use a mobile banking app, up from 54 percent in 2016. Adoption is strong across all generations. As confident as we are in the security of those banking apps, overall losses from identity fraud are nevertheless rising. The Insurance Information Institute’s 2017 Identity Fraud Study found that financial losses from identify fraud had risen by nearly $1 billion to $16 billion, with a record number of people victimized by unauthorized access to their personal information.

What are the best steps to take when it comes to the protection of investor data? First, it’s something that needs to be done together, proactively and collectively, as an industry working with financial technology companies that access and use client data. As an industry we need to lead with standards and technology that can help ensure client information is safe when they allow third parties access to take their data. We have a huge responsibility to educate our clients, so they understand the potential risks that accompany any sharing of their personal information. To that end, SIFMA today released its Data Aggregation Principles. The Principles cover four areas: Access, Security and Responsibility, Transparency and Permission, and Scope of Access and Use. Taken together, the Principles provide a path to create a more secure chain that will help to better protect clients’ financial data while still providing the holistic experience they are looking for.


Data aggregation applications—some of which are controlled by entities not subject to bank or broker/dealer regulation and standards—compile client financial information from multiple accounts and institutions onto a single platform. These applications may help investors better understand their overall financial situation and make more informed investment and financial decisions. However, they may also create security risks for the individual investor’s information they access, harvest, store and use, and, by extension, their financial institution.

Many third-party aggregators use so-called “screen scraping” technology that requires users to submit their login credentials for their financial accounts at their various financial institutions. The aggregator then uses those login credentials to gain access to the user’s account data—and potentially other personal data—at the financial institutions, using automated software to “scrape” the data from the financial institution’s site. This process may put investors’ financial information at risk.

An application programming interface, or API, is an example of a technology that would allow aggregators to access data directly, and more securely, from financial institution sites. With this method, a client may grant an aggregator permission to access his or her account data held at their financial institution, and the financial institution is able to see that the customer has provided informed consent. The financial institution then makes the information available for the aggregator to access through an agreed-upon portal instead of the aggregator “pulling” the information when they screen scrape. Since an API could be set up without requiring users to share their login credentials, it would improve security in communications between aggregators and financial institutions.

APIs aren’t the only possible technological answer. Aggregators and financial institutions need to continue exploring new ways to work together to meet that obligation to users. One financial industry technical group, FS-ISAC, has developed a model API for open use by both aggregators and financial institutions, and SIFMA applauds that effort.

Our objective is to provide clients with the same ability to allow aggregators to access the relevant data needed to provide a holistic view of the client’s financial situation while improving client protection. As the digital economy grows, personal data is the most important asset there is, and as an industry we have a responsibility to work together proactively to protect it and to take steps to help make sure others do too

Lisa Kidd Hunt is Executive Vice President, Business Initiatives, Charles Schwab & Co., Inc. and Chair of SIFMA.

Kenneth E. Bentsen, Jr., is President and CEO, SIFMA.

TAGS: Industry
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.