Last week, the Securities Industry and Financial Markets Association ("SIFMA"), a trade group for the United States securities industry, issued a set of Data Aggregation Principles ("the Principles").[1] In general, data aggregation applications are able to aggregate a customer's financial data across different accounts, from different institutions. While such applications provide customers with desired convenience, tools and analytics, they also pose security risks by virtue of their ability to access the accounts. The Principles are intended to provide guidance to organizations working with data aggregation applications on how to provide customers with secure access to their financial information.

The Principles are divided into four main areas: 1) Access; 2) Security and Responsibility; 3) Transparency and Permission; and 4) Scope of Access. Although brief, the Principles provide clear guidance.

With regard to Access, SIFMA member firms believe that "customers may use third-parties to access their financial account data" and "such access should be safe and secure." As such, the Principles essentially confirm the utility of and ability to provide data aggregation services. Customers want to be able to allow financial data to be aggregated across multiple platforms and utilize related tools without compromising security.

As to Security and Responsibility, "Customers should not have to share their confidential financial account credentials (e.g., personal IDs and passwords) with third-parties" (i.e., those third parties providing data aggregation).

This Principle implicitly addresses acceptable technological implementations. Currently, "screen-scraping" technology is utilized by many data aggregators and requires the customer to share its login credentials to allow the aggregator access to the account data. Such sharing of credentials potentially places financial or other non-confidential information at risk. One alternative previously suggested by SIFMA is the use of application programming interfaces (APIs) or other software technologies that can allow the financial data to be shared through a secure gateway and that do not require the customer to reveal its credentials.

Also with regard to Security and Responsibility, the Principles provide that "customers deserve assurances that anyone accessing their financial account data will keep it safe and secure, adopt the same data and security standards followed by regulated financial institutions, and take full responsibility for any data that they receive and provide to others." Here, the Principles recognize that data aggregation providers are not always regulated member entities, but rather may be emerging FinTech providers. The expectation is clear: member firms working with such emerging providers should ensure adequate protections are in place at these providers.

As to Transparency and Permission, prior to access being granted, affirmative consent should be required from customers after they receive "a clear and conspicuous explanation of how third parties will access and use their financial account data." Additionally, withdrawal of consent should be easy and made available to customers "at any time with confidence that third parties will delete and stop collecting their financial account data and delete any access credentials or tokens."

These Principles reflect a basic premise that consumers should have more control over their personal data and how such data will be used. This is somewhat in line with the European General Data Protection Regulation (the "GDPR"), which becomes effective next month. Among other protections, under the GDPR, a user has a "right to be forgotten," a "right to restrict processing," a "right to data portability," and a "right to object." Consistent with these obligations under the GDPR, the Principles recognize that informed consent, an ability to withdraw such consent at any time and the ability to request deletion of information are all vital components to protecting a consumer's financial information.

Finally, with regard to Scope of Access and Use, the Principles delineate between "financial account data, such as holdings and account balances," and "non-public and confidential personal information." More specifically, the Principles set forth that customer information shared with third parties should not include "non-public and confidential personal information." The Principles also provide that for customer protection, services that go beyond financial account data aggregation, such as third-party trading or movement of money or assets, "should be subject to separate agreements and require separate informed affirmative consent." Here, the Principles echo the common privacy principle that collection and disclosure of personal data should be adequate, relevant and not excessive in relation to the purpose for which the data is processed.

With the number of high profile cybersecurity incidents continuing to rise each day, SIFMA has taken a first step to signal that it recognizes the potential issues inherent in data aggregation. Whether or not the Principles are the first step in a broader push that may include regulation or self-governance in the United States remains to be seen. However, it is clear that financial institutions and other companies that want access to financial data will need to prove to their customers that they have the procedures in place to make them worthy of receiving such access.


Footnote

[1] https://www.sifma.org/resources/general/data-aggregation-principles/
