The Financial Industry Regulatory Authority recently issued a strongly worded warning to investment companies and investors about the dangers of sharing account data with aggregators so that consumers can access third-party services, dangers that Facebook has learned about the hard way.
Letting data aggregators gather account information can expose consumers to privacy, security and other risks, the self-regulatory organization for securities brokers said.
“These include potential vulnerability to cyber fraud, unauthorized transactions and identity theft,” FINRA said. “A key risk is that the aggregators could be storing all consumer financial information or security credentials in one place, creating a new and heightened security risk for consumers.”
In issuing the warning, FINRA waded into a debate that has been going on for more than two years among banks, fintechs, aggregators and regulators including the Consumer Financial Protection Bureau.
Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research, thought the message was timely and echoed concerns banks have expressed.
“FINRA’s warning is prudent, especially as more and more fintechs have joined the wealth management and investment space,” he said. “These organizations are unregulated, but are being trusted with access to investors’ financial accounts. If these organizations are compromised in a breach, or if their apps are vulnerable, the credentials for a variety of investors’ accounts — including traditional bank accounts — could be misused and leave investors exposed to financial losses where they have limited recourse.”
U.S. Bank and other banks have argued that if consumers share their login information with a third party and fraud occurs, liability protections will no longer apply.
“Data breaches and leaky apps are very common, and until open and secure banking [application programming interfaces] proliferate, investors should be very careful about their use of aggregators,” Pascual said.
How risky are the data aggregators? And are they doing everything they need to do to protect against fraud, unauthorized transactions and identity theft? These are questions banks and financial advice firms must answer as they continue to work with these companies to provide third-party services customers want and to upgrade their own services.
Data aggregators were bewildered by the timing and wording of FINRA's notice.
“I don’t know who is whispering in their ear,” said an executive at one data aggregator who did not want to be identified by name. “They’re not one of the groups that have been going deep on this issue and that have a sophisticated understanding of the issues.”
A FINRA spokesman said “this is an emerging issue that has crossed our radar in light of increasing concerns about data security and privacy. Our educational goal whenever possible is to proactively inform investors so they can make smart decisions and avoid problems.”
Steve Smith, CEO of the data aggregator Finicity, had a more positive reaction.
“Generally they made some good points, and I don’t think as an aggregator you can be cavalier and just assume you can jump into the market and start aggregating data without taking a mature approach to the services you’re providing,” he said.
Lowell Putnam, CEO at the data aggregator Quovo, said he liked the FINRA guidance. “It’s not overly conservative, just rational, reasonable and it shows a regulator paying attention to the issue,” he said.
He welcomed the attention being paid to the issue. “Our customers almost always give this same type of guidance and cautionary advice to their end clients before they aggregate their accounts,” Putnam said.
Kyle Marchini, senior analyst of fraud management at Javelin, pointed out that any time information is shared with a third party, that information can be compromised. The level of risk depends on the type of data being shared and the method used to share it.
The most dangerous form of information sharing, in Marchini’s view, is screen scraping, where the consumer gives her user name and password to the aggregator, which logs in as the consumer and extracts recent transaction information to populate its service. The aggregator has to store and maintain those credentials for the life of the relationship and often beyond.
“We all know that consumers who set up an account with an aggregator for some type of service will sometimes use it for a couple of months, forget about it, delete the app, and the aggregator will keep pulling the information from the banking site,” Marchini said.
Screen scraping can also interfere with a bank or wealth management firm’s ability to form robust risk-based profiles of its users, he pointed out.
“The aggregator, because it’s a bot, looks like a bot, so you see odd logins from different locations at different times,” Marchini said.
More recently, he noted, data aggregators have been creating formal agreements with banks under which data is shared through an API. Here, the user does not have to provide a user name and password to the aggregator. Where the OAuth authentication protocol is used, the user is directed to her bank website where she can log in directly. Some banks, like JPMorgan Chase and Wells Fargo, also have portals through which consumers can see what sites have access to their information through these APIs. If they have not used a personal financial management service like Mint in several months, they can turn data sharing off.
“That improves transparency and also means Mint doesn’t have to keep storing my user name and password,” Marchini said. “That decreases the risk.”
There is also a middle ground, in which aggregators leverage the APIs banks use to populate their own websites. Here they still use the customer’s credentials but they do not screen scrape.
The data aggregators say they're just as secure as banks.
A spokeswoman for the data aggregator Yodlee, a unit of Envestnet, said it adheres to, and in many cases exceeds, the security and risk management standards required to engage with consumers and their financial data.
“Yodlee is supervised and examined by the [Office of the Comptroller of the Currency] and all major regulators, including nearly 200 individual audits by financial institutions over a recent 24-month period,” she said. She also pointed to Yodlee’s data security and privacy standards page.
Finicity goes through SOC 2 audits, is PCI compliant and is audited by third parties, Smith said.
He does not see a need for data aggregators to go through the same regulatory scrutiny as banks, though. “I’m not holding assets, I’m a service provider. I’m not a bank,” he said. “It’s a little cavalier to say aggregators need to be held to the same regulatory standard.”
Putnam argued that Quovo is more secure than a bank because its technology is five years old, whereas many banks have 50-year-old legacy systems.
“My bank data inside Quovo is encrypted, tokenized and split across multiple regions in Amazon Web Services,” he said. “There’s no way to pull a single transaction of my bank data or my routing number and connect it to an individual. You’d have to steal the entirety of Quovo in order to piece together one person’s data. When I think about where is my data safer, is it with a professional organization that logs in through secure methods or from the existing banking infrastructure or me logging in from an unsecure Wi-Fi network in a coffee shop?”
Quovo is also working with several large banks to create OAuth-based APIs, he said.
The aggregators and Marchini also pointed to a security upside of using data aggregators: A consumer who can monitor all her accounts in one place is more likely to notice if something weird is happening.
“I would argue the system would be less safe if we weren’t in it,” one aggregator said. “I have a 401(k) — I generally don’t check it regularly, so if funds are missing, how are you going to know that as a consumer and fix that? We make that easier by allowing for the free flow of data.”
The FINRA warning advises consumers to vet data aggregators before allowing them to scrape their data.
For instance, it asks consumers to find out if the aggregators will share their security credentials and data with other data aggregators or service providers; sell their data to third-party entities; or use encryption when retrieving their data. Each consumer is expected to know how long the data will be retained; what the process is for purging or disposing of the data once a contract has been terminated; what happens if there is a data breach or any unauthorized access to the account; what type of liability the aggregator bears in the event of a consumer loss due to a data breach or unauthorized access; how accurate the aggregator’s scraping algorithms are; and more.
This is too much to ask of a consumer who in all likelihood barely knows what data aggregation is, firms argued.
“It’s absolutely not realistic,” Putnam said. “Aggregators are almost always a middleman. When you use an online service or app or even a service from a provider that uses aggregation under the hood, there are very few end customers that realize the aggregator is acting on their behalf as their agent.”
In his view, banks, fintechs and aggregators need to do a better job at disclosure.
“In the spirit of transparency, we need to make it more clear who touches their data at every step in the process,” Putnam said. “Asking the consumer to do research is excessive. Asking the apps and people like Quovo to make that communication process more clear and conspicuous at the time that consent is given is the solution.”
Banks could message consumers with something like: App X would like to see your current holdings and recent transactions in order to give better financial advice, or to help you pick a better allocation. The disclosure would make clear who the third party is that will receive the data.
“That screen, properly built and maintained, is something we can as an industry work to create,” Putnam said. “That’s something institutions, aggregators and apps to consumers are all very aligned on.”