A new type of vendor service aims to make life easier for bankers who want to assess the risks of working with certain data aggregators.
Several large banks, including Bank of America and JPMorgan Chase, have recently piloted the Streamlined Data Sharing Risk Assessment offered by The Clearing House and the risk-assessment providers TruSight and KY3P. The two companies collect aggregators’ responses to hundreds of questions, review their internal documents and conduct on-site visits.
The service is intended to produce standard risk assessments of data aggregators like Plaid, Finicity, Envestnet Yodlee and Intuit, which banks can then reference before deciding to forge a data-sharing agreement with one of the firms. Helping banks complete that due diligence is crucial to unlock data securely, better enabling customers to use third-party fintech apps like Venmo and Betterment.
“The new service makes it easier for aggregators to provide information to banks and for banks to assess their risk,” said Paul LaRusso, managing director of digital platforms at JPMorgan Chase.
U.S. Bancorp, Truist Financial, PNC Financial Services Group, TD Bank and Wells Fargo also participated in the pilot. JPMorgan and some of the others have signed on to continue using the service beyond the pilot.
Such services are bound to be in demand as consumers continue to choose to use fintech apps that require their bank account data to work properly. But banks have objected to screen-scraping methods in which third parties log in to customers’ online banking profiles to feed account information to fintech services.
Banks can opt to work with aggregators to share data more securely through application programming interfaces. But working with data aggregators comes with risks as well.
The Clearing House wants to move the banking industry away from screen scraping and toward “an ecosystem where there are agreements in place for API-based data sharing, which we believe is more safe and secure as well as ultimately more transparent to consumers,” said Ben Isaacson, senior vice president at The Clearing House.
Up to now, the vendor risk assessment process has inhibited reaching this goal, he said.
“When you think about the hundreds of questions, documentation reviews and on-site visits, those are very cumbersome for all parties involved,” Isaacson said.
As banks consciously pass data from their own servers to the outside world, they have to ensure that that data is kept secure and private and that the data aggregator won’t do anything that violates customers’ trust. Banks also have to make sure the data aggregators meet basic vendor management risk guidelines set by the Federal Financial Institutions Examination Council.
Assessing the risk of aggregators “facilitates data-sharing agreements and APIs that allow banks to share only the type of information the app or institution needs, such as balances and transactions, and only from the accounts specified by the customer,” said LaRusso.
This has been a sore point for banks: data aggregators that screen-scrape customer data have reportedly taken as much data as they want. Banks would like data aggregators to limit themselves to taking only the data required by their fintech clients, and API agreements can facilitate that.
Another beef banks have had with data aggregators like Plaid is how long they hold on to customer data, when their assigned role is simply to pass the data to a fintech that needs it.
In an analyst call last week, JPMorgan CEO Jamie Dimon complained of “people who improperly use data that’s been given to them, like Plaid.” The bank and Plaid
“Agreements are always compromises,” Isaacson said. “One party wants one thing, one party wants another. Both sides don't get everything.”
The new assessment service does not delve into such issues, which Isaacson said need to be addressed in the contract between a data aggregator and a bank. The Clearing House created a model agreement last year that covers acceptable use of data and specific points such as how long data aggregators can store it.
Plaid and Finicity went through the recent pilot. The resulting assessments of the two aggregators — their answers to questions, documentation, reports on on-site visits and information on how they are remediating any gaps — are stored at TruSight. Any bank that wants to access the reviews can sign up for TruSight’s service but must also get the aggregator’s permission.
The Clearing House, TruSight and KY3P are not liable if something goes wrong in the relationship between the bank and the data aggregator or fintech.
“The regulatory requirement is that the bank has to make its own risk decisions,” Isaacson said. “We can't make the risk decision for them. This has all the documents they need to make that decision.”
What the assessment will do is save the bank time, he said. Such vendor assessments typically take three to six months, he said. This also saves the data aggregator the time of dealing with hundreds of identical requests from potential bank partners.
“The reason why our banks wanted us to spin up this initiative is because they know that their customers want to use fintech apps,” Isaacson said. “The banks want to make it easier for customers to use these apps and this will ultimately help these banks get through these assessments a little quicker.”