Who’s on the hook for a hack? Aggregators team up on answer

The decades-running debate on how consumers share bank data to use digital services like Betterment, Kabbage and Mint is evolving again.

The focus has shifted from criticizing banks for intentionally blocking apps from collecting someone’s data when a consumer puts the request in to establishing standards that find ways around those hurdles to create a new model for data-sharing.

Three leading data aggregators — Envestnet’s Yodlee, Quovo and Morningstar's ByAllAccounts — have united to create a data-sharing framework aimed at preserving innovation by providing the industry direction on transparency, traceability and accountability. As they see it, sharing data does not create a safety and soundness issue — both are permitted so long as standards are in place.

“It’s not either or,” said Anil Arora, chief executive of Envestnet’s Yodlee, which has been in the data aggregation business since 1999.

The framework is already backed by the Consumer Financial Data Rights Group, a consortium of fintech companies. They hope fintechs, banks and aggregators will uphold the framework’s principles at a time when other countries have made inroads on data-sharing collaboration.

The aggregators plan to publish the details of the “Secure Open Data Access” framework on Monday and provided an early preview to American Banker. Most strikingly, the so-called Soda framework answers a long-held question on liability in saying the entity responsible for a consumer’s financial loss must make that consumer whole.

To help realize this objective, the framework said aggregators will “reasonably establish that third-party customers have capacity, through capital, insurance, or any other means, to make whole any consumers who suffer a financial loss as a result of a breach at a third party.”

The framework also says that aggregators will “adhere to industry best practices on data security and privacy” and implement traceability and transparency onto their platforms so that consumers, regulators and others can have more clarity into who has access to what information and for what purpose. It did not detail how.

Third-party companies are also expected to ask a consumer for clear and conspicuous consent to provide access to data — a particularly salient point in the wake of the Facebook data scandal exposing the value of someone’s data.

In creating a framework, the aggregators are plunging even deeper into a debate that is only getting hotter as data breaches mount, ever-more apps are crunching bank data to deliver a product or service and questions of what company has what data are in the spotlight.

The Consumer Financial Protection Bureau published a set of data-sharing principles last year that affirmed consumers’ ownership rights over their financial data. Observers welcomed the sentiment but saw the non-binding principles as too vague — leaving the door open for more collaboration. The Center for Financial Services Innovation has also published a framework on data portability. And the Securities Industry and Financial Markets Association recently released guidelines.

Chief executives from Quovo and Yodlee see the Soda framework as balancing self-interests to make progress on something that is imperative for consumers and small businesses: the ability to securely share their data.

To be sure, the framework would benefit a data aggregator company that makes money on selling the technology. Yodlee has taken heat on reselling anonymized data to investors and others. But they say the framework is designed to put the consumers’ needs first.

The data aggregators argue the framework’s principles are critical to follow in order to avoid a fractured market that could put consumers’ data at risk of being held hostage.

Institutions like Wells Fargo, Capital One, Fidelity Investments and JPMorgan Chase have been striking data-sharing deals with fintech companies such as Intuit and Finicity. While it points to progress, it also introduces a concern: how could a smaller company pursue a model that requires it to make a deal bank-by-bank, customization-by-customization?

“It’s becoming overly complex,” said Arora.

The disjointed model could also lead to banks cherry-picking what data they share with a nonbank app — saying yes to bank balances and no to interest rates, for example. In the framework, the aggregators elaborated on the danger:

“Several financial institutions continue to demand, through proposed bilateral agreements with aggregators and other third-party providers, significant restrictions that would limit the types of data their customers would be permitted to access and the types of applications their customers would be permitted to use.”

The framework’s principles are meant to get the various stakeholders aligned in getting in front of the problem and benefit whatever innovation comes next.

For the framework to have legs, banks will have to support it. Historically, uniting fintech companies and banks on a model requiring banks to rethink the way they guard assets has been about as easy as a novice’s first day in a bullring.

But banks use aggregation services too and pressure is mounting. In Europe, the United Kingdom and elsewhere, stakeholders are collaborating to a greater degree than the U.S. — putting the competitive fintech edge at risk here.

“It worries us,” Arora said.

Yet Yodlee and Quovo aren’t advocating for legislation — not just because the likelihood of something passing in the current political environment is dim. But because there isn’t enough resistance to merit additional law.

“I don’t think there needs to be a stick coming out from Washington,” said Lowell Putnam, co-founder and chief executive of Quovo, a data aggregator. “There is enough of a carrot coming from institutions to make it happen.”

The aggregators are urging policymakers to clarify existing regulations and guidance, such as Reg E, so that it is clear whether a bank must make the consumer whole in the event of a breach for which the bank is not at fault.

Already, Yodlee and Quovo have shared the framework with customers, prospective customers and regulators. The aggregator execs said they are open to input on the framework from banks and the next step, as Arora put it, is: “Now it’s a question of how do we get to critical mass?”