Regulators have been urging banks to be careful in their dealings with vendors and other third parties for years. The ongoing threat of security and privacy breaches demands it.
But what about data aggregators, who in some cases glean customer account data from banks’ servers without the banks even knowing? The Office of the Comptroller of the Currency has some advice.
On March 5, the national bank regulator
Much of the OCC’s guidance is straightforward. But some feel the heavy emphasis on security could hamper open banking and data sharing in the United States.
“I don’t think it moves the ball forward,” said
Jason Gross, CEO of Petal, also sees the OCC’s guidance as an impediment to open banking and data sharing.
“It looks like the OCC guidelines require the banks to exert more governance over any connections to their consumer data,” Gross said. “Unfortunately, this does not solve the problem for consumers who are seeking to conveniently port their data to another bank or fintech and are unable to do so reliably. It may in fact be a step backward for open banking in the U.S.”
And Jo Ann Barefoot, co-founder and CEO of the Alliance for Innovative Regulation, said the OCC's cautious tone could become an excuse for banks to not work with data aggregators.
"Regulators have to strike a delicate balance between assuring protection and enabling innovation," Barefoot said. "A huge swath of the most pro-consumer, cutting-edge fintech innovation would die off if companies couldn't access people's bank accounts. We will probably see banks citing the OCC statement as a basis for restricting access, but I expect the issue will keep evolving as the parties all strive for further clarification over the next few years."
An OCC spokeswoman was unable to provide an agency official for an interview or answer questions about the March 5 bulletin before the deadline for this story.
What makes aggregator relationships different
One thing the OCC laid out for the first time in its bulletin is that banks' relationships with data aggregators can be different from the relationships they have with vendors or other third parties.
The OCC noted that banks may not receive a direct service or benefit from arrangements with aggregators, and that the bank's level of risk is therefore lower than in more traditional business arrangements.
“Traditionally, third-party relationships mean a vendor contract that a bank signs with someone, where you are making an arrangement to provide a service to the bank,” said John Pitts, policy lead for Plaid. “Fundamentally both aggregation and fintech are different than that. These are new guidelines, and we are talking to banks to make sure we understand their perspective, but we interpret this as a signal from the OCC that banks should not be using the model that they've got for traditional third-party companies for thinking about aggregation.”
The OCC breaks banks’ relationships with aggregators into two categories of risk and due diligence.
The first category is when banks have a data-access agreement and share an application programming interface with a data aggregator as in, for instance,
"Regardless of the structure of the business arrangement for sharing customer-permissioned data, the level of due diligence and ongoing monitoring should be commensurate with the risk to the bank," the guidance says.
"Information security and the safeguarding of sensitive customer data should be a key focus for a bank’s third-party risk management when a bank is contemplating or has a business arrangement with a data aggregator," the guidance continues. "A security breach at the data aggregator could compromise numerous customer banking credentials and sensitive customer information, causing harm to the bank’s customers and potentially causing reputation and security risk and financial liability for the bank."
The second category involves screen scraping, where data aggregators log in with a bank customer’s username and password and scrape the customer's account data. The OCC does not consider this a business arrangement, but it does say banks still have to apply some risk management to it: they need to understand the ownership and business practices of the data aggregator, and they need to monitor data-sharing activities.
An endorsement of white listing?
By requiring banks to monitor data aggregators' behavior on their servers, the OCC appears to be providing clarity on the practice of white listing data aggregators’ IP addresses, the numeric designations that identify their locations on the internet. This is something the data aggregators have been pushing for.
“We want to make sure that it's clear that it's aggregator traffic coming in,” Pitts said. “The benefit to us is that we don't accidentally get blocked because the bank can't tell who the traffic is coming from. The benefit to the banks is that they know exactly how much aggregation traffic is happening to them and they're able to monitor data-sharing activities.”
Banks have raised questions about whether white listing would make their relationships with aggregators seem like third-party relationships that need to be regulated by federal interagency guidelines.
“This is saying you can do white listing, you can talk to the data aggregator and understand them better, without triggering a higher obligation on yourselves as a result of that conversation,” Pitts said.
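The monitoring the OCC asks for, and the visibility Pitts describes, both rest on being able to tell aggregator traffic apart from customers' own logins. The following is an added illustration, not code from the article, Plaid, or any bank: it labels constructed login events against a constructed allowlist of aggregator IP ranges (documentation-only prefixes, not any real aggregator's addresses), reports how much aggregation traffic each named aggregator generates, and flags non-allowlisted addresses that log into many different accounts, which is what an unidentified screen scraper looks like in a bank's logs.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist: aggregator name -> source ranges it has declared.
# These are RFC 5737 documentation prefixes, used here purely as placeholders.
AGGREGATOR_RANGES = {
    "aggregator-a": ["192.0.2.0/24"],
    "aggregator-b": ["198.51.100.0/25"],
}

# Constructed login events, one per line: "<timestamp> <source ip> <account id>".
SAMPLE_LOG = """\
2021-03-05T08:00:01Z 192.0.2.17 acct-1001
2021-03-05T08:00:02Z 192.0.2.17 acct-1002
2021-03-05T08:00:03Z 192.0.2.18 acct-1003
2021-03-05T08:00:04Z 198.51.100.9 acct-1001
2021-03-05T08:01:00Z 203.0.113.5 acct-1004
2021-03-05T08:01:01Z 203.0.113.77 acct-1005
2021-03-05T08:01:02Z 203.0.113.77 acct-1006
2021-03-05T08:01:03Z 203.0.113.77 acct-1007
2021-03-05T08:01:04Z 203.0.113.77 acct-1008
"""


def label_source(ip):
    """Return the allowlisted aggregator a source IP belongs to, else 'direct'."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in AGGREGATOR_RANGES.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return "direct"


def summarize(log_text, unknown_threshold=3):
    """Per labelled source: (login count, distinct accounts). Also list
    non-allowlisted IPs that touched at least `unknown_threshold` accounts."""
    logins = defaultdict(int)
    accounts = defaultdict(set)
    per_ip_accounts = defaultdict(set)  # only for non-allowlisted traffic
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, acct = line.split()
        src = label_source(ip)
        logins[src] += 1
        accounts[src].add(acct)
        if src == "direct":
            per_ip_accounts[ip].add(acct)
    suspicious = sorted(ip for ip, accts in per_ip_accounts.items()
                        if len(accts) >= unknown_threshold)
    return {s: (logins[s], len(accounts[s])) for s in logins}, suspicious
```

On the constructed log, the two named aggregators account for four of the nine logins, and 203.0.113.77 is flagged because a single non-allowlisted address logged into four separate customer accounts.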
Too much focus on security?
One objection some have to the OCC guidance is its emphasis on information security for safeguarding sensitive consumer data.
“The OCC doesn't have the same mandate that, for example, the [Consumer Financial Protection Bureau] does to protect consumer data access under Dodd-Frank 1033,” Pitts said. “There's a lack of balance here. I think that puts additional pressure on the CFPB to keep pace with that work from the consumer side.”
The CFPB is thinking about crafting specific rules to enforce section 1033 of the Dodd-Frank Act, which gives consumers the right to access their bank account data.
“The bank security concerns can't completely supersede that consumer's decision,” Pitts said.
Gross also said the OCC guidance puts the ball in the CFPB’s court.
“This makes it even more important that the CFPB executes on its statutory directive to prescribe rules ensuring consumers have full and reliable access to their own financial data,” Gross said. “Absent that, innovative companies like Petal that benefit underserved consumers may cease to operate in the U.S., which will continue to fall behind its peers on the global stage.”
Pitts would like to see the CFPB come out with a narrow, lightweight rule on 1033 that confirms the scope of the consumer's right to access their account information.
Data aggregators like Plaid say they should be able to access any information a consumer can access about their bank account, while banks tend to believe the scope of the data that aggregators can access should be restricted.
In a recent panel discussion hosted by the CFPB, Becky Heironimus, managing vice president of customer platforms, data ethics and privacy at Capital One Financial, argued that some data should not be shared.
“Everyone in the ecosystem has data that's proprietary to them that's created and personalized or customized for their business through their own models, through their own insights,” she said. “We create personalized and customized products for consumers that are based on the proprietary methodology of our company, and that information belongs to the business itself versus the consumer.”
Specific product terms, features and functions fall under this category, she said.
Pitts at Plaid countered that data aggregators should be able to scrape product terms such as interest rates.
“The interest rate you're sharing with the customer is still the customer's interest rate, and the customer's interest to be able to shop that rate is what 1033 protects, as the CFPB identified in its consumer access principles.”