The Office of the Comptroller of the Currency recently made clear that banks aren’t necessarily entering third-party relationships when they allow customers to use fintech apps powered by aggregators.
This presents a potential benefit for consumers, banks, aggregators and fintechs — but only if everyone works together to get it right. If not, it could create compliance burdens that limit consumer choice.
Consumers have the right and ability to control, access and share their own financial information with the apps they choose. This has been true since the Dodd-Frank Act of 2010. But the question remained as to how companies should manage that new reality.
The OCC released FAQs March 5 on banks’ relationships with data aggregators, the companies consumers rely on to use thousands of financial technology applications. The FAQs set principles around aggregator security practices that the industry should welcome.
If implemented well, those practices will help banks modernize risk management for the digital financial ecosystem and ensure that all consumers have access to innovative financial products and services.
Consumer choice drives data-sharing with fintech apps. Recognizing this, the OCC clarified that if banks aren’t receiving a direct service or benefit from the aggregators that power these apps, the level of risk for banks is actually lower than in typical business arrangements.
Yet, the FAQs also recognized that the relationship between banks and aggregators must be secure and sound for consumer protection. The OCC advised banks that they should follow certain principles in evaluating aggregators for security, even if there is not a business relationship with them. Plaid agrees wholeheartedly.
A practical example of how the OCC’s FAQs will ease relationships between banks and aggregators is so-called white lists.
A common request aggregators make to banks is that the bank “white lists” the aggregator’s IP addresses, so that it is clear when requests come through them. White-listing helps everyone: connections are higher-quality for fintechs, and banks can more easily identify and block rogue actors.
Yet some banks were unsure that the OCC would approve. The FAQs make clear that the OCC will look for banks to conduct “ongoing monitoring of data-sharing activities,” which white-listing permits.
Scaling diligence obligations to hundreds of banks could risk new compliance burdens. The best way to avoid this is through a set of common standards with which banks can evaluate aggregators' data-sharing security.
For example, Plaid is currently in a pilot program with The Clearing House and some of the nation's most innovative banks to test out an approach for doing this. And the OCC's encouragement of such programs is a step in the right direction.
Despite the positive opportunities the OCC’s FAQs signal, the OCC is silent on how to protect consumer choice and freedom. Without clear rules that protect consumer rights, the OCC’s guidance that “safeguarding of sensitive customer data should be a key focus” may lead to unbalanced implementations that block consumer choice.
The implications of failing to get this balance right are severe. According to the Financial Data Exchange, 50-100 million consumers could lose access to their favorite financial apps. Community bank and credit union customers would be hit the hardest.
Fortunately, Congress mandated an agency to protect consumer financial data access. Two weeks ago, the
To amplify these efforts, Plaid also proposed
Now is the time for the CFPB to build on the OCC’s work and further define what rights consumers have, and the necessity of consumer choice and freedom.
As the agency charged with protecting consumer financial data access, the CFPB should take a step to round out the OCC’s FAQs with rules that ensure that the proper balance between safe and secure access and consumer choice is met.