SIFMA Announces Principles to Safeguard Customer Data

SIFMA has released its Data Aggregation Principles to protect member firms and their customers against potential security breaches and misuse of personal financial data by third-party aggregators.

Million of customers are using third party aggregators, such as Mint and Personal Capital, via websites and mobile apps to access a complete picture of their finances on a real-time basis. While these services make it easier to budget and plan, the conveniences they provide come with risks, including misappropriation of data and potential fraud, according to SIFMA.

(Related: Talking Financial Data Portability With Digital Expert Rob Foregger)

The securities industry trade organization is especially concerned about “screen scraping” when third-party aggregators, who have been given login credentials to customers’ financial accounts, move that data onto their own platform.

“Personal data is the most important currency anyone has in the digital economy,” said Lisa Kidd Hunt, SIFMA chair and executive vice president, business initiatives at Charles Schwab & Co., who presented the principles along with SIFMA President and CEO Ken Bentsen and Associate General Counsel Melissa MacGregor at the SIFMA Private Client Conference in Naples, Florida. “Clients expect their data to be protected at every turn … We have a great responsibility as an industry to work together to protect that information.”

(Related: FINRA Warns of Data Aggregation Dangers)

Hunt likened the principles are to a “a consumer aggregation Bill of Rights … written from the consumer’s perspective.”

The four principles, which we’ve paraphrased slightly, are:

• Access: Customers may use third parties to access their financial account data and SIFMA member firms believe that access should be safe and secure.

• Security and Responsibility: Customers should not have to share confidential account credentials with third parties. They deserve assurances that anyone accessing their account data will keep it safe and secure, use the same data and security standards followed by regulated financial institutions and take full responsibility for any data that they receive and provide to others.

• Transparency and Permission: Customers should receive a clear and conspicuous explanation of how third parties will access and use their account data. They should be able provide consent before third parties use the data and have the ability to withdraw that consent easily and at any time with confidence that the collection will cease and that access to their credentials and to data already collected will be deleted.

• Scope of Access and Use. Any data beyond customer financial account data, such as asset movement or third-party trading, should be subject to separate agreements and separate informed consent for use by third parties.

SIFMA is encouraging member firms and aggregators to use application programming interfaces (APIs) or other secure technologies as a way for data aggregators to access customer data without using customer login credentials.  With APIs, aggregators get access to the data via a separate portal agreed upon with the financial institution that houses the data.

But SIFMA is not prescribing any specific technology. “Member firms are better suited to push out to their own clients and develop whatever protocols they want,” said Bentsen.

And they don’t have to start from scratch, said MacGregor, who suggested that firms consider the model API available from the Financial Services Information Sharing and Analysis Center.

For educating their customers, firms can check out available at SIFMA’s Project Invested on its website, said Hunt, adding that she hopes to see firms also create their own customer educational materials.

— Check out Complacency Is Weakest Cybersecurity Link: Dalbar/ThinkAdvisor Study on ThinkAdvisor.