A collision of rules in the evolving world of online banking

For a long time, consumers conducted their banking activities at brick and mortar branches. But increasingly, like most things in life, banking has moved from the physical world to the virtual world. The migration of banking and money management to online channels has given rise to new players and new challenges.

Growth in online banking

Online banking in its modern form has been around since the mid-1990s. From its inception until the present, the growth in online banking has been remarkable. In 1999, it was estimated that 5 million U.S. households engaged in internet-based banking. By 2013, more than 51 percent of U.S. adults, or 121 million Americans, engaged in online banking, according to a Pew Research Center report.

While online banking provides a wealth of nearly real-time financial information, it also burdens consumers with management of large amounts of data from many different institutions. To address these burdens, companies providing financial data aggregation services have sprung up symbiotically alongside online banking.

Financial data aggregation

Financial data aggregation allows individuals to pull account information from multiple banks and financial institutions to a single online location managed by an aggregator.

In order for a data aggregator to do its job, an individual will typically need to provide his or her online account usernames and passwords to the data aggregator. Using those credentials, the data aggregator pulls the relevant financial information directly from the bank websites at which the individual’s accounts are maintained.

Data aggregation services are popular. Mint.com, a prominent financial data aggregation service, claims that it has more than 20 million users. Yodlee, another financial data aggregator, reports that it supports more than 21 million users.

Relationship between banks and aggregators

Not infrequently, friction arises between banks and data aggregators due to a combination of regulatory, security and technical factors.

Banks are subject to detailed information security rules related to customer data protection. In contrast, aggregators are generally not required to comply with the same exacting data security requirements. Hackers might find aggregators promising targets, given that aggregators maintain the same sensitive data and access credentials as banks, while being subject to less rigorous information security regulations.


Banks also have potential liability for unauthorized electronic fund transfers made from their customers’ accounts. If as a result of a breach of an aggregator’s systems, a bank customer’s username and password are used to transfer funds without authorization, the bank would potentially be liable for that unauthorized transfer.

Beyond these regulatory and security issues, bank systems can also be strained when large numbers of data aggregators access the systems and data.

Possible voluntary solutions

Some banks and data aggregators have begun addressing these concerns. One solution gaining acceptance involves combining electronic tokenization with the use of a dedicated data channel, or application programming interface (API). As part of this solution, a bank customer authorizes his or her bank to provide a data aggregator with an electronic token, which is essentially a virtual account access key.

The data aggregator then uses the token, in lieu of usernames and passwords, to access the customer’s account information through a bank-provided API. Eliminating the need for data aggregators to access customer access credentials substantially reduces the security risks associated with financial data aggregation services. Receiving data through a dedicated API will also likely result in cheaper and more reliable data access for the data aggregator and fewer burdens on bank systems.
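The following Python sketch is an added illustration, not code from the article or from any bank or aggregator, of why the token-and-API model reduces risk: a shared password gives whoever holds it every capability the customer has, while a bank-issued token is scoped to read-only access, expires, and can be revoked by the customer. All account data, names and functions here are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed sample bank data: one customer, a couple of transactions.
ACCOUNT = {"owner": "alice", "password": "hunter2", "balance": 1000.00,
           "transactions": ["2016-10-01 COFFEE -4.50", "2016-10-02 PAYROLL +2500.00"]}
TOKENS = {}  # token value -> {"scope": frozenset, "expires": epoch seconds, "revoked": bool}

def password_login(user, password):
    """Credential-sharing model: the password holder can read AND move money."""
    if user == ACCOUNT["owner"] and hmac.compare_digest(password, ACCOUNT["password"]):
        return {"read": True, "transfer": True}
    return None

def issue_token(user, password, scope=("read",), ttl=3600):
    """Tokenized model: the customer authorizes the bank to hand the aggregator
    a scoped, expiring access key instead of the password itself."""
    if password_login(user, password) is None:
        raise PermissionError("customer authorization failed")
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = {"scope": frozenset(scope), "expires": time.time() + ttl, "revoked": False}
    return tok

def _token_allows(tok, capability):
    meta = TOKENS.get(tok)
    if meta is None or meta["revoked"] or time.time() > meta["expires"]:
        return False
    return capability in meta["scope"]

def api_transactions(tok):
    """Bank-provided API endpoint the aggregator calls with the token."""
    if not _token_allows(tok, "read"):
        raise PermissionError("token not valid for read access")
    return list(ACCOUNT["transactions"])

def api_transfer(tok, amount):
    """A read-only token cannot be used to move funds, even if it leaks."""
    if not _token_allows(tok, "transfer"):
        raise PermissionError("token not valid for transfers")
    ACCOUNT["balance"] -= amount
    return ACCOUNT["balance"]

def revoke_token(tok):
    """The customer (or bank) can cut off the aggregator without a password change."""
    TOKENS[tok]["revoked"] = True
```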

Financial regulatory action

Financial regulators are also considering actions that could potentially assist (or complicate) efforts to resolve tensions between banks and data aggregators.

The Federal Trade Commission (FTC) regulates the information security practices of non-banks engaged in financial activities through its safeguards rule, which likely covers many data aggregators. However, the safeguards rule is neither as detailed nor as stringent as the banking information security regulations. The FTC is seeking public comment as to whether the safeguards rule should be expanded to cover more entities.

The Office of the Comptroller of the Currency (OCC) recently announced that it will move forward with plans to issue special purpose national bank charters to financial technology firms. Under the OCC’s proposal, charters could be issued to data aggregation firms engaged in money movement activities. Firms that receive such a special purpose charter would be subject to the same laws, regulations and supervision as other national banks.

The Consumer Financial Protection Bureau (CFPB) has also started a process that may ultimately result in regulations that directly impact the financial aggregation industry. Under the Dodd-Frank Act, banks must make available to consumers, upon request and in electronic form, various financial account related information.

Dodd-Frank grants the CFPB power to impose rules related to this electronic data access. Banks already make available a wide variety of account information in electronic form at their websites. Yet in recent public statements, CFPB Director Richard Cordray has implied that data access from bank websites may not be sufficient and that consumers should have a choice in how they manage their financial data.

To that end, the CFPB has published a request for information seeking public comments on financial data aggregation services. The CFPB intends to use these comments to evaluate whether it should provide guidance or impose regulations relating to financial data aggregation services. The request creates some uncertainty as to how financial data aggregation services will be regulated in the future.

In the short term, the request may have the unintended consequence of impeding voluntary efforts by banks and data aggregators to find market-based solutions, as the industry takes a wait and see approach pending further CFPB action.

Next steps for data aggregation

Over the long term, data aggregators and banks will likely continue working on joint solutions that ensure consumer data access choice and better protection of consumer data. Regulations recognizing the responsibility of all participants to equally protect and securely distribute customer data may further help these collaborative efforts.

Todd Taylor is an attorney at Moore & Van Allen in Charlotte, North Carolina. He leads the firm’s practices focused on privacy, information security and transactional matters, with an emphasis on supporting clients in the financial services industry. He previously served as an in-house attorney at Bank of America, where he worked extensively on technology, supply chain and third party servicing arrangements.


The views of Contributors are their own and are not the views of The Hill.