finra-data-aggregation

Editor’s Note: Following right behind FINRA, SIFMA also released data aggregation principles. They contain a lot of the same advice, but both are worth reading. Read below to find out how Finicity aligns with FINRA and SIFMA.

The digital world has changed our lives dramatically. We have more information and insight at our fingertips than could have been imagined just a generation ago. And while that is a monumental change, one thing hasn't changed: the ability to make great decisions depends on having great information, or data. Our ability as individuals or organizations to take a broader view and gain deeper insight into our own financial situation, and to manage our financial wellness, is almost limitless in the digital era. One of the challenges is that our information resides in so many different financial accounts. Having a clear view across that complex financial landscape has been one of the gaps in understanding and managing our financial lives.

Luckily, a wide variety of services and applications now bring that information together into simple, digestible experiences. Often these apps apply the analytics and intelligence needed to generate the insights we use to make better decisions.

Gathering all this information and making it readily accessible requires aggregating data across our financial accounts. Such financial data aggregation is a boon to innovation and to our ability to improve our finances. But as with all of our data, protecting and securing it is critical. As a result, FINRA (the Financial Industry Regulatory Authority, a not-for-profit regulator of broker-dealers) issued an investor alert titled "Know Before You Share: Be Mindful of Data Aggregation Risks." We suggest you take a minute to read it, as it provides some key points to consider when sharing your account information with a financial data aggregator such as Finicity.

We agree with FINRA that you should know with whom you are sharing your information, and how. Often you may not know which financial data aggregator is behind the service or app you're using. But it doesn't hurt to ask.

Financial data aggregation is our business, and it's critical that Finicity not only provides the most accurate and efficient data but also protects and secures that data.

Finicity prioritizes data security and consistently puts our security measures to the test through internal and external audits. We hold a SOC 2 Type II certificate and a PCI DSS 3.2 Report on Compliance. Furthermore, where we work with banks and financial institutions in certain relationships, such as direct API integrations, they audit our security standards and procedures, and do so on a consistent basis, to make sure we protect consumer data. On top of that, we screen the app and service providers to which we provide data to make sure their security standards are in line with our expectations and those of consumers.

Here are some of the key considerations suggested by FINRA, along with Finicity's positions. I've shortened FINRA's points so they are quicker to read and easier to address:

  • FINRA Q: Read the terms and conditions to know what rights you are granting with respect to accessing your financial accounts and using your data.
    • Finicity A: Couldn't agree more. It's your data and you should use it how you see fit. The terms and conditions should align with that. You should be prompted to accept these before you provide any of your credentials or personal information. This prompt is a great time to stop and read through them.
  • FINRA Q: Verify that the aggregator will access only the information needed for the service. Be aware there may be charges for certain transactions and services you elect to use.
    • Finicity A: Again, we're on board. In Oct. 2016 the Center for Financial Services Innovation published its paper Consumer Data Sharing Principles: A Framework for Industry-Wide Collaboration. We are strong supporters of their position, including their stance on data minimization: "Only the minimum amount of data required for application functionality are collected, and the data are stored only for the minimum amount of time needed." As for charges for certain transactions, these come through your app or service provider. We don't charge you, the consumer, directly.
  • FINRA Q: Understand the aggregator’s privacy and data security measures. Read the terms of use, privacy and security information. Here are some things to look for:
    • FINRA Q: Does (or may) the aggregator share your security credentials and data with, or provide access to your accounts to, another data aggregator or service provider? Does the aggregator sell your data to a third-party entity? If so, are you comfortable with that?
      • Finicity A: Sharing of security credentials with others is a no-go on our end. We are 100% committed to the security and privacy of your information. The app and service providers never have access to your security credentials. As for sharing of a consumer's data, for Finicity this is only possible if authorized by the consumer. And when this does happen, we share data with other data analytics firms we have partnerships with in an effort to continue to develop innovative solutions for our customers and their clients.
    • FINRA Q: Does the aggregator use encryption when retrieving your data? How long is the data retained? What is the process for purging or disposing of the data once you terminate your contract?
      • Finicity A: Encryption is essential to securing our data. We use TLS, encrypting connections and data in transit as well as data at rest. As for data retention, this depends on the application or service being used. For example, in our credit decisioning solutions for mortgage lending, we keep data for the time period required to complete the underwriting process. After this, all data is deleted except where retention is required by our position as a CRA. Some apps or services may require longer data retention. As for other data purging and disposal, our customers manage their customer relationships. So once a consumer engages with their app or service provider to have their data deleted, a deletion process is triggered and all of their data is completely purged from our systems. It's worth noting we are also on the path to becoming GDPR compliant, which further covers consumer rights in regard to data deletion.
    • FINRA Q: What happens if there is a data breach or any unauthorized access to your account? Is there a process in place to notify consumers and financial institutions should a breach occur?
      • Finicity A: If there were a breach, we certainly have a notification process. Not only do we believe we have a responsibility to inform our customers, but we are also legally and contractually obligated to notify our customers of a data breach. Through this notification process, we would provide all the details and required information so our customers, the app and service providers, can appropriately communicate with their customers.
    • FINRA Q: What type of liability, if any, does the aggregator bear in the event of a consumer loss due to a data breach or unauthorized access? Does the aggregator have the financial capacity or insurance coverage to compensate consumers for loss? Is there a dispute mechanism in place to resolve any issues related to data breaches or unauthorized access?
      • Finicity A: Consumers should certainly be diligent in preventing unauthorized access to or use of their credentials. However, in cases where Finicity experiences a data breach and such information is compromised, Finicity carries insurance to cover losses associated with the breach. As for a dispute mechanism, we do provide a process, which is communicated to consumers via the end-user license agreement.
  • FINRA Q: How accurate is the data provided? And what is done to ensure accuracy?
    • Finicity A: At Finicity, we work to get the very best data available, via direct integrations or by capturing source data, in the vast majority of our connections. We use the most accurate data sources available from each financial institution. We spend significant effort on monitoring data access and data quality from each financial institution. We are constantly testing these connections and vetting the data provided, and to that end we've created an FI Certification program to ensure certified institutions provide the data elements required for the services we offer. For example, Finicity credit decisioning products only use data sources that offer bank-issued unique identifiers, to mitigate duplicate transactions when compiling income, asset, and cash flow reports.
  • FINRA Q: Check with financial data providers to find out what, if any, data is delivered to aggregators through an Application Programming Interface (API), which is generally considered a safer alternative than scraping.
    • Finicity A: Finicity is at the forefront of direct API relationships with financial institutions. We've already announced relationships with two of the largest, Chase and Wells Fargo. We have others we haven't announced yet and are working on many more. But it's worth noting here the points made above: we are always focused on secure connections and getting the most accurate data. The vast majority of our data is obtained in this manner and not through screen scraping.
  • FINRA Q: Do your own online research and due diligence. Look up any reviews, complaints or lawsuits against the data aggregator or the third-party service provider you are contemplating using.
    • Finicity A: This is good advice. One challenge for consumers is knowing who the data aggregator is behind the app or service they are looking to use. So, as noted, a good starting point is looking at reviews of the apps and services being used and always looking for organizations that are well regarded in the market. Finicity is rightly proud of its A+ BBB rating and works daily to ensure any customer concerns or complaints are quickly and properly addressed.
  • FINRA Q: Finally, make sure you cancel your account and terminate the access and rights you have granted to the aggregator once you discontinue using the service. Failing to do so may expose your financial information to ongoing security risks. Understand and follow the steps that need to be taken to stop the ability of the aggregator to access your account. This may involve more than just deleting the software application from your computer or mobile device.
    • Finicity A: Here again, consumers will need to work through the app or service provider who manages their relationship. As noted above, we are more than ready to respond to data deletion requests and have a thorough process to do this.
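Three of the controls discussed above (data minimization, bounded retention with purge, and explicit revocation of a grant) can be illustrated with a small consent-grant registry. The following is an added example written for this page; it is not Finicity's code and makes no claim about how Finicity's systems are built. The scope names, app names, and records are constructed. The point it makes concrete is FINRA's last item: deleting the app from a device is a client-side event that the aggregator's server never sees, so access continues until the consumer revokes the grant through the provider.

```python
"""Consent-grant lifecycle for a data aggregator (illustrative model, not
any vendor's implementation). Demonstrates scope minimization, retention
purge, and why uninstalling an app does not by itself end access."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


@dataclass
class Grant:
    """One consumer's authorization for one app, scoped and time-bounded."""
    grant_id: str
    consumer: str
    app: str
    scopes: FrozenSet[str]
    retention_until: datetime
    revoked: bool = False


class ConsentRegistry:
    """Server-side record of grants and of the data retrieved under them."""

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}
        self._records: Dict[str, List[dict]] = {}
        self.audit: List[str] = []

    def issue(self, grant_id, consumer, app, requested, needed,
              retention: timedelta, now: datetime) -> Grant:
        # Data minimization: refuse any scope the service does not need.
        excess = set(requested) - set(needed)
        if excess:
            raise PermissionError(f"{app} requested unneeded scopes: {sorted(excess)}")
        grant = Grant(grant_id, consumer, app, frozenset(requested), now + retention)
        self._grants[grant_id] = grant
        self._records[grant_id] = []
        self.audit.append(f"issue {grant_id} {app} scopes={sorted(requested)}")
        return grant

    def fetch(self, grant_id, scope, record, now: datetime) -> bool:
        """The aggregator pulls one record under a grant; True if permitted."""
        grant = self._grants.get(grant_id)
        if grant is None or grant.revoked or now >= grant.retention_until:
            self.audit.append(f"deny {grant_id} {scope} no-active-grant")
            return False
        if scope not in grant.scopes:
            self.audit.append(f"deny {grant_id} {scope} out-of-scope")
            return False
        self._records[grant_id].append(record)
        return True

    def revoke(self, grant_id, now: datetime) -> int:
        """Explicit revocation by the consumer: end access and purge stored data."""
        self._grants[grant_id].revoked = True
        purged = len(self._records.pop(grant_id, []))
        self.audit.append(f"revoke {grant_id} at {now.isoformat()} purged={purged}")
        return purged

    def purge_expired(self, now: datetime) -> List[str]:
        """Retention sweep: drop data whose retention window has ended."""
        expired = [gid for gid, g in self._grants.items()
                   if now >= g.retention_until and gid in self._records]
        for gid in expired:
            self._records.pop(gid)
            self.audit.append(f"expire {gid}")
        return expired

    def stored(self, grant_id) -> int:
        return len(self._records.get(grant_id, []))


def demo() -> dict:
    """Walk the lifecycle on constructed data; returns observations to check."""
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    reg = ConsentRegistry()
    needed = {"accounts:balances", "transactions:read"}  # constructed scope names
    out = {}
    try:  # a budgeting app asking for more than it needs is refused outright
        reg.issue("g1", "alice", "BudgetApp", needed | {"credentials:export"},
                  needed, timedelta(days=90), t0)
        out["excess_scope_rejected"] = False
    except PermissionError:
        out["excess_scope_rejected"] = True
    reg.issue("g1", "alice", "BudgetApp", needed, needed, timedelta(days=90), t0)
    out["fetch_in_scope"] = reg.fetch("g1", "transactions:read", {"amt": -12.5}, t0)
    out["fetch_out_of_scope"] = reg.fetch("g1", "credentials:export", {}, t0)
    # The consumer deletes BudgetApp from their phone. The registry is never
    # told, so the grant stays live and the next pull still succeeds.
    out["access_after_uninstall"] = reg.fetch("g1", "accounts:balances", {"bal": 100},
                                              t0 + timedelta(days=1))
    out["records_before_revoke"] = reg.stored("g1")
    # Only an explicit revocation through the provider ends access and purges data.
    out["purged_on_revoke"] = reg.revoke("g1", t0 + timedelta(days=2))
    out["access_after_revoke"] = reg.fetch("g1", "accounts:balances", {"bal": 100},
                                           t0 + timedelta(days=3))
    # A grant nobody revokes is still bounded: the retention sweep purges it.
    reg.issue("g2", "bob", "BudgetApp", needed, needed, timedelta(days=30), t0)
    reg.fetch("g2", "accounts:balances", {"bal": 5}, t0)
    out["expired_grants"] = reg.purge_expired(t0 + timedelta(days=31))
    out["g2_after_sweep"] = reg.stored("g2")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The registry deliberately has no hook for "app uninstalled": that event happens on the consumer's device and never reaches the server, which is why the revocation step has to be an explicit request to the provider, as the post describes. The audit list is the minimum a defender would want in order to reconcile what was granted, what was pulled, and when it was purged.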