For years, people have been using fintech apps to access their financial data via a variety of means, the most common being screen scraping. Recently, many countries have passed regulations to enable more secure methods of data sharing. The US has been comparatively slow to adopt consistent data sharing regulations, instead relying on industry solutions such as the FDX data API standards.
In response to the lack of consistency on this issue, the Office of the Comptroller of the Currency (OCC) recently issued an updated set of frequently asked questions to clarify their previous bulletin titled “Third-Party Relationships: Risk Management Guidance.” The FAQs and bulletin assess the risks around third-party relationships, a term the OCC defines as “any business arrangement between a bank and another entity, by contract or otherwise.”
In their updated answers, the OCC reiterates that “a bank’s use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations.” The OCC also calls upon supervised banks to conduct governance over third-party aggregators that employ credential-based scraping to collect customer data.
Some of the largest US banks have already transitioned to API-based data sharing, while many mid-sized banks are implementing an interim step of whitelisting the IPs of key aggregators for visibility and control. For banks that have taken these steps, complying with the recent OCC requirements to provide third-party traffic reports on companies that are scraping data will be significantly easier. However, for banks that have yet to contemplate an open banking future or assign resources to building APIs, the governance load will be significantly more burdensome.
Regardless, the OCC’s clarifications represent a net positive as they bolster cooperation between financial institutions and fintechs while also pushing the industry closer to adopting open banking for data sharing. This in turn is a great outcome for consumers and small businesses looking to safely and securely access their data.
In short, the new OCC requirements will bring many benefits, including:
1. Clearer Permissions
Everyone in the financial services industry, from regulators to fintechs, rightly worries about the potential for customer data to be shared without the customer’s direct permission. By implementing API connections and whitelisting screen scraping, financial services companies make it easier for customers to grant and revoke consent. These permissions can be set on a case-by-case basis, so each customer is empowered to choose what they want people to see and what they don’t want people to see. For example, if a customer sets up a budgeting app, they can grant permission for a particular set of data that allows a financial advisor to view their progress toward their financial goals instead of sharing all their account balances.
This added control over permissions reflects the entire banking industry’s desire to reduce and mitigate risk on behalf of the customer.
2. Increased Security
With traditional screen scraping, each customer hands over their credentials, including username and password. By contrast, API connections bring a higher level of security because the process replaces shared credentials with anonymized, single-use digital tokens. This means that bad actors can’t access the personal information of end users during a transaction, because the token rather than the credential is what travels and tokens de-identify user data, greatly reducing the exposure of personal data.
3. Added Transparency
Whitelisting data professionals such as MX can serve as a short-term solution while migrating to APIs. In this way financial services companies gain transparency into scraped traffic via IP addresses and know exactly what’s happening in the scraping process. These companies are also able to see immediately if an unwanted, malicious third party suddenly starts scraping their data, and can rest assured knowing exactly which companies are scraping and for what purposes.
Even more importantly, financial services companies that implement API connections have full insight into what data is shared and who it's shared with, bringing an added level of transparency and clarity to the process.
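As an added illustration (not MX’s or the OCC’s own tooling), this is the kind of third-party traffic report the allowlisting step makes possible: credential-based logins from allowlisted aggregator ranges are counted per aggregator, while an unknown source IP that logs into many distinct customer accounts with passwords is flagged as possible unsanctioned scraping. The aggregator ranges, the log format and the log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allowlist of aggregator source ranges (constructed documentation
# addresses, not MX's or any real aggregator's ranges).
AGGREGATOR_RANGES = {
    "aggregator-a": [ipaddress.ip_network("203.0.113.0/24")],
    "aggregator-b": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed login-endpoint log lines: "<source ip> <timestamp> <auth method> <account id>".
SAMPLE_LOG = """\
203.0.113.7 2024-03-01T08:00:01Z password acct-1001
203.0.113.9 2024-03-01T08:00:02Z password acct-1002
198.51.100.3 2024-03-01T08:00:03Z password acct-1003
192.0.2.44 2024-03-01T08:00:04Z password acct-1004
192.0.2.44 2024-03-01T08:00:05Z password acct-1005
192.0.2.44 2024-03-01T08:00:06Z password acct-1006
192.0.2.44 2024-03-01T08:00:07Z password acct-1006
198.51.100.3 2024-03-01T08:00:08Z token acct-1003
"""

def classify(ip):
    """Name the allowlisted aggregator that owns ip, or None if the source is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, nets in AGGREGATOR_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None

def third_party_report(log_text, distinct_account_threshold=3):
    """Return (credential-based logins per allowlisted aggregator, unknown IPs that
    logged into at least distinct_account_threshold different customer accounts)."""
    scraping_logins = defaultdict(int)
    accounts_per_unknown_ip = defaultdict(set)
    for line in log_text.splitlines():
        ip, _ts, method, account = line.split()
        if method != "password":
            continue  # token-based API calls are sanctioned sharing, not scraping
        name = classify(ip)
        if name:
            scraping_logins[name] += 1
        else:
            accounts_per_unknown_ip[ip].add(account)
    flagged = sorted(ip for ip, accts in accounts_per_unknown_ip.items()
                     if len(accts) >= distinct_account_threshold)
    return dict(scraping_logins), flagged

if __name__ == "__main__":
    print(third_party_report(SAMPLE_LOG))
```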
The Future of Data Sharing
For the foreseeable future, screen scraping will continue to play an important role in banking. However, financial services companies are increasingly implementing APIs, making API-based access increasingly standard. For example, Chase announced earlier this year that they plan to switch from screen scraping access to API access only.
The move to API connections is fantastic for financial institutions and fintech companies. In addition to the benefits listed above, API connections also enable increased innovation through new ways of providing data-driven insights and advice to customers, enabling the shift from being a financial intermediary to being a financial advocate.
Above all, this customer-centered approach to ensuring people have transparent and secure access to their data is at the heart of the OCC’s new guidelines. And that is terrific news for the industry.