At MX, we believe that financial data holds immense value for organizations and their customers. Used intelligently and ethically, it can empower financial strength and grow businesses. 

We also hold a core belief that customers own their financial data and that their data should never be shared without explicit consent from the customer. This is one reason why we’ve never sold customer data and never will.

To get to specifics, we source transaction and account data from the records of the financial institutions and fintech companies. We then take that raw data and enhance it by cleansing, categorizing, contextualizing, and classifying it. We also put each user’s data on center stage, molding it into a cohesive, intelligible, and interactive visualization so users can see all their finances in one place. As a result, users engage more often and more deeply with clients that offer MX products.

To do this, we have more than 50,000 connections to over 16,000 banks, credit unions, and fintech companies. Our patented aggregation technology has backup connections on standby to reroute deficient connections, minimizing outages and increasing aggregation success.

When it comes to privacy, we follow the European Union’s General Data Protection Regulation (“GDPR”) protocols. This means we do not actively collect or otherwise process special categories of personal data as identified in the EU General Data Protection Regulation (“GDPR”) including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not actively collect or otherwise process personal data relating to criminal convictions and offences. We do not collect data on minors.

Financial Data Security Best Practices

MX takes security measures seriously. We focus on five key areas:

1. Security Governance

We Implement a defense-in-depth security model — a model that protects user data via multiple security layers. We also proactively test each layer via recurring security vulnerability scans, regular compliance and security audits, security alert reviews, and third-party assessments including rigorous external penetration tests.

2. System Security

We authenticate users via strong multifactor mechanisms that include a complex password and one-time passcode authentication token. In addition, we implement industry-recognized hardening standards such as Defense Information Systems Agency (DISA), Security Technical Implementation Guide (STIG) and Center for Internet Security (CIS) benchmarks. We then use a baseline operating system (OS) image for every system build and operate using 2N (redundant) production environments. Each production environment should be located in geographically separate, fault-tolerant zones—significantly reducing the likelihood of full system failure and impactful system outages.

3. Application Security

We manage and deploy application code via a centrally managed software repository and require a documented description of each change, a peer review, systematic code style checks, code security review (including checks against OWASP’s Top 10 common coding vulnerabilities and other code vulnerability checks), and approval from a software engineering development lead. We also limit the ability to deploy code only to authorized software development leads and regularly backup code repositories to help ensure timely restore of applications in the event of catastrophic system failure.

4. Data Security

We classify data according to levels of sensitivity: public data, internal data, confidential data, and privileged data. We then encrypt confidential data and privileged data in transit using TLS 1.2. For data at rest, encrypt data using AES-256 keys. In addition, we securely destroy all data at the end of the useful lifecycle or when requested by customers and destroy media (e.g., hard disk drives) by using Department of Defense (DoD) level drive shredding techniques. 

5. Third Party Security

We maintain compliance with the AICPA’s TSP and provide evidence indicating ongoing compliance with the TSP by providing a Report on the Design and Operating Effectiveness of Controls at Service Organizations (SOC-2 Type II Report). In addition, we maintain compliance with applicable security requirements listed in the Payment Card Industry Data Security Standard (PCI DSS) to help ensure that any data that may fall under this provision is handled accordingly. Finally, we update both the MX SOC-2 Type II Report and PCI DSS Attestation of Compliance on an annual basis. 

OAuth Connections at MX

Wherever possible, MX uses OAuth to verify users. This way customers never pass their credentials to MX and each client remains in control of their customers’ login flow and experience from beginning to end. Customers can also log into their organization’s website and see where they’ve used their credentials to sign in. In addition, they can delete websites that they no longer want to share their login information with. Furthermore, because OAuth verification is the most transparent way to identify which data is being accessed and by whom, it helps organizations comply with Bulletin 2020-10 from the Office of the Comptroller of the Currency (OCC), which offers guidance on data sharing with third parties.

In practical terms, MX clients can connect directly to many of the largest financial institutions in the U.S. through OAuth APIs, covering millions of users, with many more OAuth API connections coming soon. These ultra-secure, token-based connections ensure a dependable and fast connection — accelerating the onboarding process and increasing engagement. These connections also enable MX clients to provide engaging and relevant products and services to customers (as well as reduce friction points within the loan experience), using permissioned-based data. For the many organizations that don't support OAuth yet, MX has a comprehensive fraud detection program to detect potential abuse of their customers' accounts.

Want to learn more?

View our documentation here.