The Bank Policy Institute (BPI), a non-partisan public policy, research and advocacy group representing banks and their customers, released a statement on consumer data security this week ahead of a FinTech task force hearing of the United States House Committee on Financial Services on FinTech. 21.
While consumers should be able to use their favorite apps to manage spending and other financial matters, they shouldn’t have to give up on data security and privacy, BPI officials said. The group offers three key recommendations: consumer financial data should be safe and secure, regardless of who holds it; the informed consent of the consumer must be obtained; and consumers should have control over the type and amount of information shared.
“BPI supports the ability of consumers to access and share their personal financial data,” BPI wrote in the release. “It is of paramount importance that this data is shared on the basis of the consumer’s informed consent and effective consumer control over the type and amount of information shared and that the data is kept safe and secure, no matter where, why or with whom this data is stored.”
There are about 120 different data aggregators in the United States, according to BPI. Their business is to collect data through various practices, some of which, such as screen scraping, pose data security risks to consumers. Screen scraping allows third parties to collect a wide range of consumer data, often far beyond the information needed to deliver a specific product or service. Some estimates indicate that the largest US aggregators could hold the financial information of millions of consumers, creating a prime target for malicious actors and a significant risk to consumer privacy.
BPI argues that the industry should eliminate screen scraping practices and transfer data more securely through an application programming interface (API). Using APIs would help empower and protect consumers by ensuring their control over who has access to their data, how much data is shared, and when permission to share data is terminated with third parties.
BPI also calls on the Consumer Financial Protection Bureau to use its authority to apply existing data security and privacy standards to data aggregators. The group further suggests the FFIEC exam guide as a useful framework for information security requirements for these vendors. These changes would reduce cases of serious fraud and improve the security of consumer data.