Bank Policy Institute issues statement to House on consumer data security

The Bank Policy Institute (BPI), a nonpartisan public policy, research and advocacy group representing banks and their customers, issued a statement this week on consumer data security in advance of a U.S. House Committee on Financial Services Task Force on Financial Technology hearing on Sept. 21.

While consumers should be able to use their preferred applications to manage spending and other financial matters, they should not have to forfeit data security and privacy, BPI officials said. The group offers three key recommendations: consumer financial data should be safe and secure regardless of who holds it; informed consumer consent should be obtained; and consumers should have control over the type and amount of information shared.

“BPI supports consumers’ ability to access and share their personal financial data,” BPI wrote in the statement. “It is of paramount importance that this data is shared based on informed consumer consent and effective consumer control over the type and amount of information that is shared and that the data is maintained in a safe and secure manner regardless of where, why or with whom that data is maintained.”

There are approximately 120 different data aggregators in the United States, according to BPI. They are in the business of collecting data through a variety of practices, some of which, such as screen scraping, pose data security risks to consumers. Screen scraping allows third parties to harvest a wide swath of consumer data, often far in excess of the information needed to offer a specific service or product. Some estimates indicate that the largest U.S. aggregators may hold in their possession the financial information of millions of consumers, creating a prime target for malicious actors and a significant risk for consumer privacy.

BPI argues that the industry should eliminate screen scraping practices and transfer data more securely via an Application Programming Interface (API). The use of APIs would help to empower and protect consumers by ensuring their control over who has access to their data, how much data is shared and when data sharing authorization is terminated with third parties.

In addition, BPI calls upon the Consumer Financial Protection Bureau to use its authority to apply existing data security and privacy standards to data aggregators. Further, it suggests the FFIEC examination guidance as a useful framework for information security requirements for these providers. These changes would reduce instances of serious fraud and enhance consumer data security.