Current State: Several industry working groups have been established recently to develop standards for data access in the financial services ecosystem. Through our participation in many of these forums, we are concerned that the interests of consumers are not being adequately prioritized. In particular, data access standards must recognize consumers' need to access and use their data for applications that they have determined to be beneficial to them.

The principle that consumers own their own data and can access and use it freely and securely to manage their financial well-being is not just theoretical or hypothetical. Several financial institutions continue to demand, through proposed bilateral agreements with aggregators and other third-party providers, significant restrictions that would limit the types of data their customers would be permitted to access and the types of applications their customers would be permitted to use.

The financial technology industry has created incredible benefits for consumers through innovative financial tools. To ensure continued innovation in the financial services market, our firms jointly propose the following high-level principles, which align with the design of open banking ecosystems globally and must be the cornerstone of any successful data access regime in the United States. This Secure Open Data Access (SODA) framework is a set of principles for ensuring open data access and financial data security in the ecosystem, with the ultimate goal of protecting consumers' right to access innovative tools and services that improve their financial well-being. To that end, SODA includes the following four core components:
- Consumers must be able to access their financial account data for purposes of using any legitimate application;
- Consumers must provide affirmative consent on the basis of clear and conspicuous disclosure regarding the use of their data;
- All entities that handle consumer account information must adhere to leading industry practices for security standards and implement traceability and transparency;
- The entity responsible for a consumer's financial loss must make the consumer whole. All stakeholders in the ecosystem have shared responsibility – this will start with traceability in the United States and move towards shared responsibility, just as in Europe.
The Consumers
- Have the right to access their data via trusted third-party tools and to provide access to all of their own financial data to trusted third-party applications for any permissible purpose.
- Have the right to expect that the flow of data between their financial institution(s) and any third parties with which they elect to share their data is safe and secure.
- Must be made whole, by the responsible party(ies), in the event of consumer harm stemming from fraud or other malfeasance in the third-party ecosystem.
The Financial Institutions
- Must not impose unilateral restrictions on their customers’ use of their own data, or retain the right to override their customer’s consent when they elect to use a third-party application.
- Have the right to expect, in the event of a financial loss stemming from a breach for which they hold no responsibility, that they are not responsible for making their customer whole.
- Retain the responsibility for making the consumer whole in the event of a financial loss stemming from a breach for which they are responsible.
- Will, as part of their governance of third parties on their platforms, reasonably establish that third-party customers have capacity, through capital, insurance, or any other means, to make whole any consumers who suffer a financial loss as a result of a breach at a third party.
- Will adhere to industry best practices on data security and privacy, and exert governance over their platforms to protect against abuse and misuse of consumer data.
- Must implement transparency and traceability on their platforms so that all market stakeholders – especially consumers and regulators – gain better visibility into who has access to what information and for what purpose.
The Third Parties
- Must secure, through capital, insurance, or some other means, the capacity to make the consumer whole in the event of a financial loss resulting from a breach.
- Must agree to ask the consumer for clear and conspicuous consent to provide access to the data required to fuel the use case(s) they are providing, and must use the data in a manner consistent with such consent.
- Must adhere to data security and privacy standards appropriate for the type of information received.
- Should modernize and clarify existing regulations and guidance – promulgated long before the ecosystem grew – so that they incorporate these principles.