Regulators and industry groups have finally begun focusing on the mechanics of how consumers share their financial data with third-party services, such as personal financial management apps and online lending platforms.
The Financial Industry Regulatory Authority
However, there’s a big problem: Neither group proposed workable alternatives.
True, Sifma and Finra both recommended that financial institutions develop application programming interfaces, or APIs: defined sets of protocols and data formats that let software components talk to one another, so that institutions and third parties can exchange data directly and securely instead of through screen-scraping with a customer's login. Unfortunately, this recommendation is only a half-measure. APIs are worth building in the long run, but an API by itself does not put a stop to credential sharing.
An API makes it possible for a third party to retrieve or receive data securely, but it says nothing about how the customer proves who they are (authentication) or how the third party is permitted to act on the customer's behalf (authorization). Absent something better, a username and password remain the way a consumer does both, so the raw API "pipes" neither authenticate the consumer nor authorize access to their data. To reduce credential sharing, financial institutions will have to invest in implementing OAuth (today, OAuth 2.0), an authorization framework that lets a customer delegate limited access to a third party without ever giving that party a username or password. OAuth separates the two steps: the customer authenticates at the institution, and the institution then issues the third party a scoped access token, usually paired with a refresh token, so the third party can keep retrieving data for as long as the customer allows it. Because the token is distinct from the password, the institution can limit what it reaches and the customer can revoke it without changing the password or disturbing any other app.
Consumers are already familiar with OAuth, perhaps unknowingly, because it underlies creating online accounts with an existing Facebook or Google profile (the "Sign in with Google" variant is OpenID Connect, an identity layer built on OAuth 2.0). The user is redirected to the identity provider, sees a consent screen explaining what data the outside party will be able to access, and, if he or she accepts, logs in at Google rather than creating a new password for the site. The outside app never sees the Google password; once the user consents, Google issues the app an access token (and typically a refresh token), which the app stores and presents whenever it needs to access the customer's data.
OAuth is only one of many authentication and authorization options for data access, but it is the best option for universal industry adoption. In financial services, the institution registers a third party, such as an account aggregation service provider, as an OAuth client under an agreement between the two; individual customers then grant that client scoped access to their data at the institution, and the institution can see, limit and cut off exactly which clients hold access.
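The exchange described above, as an added example that is not part of the original article or any institution's code: a toy OAuth 2.0 authorization-code flow with PKCE between a bank (authorization server and accounts API in one) and an account aggregator. The endpoint URLs, client name, user and balances are all constructed for illustration. Everything runs in-process with no HTTP, but the parameters exchanged are the ones the real protocol uses; the point to notice is that the password is only ever handled inside the `Bank` object, and the aggregator stores tokens that the bank can rotate or revoke.

```python
"""Toy OAuth 2.0 authorization-code flow with PKCE: bank = authorization + resource
server, aggregator = client. No network; the messages are the protocol's own."""
import base64, hashlib, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

BANK_AUTHZ = "https://bank.example/authorize"        # hypothetical endpoints
APP_CALLBACK = "https://budget.example/callback"


def s256(verifier):
    """PKCE: code_challenge = BASE64URL(SHA-256(code_verifier)), no padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class Bank:
    """Holds passwords, runs the consent screen, issues and checks tokens, serves data."""

    def __init__(self, balances):
        self.clients, self.users, self.codes = {}, {}, {}
        self.access, self.refresh, self.balances = {}, {}, balances

    def register_client(self, client_id, redirect_uri):   # the bank/aggregator agreement
        self.clients[client_id] = redirect_uri

    def register_user(self, username, password):           # only the bank ever hashes this
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def _password_ok(self, username, password):
        salt, stored = self.users.get(username, (b"", b""))
        return secrets.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authorize(self, query, username, password, consent):
        """Consent screen: the user authenticates AT THE BANK and approves the listed scope."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if self.clients.get(q["client_id"]) != q["redirect_uri"]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not self._password_ok(username, password):
            raise PermissionError("bad credentials")
        if not consent:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(q, user=username, exp=time.time() + 60)   # short-lived, one-time
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, code, code_verifier, redirect_uri):
        """Code exchange: single use, bound to client, redirect URI and PKCE verifier."""
        rec = self.codes.pop(code, None)
        if rec is None or rec["exp"] < time.time():
            raise PermissionError("invalid or expired code")
        if (rec["client_id"], rec["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("code was issued to a different client")
        if not secrets.compare_digest(s256(code_verifier), rec["code_challenge"]):
            raise PermissionError("PKCE verification failed")
        return self._issue(rec["user"], rec["scope"], client_id)

    def _issue(self, user, scope, client_id):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"user": user, "scope": scope, "client_id": client_id, "exp": time.time() + 3600}
        self.refresh[rt] = {"user": user, "scope": scope, "client_id": client_id}
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer", "scope": scope}

    def refresh_access(self, client_id, refresh_token):
        """Ongoing access without re-prompting the customer; refresh tokens rotate on use."""
        rec = self.refresh.pop(refresh_token, None)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("invalid refresh token")
        return self._issue(rec["user"], rec["scope"], client_id)

    def revoke(self, user, client_id):
        """Customer withdraws this one app's consent at the bank; the password is untouched."""
        self.access = {t: a for t, a in self.access.items() if (a["user"], a["client_id"]) != (user, client_id)}
        self.refresh = {t: r for t, r in self.refresh.items() if (r["user"], r["client_id"]) != (user, client_id)}

    def get_balances(self, access_token):
        """The API 'pipe': answers only a live bearer token carrying the accounts:read scope."""
        a = self.access.get(access_token)
        if a is None or a["exp"] < time.time() or "accounts:read" not in a["scope"].split():
            raise PermissionError("401 invalid_token")
        return self.balances[a["user"]]


class Aggregator:
    """The third party. It stores tokens, never the customer's bank password."""

    def __init__(self, client_id):
        self.client_id, self.pending, self.tokens = client_id, {}, None

    def start(self, scope="accounts:read"):
        verifier, state = secrets.token_urlsafe(48), secrets.token_urlsafe(16)
        self.pending[state] = verifier                     # state doubles as the CSRF token
        return BANK_AUTHZ + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": APP_CALLBACK,
            "scope": scope, "state": state, "code_challenge": s256(verifier), "code_challenge_method": "S256"})

    def finish(self, redirect_url, bank):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self.pending.pop(q.get("state"), None)
        if verifier is None:
            raise PermissionError("unexpected state")
        if "error" in q:
            raise PermissionError(q["error"])
        self.tokens = bank.token(self.client_id, q["code"], verifier, APP_CALLBACK)
        return self.tokens


def run_flow(password="correct horse battery staple"):
    """Walks the whole exchange and returns (bank, app, balances the app obtained)."""
    bank = Bank({"alice": {"checking": 1250.40, "savings": 8000.00}})   # constructed sample data
    bank.register_user("alice", password)
    bank.register_client("budget-app", APP_CALLBACK)
    app = Aggregator("budget-app")
    url = app.start()                                                    # 1. app sends Alice to the bank
    redirect = bank.authorize(urlparse(url).query, "alice", password, consent=True)  # 2. login at the bank
    tokens = app.finish(redirect, bank)                                  # 3. one-time code -> tokens
    return bank, app, bank.get_balances(tokens["access_token"])          # 4. data through the API
```

The authorization code is consumed on first use and tied to the client, redirect URI and PKCE verifier, so a code intercepted in transit is useless to anyone else; the refresh token rotates on every exchange, and `revoke` removes one app's access while the customer's other integrations and password are left alone.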
Today, adoption of OAuth is far from widespread in financial services, but some leading institutions already use the technology, including
OAuth is not only more secure because it eliminates a need to share credentials, it also delivers more
If financial institutions put the proper security infrastructure in place, secure third-party access can be provided without relying on credential sharing. The solution exists in OAuth; the industry must move beyond merely discouraging credential sharing and focus on implementing it.