Fidelity Investments is joining the ranks of financial firms sharing customer account data with others through an application programming interface.
The new service, called Fidelity Access, will give third parties access to Fidelity customers' account data for use in apps and services like tax preparation, budgeting, financial planning, spending analysis and portfolio advice — provided the Fidelity customers give their OK. Customer data to be shared includes Fidelity account balances, securities holdings, and transactions.
The Boston company’s hope is that clients will stop giving out their user IDs and passwords to third parties.
“In the current cyber environment, with all the breaches that have happened in the past year, we think it’s critical to get this notion of sharing IDs and passwords out of the system,” said Stuart Rubinstein, head of data aggregation at Fidelity Investments. “Many clients use the same IDs and passwords for many different sites, and as those breaches happen, they put their financial accounts at risk. Anything we can do to eliminate that and make it more secure for clients we think is important.”
The move is part of a developing détente between banks and fintechs after several years of fighting over the risks and rewards of so-called screen scraping. Sharing data through APIs relieves fintechs of the worry that a bank will block them from accessing customer data, and it assures banks that data is being kept secure and that their servers won't be overwhelmed. The list of banks sharing account information through APIs includes Wells Fargo, Chase, Citibank, Capital One, Silicon Valley Bank and BBVA Compass.
Fidelity will provide a security dashboard through which customers will be able to see which third parties they have granted account access and which specific accounts that access covers. Customers will be able to make changes, such as cutting off websites and apps they no longer use.
The dashboard will appear on several Fidelity sites, including fidelity.com, netbenefits.com and wealthscapeinvestor.com. In addition to letting people manage how their Fidelity account data is shared, it may make them aware of account linkages they may have forgotten about or thought were disconnected.
“When we ask people in surveys why they stopped using data aggregation, they say either they just stopped using the service or they deleted the app from their phone,” Rubinstein said. “As you know, that’s not turning off aggregation — those accounts remain connected. We will remind people periodically by popping up a reminder.”
Fidelity is using the Durable Data API standard for its data-sharing pipeline.
The company has three requirements for third parties that want to use its API: They have to adhere to strict security standards, they have to agree to destroy any user IDs and passwords they may have previously acquired from Fidelity clients, and they need to assume responsibility for handling the data, including liability should that data be compromised.
The approach is generally in line with the customer data protection principles the Consumer Financial Protection Bureau released last month. Fidelity is not regulated by the CFPB, but the company commented on the agency’s data protection principles.
“We wanted to make sure that all sides of the arguments were heard,” Rubinstein said.
Fidelity itself is on all sides of the data-sharing debate: In addition to being a provider of consumer account data, it’s a data aggregator (through a service called Full View) and a consumer of data from other financial providers (it owns eMoney Advisor, which does financial planning for advisers and broker-dealers).
“We look at all sides of the issue and are firmly committed to clients being able to grant access to their data to third-party access and websites to get better advice, tax prep and other applications,” Rubinstein said. “But in this day and age, security has to be first and foremost.”