Data-sharing spec revised to encourage open banking
The Financial Services Information Sharing and Analysis Center announced Tuesday an attempt to move the ball forward on data sharing and open banking in the U.S.
One stumbling block for open banking in the U.S. has been the lack of an agreed-upon standard for sharing customer data between banks and third parties such as personal financial management app providers. In the absence of such a standard, data aggregators and fintechs tend to resort to screen scraping: the aggregator stores the customer's online banking username and password, logs in to the bank's website as that customer and extracts account data from the rendered pages. It is insecure because the third party holds full credentials (and therefore full account access) rather than a limited grant, and inefficient because it breaks whenever the bank's site changes.
The FS-ISAC on Tuesday released a new version of its technical recommendations for data sharing, the Durable Data API specification. This could become the standard banks and third parties adopt for PSD2-style data sharing and open banking. In fact, the new standard meets all of PSD2’s requirements, according to the security data-sharing organization. (However, PSD2 also requires third parties to register and agree to be overseen by a regulator, something unlikely to happen here.)
“The key is to get banks to adopt it and aggregators to accept it,” said Bill Nelson, president and CEO of the FS-ISAC. “So having a standard could really move it forward, in my opinion.”
Some companies, including Wells Fargo and Fidelity, already use the Durable Data API spec in their sharing of data with third parties such as accounting software providers.
The new version of the specification incorporates OAuth 2.0, the authorization framework under which a third party receives a scoped access token instead of the customer's password. It also has an expanded purview: the Durable Data API can be used not only by banks, data aggregators and fintechs, but also by insurance companies, broker/dealers, and other entities with whom customers might want to share their bank account information. The API and a related white paper were created by the FS-ISAC Data Aggregation Work Group, whose members come from more than 25 financial services firms, tech companies and data aggregators.
“It corrects some of the original deficiencies [of version one of the Durable Data API spec], but it puts us now in a position to move this forward and start actively moving firms away from screen scraping,” said Eric Guerrino, chief operating officer of the FS-ISAC.
Data aggregator members of the group asked for support for additional products, such as brokerage and pension plan accounts.
Under the new specification, when a financial application user wants to set up or add a bank, brokerage, or insurance account, they are redirected to a secure server at the financial institution to begin the enrollment process; the application itself never collects the institution's login credentials.
The consumer is then presented with the financial institution's consent page, where they authenticate to the institution and authorize which data they want to share with the financial application.
After authenticating and granting consent, the consumer is passed back to the financial application. Data sharing between financial application servers and financial institution servers is then done through an access token that identifies the consumer and the specific accounts they agreed to share, so the application can read only what was consented to and the institution can revoke that access without the customer changing a password.
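The three enrollment steps above are an OAuth 2.0 authorization-code flow. The simulation below runs both sides of that exchange in one process so the security properties can be checked directly: the bank, not the app, receives the password; the app gets a token limited to the accounts the user consented to; the callback is bound to the app's session with `state`; and the one-time code cannot be replayed. This is an added example, not FS-ISAC's reference code or the Durable Data API itself; the endpoint names, scope strings, client credentials and account data are invented for the illustration.

```python
"""Simulated OAuth 2.0 authorization-code enrollment between a financial app
and a bank. Added illustration, not the Durable Data API spec's own code:
endpoints, scopes, credentials and balances are assumptions, and both sides
run in-process instead of over HTTPS."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _query(url):
    """Flatten a URL's query string into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Bank:
    """Financial institution: authorization server plus account data API."""

    def __init__(self):
        # Constructed sample data; only the bank ever holds the password hash.
        self.users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
        self.accounts = {"alice": {"checking": 1200.50, "brokerage": 58000.0, "mortgage": -250000.0}}
        self.clients = {"pfm-app": {"secret": "app-s3cret", "redirect_uri": "https://pfm.example/cb"}}
        self.codes = {}   # one-time code -> (user, granted scopes, client_id)
        self.tokens = {}  # access token -> (user, granted scopes)

    def authorize(self, authorize_url, username, password, consented_scopes):
        """Consent page: authenticate the user, keep only the scopes they approve,
        and return the redirect back to the app carrying a one-time code."""
        q = _query(authorize_url)
        client = self.clients[q["client_id"]]
        if q["redirect_uri"] != client["redirect_uri"]:
            raise PermissionError("redirect_uri does not match the registered client")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users[username], digest):
            raise PermissionError("bad credentials")
        granted = set(q["scope"].split()) & set(consented_scopes)  # user may approve a subset
        code = secrets.token_urlsafe(32)
        self.codes[code] = (username, granted, q["client_id"])
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret):
        """Token endpoint: authenticate the app, redeem the code once, issue a bearer token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # single use: a replayed code is rejected
        if entry is None or entry[2] != client_id:
            raise PermissionError("unknown, already used, or mis-issued code")
        username, granted, _ = entry
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (username, granted)
        return {"access_token": tok, "token_type": "Bearer", "scope": " ".join(sorted(granted))}

    def get_balance(self, bearer, account):
        """Data API: release only the accounts covered by the token's consented scope."""
        username, granted = self.tokens[bearer]
        if f"account:{account}" not in granted:
            raise PermissionError(f"token not authorized for {account}")
        return self.accounts[username][account]


class FinancialApp:
    """Third-party application (aggregator or PFM app) enrolling a bank account."""
    client_id, client_secret, redirect_uri = "pfm-app", "app-s3cret", "https://pfm.example/cb"

    def __init__(self):
        self.state, self.token = None, None

    def start_enrollment(self, authorize_endpoint, scopes):
        """Step 1: hand the user to the bank; `state` binds the callback to this session."""
        self.state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": " ".join(scopes), "state": self.state}
        return authorize_endpoint + "?" + urlencode(params)

    def handle_callback(self, bank, callback_url):
        """Step 3: verify `state`, then exchange the code for a token over the back channel."""
        q = _query(callback_url)
        if not hmac.compare_digest(q.get("state", ""), self.state or ""):
            raise PermissionError("state mismatch: callback not bound to this session")
        self.token = bank.token(q["code"], self.client_id, self.client_secret)
        return self.token["scope"].split()


def _raises_permission_error(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False


def run_flow():
    """Walk the enrollment end to end and report what the app could and could not do."""
    bank, app = Bank(), FinancialApp()
    url = app.start_enrollment("https://bank.example/oauth/authorize",
                               ["account:checking", "account:brokerage", "account:mortgage"])
    # Step 2 happens at the bank: alice logs in there and shares only two of three accounts.
    cb = bank.authorize(url, "alice", "correct horse", ["account:checking", "account:brokerage"])
    tampered = cb.split("&state=")[0] + "&state=" + "x" * 22
    state_checked = _raises_permission_error(lambda: app.handle_callback(bank, tampered))
    granted = app.handle_callback(bank, cb)
    bearer = app.token["access_token"]
    replay_rejected = _raises_permission_error(
        lambda: bank.token(_query(cb)["code"], app.client_id, app.client_secret))
    mortgage_blocked = _raises_permission_error(lambda: bank.get_balance(bearer, "mortgage"))
    return {"granted": sorted(granted), "checking": bank.get_balance(bearer, "checking"),
            "state_checked": state_checked, "replay_rejected": replay_rejected,
            "mortgage_blocked": mortgage_blocked}


if __name__ == "__main__":
    print(run_flow())
```

Compare this with screen scraping: there the app would hold alice's password and could read the mortgage account too, and the only way to cut it off would be for alice to change her password. Here the bank can delete the token server-side, and the `state` and single-use checks are the two places where a real deployment most often goes wrong.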