McLEAN, Va. - Warning that breaches of customer information "could be devastating," Julie L. Williams of the Office of the Comptroller of the Currency said Monday that banks must continually monitor their third-party aggregators and go above and beyond accepted privacy guidelines.
Ms. Williams, first senior deputy comptroller and chief counsel at the OCC, said aggregation may impair the integrity, accuracy, and currency of data. Banks also face risks from disputed transactions and the potential financial instability of their vendors, she said.
She urged the bankers at the Account Aggregation conference sponsored here by Thomson Financial Media, the parent company of American Banker, to do extensive due diligence of their aggregation vendors.
Banks should note how much a vendor relies on other third parties, and the ability of these third parties to safeguard customer information, she said. Detailed written contracts that allow for reviews and continuing assessment of the service are a must, she added.
Agencies like the OCC may be able to help some banks weed out unreliable vendors, Ms. Williams said. "For large banks there are resident examiners that constantly poke around, but examinations are more periodic for small banks."
When considering aggregation privacy policies, banks should go beyond "simple compliance," Ms. Williams said. They may be aggregating information from many financial institutions, so they should "make sure their policies are broad enough to encompass the breadth of offerings of products from a variety of places," she said.
"Go that extra mile so that customer information is both respected and protected," she advised.
Katherine McG. Sullivan, chief operating officer of Citigroup Inc.'s eCiti unit, said the company benefited from inviting regulators to review its policies before introducing aggregation to its customers last summer. "We met with regulators before we went live with the vendor and took them through the service so that there would be no surprises," she said.
The regulators helped Citi vet its vendor contracts, she said. "Regulators look at your contracts and make sure you bind" vendors "to your privacy rules and audit them on those standards."
Citi also imposed strict privacy standards on itself, Ms. Sullivan said. "Under our privacy promise we won't use the" aggregated "data to market even our own products to customers without their consent."
Citigroup's myCiti aggregation site for retail customers has been so successful that the company has begun a similar service at the Salomon Smith Barney unit for its high-net-worth customers, Ms. Sullivan said. It also is considering offering a Yodlee Inc. service at its small-business site.
Catherine A. Allen, chief executive officer of the Banking Industry Technology Secretariat, a unit of the Financial Services Roundtable, stressed that banks need to become customer advocates on security and privacy. "Aggregation is one of the ways to be an advocate of the customer."