Banking groups' guidelines on data sharing are misguided
Regulators and industry groups have finally begun focusing on the mechanics of how consumers share their financial data with third-party services, such as personal financial management apps and online lending platforms.
The Financial Industry Regulatory Authority issued a warning about sharing account data with aggregators, and the Securities Industry and Financial Markets Association cautioned the industry and consumers about the risks of connecting financial accounts by sharing login credentials — account usernames and passwords — with third parties.
However, there’s a big problem: Neither group proposed workable alternatives.
Data is now the lifeblood of financial technology innovation. Without easy access to financial account data, the tools and services that were created to simplify consumers’ financial lives are largely rendered ineffective. So instead of urging consumers to forgo access to their financial data and avoid credential sharing entirely, as Finra and Sifma both have done, more financial institutions will need to dedicate resources to adopting protocols that improve data security without impeding consumer access. Without that investment in safer, faster access methods, credential sharing will remain necessary for authorizing an account connection, despite the additional security implications.
True, Sifma and Finra both recommended that financial institutions develop application programming interfaces, or sets of standards and protocols that enable communication between software components, to end credential sharing and enable institutions and third parties to share data securely and directly. Unfortunately, this recommendation is only a half-measure: APIs, although useful for banks to develop in the long run, would not put a stop to credential sharing.
While APIs let a third party securely retrieve or receive data, credential sharing still serves as the means by which a user authenticates, or declares their identity, and authorizes the third party to retrieve their account data. The raw API “pipes” neither authenticate the consumer nor authorize access to their data. To reduce credential sharing, financial institutions will have to invest in implementing OAuth, a form of authorization that enables third parties to access information without requiring customers to provide usernames and passwords. In other words, the OAuth protocols split the authentication and authorization processes, allowing customers to permit a third party to access their data without sharing credentials, and to continue to have that access whenever the customer requests it.
Consumers are already familiar with OAuth, perhaps unknowingly, as the technology is often used when they create online accounts using their existing Facebook or Google profiles. With an OAuth protocol, the user typically sees a pop-up window explaining what data or information the outside party will access. If the user accepts the terms, he or she logs into a Google account instead of creating a new login for the site. The outside app then creates an OAuth key with this login information, which the app stores and uses when the company needs to access a customer’s data.
While OAuth is only one of a multitude of authentication and authorization options for data access, it is the best option for universal industry adoption. In financial services, an OAuth protocol establishes an agreement between financial institutions and a third party, such as an account aggregation service provider, to allow the third party to access customers’ data at the institution.
Today, adoption of OAuth is far from widespread in financial services, but some leading institutions already use the technology, including Capital One, Wells Fargo, and JPMorgan Chase. However, we hope to see more financial institutions dedicate resources to adopting these protocols.
OAuth is not only more secure because it eliminates the need to share credentials; it also delivers more effective traceability of which app or third party accesses data and for what purpose, making it even more desirable for protecting consumer financial data. Every login is uniquely tied to one end-agent, the aggregator or a service provider. In the event of a breach, cyber incident, misuse of data, or abuse of access, there is a clear trail of evidence to show which party is culpable. In addition, the OAuth key can be deleted at any time, shutting off the third party’s authorization to retrieve data.
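The properties described above (a key tied to one third party, a per-party audit trail, and revocation) can be seen in a small model. This is an added example, not part of the original article and not any institution's code; `TokenRegistry`, the client names and the scope strings are hypothetical.

```python
import secrets
from datetime import datetime, timezone

class TokenRegistry:
    """Toy stand-in for a bank's token store (hypothetical; not a real OAuth server)."""

    def __init__(self):
        self._grants = {}    # token -> grant record
        self.audit_log = []  # one entry per access attempt

    def grant(self, customer, client_id, scopes):
        # Runs after the customer logs in at the bank itself and approves the
        # consent screen, so the third party never handles the password.
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"customer": customer, "client_id": client_id,
                               "scopes": frozenset(scopes), "revoked": False}
        return token

    def access(self, token, scope):
        g = self._grants.get(token)
        allowed = bool(g) and not g["revoked"] and scope in g["scopes"]
        # Every attempt is attributed to the one client the token was issued to.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "client_id": g["client_id"] if g else "unknown",
            "scope": scope, "allowed": allowed})
        return allowed

    def revoke(self, customer, client_id):
        # Cut off one third party; the record stays so later attempts are still traceable.
        hits = [g for g in self._grants.values()
                if g["customer"] == customer and g["client_id"] == client_id]
        for g in hits:
            g["revoked"] = True
        return len(hits)

def demo():
    reg = TokenRegistry()
    # Constructed sample clients and scope names.
    budget = reg.grant("alice", "budget-app", {"balances:read"})
    lender = reg.grant("alice", "lender-app", {"balances:read", "transactions:read"})
    results = [reg.access(budget, "balances:read"),      # in scope
               reg.access(budget, "transactions:read"),  # never granted
               reg.access(lender, "transactions:read")]
    reg.revoke("alice", "budget-app")
    results.append(reg.access(budget, "balances:read"))  # revoked
    results.append(reg.access(lender, "balances:read"))  # other app unaffected
    return results, [(e["client_id"], e["allowed"]) for e in reg.audit_log]

if __name__ == "__main__":
    print(demo())
```

With a shared username and password, none of these distinctions exist: every third-party login looks like the customer, and cutting off one app means changing the password for all of them.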
If financial institutions put the proper security infrastructure in place, then secure access can be provided without relying on credential sharing. The solution exists in OAuth, but the industry must turn away from discouraging credential sharing alone and focus on implementing solutions.