BankThink

APIs must be the future of financial data aggregation

While current methods of data aggregation have been around for decades, their limitations have become more apparent as the demand for fintech apps continues to rise during the COVID-19 pandemic.


The Consumer Financial Protection Bureau defines data aggregator as “an entity that supports data users and/or data holders in enabling authorized data access.” In other words, an aggregator helps fintechs (data users) retrieve consumer-permissioned data (authorized data access) from financial institutions (data holders).

Today, aggregators mainly accomplish this from the overwhelming majority of financial institutions through credential-based data aggregation, a process commonly referred to as screen scraping.

Credential-based data aggregation usually requires consumers to provide their login credentials, typically usernames and passwords, to fintechs who then provide these credentials to an aggregator to access and retrieve a consumer’s financial data. Consumers are often unaware that an aggregator is involved, which is troublesome since aggregators can store their login credentials and financial data for an indefinite period without their knowledge.

As consumers become more aware of credential-based data aggregation, they are growing increasingly concerned. According to a recent survey by Deloitte Insights, a vast majority of respondents say that their privacy is always top of mind when using financial services. More than 80% of respondents want an opportunity to opt out of sharing certain types of information collected by their financial institution. Moreover, they want the ability to permission only the accounts they want to be aggregated for specific fintech apps.

Credential-based data aggregation is also fragile and prone to disruptions that slow or stop the flow of data between financial institutions and fintech apps. For example, data access fails when consumer financial accounts require two-factor or multi-factor authentication and can break down when banks change or update their user experience (UX).

The practice is also subject to fluctuations in internet traffic — if systems are too busy during an uptick in usage of a financial institution’s online services, aggregators are often impacted first. When these factors come into play, the flow of data decelerates and the consumer’s UX deteriorates.

Fortunately, there is a better way to do data aggregation: Application Programming Interfaces (APIs). APIs are used to implement OpenID Connect, SAML 2.0, OAuth 2.0, and other security protocols to authenticate and authorize consumers directly with their financial institution. This prevents login credentials from being held and stored externally by a third party — not only mitigating the risk of these credentials being stolen, but also preventing data from being accessed without specific instruction to the financial institution from the consumer.

API-based data aggregation is a better solution, but there are challenges in scaling APIs industry wide. Recent API agreements between large financial institutions, aggregators, and fintechs have been a great step forward; however, individual, bilateral arrangements between financial institutions, data aggregators, and fintechs are lengthy, costly, and unscalable to the thousands of financial institutions in North America. To facilitate the adoption of APIs, financial institutions, aggregators, and fintechs need to begin applying shared standards that accelerate API-based data aggregation in three key areas: consumer-permissioning, data-access agreements, and technical API specifications.

First, we must have standards to ensure the needs of the consumer come first. Financial institutions need to provide consumers with the ability to grant third-party access to their account information, as well as to monitor, modify, or revoke that access at any time.
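To make the two points above concrete (the aggregator never holds the consumer's credentials, and the consumer can grant, monitor, and revoke access at the bank), here is an added toy model of an OAuth 2.0-style consent flow; it is not from the article and not any institution's or aggregator's real code, and the `Bank` class, `aggregator_fetch`, the account ids, balances and user are constructed stand-ins.

```python
import secrets

USERS = {"alice": {"password": "correct-horse",            # constructed sample
                   "accounts": {"chk-1", "sav-2", "brk-3"}}}  # consumer and data
BALANCES = {"chk-1": 1200.50, "sav-2": 5000.0, "brk-3": 42000.0}

class Bank:
    """Toy OAuth 2.0-style authorization/resource server of a bank: tokens
    are scoped to the accounts the consumer chose and can be revoked."""
    def __init__(self):
        self.grants = {}  # token -> {user, aggregator, accounts, revoked}
    def consent(self, user, password, aggregator, accounts):
        # The consumer authenticates here, at the bank (any MFA happens here
        # too); the aggregator gets back a token, never the password.
        if USERS.get(user, {}).get("password") != password:
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(16)
        self.grants[token] = {"user": user, "aggregator": aggregator,
                              "accounts": frozenset(accounts) & USERS[user]["accounts"],
                              "revoked": False}
        return token
    def balance(self, token, account):
        g = self.grants.get(token)
        if g is None or g["revoked"] or account not in g["accounts"]:
            raise PermissionError("access not permitted")
        return BALANCES[account]
    def monitor(self, user):  # what the consumer sees in the bank's consent UI
        return [(g["aggregator"], sorted(g["accounts"])) for g in
                self.grants.values() if g["user"] == user and not g["revoked"]]
    def revoke(self, user, aggregator):
        for g in self.grants.values():
            if g["user"] == user and g["aggregator"] == aggregator:
                g["revoked"] = True

def aggregator_fetch(bank, token, account):
    """The aggregator side: it holds only the token, never the credentials."""
    try:
        return bank.balance(token, account)
    except PermissionError:
        return None

def scenario():
    bank = Bank()
    # At the bank's own login page the consumer shares only checking with the app.
    token = bank.consent("alice", "correct-horse", "budget-app", {"chk-1"})
    before = (aggregator_fetch(bank, token, "chk-1"), aggregator_fetch(bank, token, "brk-3"))
    grants = bank.monitor("alice")
    bank.revoke("alice", "budget-app")
    return before, grants, aggregator_fetch(bank, token, "chk-1")
```

Contrast this with credential-based aggregation, where the aggregator would hold `correct-horse` itself and the bank could neither scope that access to one account nor revoke it without the consumer changing the password.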

Second, we need a standard data-access agreement and security assessment accepted by financial institutions, aggregators, and fintechs. This will provide a legal foundation for parties to quickly partner with one another.

Third, although some financial institutions have fully developed portals to enable API-based data aggregation for aggregators and fintechs, most are not there yet. All players in the ecosystem should adhere to the free and interoperable API standard overseen by the Financial Data Exchange, ensuring predictability and scalability when providing access to data, authenticating users, and systematizing data semantics and syntax.

Credential-based data aggregation is on its way out as consumers, financial institutions, and regulators begin to take note of its risks. It’s imperative that the financial services industry work together to create and implement standards that ensure APIs are quickly adopted to provide safe, reliable access to consumer financial data.
