
Managing third-party risk of data aggregators

Navigating OCC Bulletin 2020-10

The Office of the Comptroller of the Currency released an update to its Third-Party Relationships guidance. Learn more about the implications for the customer-permissioned market segment of data aggregators.

April 14, 2020 | Financial services

On March 5, the Office of the Comptroller of the Currency (OCC) released an update to its Third-Party Relationships guidance (Bulletin 2020-10), supplementing the pre-existing third-party standards from 2013 (Bulletin 2013-29). Most of the updates clarify or expand existing third-party risk management (TPRM) expectations. The guidance, likely prompted by the emergence of open banking and banking-as-a-service, nonetheless carries new implications for the growing customer-permissioned market segment of data aggregators.

Banking customers are increasingly aware of how their own financial data can be used to improve their daily lives. By authorizing third-party data aggregators to access their sensitive financial data, customers manage their budgets, identify competitive products, and improve the management of their financial portfolios. This growing customer trend, together with the increase in fintech companies entering the financial services industry, creates new risks around how best to safeguard customer data. Banks must be proactive in defining, establishing, and managing these growing third-party relationships to better safeguard customer information; data aggregators, for their part, can use the updated OCC guidance to align with industry third-party expectations.

The OCC is primarily concerned with the banking industry's ability to meet its obligation to safeguard sensitive customer data, whether or not a bank has a business arrangement with a data aggregator. Banks allow customer information to be shared when the customer authorizes it, but the relationship with the data aggregator can vary. It may be a business arrangement, where the bank's third-party oversight should adhere to the OCC expectations, or the more typical "screen scraping" method of data aggregation, in which the aggregator logs in with credentials the customer has shared, no direct relationship with the bank exists, and related oversight is limited or non-existent. In the screen-scraping case the bank sees what looks like a customer login and cannot distinguish the aggregator from the customer without additional signals such as source address, volume, or access pattern. Although the guidance does not appear to expect banks to apply the formal TPRM requirements in the absence of a business arrangement with a data aggregator, the OCC does appear to be asking banks to take additional steps to understand which third parties are accessing their sensitive customer data and to ensure proper safeguards are in place.

Regulators will look for banks to demonstrate that they have instituted appropriate oversight of data aggregators. The banking industry is taking notice of this guidance, and banks may soon require data aggregators to sign agreements in order to access customer data. Banks may also consider alternative methods that make use of existing governance and information security capabilities.

What can banks do next?

  • Be proactive in conducting due diligence on data aggregators accessing customer-permissioned data, including evaluating the reputation of the data aggregator and determining next steps (e.g., entering into agreements/business arrangements to better monitor and mitigate risk);
  • Use existing security monitoring programs to identify data aggregator activity already occurring within the bank (for example, a single source authenticating as many distinct customers) and to attribute it to a known or unknown aggregator;
  • Enter into agreements/business arrangements with data aggregators to enable secure portal delivery (i.e., an application programming interface, or API) as a more efficient and better-safeguarded way to share customer-permissioned data;
  • Enhance or develop data-access monitoring, including allowlisting (whitelisting) the IP address ranges of known aggregators and requiring additional authentication controls for that access (e.g., tokenized access scoped to the customer's consent rather than the customer's shared password), so that a compromised or unknown source cannot silently pull bulk customer data; and,
  • Determine which data aggregators can demonstrate that their existing security programs (e.g., security and governance practices) are effectively safeguarding customer-permissioned data.
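The following is an added illustration of the monitoring and allowlisting steps above (the second and fourth bullets); it is example code written for this page, not Deloitte's or any bank's tooling. It assumes a simplified, constructed login-event format (timestamp, source IP, customer ID, authentication method, result), a hypothetical allowlist of aggregator IP ranges, and a hypothetical threshold of five distinct customers per source. It flags any source that authenticates as many different customers, attributes it to a registered aggregator if its address is allowlisted, and reports whether that aggregator is still using shared customer passwords (screen scraping) rather than token-based API access.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of authentication events (not real bank logs).
# Fields: timestamp, source IP, customer ID, authentication method, result.
SAMPLE_LOG = """\
2020-04-01T06:00:01Z 203.0.113.10 cust-1001 password OK
2020-04-01T06:00:02Z 203.0.113.10 cust-1002 password OK
2020-04-01T06:00:03Z 203.0.113.10 cust-1003 password OK
2020-04-01T06:00:04Z 203.0.113.10 cust-1004 password OK
2020-04-01T06:00:05Z 203.0.113.10 cust-1005 password OK
2020-04-01T06:00:06Z 203.0.113.10 cust-1006 password FAIL
2020-04-01T06:05:00Z 198.51.100.7 cust-2001 token OK
2020-04-01T06:05:01Z 198.51.100.7 cust-2002 token OK
2020-04-01T06:05:02Z 198.51.100.7 cust-2003 token OK
2020-04-01T06:05:03Z 198.51.100.7 cust-2004 token OK
2020-04-01T06:05:04Z 198.51.100.7 cust-2005 token OK
2020-04-01T07:10:00Z 192.0.2.44 cust-3001 password OK
2020-04-01T07:11:00Z 192.0.2.44 cust-3001 password OK
2020-04-01T07:12:00Z 192.0.2.44 cust-3002 password OK
"""

# Hypothetical allowlist: IP ranges that contracted aggregators have registered
# with the bank under a business arrangement. Names and ranges are assumptions.
KNOWN_AGGREGATOR_RANGES = {
    "ExampleAggregator": ipaddress.ip_network("198.51.100.0/24"),
}

# Hypothetical threshold: a single source that authenticates as this many
# distinct customers is behaving like an aggregator, not an individual customer.
MIN_DISTINCT_CUSTOMERS = 5


def parse_log(text):
    """Parse the constructed whitespace-separated event format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, customer, method, result = line.split()
        events.append({"ts": ts, "ip": ipaddress.ip_address(ip),
                       "customer": customer, "method": method, "result": result})
    return events


def aggregator_like_sources(events, threshold=MIN_DISTINCT_CUSTOMERS):
    """Return {ip: set(customer ids)} for sources touching >= threshold customers."""
    customers_by_ip = defaultdict(set)
    for e in events:
        customers_by_ip[e["ip"]].add(e["customer"])
    return {ip: custs for ip, custs in customers_by_ip.items() if len(custs) >= threshold}


def lookup_aggregator(ip):
    """Attribute a source address to a registered aggregator, or None if unknown."""
    for name, net in KNOWN_AGGREGATOR_RANGES.items():
        if ip in net:
            return name
    return None


def classify(events, threshold=MIN_DISTINCT_CUSTOMERS):
    """Classify each aggregator-like source for follow-up by the bank."""
    findings = {}
    for ip, custs in aggregator_like_sources(events, threshold).items():
        name = lookup_aggregator(ip)
        methods = {e["method"] for e in events if e["ip"] == ip}
        if name is None:
            # Bulk access from an address no contracted aggregator registered:
            # due diligence and possibly an agreement are needed.
            status = "unknown_aggregator_like"
        elif "password" in methods:
            # Known partner still logging in with customers' shared passwords:
            # candidate for migration to the API/token channel.
            status = "known_aggregator_using_customer_credentials"
        else:
            status = "known_aggregator_token_access"
        findings[str(ip)] = {"aggregator": name, "distinct_customers": len(custs),
                             "auth_methods": sorted(methods), "status": status}
    return findings


if __name__ == "__main__":
    for ip, finding in classify(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

In the constructed sample, 203.0.113.10 logs in as six different customers with passwords and matches no registered range, so it is reported as unknown aggregator-like activity; 198.51.100.7 falls in the allowlisted range and uses token-based access; and 192.0.2.44 touches only two accounts and is not reported. In a real deployment the same logic would run over the bank's authentication logs with the aggregator ranges and threshold agreed under the business arrangement.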

What can data aggregators do next?

  • Be proactive in engaging with banks and financial institutions to define and establish relationships; 
  • Be prepared to provide substantive documentation related to an established information security program that demonstrates how customer-permissioned data is safeguarded;
  • Conduct, or be prepared to provide, an independent assessment/audit of information security controls (e.g., a System and Organization Controls (SOC) 2 report); and,
  • Engage with major market participants and consider entering into a business arrangement for sharing customer-permissioned data through an efficient and secure portal (i.e., API).

This guidance provides a significant opportunity not only for banks to better understand which firms are accessing customer-permissioned data, but also for data aggregators to align more closely with banks and provide a seamless and safeguarded experience for customers.

Endnotes

1 Office of the Comptroller of the Currency, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29 (OCC Bulletin 2020-10)", accessed March 31, 2020.

2 Office of the Comptroller of the Currency, “Third-Party Relationships: Risk Management Guidance (OCC Bulletin 2013-29)”, accessed March 31, 2020.

3 Consumer-permissioned data is the information that a consumer gives a business permission to access on their behalf.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Contact us

Gina Primeaux
Principal

Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Shaun Nabil
Principal

Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Deloitte Center for Regulatory Strategy

Irena Gecas-McCarthy
Principal

Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Jim Eckenrode
Managing Director

Center for Financial Services
Deloitte & Touche LLP

Austin Tuell
Manager

Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Kyle Cooke
Senior Consultant

Deloitte Risk & Financial Advisory
Deloitte & Touche LLP
