Managing third-party risk of data aggregators

April 14, 2020 | Financial services

On March 5th, the Office of the Comptroller of the Currency (OCC) released an update to their Third-Party Relationships guidance (Bulletin 2020-10 ) supplementing pre-existing third-party standards from 2013 (Bulletin 2013-29 ). While many of the updates are focused on clarifying or providing additional guidance to enable adherence to the third-party risk management (TPRM) expectations, the guidance, likely updated due to the emergence of open banking and banking-as-a-service, presents new implications for the growing customer-permissioned market segment of data aggregators.

Banking customers are increasingly gaining awareness of how their own financial data can be used to improve their daily lives. By authorizing third party data aggregators to access their sensitive financial data, customers are managing their budgets, identifying competitive products, and improving the management of their financial portfolios. This growing trend by customers, as well as the increase in fintech companies entering the financial services industry, creates new risks around how to best safeguard customer data. While banks must be proactive in defining, establishing, and managing these growing third-party relationships to better safeguard customer information, data aggregators can utilize the updated OCC guidance to better align with the industry third-party expectations.

The OCC is primarily concerned with the banking industry’s ability to meet its obligation to safeguard sensitive customer data, regardless of whether a bank has an existing business arrangement or if no business arrangement exists with a data aggregator. While banks allow for the sharing of customer information, as when authorized by the customer, the relationship with the data aggregator can vary. These types of relationships can include business arrangements, where the bank’s third-party oversight should adhere to the OCC expectations, as well as the more typical “screen scraping” methods of data aggregation in which a direct relationship with the bank does not exist and related oversight is limited or non-existent. Although the guidance does not appear to be expecting banks to adhere to the formal expectations of TPRM in the absence of a business arrangement with data aggregators, the OCC does appear to be requesting that banks take additional steps to understand the third-parties accessing their sensitive customer data to ensure there are proper safeguards.

Regulators will be looking for banks to demonstrate that they have instituted the appropriate oversight of data aggregators. The banking industry is taking notice of this guidance and banks may soon require that data aggregators sign agreements in order to access customer data. Banks may also consider alternative methods that make use of existing governance and information security capabilities.

What can banks do next?

• Be proactive in conducting due diligence to evaluate data aggregators accessing customer-permissioned data, including evaluating the reputation of the data aggregator and determining next steps (e.g., entering into agreements/business arrangements to better monitor and mitigate risk);
• Utilize existing security monitoring programs to identify data aggregator-based activity, ownership, etc. currently existing within the bank; 
• Enter into agreements/business arrangements with data aggregators to enable secure portal delivery (i.e., application programming interface or API) for a more efficient and safeguarded option to share customer-permissioned data; 
• Enhance or develop data monitoring, including whitelisting IP addresses with additional authentication controls to safeguard system access (e.g., establishing an authentication process minimizing potential data loss); and,
•  Determine which data aggregators can demonstrate that their existing security programs (e.g., security and governance practices) are effectively safeguarding customer-permissioned data. 

What can data aggregators do next?

• Be proactive in engaging with banks and financial institutions to define and establish relationships; 
• Be prepared to provide substantive documentation related to an established information security program that demonstrates how customer-permissioned data is safeguarded;
• Conduct or be prepared to provide an independent assessment/audit of information security controls (e.g., System and Organization Controls for Service Organizations 2 (SOC 2)); and,
• Engage with major market participants and consider entering into a business arrangement for sharing customer-permissioned data through an efficient and secure portal (i.e., API).

This guidance provides a significant opportunity not only for banks to better understand which firms are accessing customer-permissioned data, but also for data aggregators to align more closely with banks and provide a seamless and safeguarded experience for customers.