Against the backdrop of Open Banking, and in an effort to compete, financial institutions (FIs) must give consumers the ability to share their data with third parties, including FinTech firms. FIs, in turn, must also protect the security and integrity of that data, while giving consumers a sense of control over how and where it’s being used.
That’s been a tough line for most FIs to walk, Dave Fortney, executive vice president of product management and strategy at The Clearing House (TCH), told Karen Webster in a recent interview.
Historically, only the largest banks have had the resources — and the time — to devote to the extensive and technical application programming interface (API) integration, testing and compliance, and the legal and contractual reviews necessary to meet FI standards for data sharing, Fortney said. That has left smaller FIs, without those resources, at a competitive disadvantage.
After a year-long effort to address this disparity, TCH released a template this week, designed to help banks link with FinTech firms, connect to APIs and shorten the journey to financial services innovation.
Fortney said the template, known officially as the Model Data Access Agreement, sets forth a common foundation of generally accepted contractual terms as a starting point for these bilateral data agreements. Part of TCH’s Connected Banking Initiative, this agreement includes a technical component (the FDX API) that provides a consistent and secure protocol to connect FIs and FinTech firms.
The result, Fortney said, is a significantly shortened process (one that traditionally takes a year), since firms no longer need to negotiate terms each time they enter into agreements with third parties. The use of the agreement is voluntary, and parties can negotiate elements independently as they deem appropriate.
Fortney noted that the agreement is also an acknowledgement that screen scraping, which is partly done via automated browser interaction, is a less-than-optimal way for banks to let third parties access their consumer data. That leaves lingering concerns about security and data access — and how that data is used.
Making negotiations easier through at least some standardization, he said, is a strong step on the path from screen scraping to direct connections (via API) between FIs and FinTech firms. The data access agreements between traditional FIs and FinTech firms strive to address concerns over data transparency, security and control. That sense of control is indeed important — especially for consumers.
As just one data point, PYMNTS noted this week in its Consumer-Centric Authentication Playbook that nine out of 10 U.S. consumers want to be able to set their own authentication requirements when they access their bank accounts using digital channels. Only five of 10 consumers actually have access to such controls.
The Template For The Template
Fortney said the template’s development traces back to more than a year ago, before major banks such as JPMorgan and Wells Fargo announced agreements with Plaid, the firm that uses APIs to connect FIs and FinTech firms.
“The rest of the industry may be catching up with what JPMorgan and [Wells Fargo] have announced [with Plaid]. … That’s the reason these contracts need to exist,” he said, to foster data sharing. The move toward at least some standardization of terms and conditions, with a roadmap toward data access and liability, is especially important against a backdrop where the number of bilateral agreements mushrooms among smaller FIs.
To help set up the model agreement, Fortney noted that TCH asked some of the largest banks to contribute anonymized versions of their agreements. With those as a starting point, and with the help of an outside law firm, TCH created the model contract. The agreement was developed to be consistent with the CFPB’s Consumer Protection Principles, focused on data sharing and aggregation, he explained.
As it stands now, he told Webster, the bank typically has no contractual relationship with a data aggregator, and moving to a secure API has proven to be a “thorny” process.
“You cannot just open up an API without having some contractual terms governing the use of the API, or it puts you into trouble,” said Fortney. The Model Data Access Agreement, existing as a public document, is also likely to be of value to players even further downstream, such as large core processors like FIS and Fiserv — as they offer API-based services like processing.
He added that the direct connection model — cemented by concrete agreements between parties — will give consumers more control over what data is shared. By way of example, he pointed to Wells Fargo’s practice of setting up a “control tower” that shows a dashboard of permissions that have been granted, and where the consumer has the constant right to review and revoke those same permissions.
When asked by Webster if the debut of the Model Data Access Agreement represents a step by TCH to broaden its offerings as a bank-operated network, Fortney cautioned that the agreement is meant, at this stage, to be purely bilateral. “This could evolve into a network over time,” he said, “whether or not it’s TCH that does it.”
In the end, establishing best practices for third-party data access can obviate the need for policymakers and regulators to force that access, as has been the case in other parts of the world with Open Banking mandates, such as PSD2.
“We are trying to move the private sector forward,” said Fortney, “and that’s part of the purpose of this initiative.”