Technology that can pull together financial data from across the industry is increasingly popular.
Such aggregators give advisers a more comprehensive view of their clients' assets to improve the advice and financial plans they deliver. Aggregation also lets clients view all of their brokerage, banking, retirement plan and credit card accounts in a single location, helping them better understand their finances.
Some of these technologies aren't subject to bank or broker-dealer regulation and standards, though, and the convenience of aggregation has created new security and privacy vulnerabilities.
"As we continue to grow the digital economy, personal data is becoming the most important currency there is, and as an industry we have a responsibility and obligation to protect our clients' data," Lisa Kidd Hunt, executive vice president of business initiatives at Charles Schwab & Co. Inc. and chair of the Securities Industry and Financial Markets Association, said in a statement. "Our ability to capture information and data has never been easier, and our responsibility to protect it has never been more essential."
SIFMA released new guidelines Thursday on how member organizations should work with data aggregation. SIFMA CEO and president Kenneth Bentsen Jr. said the four data aggregation principles "provide customers with safe and secure access to their data and protection of their confidential account information, along with assurances that data aggregators adhere to the same data and security standards followed by regulated financial institutions."
First of all, the guidelines say customers can use third parties to access their financial account data, and SIFMA members believe the access should be safe and secure.
Customers should not have to share their account IDs or passwords with third parties. They should be assured that anyone accessing account information will keep it safe and follow the same security standards following by financial institutions, and take responsibility for any data they receive and provide to others.
SIFMA recommended that financial institutions provide a clear and conspicuous explanation of how a third party will access or use the data. Customers should consent affirmatively before aggregation begins and be able to withdraw consent easily and at any time with confidence that third parties will delete and stop collecting data.
Finally, SIFMA provided guidance on the scope of data access and use. Data on holdings, balances and transaction information are OK to share with third parties, while other nonpublic or confidential personal information is not. Account activities like third-party trading, money movement, client verification and other services beyond account data aggregation should have separate agreements.
SIFMA also encouraged firms to move away from "screen scraping" technology, which requires users to submit log-in credentials so an aggregator can access the account and automatically pull data from the financial institution's website. The practice increases the potential the data can be stolen in a hack or data breach.
Instead, firms and aggregators should use application programming interfaces, or APIs, that access data directly from the financial institution, SIFMA said, echoing a FINRA alert to investors last week.
David Johnson, the head of Morningstar ByAllAcounts, said the guidelines align well with how his team approaches data aggregation. Mr. Johnson said ByAllAccounts works with financial institutions to develop safe ways to share customer information, and collaborates with other aggregators like Yodlee and Quovo to help the industry understand how the technology works.
"We are all collaboratively working together to have the safest and securest way to show a holistic view of an investor's wealth," he said.
However, Mr. Johnson said there are emerging fintech companies that rely on financial data, but may or may not be using one of the major players in aggregation. These raise big concerns around security, especially when it comes to the movement of money and assets.
"Some firms are not going through the same security and due diligence," Mr. Johnson said. "We are proactively working with these firms, helping them create these API strategies."