Financial Data Exchange Issues Public Comment on Comptroller of Currency Notice
* * *
FDX's comments are intended to address the guidance in general and to respond to two specific questions posed by the agencies. These comments are drawn from the insight and perspective FDX has gained as an industry standards body with a diverse membership/1 across the financial services ecosystem. FDX specifically wishes to give the agencies a vantage point into the relationships between financial data providers/2 (i.e., financial institutions and banking organizations), data recipients/3 (i.e., third-party financial technology companies, or fintechs) and data access platforms/4 (i.e., data aggregators and ecosystem intermediaries) in relation to user-permissioned financial data sharing. In addition, FDX's comments are intended to inform the agencies about the progress and maturity of FDX since its launch less than 3 years ago, including a detailed view of FDX's mission, structure, and vision to implement common, interoperable, and royalty-free technical standards for user-permissioned financial data sharing.
About FDX
FDX is an international, nonprofit organization operating in the US and
FDX exists chiefly to promote, enhance, and seek broad adoption of the FDX API technical standard (formerly the Durable Data API, or DDA), which allows users within the financial data ecosystem to be securely authenticated without their login credentials being shared with or stored by third parties. Through broad adoption of the FDX API, screen scraping (the retrieval of financial account information using a user's provided login credentials) will eventually come to an end, and the flow of user-permissioned data between banks, aggregators and fintech applications (for example, in payments and online lending) will be more secure and reliable. Many of the largest financial services organizations in the US have begun implementing this standard in the last several years./5
Scope of FDX Comments
FDX is barred by its charter from taking positions on legislative and regulatory policy issues. Consequently, FDX is not able to provide comment on questions or parts of questions in the guidance that relate to specific regulatory decisions or actions. However, FDX does engage in "educational advocacy" to ensure that regulators, legislators, and policymakers are educated and fully aware of the work FDX is doing, the way this work interacts with certain policies and regulations, and the way innovations across the financial services ecosystem are giving consumers and businesses the ability to securely use and share their financial data. As a market-led standards body, FDX also advocates for technical specifications and standards designed and implemented by the financial services industry for user-permissioned data sharing as opposed to regulatory or government mandated technical standards.
Considering this, and in the context of the ever-changing roles and relationships between different financial services entities in the process of user-permissioned financial data sharing, FDX believes it is important to provide the agencies with a perspective on how the ecosystem works and answer two specific questions in the proposal:
* What other aspects of third-party relationships, if any, should the guidance consider?
* In what ways, if any, could the proposed guidance provide better clarity to banking organizations conducting due diligence, including working with utilities, consortiums, or standard-setting organizations?
Historical Snapshot of Standardization of User-Permissioned Data Sharing
Over the last two decades, significant innovation in financial services has been driven by end user demand for online financial management services, payments, credit decisioning and more that requires access to and sharing of financial data. While these new financial technology tools are often provided by companies that are not affiliated with an end user's primary financial institution, financial institutions themselves also offer financial technology products and services to their customers and are increasingly on the receiving end of financial data from other financial institutions as directed by their customers.
To utilize these services, users need the ability to be authenticated so they can authorize access to their financial data from their financial institutions to other financial data parties in a convenient, secure, and reliable manner.
In order to give these parties access to their financial records, end users have historically provided their login credentials to financial applications or data access platforms (known as credential-based access). In most cases, financial apps do not store a user's login credentials, but instead pass these credentials via an Application Programming Interface (API) to the data access platform. The financial application or data access platform can then log in to the financial institution's website and retrieve the user's data (this process is known as screen scraping).
While credential-based access and screen scraping have provided a pathway for consumers to use and share their own financial data to date, this legacy technology is inefficient and places stress on financial institutions due to the volume of automated logins. Most importantly, this method of consumer authentication and data access requires the sharing of sensitive consumer login credentials and gives consumers limited control over the amount of data they share with third parties.
Fortunately, market adoption of a more efficient and secure method of data sharing began a few years ago and should eventually replace shared login credentials and screen scraping in most scenarios. Specifically, tokenized access, in concert with API-based data collection, allows a user to be securely authenticated by their own financial institution and authorize the data provider to supply only the data they want to share. In fact, APIs make user-permissioned data sharing easier, more accurate and more secure. Not only do they remove credential sharing and provide dedicated data access, but APIs provide the ability for data providers to give consumers control over the type of data that is shared, with whom, for how long and for what purpose.
While the advent of APIs for financial data sharing has begun to change the user-permissioned data landscape, there was still a missing element - standardization. In fact, without standard APIs and additional standardization of authentication, authorization, certification, user experience and consent guidelines, financial institutions, financial data access providers and fintech applications and services will remain fragmented - using incompatible APIs, processes and even definitions of how a user is able to permission use of their own financial data.
Accordingly, FDX was born out of a desire among all entities in the user-permissioned financial data ecosystem to have standardized APIs available for all user-permissioned financial data.
FDX Comments
FDX seeks to provide the agencies its general perspective on third party relationships within the user-permissioned data sharing marketplace and answer the following questions. FDX also seeks to contextualize its comments with background on FDX's structure and work.
1. What other aspects of third-party relationships, if any, should the guidance consider?
Roles:
FDX defines four key roles within user-permissioned data sharing: End Users, Data Providers, Data Access Platforms and Data Recipients (defined below, with full FDX Taxonomy definitions in Appendix C). While each of these roles has traditionally been played by specific market actors, in today's user-permissioned data ecosystem financial services firms often play several of these roles, sometimes simultaneously. With this in mind, FDX standards are focused on the role itself rather than the type of entity performing that role. Accordingly, FDX encourages the agencies to consider how a role-based approach could affect the way third-party guidance applies to entities involved in consumer-permissioned data sharing, so that interagency guidance is able to maintain flexibility as the ecosystem continues to evolve and innovate.
* End Users: include consumers, individuals acting in a business capacity, and entities, such as a business or other legal entity, who are giving permission to share their data.
* Data Providers: the entities who hold End Users' Financial Account Information, including, without limitation, banks, credit unions and brokerages.
* Data Recipients: service companies, applications (financial apps), fintechs, financial institutions, products and services where End Users (on their own or through their End User Delegates) manage or act on their finances, whether actively managing their finances (such as moving money or applying for credit) or passively doing so (such as garnering recommendations or insights).
* Data Access Platforms: intermediaries that facilitate financial data access, transit, storage and/or permissioning on behalf of Data Recipients or End Users, also commonly referred to as "data aggregators". In some cases, Data Access Platforms may not have a direct relationship with the End User. The data may be passed through without modification or may be normalized in line with permitted objectives (e.g., parsed for readability or used to confirm other data). Data Access Platforms should not be confused with parties who gather data without obtaining End Users' consent, sometimes referred to as Data Brokers or Data Harvesters.
Balancing Data Access & Third Parties
FDX notes many variables in user-permissioned data sharing within the context of managing risks associated with third-party relationships.
First, the ability for consumers to access, control and share their own financial data, whether via authorized or direct access, is the central pillar upon which FDX is built. FDX's goal is to develop, promote and seek broad adoption of neutral market-led technical standards that enable the most secure and transparent consumer data access possible while preserving the ability for the market to continue to innovate and utilize the best technological approaches for data sharing.
Secondly, FDX recognizes that financial institutions are required to maintain sound risk management strategies, including addressing consumer protection, information security, and other operational risks, and that, until this proposed interagency guidance, uniform and consistent principles on third-party risk management have been lacking.
Thirdly, consumer demand and the ecosystem's desire to serve customers adds further complexity to this balance. Consumers have come to expect and demand access to their own data to use, share and leverage to their financial benefit. And consumers also expect that they alone have control of how their data is permissioned, shared, used, or accessed, as well as having the ability to revoke such choices. Additionally, consumers expect to be provided with clear information about who has access to their data, what purpose it will be used for and for how long. Finally, consumers expect that their data will be transferred as needed in a secure manner.
Evolving Responsibilities
As stated earlier, consumer data access entities in the user-permissioned data sharing marketplace generally occupy roles as data providers, data access platforms and data recipients as directed by the end user. Traditionally, financial institutions have played the role of data providers, data aggregators and other intermediaries have played the role of data access platforms and fintechs have played the role of data recipients.
However, rapid innovation in just the last few years means that the entities who play these roles continue to evolve and often overlap. Further, some of these entities can occupy multiple roles at the same time.
* Financial institutions increasingly play the role as both data providers and data recipients when their customers seek access to account data from other financial institutions or seek credit that may involve cross-institution data sharing.
* The role of a data access platform has expanded to include different industry utilities, intermediaries and approaches. In addition, some data aggregators are serving functions for financial institutions to allow for more seamless data sharing experiences, like managing end-user permissions and obtaining consent.
* While still in its infancy, even fintech apps may soon move beyond the role of data recipients and into the role of data providers with two-way data sharing or reciprocity that provides a flow of fintech data back to financial institutions.
FDX cannot comment on the specific regulatory aspects of business arrangements between financial institutions, data aggregators and fintech applications. However, in light of the ever-changing dynamics listed above and with an understanding of user-permissioned data sharing that is truly consumer-centric, FDX believes the agencies must consider user-permissioned data sharing separately from the more traditional way banking organizations utilize third parties for products, services, and activities. Specifically, FDX submits that third-party guidance must balance the need for data providers like banking organizations to maintain sound risk management practices, conduct activities in a safe and sound manner, and remain consistent with applicable laws and regulations, with the need for consumers to be able to access and share their own financial data with data recipients who may have no relationship with the data provider. In addition, agencies must ensure third-party guidance is flexible enough to adapt to market innovations and user demand.
2. In what ways, if any, could the proposed guidance provide better clarity to banking organizations conducting due diligence, including working with utilities, consortiums, or standard-setting organizations?
Financial data sharing innovations continue to accelerate with the increase in end users' demand for online financial management services, payments, credit decisioning and other applications that may require access to and sharing of financial data. And FDX believes that innovation in financial services is being enhanced via common, interoperable, royalty-free, and market-led technical API standards. In fact, common API standards like the FDX API offer superior security and end-user control. Further, market-led efforts bring together a vibrant and diverse ecosystem of financial services providers that gives the market varied perspectives that lead to a more robust understanding of consumer need and demand.
With this in mind, FDX encourages the agencies to consider how third-party guidance might prioritize the adoption of APIs and reduce structural disincentives that might delay their adoption and implementation. Specifically, and as a way to offer clarity to organizations working with standard-setting organizations, FDX believes the agencies can and should do more to acknowledge that common and interoperable API standards and tokenized authentication make consumer-permissioned data sharing easier, more accurate, and more secure than credential-based access and screen scraping. This includes incorporating these benefits into third-party risk assessment standards so that there are no inadvertent disincentives for financial institutions that wish to transition from credential-based access and screen scraping to APIs. For example, FDX found recent
On one hand, the very nature of many market-led technical standards bodies is to exist and operate outside of a regulatory structure. And yet, ecosystems developing and certifying technical standards often face a "catch 22" of sorts. Market entities want to maintain independence in technical standards work, but these entities also desire a supportive acknowledgement or reference from regulators to show approval of the standards themselves and the direction of the work. In fact, regulatory acknowledgements provide significant value. They provide a sense of stability in the work and standards themselves, and such references can also help an industry coalesce around common interoperable standards rather than pursue a multitude of proprietary implementations. This is especially helpful to smaller entities.
While FDX has not defined industry standards for business-arrangement due diligence between data providers, data access providers and data recipients, future FDX certification of FDX API implementations, and adherence to FDX standards and guidelines, should be usable in third-party evaluations. Specifically, certified testing of the implementation of FDX's specifications, processes, and tools ensures that user-permissioned data sharing is secure, transparent and traceable, and keeps the consumer in control. Additionally, regulatory acknowledgement of industry standards efforts could propel further industry standardization of different aspects of business arrangements in user-permissioned data sharing.
Considering this, FDX would like to submit three specific recommendations for the agencies to consider in third-party guidance:
1.) Reference & Acknowledgement - FDX encourages agencies to think about ways they can explicitly endorse or reference technical standards and certification organizations and the work they are doing. Specifically, FDX encourages agencies to evaluate Incorporation by Reference/8 as a possible tool to feature and include applicable industry-led standards work in third-party guidance. Such endorsements or references should also flow throughout the agencies - from the agency leads down to those tasked with regulatory oversight and enforcement within the agencies. Further, agencies should partner with standards and certification bodies to provide training materials on their standards so that agency officials are up to speed on the latest versions and certifications of a technical standard in the marketplace. Such deep understanding within agencies gives examiners who encounter an implementation of a certified industry standard the ability to understand how the standard works and what it means.
2.) Engagement - Agencies may want to consider ways to conduct regulatory engagement in areas where standards work may be beneficial. Especially in a digital world, where engineers can only code to 1 or 0, or where conformance testing often exists in a binary state (pass or fail), regulatory alignment with industry standards can be extremely important. For example, and while FDX cannot comment on specific policy or regulations, if there is a particular domain that the agencies would like to see technical standards address, then FDX welcomes that input, and the industry and their technical teams can work together to meet those requirements.
3.) Harmonization - FDX applauds the Fed, the OCC and the
Structure & Details of the Financial Data Exchange
As a technical standards body, FDX's members develop, enhance and adapt the FDX API and accompanying standards via a board of directors and over 30 different committees, working groups and task forces. FDX maintains fairness by ensuring that its membership is diverse and that all market segments within the larger ecosystem have the opportunity to participate in the work. FDX also employs a balanced leadership approach across all work streams with each committee, working group and task force co-chaired by a financial institution and a non-financial institution. Finally, every FDX member organization, regardless of size, type, or dues, has a single and equal vote.
FDX abides by the mantra of "Best idea wins," irrespective of firm size or type. The FDX board voting structure is also balanced by giving different market segments equivalent voting representation by requiring a super-majority of board members across industry sectors to agree on major decisions. The FDX API specification itself is free for any organization to download and use and membership starts with a no-cost tier for non-profit consumer advocacy groups and an affordable and revenue-based structure for all other entities.
Below are a few of the notable FDX Committees, Working Groups and Task Forces, with the full list included as Appendix B.
1.) Technical Review Committee: tasked with the ongoing maintenance and improvement of the FDX API technical specification, along with adopting or building other technical solutions to promote FDX objectives. The Technical Review Committee oversees several working groups to achieve these goals.
2.)
3.)
4.)
5.)
6.)
7.) Marketing, Public Relations and Government Affairs Working Groups: responsible for all communications functions of the organization including government affairs, public relations, and internal member communications as well as overseeing membership, marketing and FDX events.
8.) Open Financial Exchange: OFX joined FDX in 2019 as an independent working group tasked with maintaining and evolving the OFX standard as necessary to support the existing OFX implementations, while leveraging the work between the OFX and FDX standards and providing a migration path to FDX for OFX users wishing to migrate.
FDX Deliverables to the Marketplace
Since its launch in 2018, FDX has delivered key standards, guidelines, and best practices into the marketplace. Here are a few of the key FDX deliverables to date and those anticipated in the near future:
1.) FDX API Specification: Currently at version 4.6 (with FDX API 5.0 anticipated release before the end of October, 2021), the FDX API is the foundation of FDX data sharing standardization and offers consumers the ability to access over 620 different financial data elements, including banking, tax, insurance, and investment data, making it one of the most comprehensive
2.) User Experience & Consent Guidelines: As adoption and implementation of the FDX API expands, these guidelines are the product of months of work and significant consumer testing and are intended to accelerate design decision-making during implementation of data sharing experiences. The User Experience & Consent Guidelines also seek to align user-permissioned financial data sharing with consumer understanding, preferences, and expectations. These guidelines specify what information and control must be given to end users to ensure consistent data sharing experience regardless of where their data is held or who they are seeking to share it with. Specifically, concepts such as financial data sharing, data flow, and data clusters, followed by specific user experience guidelines for an end user grant consent journey for financial data sharing are defined in this documentation. Eventually, FDX certification will involve compliance with User Experience requirements and the guidelines will be tailored to each FDX defined Use Case.
3.) Taxonomy of Permissioned Data Sharing: In an effort to align industry stakeholders and help regulators and policymakers better understand and define the various roles and perspectives within the user-permissioned financial data ecosystem, FDX maintains a set of common terminology to be used as a taxonomy for the ecosystem. This documentation also includes a conceptual flow model to show how End Users interact with different participants within the current ecosystem that is evolving from legacy to new technology. The Taxonomy document/9 also provides a cursory comparison of similar terminology in the permissioned data sharing space among other parties such as the
4.) Global Registry: FDX is currently building an authoritative registry of trusted entities to help the user-permissioned financial data marketplace clearly identify ever-evolving technologies and new market entrants, as well as navigate the web of often proprietary, incomplete, and incompatible technical standards that complicate the market today. The FDX Global Registry will enable entities operating within the FDX and other ecosystems to reliably identify and verify trusted organizations, and will act as a market incentive for all entities to ensure the accuracy of the data itself, as well as of the transfer or exchange of that data. This registry will also support interoperability across a variety of financial services, industry sectors and jurisdictions. In addition, the FDX registry will provide information regarding the reliability and repeatability of data performance, traceability, transparency, and trust in FDX Certification(s); it will accelerate the adoption of standards and serve to bind the ecosystem players to each other. FDX intends the Global Registry to act as a non-profit, non-commercial, technology-agnostic, multi-tenant, cross-sector, authoritative international resource as well as a center of technical excellence.
5.) Use Cases: FDX use cases are testable data profiles that measure functional capability of an API against a broad business use of financial data. FDX defines these data profiles as a means of establishing functional baselines that APIs must meet to be considered useful by data consumers, but FDX use cases do not limit consumer data access. In fact, FDX encourages sharing of other data even when not defined in use cases as necessary to meet innovation and business goals. FDX recommends that any such sharing be in line with FDX's five principles of financial data sharing - Control, Access, Transparency, Traceability and Security (CATTS). So far, FDX has approved Personal Financial Management (PFM) and Credit Management and Servicing (to support credit decisioning and scoring) use cases. It expects to define and certify specific use cases in the future, such as money movement, account verification, tax preparation and fraud reporting.
6.) Developing a Certification Program: Creating a standard alone cannot promote it, drive its adoption, or guarantee adherence to it. A qualification and certification program is needed to ensure common implementation and interoperability of any technical standard, and it further limits the risk of data inaccuracy. Products (i.e., programs, services, and apps for consumer-permissioned financial data sharing) can be approved by a certification program that tests their technical compatibility and interoperability prior to their being marketed as a compliant product or obtaining access to certain intellectual property rights. Work continues on FDX's certification platform, and FDX recently released foundational requirements covering availability, performance, and security that implementations of the specification must meet to apply for an FDX use case certification.
7.) Annual
Conclusion:
Third-party relationships are inherent to user-permissioned financial data sharing. And yet, it is clear that user-permissioned data sharing adds significant complexity to the traditional understanding of third-party risk management. Specifically, (i) the advent of financial services entities often playing more than one of the four key roles within the user-permissioned data sharing ecosystem (End Users, Data Providers, Data Access Platforms and Data Recipients), (ii) the requirements on financial institutions to maintain sound risk management strategies, and (iii) the increasing consumer demand to access, share and leverage their own data for their financial benefit, all combine to challenge the current manner in which banking organizations utilize third parties for products, services, and activities. FDX thus encourages the agencies to consider how a role-based approach could affect the way third-party guidance applies to entities involved in consumer-permissioned data sharing, so that interagency guidance is able to maintain flexibility as the ecosystem continues to evolve and innovate.
FDX also encourages agencies to consider how third-party guidance might prioritize the adoption of APIs and reduce structural disincentives that could delay adoption and implementation of APIs for user-permissioned data sharing. Specifically, FDX suggests an increased agency acknowledgement and reference of the role industry standards might play in current and future evaluation of third-party relationships as well as examining other areas where engagement and harmonization can better align the regulatory view of third-party relationships in financial services with innovations that are taking place in the market.
FDX is encouraged by the coordination of the
View attachment at: https://downloads.regulations.gov/OCC-2021-0011-0056/attachment_1.pdf
* * *
Footnotes:
1/ FDX Members
2/ From FDX Taxonomy of Permissioned Data Sharing v. 1.0: Data Providers: the entities who hold End Users' Financial Account Information, including, without limitation, banks, credit unions and brokerages. Full Taxonomy in Appendix C.
3/ From FDX Taxonomy of Permissioned Data Sharing v. 1.0: Data Recipients: service companies, applications (financial apps), financial institutions, products, and services where End Users (on their own or through their End User Delegates) manage or act on their finances, whether actively managing their finances (such as moving money or applying for credit) or passively doing so (such as garnering recommendations or insights). Full Taxonomy in Appendix C.
4/ From FDX Taxonomy of Permissioned Data Sharing v. 1.0: Data Access Platforms: intermediaries that facilitate financial data access, transit, storage and/or permissioning on behalf of Data Recipients or End Users, also commonly referred to as "Data Aggregators". In some cases, Data Access Platforms do not have a direct relationship with the End User. The data may be passed through without modification or may be normalized in line with permitted objectives (e.g., parsed for readability or used to confirm other data). Data Access Platforms should not be confused with parties who gather data without obtaining End Users' consent, sometimes referred to as Data Brokers or Data Harvesters. Full Taxonomy in Appendix C.
5/ Examples of some publicly announced data sharing agreements mentioning FDX API listed as Appendix D.
7/ The
9/ FDX Taxonomy of Permissioned Data Sharing v. 1.0 listed as Appendix C
* * *
The notice can be viewed at: https://www.regulations.gov/document/OCC-2021-0011-0001
TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact