Evaluating data aggregators’ support of innovation and platform adaptability

Our articles in this series on data aggregation addressed evaluating data aggregation on coverage, data types and access methods, how modern financial apps are powered by user data and how data aggregators differ when it comes to data reliability and cleanliness. Access to financial data drives innovation, as evidenced by new digital banks and new fintech apps.

A new whitepaper by Fiserv outlines five categories of evaluation criteria for selecting a data aggregator. These include data reliability and cleanliness, coverage of institutional sources and data type handling, platform adaptability and support for innovation, security practices, and privacy, transparency, and reliability.

Platform adaptability and support for innovation

As fintechs build a wider range of personalized offerings, platforms’ data access must be adapted to support evolving business models. Kevin Hughes from Fiserv notes that “an expedited path to new offerings is critical. Additional data needs to be available in days or weeks, not months.” Adaptability means that a platform provider, working with its sources, can rapidly adjust the structured data provided to its customers’ needs.

Bryan Garcia, CTO at FinLocker, shares how this flexibility enabled a business model adjustment early on. “We needed historical data beyond the standard 90 days and worked [with a platform provider] to pull 12 to 24 months for our new use case.”

At one point, Garcia’s team re-evaluated their aggregation provider and asked a competitor about flexibility. “They basically said, ‘This is the data we pull; no more, no less’.”

Fintechs may need flexibility to move beyond traditional deposit accounts into bill pay or insurance, for example. Here, companies need to understand the vendor’s architecture and flexibility. Hughes of Fiserv explains, “Our APIs are configurable so I can turn something on for one customer that I don’t need to for everyone. Other platform providers see this as custom development work and are going to pass on those costs.”

Productizing common data uses via applications from a platform is another innovation area. One example: AllData PFM from Fiserv. This personal financial management tool aggregates data from most any online financial source, and applies balance and transaction alert, expense categorization, budgeting, and customized spending insights in a ready-made PFM solution. Users can embed these widgets into their app or service, or integrate into an existing banking site, as a value-add for end users.

Depth of partnership also signifies a platform provider’s commitment to adaptability and innovation. FinLocker’s Garcia recalls the initiative Fiserv took when FinLocker pursued Day 1 Certainty approval for its asset verification solution with Fannie Mae. With this program, lenders can access asset verification reports to accelerate preapprovals for their borrowers in minutes. But Fiserv also needed its controls and processes audited by Fannie Mae.

“They didn’t come back and charge us,” said Garcia. “They knew it would make all of us better and went through an 18-month certification. In talking to Fannie Mae, it was clear that not all third-party aggregators were willing to go to such lengths.”

All the platform executives interviewed for this paper urged prospects to clearly understand their customer needs and use cases – data sets and structures, response times, insight strategies – before deep platform evaluation. The platform provider then can counsel on design and facilitate fast deployment. This customer centric planning often distinguishes those fintech market leaders with a killer app, from the rest of the pack, according to FinancialApp’s Sullivan.

Security Practices

The protection of data by the integration platform on behalf of its data users and sources is a fundamental concern. In periods of disruption, such as the COVID-19 pandemic, concern heightens as consumers increasingly rely on digital applications to complete financial transactions.

Ken Blanco, the director of the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury, describes the tense reality of data aggregation security: “FinCEN has also seen a high amount of fraud ... enabled through the use of synthetic identities and through account takeovers via fintech platforms,” Blanco said. “In some cases, cybercriminals appear to be using fintech data aggregators and integrators to facilitate account takeovers and fraudulent wires.”

This creates a delicate dance between aggregators and financial institutions. Banks prioritize customer data protection and, naturally, worry about the liability of a data breach in conjunction with an aggregator. This prompts vigilant monitoring of aggregator traffic and screen scraping activities. If banks sense anything abnormal, they will cut off data access, disrupting app experiences. Moreover, insecure practices can invite regulatory intervention. In 2018, FINRA issued warnings about data sharing with aggregators, and in 2019, the FDIC inspector general also raised public concern.

For fintechs, an aggregator’s security approach matters for two key reasons. First, any data loss poses significant reputational threat. Second, data connectivity relies on the FI’s comfort with an aggregator’s security.

During the evaluation process, fintechs should determine:

• Does the platform provider follow industry best practices in network security design and implementation? For example, separate production, staging, development, corporate and specialty networks should exist, and access controls should be in place between each zone.
• Are other key controls in place: multi-factor authentication, token-based access credentials (like OAuth), resilient and redundant infrastructure, and data encryption?
• What other FI-critical systems has the platform providers maintained? These security experiences may inspire confidence in data users.
• Is the aggregator’s annual System and Organization Controls (SOC) report available for review?
• What data retention policies exist? Including, understanding what happens to customer data after account termination or deletion.

Data transmissions should employ end-to-end encryption, including encrypted data in motion. Tim Klemmer, Public Relations Chairman within the Corporate Communications working group at Financial Data Exchange, concurs. “If a platform is going to be viable, the data running through it must be encrypted at all times. And if an FI provides tokens representing customers, that platform should never hold those where data is stored,” he said.

Privacy, Transparency, and Compliance

While 54% of U.S. banking consumers use apps to help them manage money, 80% are not aware that apps may store their bank account credentials. Only 21% are aware that access is open until a user revokes their credentials.

Although one might first look to the FIs and application providers as the primary repositories and custodians of customer data, integration platforms also cache data. Because few privacy-related restrictions govern data held by aggregators, some providers have anonymized it and sold it to third parties without clearly notifying consumers.

Lawmakers are pressing the Federal Trade Commission to investigate aggregators’ data sales, though, given reports that even “anonymized” data can be unmasked using metadata and restructuring techniques. Look for clear delineation of data use and notification practices in the platform provider’s terms of service. Certain platforms declare outright that they will never sell data to a third-party.

Consumer unease highlights the need to understand aggregators’ data practices. FINRA recommends fintechs ascertain:

• What rights are being granted with respect to access. For example: how often are accounts scraped and data retrieved?
• That access is only for the service the customer elects to use.
• What type of liability, if any, does the aggregator bear in the event of consumer loss due to a data breach or unauthorized access. Does the aggregator have the financial capacity or insurance coverage to compensate consumers for loss? Is there a dispute mechanism in place to resolve any issues related to data breaches?
• How do customers terminate data access and rights? 

Some aggregators offer portals for consumers to monitor and control data use across the apps using a platform. Others provide customizable code letting their customers present all accessed data sources to their end users.