Involvement by regulators to create a new API standard for consumers and businesses to access their own financial data could slow down industry initiatives in the space, according to Don Cardinal, managing director of the Financial Data Exchange (FDX).
“The issue is, could the regulators stop [the FDX API standard] inadvertently? All they have to do is announce some new rules [or a new API standard for consumers’ financial data]. And the first thing everyone is going to do, is stop any development, stop any work in this space… because they are going to wait and see. Why build something that you are going to have to rip out?” says Cardinal.
“In that period [of regulatory uncertainty] all of the IDs and passwords that we are protecting…won’t be [protected]."
FDX was founded in 2017. It aims to provide a common API specification for the financial industry to allow consumers and businesses to easily retrieve their financial data. Cardinal says the organisation hopes that greater adoption of the standard will remove the need for screen scraping - when a third party accesses customers' financial data by logging into a digital portal with the customers permission, and 'scraping' data from the website. The practice of screen scraping has long raised concerns that banks do not have sufficient oversight of which third parties are accessing customer data.
In Europe, under the second Payment Services Directive third party providers are banned from screen scraping data held by banks on their customers' payment accounts. But many different API standards have been created across Europe.
On November 21, Cardinal spoke on the role of big data in financial services before the US House Committee on Financial Services Task Force on Financial Technology. The committee is monitoring the ethical use of financial data and the consumer protection mechanisms used by financial institutions.
The US Federal Trade Commission in March called for comment on proposed amendments to the Safeguard Rule and Privacy Rule under the Gramm Leach Bliley Act. The rules protect the security and privacy of consumer data within financial institutions. Under the proposed amendments to the Safeguard Rule, financial institutions would be required to encrypt all customer data and apply controls to stop unauthorised access to the data.
Although regulators have been encouraging of the FDX’s API initiative there is a reluctance by the organisation for them to join.
“In an emergency we can meet, vote, ratify, and publish a change within a day [to the FDX API standard]. A government would have to have hearings, would have to have public notification windows of 30, 60, or 90 days, and all the while whatever issue is burning, until they can then vote,” he says.
“So, you have this whole speed thing going on, and an industry group can always move faster.”
The organisation currently has 76 members consisting of financial institutions, fintechs, and data aggregators, but Cardinal says they have been approached with interest by a couple of large tech firms.
In a quarterly survey of its members, cardinal says there has been a significant increase in the number of customer credentials that have been converted to API, and driving the change is pressure to increase cybersecurity and the cost of screen scraping.
“As you see the number of data events, whether it be full on breeches or other issues in the press, as those go up, as cyber gets to be more and more of an issue, at the end of day we’ve realised it’s not a matter of if, but when,” he says.
“If you’re a bank or a brokerage, you are seeing a huge number of automated scraper sessions hitting your front door. Anywhere from 25-45 percent of your infrastructure to support online banking is actually just serving up screens to another computer, so it can scrape data for another app. If you can move that all off the front door, now you don’t have to buy as much hardware going forward – if I don’t have to support as many sessions, then I don’t have to have as much hardware, so it actually bends the infrastructure cost curve down, saving you money.
“It also then puts a finite cap on the exact data elements in play.”
While Cardinal believe the initiative has reached a critical mass in North America, getting core banking vendors on board will see greater adoption across smaller banking institutions. And although the spec is currently focused on the consumer and small business sectors, it could in the future incorporate standards like ISO 20022 for banks and corporates.