Customer Data Sharing: What you (and your customers) should know

By Cary Whaley


Carey Whaley

When I think about customer-permissioned data sharing, I am reminded of the scene from the movie, Ferris Bueller’s Day Off where Ferris and his best friend, Cameron, leave the keys to a Ferrari with an attendant only to discover later that the valet has taken the luxury sports car out for a joy-ride.

That’s all well and good in movies, but in the real world weighing the risk-versus the reward is no laughing matter.

In today’s marketplace, where there seemingly is an “app for everything” perceived convenience must be carefully measured against potential risks. According to a February 2018 Bankrate survey, over two-thirds of smartphone users have at least one financial app. These apps promise many benefits for consumers, including consolidated financial information, fraud identification, identity verification, bill payment, account and user validation, financial management, and financial advice.

However, many of these services come with a catch, -- consumer banking logins, the proverbial “keys” to their financial car, to provide the data that powers these apps. While community banks constantly remind their customers never to give their bank login credentials anyone else, many users do not truly understand the implications of forfeiting their logins.

These apps, the non-bank providers that operate them, and the aggregators they enlist to collect the data, pose a risk not only for consumers, but for their bank as well.  Unfettered access to a customer’s online banking portal can result in the data being shared or sold to unauthorized parties or account takeover in the event of a breach.

Community bankers are keenly aware of the challenges associated with managing direct technology vendor relationships. These challenges are exacerbated when consumers share their digital banking login with an entity with which the bank does not have a direct relationship and has not undergone the bank’s due diligence procedures.

Is there a responsibility for banks to share data with third parties? Legally, section 1033 of the Dodd-Frank Act requires a bank to make a consumer’s data and financial records available upon request.

However, the law does not require banks to provide permissioned third-party access to consumer data. In 2017, the Consumer Financial Protection Bureau published principles related to the sharing of consumer data. The nine non-binding principles cover:  access, data scope and usability, control and informed consent, authorized payments, security, transparency, accuracy, ability to dispute and resolve unauthorized access, and efficient and effective accountability mechanisms.  

Many banks allow access to third parties with consumer permission, so denying access could result in a competitive disadvantage or worse, lost business.

As a community bank, there are steps you can take to determine the impact of consumer-permissioned data sharing to your bank.

  1. Identify the extent of consumer-authorized access to online and mobile banking platforms.
  2. Assess the types of risks related to consumer-permissioned data sharing.
  3. Develop a policy for customer-permission data access.
  4. Work with your technology providers to determine ways to grant consumer-permissioned data access without sharing customer login credentials.
  5. Educate your customers on the risks associated with sharing login credentials.

ICBA offers a useful reference guide as well as educational resources for your customers that address consumer-permission data access best practices. Additionally the Consumer Financial Protection Bureau recently posted What to consider when sharing your financial data, which provides  consumer-focused education on how data sharing works.

We also continue to advocate on your behalf and maintain an ongoing dialogue with policymakers on the best ways to ensure consumer privacy and continue to protect your customer’s financial data. Additionally, ICBA actively participates in two groups, Financial Data Exchange (FDX) and Afinis, that are developing API standards to eliminate the need for consumers to share their login credentials with a fintech apps. 

Because when it comes to protecting customer data, it’s essential that community banks remain in the driver’s seat.

Cary Whaley is ICBA first vice president of payments and technology policy.