57 BANKING PERSPECTIVES QUARTER 4 2018 data aggregation and security efforts should adhere. This status quo creates a number of challenges for the industry. For example, new FinTech startups may have a harder time getting their products to market if they need to meet different technical requirements for every financial institution with which they seek to partner. The financial services sector should come together and adopt a common set of data aggregation standards and data security standards. To advance this goal, TCH became a founding member of Financial Data Exchange, a nonprofit organization that aims to unify the industry around secure financial data sharing. FDX is promoting the widespread adoption of an API called the Durable Data API or DDA, which has significant benefits for financial institutions, FinTechs, and consumers alike. The organization has also developed an operating framework, policies, membership, auditing processes, and developer support to expand the use of DDA. “FDX’s work is an important element in the move toward more secure, seamless and consumer-controlled data sharing in financial services,” said Steve Smith, co-chair of FDX. “A common and interoperable standard will enhance data security, make it easier for financial institutions and third parties to share data and speed up innovation with new financial services products to come to market.” MODEL AGREEMENT TCH and our member banks are developing a model agreement that can be leveraged as a starting point for financial institutions, FinTechs, and other third-party data aggregators as they consider establishing relationships with each other. The agreement outlines suggested terms in key areas that parties should consider as they enter into agreements for providing permissioned sharing of customer data. These key areas include customer permissions and informed consent for data aggregation and sharing; questions of legal liability; service-level agreements; data access methods and minimum security requirements; data access for other parties with whom the third party may share consumer information; and dispute resolution. It is important to note that the agreement will be entirely voluntary; its provisions will serve as guidelines rather than requirements. Parties may use and modify terms as they see fit during their negotiations. The goal of the model agreement is to provide comprehensive guidelines that save time and resources in the negotiating process and lead to agreements with strong data security provisions. TCH and our member banks are currently soliciting input from FinTechs and other data aggregators on the model agreement. We value their feedback and view the agreement as a template that will continually evolve over time to meet the needs of both FinTechs and financial institutions. GUIDELINES FOR CONSUMER PERMISSIONS AND CONTROL MECHANISMS To maintain consumers’ trust in the data sharing process, it is important that financial institutions and FinTech apps offer mechanisms through which consumers can grant permissions and control how their information is being accessed, used, stored, and shared. TCH and our member banks have outlined six elements that such mechanisms should cover: 1. CONSUMER DISCLOSURES: Financial institutions and FinTech apps should disclose to consumers the accounts and data types that a third party needs to access to perform its services, and alert consumers if other entities will or may access their information. The extent of the disclosure should be informed by the sensitivity of the data. 2. CONSUMER CONSENT: Consumers should be given the opportunity to provide explicit consent to each third party that wishes to access their data. The consent should cover which data type(s) the third party can access, how that data is used, which other parties may receive it, and the frequency and duration of data access. We invite all participants in the financial services ecosystem – including FinTechs, data aggregator intermediaries, financial institutions, regulators, consumer associations, and bank associations – to take part.