The Future of Payments

A Matter of Trust 58 BANKING PERSPECTIVES QUARTER 4 2018

3. ACCESS PERMISSIONS: Once data access has been granted, consumers should have the ability to manage their permissions, including by modifying permissions, revoking consent and having “the right to be forgotten” (i.e., the ability to revoke data access in such a way that the data is no longer stored by the third party).

4. OPT-IN PRINCIPLES: FinTech apps and other third parties should create transparent opt-in mechanisms to obtain consumer consent for all instances of data collection. Opt-ins should happen when a consumer first starts using a FinTech app, whenever the app is updated, and if the consumer permission expires.

5. PERMISSIONS EXPIRY PROTOCOLS: Financial institutions should consider establishing guidelines for when consumer permissions for data access expire. There are different approaches financial institutions could take. They may require third parties to renew consumer consent if a consumer has been inactive on an app for a certain period of time, or they may require renewed consent when certain events, such as a data breach, occur.

6. PROPOSED CUSTOMER PERMISSIONS EXPERIENCE FLOW: TCH and our member banks developed a proposed step-by-step process for obtaining consumer permissions for data access after a consumer chooses to sign up for a FinTech app.

TRUSTED THIRD PARTIES

Under current data sharing practices, security protocols often lead financial institutions to investigate data requests from FinTech apps with the same scrutiny as requests from other, less trustworthy third parties. This creates significant inefficiencies in the system, consuming financial institutions’ IT resources and delaying FinTech apps’ access to consumer information.

A registration and assessment process could offer much-needed relief in this regard. Through such a process, a FinTech app would have the opportunity to become a trusted third party with a financial institution.
The process would be managed by an independent consortium or standards body. That organization would evaluate FinTech apps and other third parties based on a set of predetermined criteria, such as whether they use acceptable authentication protocols, adhere to recommended security standards, and meet consumer transparency and permissions standards. Third parties that pass the assessment would receive a credential, which financial institutions could use as an indicator that a third party is trustworthy and its data requests require less scrutiny.

A CALL FOR A COLLABORATIVE, CROSS-INDUSTRY EFFORT TO MAINTAIN CONSUMER TRUST

These consumer financial data sharing activities are part of a series of steps that TCH will be taking to support safe and secure consumer data access, and more information about the priorities will be available in the future. There are also already examples of industry stakeholders spearheading efforts, such as FDX, that fulfill various focus areas. We invite all participants in the financial services ecosystem – including FinTechs, data aggregator intermediaries, financial institutions, regulators, consumer associations, and bank associations – to take part. Through a collaborative, cross-industry effort by all stakeholders, the financial services sector can ensure that consumers’ expectations for data security are being met and consumer trust – the foundation of our industry – is maintained.

To learn more about TCH’s consumer research on FinTech apps and data sharing, see this infographic: https://
The full survey report is here:

ENDNOTES

1 “Fintech Apps and Data Privacy: New Insights from Consumer Research,” The Clearing House, August 2018. https://www. Privacy/TCH-Consumer-Research-Report-08-20-2018.pdf

2 “Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens,” The New York Times, March 19, 2018. cambridge-analytica-explained.html

3 “Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation,” Bureau of Consumer Financial Protection, Oct. 18, 2017. https://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf