David Hamilton, president and CEO of eWise Group, comments on the impact of data-driven economies on private banks and their data aggregator service providers.

The modern economy, labelled as the Personal Data economy, is portrayed as data-driven and can only be realised if data can flow and drive new innovation in all sectors.

The private banking industry is highly impacted by this trend, as gathering personal financial information from clients is key. Having a consolidated view of customers’ financial data allows private bankers to target and customise their advice in order to achieve their clients’ personal goals.

Private bankers are using consolidation services to collect financial data from all the banks and financial institutions where a client holds online accounts, displaying the data in a single interface. The aggregated data is then shown as an online summary of the client’s assets, funds, stocks and other holdings, which could be complemented by other services from the private bank such as personalised analysis.

The personal data aggregated by these services has to be protected to guarantee the highest security and privacy. Data-driven economies can only be achieved when there is consistency with user preferences and expectations; it is key to earn trust by avoiding breaches of data security.

Personal data is now seen as more valuable than gold. Breaches in personal data security are an alarming issue, especially for the private banking industry, which accesses highly private information such as clients’ accounts across all their financial institution relationships.

Last year, we witnessed a mini data security war between several retail banks and third-party account aggregation providers in the US. JPMorgan Chase, Wells Fargo and Bank of America cut off access to account aggregation services for fear of a security breach. The Wall Street Journal reported that the banks “have raised concerns that the aggregator sites may threaten consumers’ account security and the performance of bank websites.”

A JPMorgan spokeswoman said: “In the meantime, we want our customers to realise that they may be trading account security for convenience when handing over their password” to third-party sites.

The known downsides to account aggregation are highlighted in the server-side aggregation approach. Privacy is a concern because users must disclose their usernames and passwords to the banks or third parties providing the aggregation.

The end result: the ‘domino effect’ of data security. Customers are opting for simplicity and easy access. Financial institutions are in a bind because the perceived implication of convenience is the loss of privacy and access by third parties to their clients’ sensitive financial data without their explicit consent.

In a world where personal data security is increasingly under threat, how do private banks offer their customers comprehensive account aggregation tools without becoming the custodian of customer data, particularly the customers’ usernames and passwords, and therefore becoming a larger target for hackers and increasing the risk of data loss?

Private banks understand customer demand for simplicity: aggregating all their financial accounts in one place. The answer to their concerns is to opt for a client-side aggregation model, where all the data is aggregated and saved on the user’s device and not shared with third parties. The aggregators blocked by the US banks last year aggregate the user’s financial data and store that data on the service provider’s server in the cloud, the so-called server-side aggregation model.

It means the data aggregation service provider saves the login details and passwords of the user on their server in order to access the data whenever they need. This common architecture is not the only way to perform account aggregation. As a secure and private alternative, the client-side aggregation model, invented and patented by eWise in 2000, never requires the customer to disclose their online credentials to the aggregator provider or the private bank, and all aggregation is performed on the customer’s chosen device.
All data and information is encrypted and stored on the customer’s device in a Personal Data Vault, where the customer can choose to share their data with their trusted private banker through permission management.

In line with security best practice, encryption keys are not stored on the device but rather on ‘zero-knowledge’ servers. Separating the place where the personal data is stored (the user’s device) from the place where the key to open the Personal Data Vault is stored (eWise servers) guards the user’s Personal Data Vault against compromise.

In the eWise client-side model, the private bank offering the data aggregation service never becomes the custodian of the customer’s online credentials. Through permissions granted by the customer, information they hold with external financial services providers may be shared with the private bank from the Personal Data Vault.

This approach not only offers customers greater control and choice over their personal data, it also eliminates the compliance, legal and security risks of online credential custody for the bank. One effect of the implicit credential sharing in the server-side aggregation model is that the service provider has access to users’ financial data and can then anonymise and sell that data.

As companies invest in customer insight and explore better opportunities for cross-selling and increased revenue, personal data is the key to those insights. There is very high demand from companies to acquire this data. But taking care of users’ privacy also takes care of the company’s objective.

The goal of getting more insights in order to achieve better cross-selling opportunities could be achieved in a private and secure way that is mutually beneficial. With eWise’s patented client-side aggregation, customers take back control of their personal data and benefit from choosing who they want to share data with.

Learn more at www.ewise.com