Fidelity data-sharing hub aims to end screen scraping
Fidelity has formed a new business to act as a data-sharing middleman between banks, data aggregators and fintechs.
The new firm, called Akoya, will offer a software platform and negotiating hub designed to address the sticking points around the issue, including what data can be shared, how it's secured, and who is liable when something goes wrong. Like other touted solutions, Akoya is trying to replace the still-common practice of screen scraping, in which consumers give up their online banking username and password to fintechs, with more secure data-sharing application programming interfaces.
“There’s demand for this as data sharing and data aggregation become more front and center of the banking landscape,” said Stephen Greer, senior analyst at Celent. “The aggregators have historically been more fintech friendly and almost seem like an invasive species to incumbent banks. Akoya comes from more of the institution side first, working to meet their needs rather than fintech needs.”
This will also be Akoya’s challenge, Greer said — balancing the needs of fintechs and banks.
“If I'm a fintech that has a machine learning algorithm that works better if I can ingest as much data as possible, I want as much customer data as I can get my hands on because I never know what my machine learning algorithm is going to pick up on," he said. "But if I'm the bank, I'm going to want to limit the amount of customer data third parties can get, and have them tell me why they need it.”
Why it's needed
Two years ago, Fidelity created an API for data sharing called Fidelity Access.
“As we rolled it out, we realized quickly that every financial institution needs to do the same thing,” said Stuart Rubinstein, president of Fidelity Wealth Technologies and head of Akoya. “Why are we all spending the same money to build the same thing, which is pretty much a utility, a commodity service? Perhaps we could find a platform that would serve our needs, almost a network that sits in the middle between financial institutions, data aggregators and fintechs.”
Unable to find such a platform, Rubinstein talked to bankers about the idea of Fidelity building a software hub for financial data aggregation. The feedback was overwhelmingly positive, he said. Akoya intends to be the hub for negotiating data-sharing agreements and for passing information between entities. It's currently onboarding Fidelity as its first user and expects to bring on several financial institutions and data aggregators this year.
Banks’ bilateral agreements with data aggregators have been fraught with friction and disputes for years. Plaid and Capital One, for instance, had a public laundry-airing over their differences. Plaid sought to obtain routing numbers and move money between accounts, while Capital One did not want to grant it that level of access. (They’ve since resolved the matter.)
Banks often want to have firm control over what customer data is shared, while data aggregators and fintechs want the ability to grab whatever information they need as their products and services change. Banks also want to not be held liable if something goes wrong at a data aggregator or fintech (a data breach or lapse in service, for instance). But data aggregators and fintechs are concerned about taking on excess liability, as they sometimes feel agreements force them to do.
How it works
Akoya is creating generic data-sharing agreements that could work like the common college application, with general clauses that would apply to everyone but provide room for modifications and added requirements.
“If an institution wants to insert an extra clause or two or a few, we’ll have the ability to put those clauses in,” Rubinstein said. “There are also some cases where the institution and the recipient already have an agreement in place, and that institution may want to outsource the management of the relationship and even the flow of the data to Akoya, but they want to keep that agreement. We can support that as well.”
Akoya will also facilitate the data sharing. It will tokenize data using OAuth 2.0 with OpenID Connect, which many banks and aggregators already use.
It will use whatever APIs banks already have in place, noted Wilson D’Souza, Akoya’s chief technology officer.
Where a bank’s APIs don’t meet the standard of the Financial Data Exchange API, Akoya will normalize the bank's data into something that looks like the Financial Data Exchange API, so recipients of the data will receive it in a standard format.
Akoya is building an API developer hub that will let financial institutions, data aggregators and fintechs build their own APIs. Akoya plans to work with the major core banking software providers to help their software be compatible with its hub.
“We think we can gradually grow and create this network effect,” said D’Souza.
The Akoya team is working with the Financial Data Exchange to define use cases and the data that needs to be shared in each. There might be one API for fintechs that help people do their taxes; it would only gather the data needed to complete tax forms. Other APIs might be created for mortgage apps and PFM apps.
Akoya will also provide a management console that lets banks monitor their data-sharing relationships and, for instance, react quickly to a data breach at a partner.
“Ultimately financial institutions answer to the consumer, protect trillions of dollars of assets, and answer to regulators, so they need to have that oversight,” Rubinstein said.
Akoya will also provide a dashboard that banks can offer their consumers, to let them see which fintech apps they’ve permitted to obtain their bank account data. This will look a little like Wells Fargo’s Control Tower app.
“The consumer grants that access, the bank is able with our help to record that so they can help the consumer monitor their outstanding connections and be reminded periodically that they have the connection and have the ability through the bank to revoke that consent at any time,” Rubinstein said.
The consumer could see, for instance, that even if he or she stopped using an app, that app is still drawing data from their bank account each month.
Banks will pay for Akoya; data aggregators and fintechs will receive data at no charge, at least for a base level of service. Rubinstein argues that the fee banks pay, which he couldn’t disclose but said will be based on volume of data, will be lower than their cost of supporting their current data aggregation infrastructure.
No data for Fidelity
Akoya will not store, look at, or resell the data, Rubinstein said.
“We only normalize it to send it out, and then we delete it,” he said. “We heard loud and clear from a group of institutions who served as an advisory panel for us, they did did not want their data being stored in one more place. We’re not creating a honeypot of data.”
Akoya tokenizes the data, so if there’s weaker security at a recipient than at a bank, those tokens could not be used directly at the financial institution. The Akoya executives emphasize that although Fidelity is an investor in Akoya, the parent company will not obtain any of this data. This was another key point made by bank executive advisers.
“We fully respect that this is not our data. We’re doing a managed service for others,” Rubinstein said.
The Akoya premises are in a separate secured area of the building, D’Souza added.
“We are in a separate network, on a separate infrastructure, our laptops are separate,” D'Souza said. “I look at the Fidelity office as a more polished WeWork. Our cloud infrastructure is completely independent. We have our own controls.”
Bankers' biggest concern about data sharing, besides the risk of losing customers to fintech competitors, is liability. There’s a sense that if anything goes wrong at a data aggregator or a fintech, the customer will blame the bank and expect it to fix the problem. Also, banks typically have deeper pockets than data aggregators and fintechs, and therefore suspect they will be required to pay to make customers whole even if they weren’t responsible for what went wrong.
“Our basic philosophy around liability is simple: Whoever causes the consumer or the institution harm needs to make good on that,” Rubinstein said. “When we have the data, during the milliseconds it passes through us, we need to be responsible. When the aggregator holds the data, the aggregator needs to be responsible for anything that happens on their watch, and when the client has the data, we believe the client needs to be responsible for what happens. That is reflected in the agreements.”
The parties will be expected to help with investigations and assume liability when they are at fault.