Over the last decade, the financial technology industry has seen an explosion of new and innovative solutions to the financial industry. From mobile banking to remote deposit capture and interactive teller machines, members are interacting with a number of different technologies and vendors. The companies bringing these solutions to market often provide flexible and valuable solutions that can usually be integrated into any core platform. With solutions available in nearly every aspect of the financial service industry, it is easy to see why so many credit unions are partnering with these providers to drive value to members. It is often looked at as a quick and inexpensive way to provide products or services not currently available to their members today.
Improved technology means increased data demands
About 30 years ago, one of the only ways for a member to interact with their financial data was through in-person transactions with a teller at their local branch. Then came phone banking, ATMs, online banking, financial aggregators, and mobile apps. Today, a member can interact with their account information 24 hours a day, 7 days a week from nearly anywhere in the world. This not only increases the frequency that members interact with their account information, but also pushes the traditional boundaries of what members expect from their financial institution.
Whether it is through data transfers, shared protocols, mobile applications, file transfers, or APIs, these FinTech providers typically require a connection to core data to provide their services. Sometimes they simply read data from the core and use it to provide their value-added services, while in other cases they are updating or providing new data back to the core. While most requests are for financial data, some systems are putting their focus on personal, behavioral, and engagement data. Put simply, many providers have realized that while the product or services are valuable, there is more potential value in collecting and analyzing member data and behavior.
Understand what each vendor is asking for
One department at my CUSO focuses on working with credit unions and vendors to help connect these services and provide an interaction between our core and these FinTech products and services. During this process, one of the key steps is to map out the movement of data from the core to the vendor providing the new functionality. Over the years, we have seen these providers ask for more and more data, often more data than one would expect is needed for the service they are providing.
In some cases, this is because they also offer additional services and having a standard data specification allows for a more streamlined integration. Other times, the data provides these vendors with a way to analyze additional data, and then identify more products and services to sell to you down the road.
While all data is not an equal risk from a security perspective, depending on the nature of the integration, a vendor may request personally sensitive data (SSN, birth date, etc.) or financially sensitive information (account numbers, credit card numbers, etc.). In addition, some products directly interact with your members directly for information or to store online banking user ID and password.
The important thing to remember here is that when an engagement like this takes place you understand the data security, data retention, and communication protocols they have in place should a breach on their end put your member data at risk. In the past if an institution had member data leaked or compromised, it was likely a leak from the financial institution or their core provider. Today, as credit unions work with more and more FinTech vendors, this risk continues to grow and could happen from a verity of third-party providers.
Make educated choices about your data
This does not mean that credit unions should avoid working with these providers, but rather should encourage them to put more focus on ensuring they understand and accept the data being moved with each vendor providing these services. Often you can mitigate risk by removing sensitive data elements that are not critical to the service being provided or work with vendors to modify their data retention policies to reduce exposure. In stressful or excited times, it can be easy to chase after the shiny new object and the value these products provide, and not enough time understanding what data is being exchanged…and why.