SIFMA, American Bankers Association (ABA) and Bank Policy Institute (BPI) provided comments to the National Institute of Standards and Technology (NIST) in response to Draft NISTIR 8389: “Cybersecurity Considerations for Open Banking Technology and Emerging Standards.”
While acknowledging that NIST identified the importance of cybersecurity and privacy safeguards in the consumer financial data sharing ecosystem, the associations said that the report does not adequately address these important considerations or acknowledge the evolution in data sharing that has occurred in the US in recent years and that continues apace.
In the United States, shifts in consumer demand for more digital and interactive financial products and services have dramatically changed the marketplace, which now includes an increasing number of fintechs and other companies not subject to the same comprehensive regulatory oversight as banks, but increasingly facilitating access to sensitive consumer data to provide such products and services.
This surge in adoption of digital products and services has accelerated banks’ efforts to leverage market-developed technological solutions to help meet customer demand while ensuring consumers’ sensitive financial data is kept private and secure. Unlike other jurisdictions in which consumer financial data sharing has been mandated by government action, this expansion of consumer data access in the United States has developed via innovation in the marketplace. Under an industry-driven approach, participants can innovate and adapt more quickly to market changes and develop safer solutions.
“We have concerns that the report does not sufficiently address all of the complexities and risks that an open banking regime may introduce, nor does it provide recommendations for cybersecurity or privacy standards, contrary to both the title and purported purpose of the report. In addition, the report generally endorses open banking without providing a complete discussion of the potential benefits and risks of increased data sharing and recommending appropriate privacy and cybersecurity measures to address those risks, consistent with the thoughtful approaches employed by NIST in development of the Cybersecurity and Privacy frameworks, respectively. Nor does the report reflect consultation with key stakeholders in the data sharing ecosystem such as banking organizations, fintechs, or the Financial Data Exchange (FDX), an industry standard-setting body that was established for the sole purpose of developing security protocols for Application Programming Interfaces (APIs) to facilitate a more secure connected banking ecosystem.”