The Standoff Between Banks and Money-Management Sites

Ultimately, it will boil down to who wins at cybersecurity



For a few years, there’s been a tug-of-war in the world of finance between banks and burgeoning personal-management sites such as Mint.com. Essentially, they’re competing for big data and the larger insights that come from it, which is central to business growth. Now the SEC and FTC, which have become more vocal about cybersecurity compliance, may be the ones to decide who should stay and who should go.

Banking giants JP Morgan and Wells Fargo have argued that these data-aggregation sites are not held to the same standards as banks, thus putting customer data in danger. Truth is, they can’t do much because the Dodd-Frank Wall Street Reform and Consumer Protection Act mandates that customers have electronic access to their financial records anytime they choose. So when clients want to link their accounts to a third-party site, banks typically retaliate with stern warning language and slow data transfers.

Under scrutiny by the SEC, in particular, large financial organizations have been investing heavily in cybersecurity to adequately protect data and respond to attacks. The International Data Corporation estimates that their cybersecurity spending will increase 38% by 2020 to nearly $102 million.

States are getting in on the action, too. New York’s groundbreaking regulation (full name: “Cybersecurity Requirements for Financial Services Companies”) went into effect last month. And Colorado is right behind the Empire State, with a proposal aimed at placing the onus on financial advisors and brokers to protect client data.

In contrast to banks, money-management sites are far less policed—largely because they do not engage in fund transfers. Some of these sites have argued that their data-collection methods are not only secure on the password level, but that the macro picture they provide allows customers to easily monitor their own accounts for illicit activity.

But that logic may not work for long. According to The Hill, the FTC will probably find jurisdiction where the SEC cannot, regulating “the information security practices of non-banks engaged in financial activities through its Safeguards Rule, which likely covers many data aggregators.” The Safeguards Rule mandates that “financial institutions must protect the consumer information they collect.”

Meanwhile, the Office of the Comptroller of the Currency announced its intention to “move forward with issuing special-purpose national bank charters to financial technology companies.” This means personal financial-management sites could be held to the same laws and regulations as banks. Money-management sites would have to accept the fact that security tools that aren’t built for threat visibility and big data (such as password-level protection, firewalls, and even SIEMs) are not only doomed to fail—they could lead to heavy fines.

In his story for The Hill, Todd Taylor, an attorney at Moore & Van Allen, which focuses on finance, predicts that the two sectors may begrudgingly have to work together. “Regulations recognizing the responsibility of all participants to equally protect and securely distribute customer data,” he writes, “may further help these collaborative efforts.”

Banks have been learning the hard way about the need to secure data through more advanced, machine-learning analytics. Ironically, the best way for finance-management sites to compete with Big Money is to learn from their mistakes, then follow their lead.

