All Aggregation Platforms Are Not Created Equal: A Security Perspective
White Paper
Envestnet | Yodlee. For more information, go to yodlee.com
The digital era has arrived for banking and financial
services. Online and mobile banking and financial services
are quickly becoming the channels of choice for today’s
digitally savvy customers. Nimble nonbank and new-era
financial advisors, unencumbered by brick and mortar,
legacy systems, and outdated processes, are using the
power of the Internet to entice customers away from
traditional wealth management firms. These upstarts
are using data aggregation technology to mine valuable
financial information to more accurately target customer
needs and customize offerings, almost before these
consumers realize they need them.
Key to this compelling approach are powerful, innovative
FinApps® that leverage data held by traditional financial
institutions. By their very nature, these solutions access
sensitive personal and financial consumer details found
within secure online banking, brokerage, bill pay accounts,
and more. The challenge for any financial service provider
is how to both enable online and mobile banking services
powered by aggregation technologies yet also protect
customers from data loss while also adhering to regulatory
and legal requirements.
Financial institutions must embrace the digital era, and
they must do so now to avoid market share loss as more
customers come to expect the ease and convenience made
possible through the digital channel. To do so, all financial
service providers must evaluate and manage the risks of
enabling access to their systems by aggregators in support
of their customers, with a focus on the crucial aspects of
security, privacy, risk management, and compliance. As a
trusted partner of many of the world’s leading financial
institutions and a provider of the premier consumer data
aggregation platform, Envestnet® | Yodlee® has broad and
deep experience bridging the gap between innovation and
security.
Privacy and Security Best Practices
When evaluating the risks of aggregation technology,
security of your customers’ data should be top of
mind. Many aggregation providers have no direct relationship
with, and therefore no direct obligations to, the financial
institutions that hold their customers’ accounts and data.
This means that once the aggregation provider has accessed
your customers’ personally identifiable information, its
security is unknown to the financial institution (FI). It is
the FI’s responsibility to ensure that
appropriate security and risk management protocols are
in place, with the appropriate physical, electronic, and
procedural safeguards to ensure all financial information
is protected against unauthorized access or misuse.
Unfortunately, providing these controls is too great a task
for most early-stage financial technology service providers.
Before you allow an aggregator access to your customers’
valuable data, make sure the service provider follows
industry best practice guidelines in the design and
implementation of their network security environment. For
example, they should provide separate production, staging,
development, corporate, and specialty networks, with
access control devices between each zone. They should
further segment networks within each zone to apply
granular security and audit controls appropriate to each
function. Other key controls to ask about include restricted
access to the data and systems, multi-factor authentication,
resilient and redundant infrastructure, data encryption, and
centralized security monitoring with real-time alerting.
It is also important that the data aggregation provider
maintains high standards for the developers who use its
data and resources, for example through a developer
certification program. Another key risk management
process is the application testing program.
All fintech applications leveraging customer financial
account data should undergo rigorous review to ensure
they meet the highest security and performance standards.
Finally, it is important to assess if the data aggregation
provider fully supports current and evolving authentication
protocols, such as new multi-factor authentication (MFA),
and federated and token-based architectures.
Choosing the Platform
The aggregation platform is the integration point with your
systems and should consist of a set of infrastructure
components that intelligently aggregate, cleanse, augment,
and store consumer data. However, some platforms are
better than others. To reduce the operational load and risk
to your systems, and to manage customer service issues,
you should assess if the platform you choose:
• Is capable of aggregating a highly extensible range of
data from a large number of data providers using a
variety of structured and semi-structured data formats
including HTML, OFX, and custom feeds;
• Supports a variety of data collection methods to provide
broad coverage across a non-standard environment of
technologies for data serving and authentication,
including screen-scraping, statement parsing, data feeds,
and batch uploads;
• Accesses data in two ways: 1) by retrieving the most
recently cached data from its online transaction processing
(OLTP) system, and 2) by requesting that data be refreshed
from the source on demand; and that the OLTP database
refreshes intelligently, with regard for the impact on your
resources.
Advanced Monitoring and Data Operations
To ensure the aggregation platform interacts with your
systems consistently and securely, its operations must
be constantly monitored. The aggregation provider should
have specialized operations personnel on hand to solve
any problem. A sophisticated, proactive monitoring and
debugging infrastructure that addresses data source and
data quality issues quickly and without compromising the
security and privacy of consumer data is essential.
Compliance
Data aggregation providers access Nonpublic Personal
Information (NPI) and therefore fall under the Gramm-
Leach-Bliley Act (GLBA). However, only the largest and
most mature providers are monitored by the US banking
regulators under FFIEC Supervision of Technology Service
Providers for compliance with the same strict regulations
to which financial institutions must adhere. As you perform
your risk assessment on any aggregation provider,
ask about:
1. Compliance with applicable banking standards, including
strong authentication
2. Compliance with regulatory requirements for
authentication, authorization, and protection of
financial data
3. An appropriate security, risk, and compliance posture
4. Full-feature data exchange methodologies
5. Compatibility with new technologies for online, mobile,
and tablet banking, as well as evolving platforms, such
as wearable technology
Summary
Aggregation-based technology is powering exciting and
innovative new solutions that are changing the way your
customers interact with their finances, and interact with
you utilizing digital channels and apps. These solutions
are helping fintech providers create more personalized
and engaging financial experiences, and also protect your
customers against fraud with transaction analysis and
alerting tools. Supporting these powerful financial
applications that benefit your customers requires a
best-of-breed financial data aggregation provider, one
with a data infrastructure that aggregates disparate
personal financial information in a secure, scalable, and
sustainable way. Envestnet |
Yodlee shares your goals for customer enablement and
protection, to bring these new financial experiences to life
for people around the globe.
About Envestnet | Yodlee and Its Security
Envestnet | Yodlee and its data aggregation platform are
among the leading enablers of advanced digital financial
services and financial data in the world.
Supervised Technology Service Provider under US
Banking Regulations
Of note, Envestnet | Yodlee is a Technology Service Provider
under the direct supervision of the US banking regulators.
Technology Service Providers (TSPs) provide technology-
based systems to United States financial institutions (FIs).
These systems are deemed critical to the overall safety
and soundness of the financial institutions; therefore,
supervision by the banking regulators is warranted to
ensure these TSPs satisfy the security, privacy, risk, and
regulatory compliance requirements. As a supervised TSP,
Envestnet | Yodlee undergoes examinations by the US
banking regulators (i.e., the OCC, FDIC, and Federal Reserve)
just like an FI. Envestnet | Yodlee receives a Report of
Examination that is made available to its US FI clients.
US FIs are not allowed to engage with TSPs that are not
deemed satisfactory by this examination process.
PCI-DSS Service Provider
Envestnet | Yodlee is also a Level 1 Service Provider under
the Payment Card Industry Data Security Standard (PCI-DSS).
PCI-DSS is a requirement of the card brands (Visa™,
MasterCard™, American Express™, Discover™, JCB™) for
any entity that stores, processes, or transmits cardholder
data (card number, security code, expiration date, track
data). As a PCI-DSS Level 1 Service Provider, Envestnet |
Yodlee undergoes annual compliance assessments by a
PCI Qualified Security Assessor (QSA) and quarterly
technical assessments by an Authorized Scanning
Vendor (ASV). These reports are available to clients and
supplement their own assessments of Envestnet | Yodlee’s
security posture.