All Aggregation Platforms Are Not Created Equal:
A Security Perspective
WHITE PAPER
Envestnet | Yodlee. For more information, go to yodlee.com
The digital era has arrived for banking and financial
services. Online and mobile banking and financial services
are quickly becoming the channels of choice for today's
digitally savvy customers. Nimble nonbank and new-era
financial advisors, unencumbered by brick and mortar,
legacy systems, and outdated processes, are using the
power of the Internet to entice customers away from
traditional wealth management firms. These upstarts
are using data aggregation technology to mine valuable
financial information so they can target customer
needs more accurately and customize offerings, almost
before these consumers realize they need them.
Key to this compelling approach are powerful, innovative
FinApps® that leverage data held by traditional financial
institutions. By their very nature, these solutions access
sensitive personal and financial consumer details found
within secure online banking, brokerage, bill pay accounts,
and more. The challenge for any financial service provider
is how to enable online and mobile banking services
powered by aggregation technologies while also protecting
customers from data loss and adhering to regulatory
and legal requirements.
Financial institutions must embrace the digital era, and
they must do so now to avoid losing market share as more
customers come to expect the ease and convenience made
possible through the digital channel. To do so, all financial
service providers must evaluate and manage the risks of
enabling access to their systems by aggregators in support
of their customers, with a focus on the crucial aspects of
security, privacy, risk management, and compliance. As a
trusted partner of many of the world's leading financial
institutions and a provider of the premier consumer data
aggregation platform, Envestnet® | Yodlee® has broad and
deep experience bridging the gap between innovation and
security.
Privacy and Security Best Practices
When evaluating the risks of aggregation technology,
the security of your customers' data should be top of
mind. Many aggregation providers have no direct
relationship with, and therefore no direct obligation to, the
financial institutions that hold their customers' accounts
and data. This means that once an aggregation provider
has accessed your customers' personally identifiable
information, the financial institution (FI) has no visibility
into how securely it is handled. It is the FI's responsibility
to ensure that appropriate security and risk management
protocols are in place, with the appropriate physical,
electronic, and procedural safeguards to protect all
financial information against unauthorized access or misuse.
Unfortunately, providing these controls is too great a task
for most early-stage financial technology service providers.
Before you allow an aggregator access to your customers’
valuable data, make sure the service provider follows
industry best practice guidelines in the design and
implementation of their network security environment. For
example, they should provide separate production, staging,
development, corporate, and specialty networks, with
access control devices between each zone. They should
further segment networks within each zone to apply
granular security and audit controls appropriate to each
function. Other key controls to ask about include restricted
access to the data and systems, multi-factor authentication,
resilient and redundant infrastructure, data encryption, and
centralized security monitoring with real-time alerting.
It is also important that the data aggregation provider
maintains a certification program that holds the developers
leveraging its data and resources to high standards.
Another key risk management process is the application
testing program: all fintech applications leveraging
customer financial account data should undergo rigorous
review to ensure they meet the highest security and
performance standards. Finally, it is important to assess
whether the data aggregation provider fully supports
current and evolving authentication protocols, such as
new multi-factor authentication (MFA) methods, and
federated and token-based architectures.
Choosing the Platform
The aggregation platform is the integration point with your
systems and should consist of a set of infrastructure
components that intelligently aggregate, cleanse, augment,
and store consumer data. However, some platforms are
better than others. To reduce the operational load and risk
to your systems, and to manage customer service issues,
you should assess if the platform you choose:
• Is capable of aggregating a highly extensible range of
data from a large number of data providers using a
variety of structured and semi-structured data formats
including HTML, OFX, and custom feeds;
• Supports a variety of data collection methods to provide
broad coverage across a non-standard environment of
technologies for data serving and authentication,
including screen-scraping, statement parsing, data feeds,
and batch uploads;
• Accesses data in two ways: 1) by retrieving the most
recently cached data from the online transaction
processing (OLTP) system, and 2) by requesting that the
data be updated from the source on demand, with the
OLTP database refreshing intelligently and with respect
for the impact of those refreshes on your resources.
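The cache-then-refresh access pattern described in the last bullet, as an added example (not Envestnet | Yodlee's code): cached account data is served from the OLTP copy while it is fresh, an on-demand refresh pulls from the source, and a per-source token bucket caps how often the aggregator may hit any one financial institution. The `AggregationStore` class, the freshness window, the budget sizes and the `fetch` callback are all assumptions.

```python
"""Cache-then-refresh access to aggregated account data with per-source throttling.

Added example; not the paper's or Envestnet | Yodlee's code. The two access paths
are the ones the paper lists: (1) serve the most recently cached copy from the
OLTP store, (2) refresh from the source on demand. A token bucket per data source
(an assumption) keeps on-demand refreshes from overloading the institution that
serves the data, which is the "respect for its impact on your resources" point.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CachedRecord:
    data: dict
    fetched_at: float  # seconds on a clock the caller supplies


@dataclass
class SourceBudget:
    """Token bucket limiting on-demand refreshes against one data source."""
    capacity: int
    refill_per_sec: float
    tokens: float
    last_refill: float

    def try_consume(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last_refill)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.last_refill = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AggregationStore:
    """OLTP-style cache in front of a source fetch, with a budget per source."""

    def __init__(self, fetch: Callable[[str, str], dict], max_age_sec: float,
                 budget_capacity: int = 5, budget_refill_per_sec: float = 0.1):
        self._fetch = fetch            # pulls fresh data from a source (assumed callback)
        self._max_age = max_age_sec    # how long a cached copy counts as fresh
        self._cache: Dict[Tuple[str, str], CachedRecord] = {}
        self._budgets: Dict[str, SourceBudget] = {}
        self._cap = budget_capacity
        self._refill = budget_refill_per_sec

    def _budget(self, source: str) -> SourceBudget:
        # A new source starts with a full bucket.
        return self._budgets.setdefault(
            source, SourceBudget(self._cap, self._refill, float(self._cap), 0.0))

    def get(self, source: str, account: str, now: float,
            refresh: bool = False) -> Tuple[Optional[dict], str]:
        """Return (data, status). Status values:
        'cached'    fresh enough; served from the OLTP copy without touching the source
        'refreshed' pulled from the source just now
        'stale'     a refresh was wanted but the source budget is exhausted; old copy returned
        'deferred'  nothing cached and the budget is exhausted; caller must retry later
        """
        key = (source, account)
        rec = self._cache.get(key)
        fresh = rec is not None and (now - rec.fetched_at) <= self._max_age
        if fresh and not refresh:
            return rec.data, "cached"
        if self._budget(source).try_consume(now):
            data = self._fetch(source, account)
            self._cache[key] = CachedRecord(data, now)
            return data, "refreshed"
        if rec is not None:
            return rec.data, "stale"
        return None, "deferred"


if __name__ == "__main__":
    # Constructed stand-in for a source fetch: returns a counter as the balance.
    hits = []

    def demo_fetch(source: str, account: str) -> dict:
        hits.append((source, account))
        return {"balance": len(hits)}

    store = AggregationStore(demo_fetch, max_age_sec=60.0, budget_capacity=2,
                             budget_refill_per_sec=0.0)
    for t, force in ((0.0, False), (10.0, False), (20.0, True), (30.0, True)):
        print(t, store.get("bank-a", "acct-1", now=t, refresh=force))
```

Which of the four statuses an integration returns, and how often, is the observable evidence that the platform refreshes "intelligently" rather than hammering the source on every request.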
Advanced Monitoring and Data Operations
To ensure the aggregation platform interacts with your
systems consistently and securely, its operations must
be constantly monitored. The aggregation provider should
have specialized operations personnel on hand to solve
any problem. A sophisticated, proactive monitoring and
debugging infrastructure that addresses data source and
data quality issues quickly and without compromising the
security and privacy of consumer data is essential.
Compliance
Data aggregation providers access Nonpublic Personal
Information (NPI) and therefore fall under the Gramm-
Leach-Bliley Act (GLBA). However, only the largest and
most mature providers are monitored by the US banking
regulators under FFIEC Supervision of Technology Service
Providers for compliance with the same strict regulations
to which financial institutions must adhere. As you perform
your risk assessment on any aggregation provider,
ask about:
1. Compliance with applicable banking standards, including
strong authentication
2. Compliance with regulatory requirements for
authentication, authorization, and protection of
financial data
3. An appropriate security, risk, and compliance posture
4. Full-feature data exchange methodologies
5. Compatibility with new technologies for online, mobile,
and tablet banking, as well as evolving platforms, such
as wearable technology
Summary
Aggregation-based technology is powering exciting and
innovative new solutions that are changing the way your
customers interact with their finances, and with you,
through digital channels and apps. These solutions
are helping fintech providers create more personalized
and engaging financial experiences, and also protect your
customers against fraud with transaction analysis and
alerting tools. Supporting these powerful financial
applications that benefit your customers requires a
best-of-breed financial data aggregation provider, one
with a secure, scalable data infrastructure that aggregates
disparate personal financial information in a secure,
scalable, and sustainable way. Envestnet |
Yodlee shares your goals for customer enablement and
protection, to bring these new financial experiences to life
for people around the globe.
About Envestnet | Yodlee and Its Security
Envestnet | Yodlee, with its data aggregation platform, is
one of the leading enablers of advanced digital financial
services and financial data in the world.
Supervised Technology Service Provider under US
Banking Regulations
Of note, Envestnet | Yodlee is a Technology Service Provider
under the direct supervision of the US banking regulators.
Technology Service Providers (TSPs) provide technology-
based systems to United States financial institutions (FIs).
These systems are deemed critical to the overall safety
and soundness of the financial institutions; therefore,
supervision by the banking regulators is warranted to
ensure these TSPs satisfy the security, privacy, risk, and
regulatory compliance requirements. As a supervised TSP,
Envestnet | Yodlee undergoes examinations by the US
banking regulators (i.e., the OCC, FDIC, and Federal Reserve)
just like an FI. Envestnet | Yodlee receives a Report of
Examination that is made available to its US FI clients.
US FIs are not allowed to engage TSPs that are not
deemed satisfactory by this examination process.
PCI-DSS Service Provider
Envestnet | Yodlee is also a Level 1 Service Provider under
the Payment Card Industry Data Security Standard (PCI-
DSS). PCI-DSS is a requirement of the card brands (Visa™,
MasterCard™, American Express™, Discover™, JCP™) for
any entity that stores, processes, or transmits cardholder
data (card number, security code, expiration date, track
data). As a PCI-DSS Level 1 Service Provider, Envestnet |
Yodlee undergoes annual compliance assessments by a
PCI Qualified Security Assessor (QSA) and quarterly
technical assessments by an Approved Scanning
Vendor (ASV). These reports are available to clients and
supplement their own assessments of Envestnet | Yodlee's
security posture.
Global Headquarters: 3600 Bridge Parkway, Suite 200, Redwood City, CA 94065, T: +1 650 980 3600, www.yodlee.com
© 2016 Envestnet | Yodlee.™ All rights reserved. Technology protected by one or more U.S. Patents or Patents Pending. Use subject to license terms. May include materials developed by third
parties. Yodlee and the Yodlee Logo are trademarks or registered trademarks of Envestnet | Yodlee in the U.S. and other countries. All other trademarks mentioned in this document or website are
the property of their respective owners. Yodlee 220 01/16
US-EU Safe Harbor Certification
Envestnet | Yodlee acts as a data processor to its
clients in their role as data controller for the Yodlee
services they offer to their customers. As such, Yodlee
must uphold the European Union Directive on Data
Protection and supporting regulations related to the data
our clients entrust to us from their EU data subjects.
Accordingly, Yodlee has designed and operates its data
privacy handling per the EU Principles applicable to our
role as a data processor. To demonstrate our adequacy
with the Principles, we also obtain third-party certification
of our privacy data handling programs under the US-EU
Safe Harbor Compliance Program sponsored by the US
Department of Commerce.
Asia Pacific Economic Cooperation Cross Border Privacy
Rules (APEC CBPR)
In OECD member states, Envestnet | Yodlee likewise acts
as a data processor to its clients in their role as data
controller for the Envestnet | Yodlee services they offer
to their customers. Accordingly, Envestnet | Yodlee's data
privacy handling is also designed and operated per the
OECD Privacy Principles and adheres to APEC's Cross
Border Privacy Rules applicable to our role as a data
processor. To demonstrate its adequacy with the Principles,
Envestnet | Yodlee also obtains Accountability Agent
certification of its privacy data handling programs under
the APEC CBPR System.

More Related Content

What's hot

Syari'ah principles in commercial transaction
Syari'ah principles in commercial transactionSyari'ah principles in commercial transaction
Syari'ah principles in commercial transactionTitek Sobah Suyub
 
Islamic banking
Islamic bankingIslamic banking
Islamic bankingImane SBAI
 
Bai muajjal bai salam and istisna in islamic banking pakistan
Bai muajjal bai salam and istisna in islamic banking pakistanBai muajjal bai salam and istisna in islamic banking pakistan
Bai muajjal bai salam and istisna in islamic banking pakistanFaria Fary
 
Non resident (external) account -NRE account
Non resident (external) account -NRE accountNon resident (external) account -NRE account
Non resident (external) account -NRE accountProglobalcorp India
 
Salam
SalamSalam
SalamMAJU
 
Mudharabah and Muqharadah in Islamic Finance
Mudharabah and Muqharadah in Islamic Finance Mudharabah and Muqharadah in Islamic Finance
Mudharabah and Muqharadah in Islamic Finance Camille Silla Paldi
 
14685550 cash-management-presentation
14685550 cash-management-presentation14685550 cash-management-presentation
14685550 cash-management-presentationDr. Ravneet Kaur
 
Shariah Non-Compliance Risk
Shariah Non-Compliance RiskShariah Non-Compliance Risk
Shariah Non-Compliance RiskMahyuddin Khalid
 
IFSB Guiding Principles of Risk Management
IFSB Guiding Principles of Risk ManagementIFSB Guiding Principles of Risk Management
IFSB Guiding Principles of Risk ManagementMahyuddin Khalid
 
Murabaha final presentation
Murabaha final presentation Murabaha final presentation
Murabaha final presentation Wajeeha Pervez
 
Non performing assets
Non performing assetsNon performing assets
Non performing assetsKrishna Kanth
 
islamic Banking presentation
islamic Banking presentation islamic Banking presentation
islamic Banking presentation muhibullah1989
 

What's hot (20)

Syari'ah principles in commercial transaction
Syari'ah principles in commercial transactionSyari'ah principles in commercial transaction
Syari'ah principles in commercial transaction
 
Islamic banking
Islamic bankingIslamic banking
Islamic banking
 
Al-Wadiah
Al-WadiahAl-Wadiah
Al-Wadiah
 
Bai muajjal bai salam and istisna in islamic banking pakistan
Bai muajjal bai salam and istisna in islamic banking pakistanBai muajjal bai salam and istisna in islamic banking pakistan
Bai muajjal bai salam and istisna in islamic banking pakistan
 
Non resident (external) account -NRE account
Non resident (external) account -NRE accountNon resident (external) account -NRE account
Non resident (external) account -NRE account
 
Salam
SalamSalam
Salam
 
mgt657
mgt657mgt657
mgt657
 
Murahaba
MurahabaMurahaba
Murahaba
 
Sukuk
SukukSukuk
Sukuk
 
Mudharabah and Muqharadah in Islamic Finance
Mudharabah and Muqharadah in Islamic Finance Mudharabah and Muqharadah in Islamic Finance
Mudharabah and Muqharadah in Islamic Finance
 
Audit of bank
Audit of bankAudit of bank
Audit of bank
 
14685550 cash-management-presentation
14685550 cash-management-presentation14685550 cash-management-presentation
14685550 cash-management-presentation
 
Shariah Non-Compliance Risk
Shariah Non-Compliance RiskShariah Non-Compliance Risk
Shariah Non-Compliance Risk
 
Presentation1 (1)
Presentation1 (1)Presentation1 (1)
Presentation1 (1)
 
IFSB Guiding Principles of Risk Management
IFSB Guiding Principles of Risk ManagementIFSB Guiding Principles of Risk Management
IFSB Guiding Principles of Risk Management
 
Murabaha final presentation
Murabaha final presentation Murabaha final presentation
Murabaha final presentation
 
Lecture 10
Lecture 10Lecture 10
Lecture 10
 
Non performing assets
Non performing assetsNon performing assets
Non performing assets
 
Salam
SalamSalam
Salam
 
islamic Banking presentation
islamic Banking presentation islamic Banking presentation
islamic Banking presentation
 

Viewers also liked

Viewers also liked (11)

La provincia de coclé
La provincia de cocléLa provincia de coclé
La provincia de coclé
 
Fgf
FgfFgf
Fgf
 
Model etika dalam bisnis, sumber nilai etika
Model etika dalam bisnis, sumber nilai etikaModel etika dalam bisnis, sumber nilai etika
Model etika dalam bisnis, sumber nilai etika
 
DEVELOPMENT AND MANAGEMENT
DEVELOPMENT AND MANAGEMENTDEVELOPMENT AND MANAGEMENT
DEVELOPMENT AND MANAGEMENT
 
Curriculum Nacional Base Sheny
Curriculum Nacional Base ShenyCurriculum Nacional Base Sheny
Curriculum Nacional Base Sheny
 
Presentazione Tesi Magistrale sul Giffoni Experience
Presentazione Tesi Magistrale sul Giffoni ExperiencePresentazione Tesi Magistrale sul Giffoni Experience
Presentazione Tesi Magistrale sul Giffoni Experience
 
El curriculum nacional base lupita
El curriculum nacional base lupitaEl curriculum nacional base lupita
El curriculum nacional base lupita
 
Wqw
WqwWqw
Wqw
 
Las tablet
Las tabletLas tablet
Las tablet
 
Andrea cnb
Andrea cnbAndrea cnb
Andrea cnb
 
Imt slideshare3.2
Imt slideshare3.2Imt slideshare3.2
Imt slideshare3.2
 

Similar to Aggregation Platforms-White Paper

Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
MLM Platform for Financial (Services Simplifies Industry's Complexity
MLM Platform for Financial (Services Simplifies Industry's ComplexityMLM Platform for Financial (Services Simplifies Industry's Complexity
MLM Platform for Financial (Services Simplifies Industry's ComplexityEpixel MLM Software
 
How to build a highly secure fin tech application
How to build a highly secure fin tech applicationHow to build a highly secure fin tech application
How to build a highly secure fin tech applicationnimbleappgenie
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxITIO Innovex
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
Application-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdfApplication-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdfAnil
 
Application-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdfApplication-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdfAnil
 
Fiserv FCRM Platform Brochure
Fiserv FCRM Platform BrochureFiserv FCRM Platform Brochure
Fiserv FCRM Platform BrochurePaul Stabile
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens BankMichael Ouellet
 
The Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataThe Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataTyler Hannan
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustGrant Thornton LLP
 
25 sumit 2
25 sumit 225 sumit 2
25 sumit 2SRJIS
 
DATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best PracticesDATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best PracticesDataSecretariat
 
Cards and Payments Asia - Apr. 2016
Cards and Payments Asia - Apr. 2016Cards and Payments Asia - Apr. 2016
Cards and Payments Asia - Apr. 2016Wing Yuen Loon
 
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...Opus
 

Similar to Aggregation Platforms-White Paper (20)

Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
MLM Platform for Financial (Services Simplifies Industry's Complexity
MLM Platform for Financial (Services Simplifies Industry's ComplexityMLM Platform for Financial (Services Simplifies Industry's Complexity
MLM Platform for Financial (Services Simplifies Industry's Complexity
 
How to build a highly secure fin tech application
How to build a highly secure fin tech applicationHow to build a highly secure fin tech application
How to build a highly secure fin tech application
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptx
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Top online frauds 2010
Top online frauds 2010Top online frauds 2010
Top online frauds 2010
 
Application-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdfApplication-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdf
 
Application-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdfApplication-Modernization-Whitepaper.pdf
Application-Modernization-Whitepaper.pdf
 
Fiserv FCRM Platform Brochure
Fiserv FCRM Platform BrochureFiserv FCRM Platform Brochure
Fiserv FCRM Platform Brochure
 
Finance Industry Innovations
Finance Industry InnovationsFinance Industry Innovations
Finance Industry Innovations
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens Bank
 
The Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataThe Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card Data
 
Fintech Risks and Benefits--DR. Emmanuel Moore ABOLO
Fintech Risks  and Benefits--DR. Emmanuel Moore ABOLOFintech Risks  and Benefits--DR. Emmanuel Moore ABOLO
Fintech Risks and Benefits--DR. Emmanuel Moore ABOLO
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a must
 
25 sumit 2
25 sumit 225 sumit 2
25 sumit 2
 
DATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best PracticesDATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best Practices
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Cards and Payments Asia - Apr. 2016
Cards and Payments Asia - Apr. 2016Cards and Payments Asia - Apr. 2016
Cards and Payments Asia - Apr. 2016
 
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
 
Tfs
TfsTfs
Tfs
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Aggregation Platforms-White Paper

As a trusted partner of many of the world’s leading financial institutions and a provider of the premier consumer data aggregation platform, Envestnet® | Yodlee® has broad and deep experience bridging the gap between innovation and security.

Privacy and Security Best Practices

When evaluating the risks of aggregation technology, security of your customers’ data should be top of mind. Many aggregation providers do not have direct relationships, and therefore direct obligations, with the financial institutions that hold their customers’ accounts and data. This means the security of your customers’ personally identifiable information is unknown to the financial institution (FI) once accessed by the aggregation provider. It is the FI’s responsibility to ensure that appropriate security and risk management protocols are in place, with the appropriate physical, electronic, and procedural safeguards to ensure all financial information is protected against unauthorized access or misuse. Unfortunately, providing these controls is too great a task for most early-stage financial technology service providers.

Before you allow an aggregator access to your customers’ valuable data, make sure the service provider follows industry best practice guidelines in the design and implementation of their network security environment. For example, they should provide separate production, staging, development, corporate, and specialty networks, with access control devices between each zone. They should further segment networks within each zone to apply granular security and audit controls appropriate to each function. Other key controls to ask about include restricted access to the data and systems, multi-factor authentication, resilient and redundant infrastructure, data encryption, and centralized security monitoring with real-time alerting.
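The zone separation described above (production, staging, development, corporate, and specialty networks with an access control device between each pair) can be checked mechanically as part of a vendor assessment. What follows is an added example, not code from this white paper or from Envestnet | Yodlee: a small first-match, default-deny policy evaluator that audits a proposed cross-zone rule set against the flows the assessor expects to be permitted and representative flows that must never be permitted. The zone names, ports, and the weak and hardened rule sets are constructed for illustration.

```python
"""Default-deny audit of cross-zone access-control rules.

Added example for illustration; it is not code from the white paper or from
Envestnet | Yodlee. The zones, ports and rule sets below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, str, int]  # (source zone, destination zone, TCP port)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None matches every port
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src == src and self.dst == dst and self.port in (None, port)


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation. A flow that no rule mentions is denied, which
    is the default-deny posture expected of the device between two zones."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def audit(rules: List[Rule], required: List[Flow], forbidden: List[Flow]) -> List[str]:
    """Return human-readable findings; an empty list means the rule set passes.

    required:  cross-zone flows the design needs (must evaluate to allow).
    forbidden: representative flows that must never cross (must evaluate to deny).
    """
    findings: List[str] = []
    # Any-port allows defeat the purpose of a zone boundary, even if no probe hits them.
    for rule in rules:
        if rule.action == "allow" and rule.port is None:
            findings.append(f"overly broad: {rule.src}->{rule.dst} allows every port")
    for src, dst, port in required:
        if decide(rules, src, dst, port) != "allow":
            findings.append(f"required flow blocked: {src}->{dst}:{port}")
    for src, dst, port in forbidden:
        if decide(rules, src, dst, port) == "allow":
            findings.append(f"forbidden flow permitted: {src}->{dst}:{port}")
    return findings


# Constructed assessment inputs: one management path that must work, and
# three paths that must not exist between the zones the paper names.
REQUIRED: List[Flow] = [("corporate", "production", 443)]
FORBIDDEN: List[Flow] = [
    ("development", "production", 22),
    ("corporate", "production", 3389),
    ("production", "corporate", 445),
]

# A weak design: developers get an any-port hole straight into production.
WEAK_RULES = [
    Rule("corporate", "production", 443, "allow"),
    Rule("development", "production", None, "allow"),
]

# The corrected design: only the required path is explicitly allowed, the
# developer path is explicitly denied, and everything else falls to default deny.
HARDENED_RULES = [
    Rule("corporate", "production", 443, "allow"),
    Rule("development", "production", None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules, REQUIRED, FORBIDDEN) or ["no findings"])
```

Run against the weak rule set the audit reports both the any-port allow and the developer-to-production SSH path it opens; the hardened set produces no findings. The same evaluator can be pointed at an exported rule table from the provider's own access control devices, which turns the "ask about segmentation" checklist item into evidence.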
It is also important that the data aggregation provider maintains high standards, in terms of a certification program, for the developers leveraging their data and resources. Another key risk management process is the application testing program. All fintech applications leveraging customer financial account data should undergo rigorous review to ensure they meet the highest security and performance standards. Finally, it is important to assess whether the data aggregation provider fully supports current and evolving authentication protocols, such as new multi-factor authentication (MFA), and federated and token-based architectures.

Choosing the Platform

The aggregation platform is the integration point with your systems and should consist of a set of infrastructure components that intelligently aggregate, cleanse, augment, and store consumer data. However, some platforms are better than others. To reduce the operational load and risk to your systems, and to manage customer service issues, you should assess whether the platform you choose:
• Is capable of aggregating a highly extensible range of data from a large number of data providers using a variety of structured and semi-structured data formats, including HTML, OFX, and custom feeds;
• Supports a variety of data collection methods to provide broad coverage across a non-standard environment of technologies for data serving and authentication, including screen-scraping, statement parsing, data feeds, and batch uploads;
• Accesses data by 1) retrieving the most recently cached data from the online transaction processing (OLTP) system, and 2) requesting that data be updated from the source on demand, with the OLTP database updating intelligently and with respect for its impact on your resources.

Advanced Monitoring and Data Operations

To ensure the aggregation platform interacts with your systems consistently and securely, its operations must be constantly monitored. The aggregation provider should have specialized operations personnel on hand to solve any problem. A sophisticated, proactive monitoring and debugging infrastructure that addresses data source and data quality issues quickly, and without compromising the security and privacy of consumer data, is essential.

Compliance

Data aggregation providers access Nonpublic Personal Information (NPI) and therefore fall under the Gramm-Leach-Bliley Act (GLBA). However, only the largest and most mature providers are monitored by the US banking regulators under FFIEC Supervision of Technology Service Providers for compliance with the same strict regulations to which financial institutions must adhere. As you perform your risk assessment on any aggregation provider, ask about:

1. Compliance with applicable banking standards, including strong authentication
2. Compliance with regulatory requirements for authentication, authorization, and protection of financial data
3. An appropriate security, risk, and compliance posture
4. Full-feature data exchange methodologies
5. Compatibility with new technologies for online, mobile, and tablet banking, as well as evolving platforms, such as wearable technology

Summary

Aggregation-based technology is powering exciting and innovative new solutions that are changing the way your customers interact with their finances, and interact with you, utilizing digital channels and apps. These solutions are helping fintech providers create more personalized and engaging financial experiences, and also protect your customers against fraud with transaction analysis and alerting tools. Supporting these powerful financial applications that benefit your customers requires a best-of-breed financial data aggregation provider, one with a secure, scalable data infrastructure that aggregates disparate personal financial information in a secure, scalable, and sustainable way. Envestnet | Yodlee shares your goals for customer enablement and protection, to bring these new financial experiences to life for people around the globe.

About Envestnet | Yodlee and Its Security

Envestnet | Yodlee, with its data aggregation platform, is one of the leading enablers of advanced digital financial services and financial data in the world.

Supervised Technology Service Provider under US Banking Regulations

Of note, Envestnet | Yodlee is a Technology Service Provider under the direct supervision of the US banking regulators. Technology Service Providers (TSPs) provide technology-based systems to United States financial institutions (FIs). These systems are deemed critical to the overall safety and soundness of the financial institutions; therefore, supervision by the banking regulators is warranted to ensure these TSPs satisfy the security, privacy, risk, and regulatory compliance requirements. As a supervised TSP, Envestnet | Yodlee undergoes examinations by the US banking regulators (i.e., the OCC, FDIC, and Federal Reserve) just like an FI.
Envestnet | Yodlee receives a Report of Examination that is made available to its US FI clients. US FIs are not allowed to engage with TSPs that are not deemed satisfactory by this examination process.

PCI-DSS Service Provider

Envestnet | Yodlee is also a Level 1 Service Provider under the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is a requirement of the card brands (Visa™, MasterCard™, American Express™, Discover™, JCB™) for any entity that stores, processes, or transmits cardholder data (card number, security code, expiration date, track data). As a PCI-DSS Level 1 Service Provider, Envestnet | Yodlee undergoes annual compliance assessments by a PCI Qualified Security Assessor (QSA) and quarterly technical assessments by an Approved Scanning Vendor (ASV). These reports are available to clients and supplement their own assessments of Envestnet | Yodlee’s security posture.
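The data access model listed under Choosing the Platform above (serve the most recently cached copy from the OLTP store, refresh from the source only on demand, and do so with respect for the impact on the institution's systems) is straightforward to prototype. The following is an added example and is not code from this white paper or from any Envestnet | Yodlee product: a cache that answers reads from its stored copy, goes back to the data provider only when the copy is stale or a refresh is explicitly requested, and caps how many source fetches each provider receives per sliding window. The fetch stub, clock, account identifiers, and balance values are constructed for the walkthrough.

```python
"""Cached read from the OLTP copy plus a budgeted on-demand refresh.

Added example, not code from the white paper or from any Envestnet | Yodlee
product. The source fetch, clock and account values are constructed stubs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class CachedRecord:
    data: dict
    fetched_at: float


class AccountDataStore:
    """Answers reads from the cached (OLTP) copy and goes back to the data
    provider only when the copy is stale or a refresh is requested, and then
    only while a per-source refresh budget remains for the current window."""

    def __init__(self, fetch_from_source: Callable[[str, str], dict],
                 clock: Callable[[], float], ttl_seconds: float = 3600.0,
                 max_refreshes: int = 2, window_seconds: float = 3600.0) -> None:
        self._fetch = fetch_from_source
        self._clock = clock
        self._ttl = ttl_seconds
        self._max_refreshes = max_refreshes
        self._window = window_seconds
        self._cache: Dict[Tuple[str, str], CachedRecord] = {}
        self._refreshes: Dict[str, List[float]] = {}  # source_id -> fetch times

    def _budget_available(self, source_id: str, now: float) -> bool:
        # Sliding window: forget fetches older than the window, then compare.
        recent = [t for t in self._refreshes.get(source_id, []) if now - t < self._window]
        self._refreshes[source_id] = recent
        return len(recent) < self._max_refreshes

    def get(self, source_id: str, account_id: str, refresh: bool = False) -> Tuple[Optional[dict], str]:
        """Return (data, origin). origin is one of:
        'cache'            fresh cached copy served, source untouched
        'source'           fetched from the provider and cached
        'cache-throttled'  stale or refresh requested, budget spent: stale copy served
        'throttled'        nothing cached and budget spent: caller must retry later
        """
        now = self._clock()
        key = (source_id, account_id)
        record = self._cache.get(key)
        is_fresh = record is not None and now - record.fetched_at < self._ttl
        if record is not None and is_fresh and not refresh:
            return record.data, "cache"
        if not self._budget_available(source_id, now):
            if record is not None:
                return record.data, "cache-throttled"
            return None, "throttled"
        data = self._fetch(source_id, account_id)
        self._cache[key] = CachedRecord(data, now)
        self._refreshes.setdefault(source_id, []).append(now)
        return data, "source"


class FakeClock:
    """Manually advanced clock so the walkthrough is deterministic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_walkthrough() -> Tuple[List[str], int]:
    """Drive the store through a sequence of reads; return the origin of each
    read and how many times the constructed source was actually called."""
    calls: List[Tuple[str, str]] = []

    def fetch(source_id: str, account_id: str) -> dict:
        calls.append((source_id, account_id))
        return {"account": account_id, "balance": 1000.0 + len(calls)}  # constructed value

    clock = FakeClock()
    store = AccountDataStore(fetch, clock, ttl_seconds=600.0, max_refreshes=2, window_seconds=3600.0)
    steps = [
        (0.0, "acct-1", False),     # nothing cached: fetch from source
        (10.0, "acct-1", False),    # fresh copy: served from cache
        (20.0, "acct-1", True),     # explicit refresh: second fetch, budget now spent
        (30.0, "acct-2", False),    # new account, budget spent: throttled
        (40.0, "acct-1", True),     # refresh requested, budget spent: stale copy served
        (3700.0, "acct-2", False),  # window slid past the earlier fetches: fetch allowed
    ]
    origins: List[str] = []
    for t, account, refresh in steps:
        clock.now = t
        origins.append(store.get("bank-a", account, refresh=refresh)[1])
    return origins, len(calls)


if __name__ == "__main__":
    print(run_walkthrough())
```

Six reads cost the provider three fetches in the walkthrough, and the budget is tracked per source rather than per account, so a burst of refresh requests across many accounts cannot be turned into a burst of logins against one institution. A production version would persist the refresh log and the cache rather than hold them in memory.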
US-EU Safe Harbor Certification

Envestnet | Yodlee acts as a data processor to its clients in their role as data controller for the Yodlee services they offer to their customers. As such, Yodlee must uphold the European Union Directive on Data Protection and supporting regulations related to the data our clients entrust to us from their EU data subjects. Accordingly, Yodlee has designed and operates its data privacy handling per the EU Principles applicable to our role as a data processor. To demonstrate our adequacy with the Principles, we also obtain 3rd party certification of our privacy data handling programs under the US-EU Safe Harbor Compliance Program sponsored by the US Department of Commerce.

Asia Pacific Economic Cooperation Cross Border Privacy Rules (APEC CBPR)

In OECD member states, Envestnet | Yodlee likewise acts as a data processor to its clients in their role of data controller for the Envestnet | Yodlee services they offer to their customers. Accordingly, Envestnet | Yodlee’s data privacy handling is also designed and operated per the OECD Privacy Principles and adheres to APEC’s Cross Border Privacy Rules applicable to our role as a data processor. To demonstrate its adequacy with the Principles, Envestnet | Yodlee also obtains Accountability Agent certification of its privacy data handling programs under the APEC CBPR System.

Global Headquarters: 3600 Bridge Parkway, Suite 200, Redwood City, CA 94065, T: +1 650 980 3600, www.yodlee.com
© 2016 Envestnet | Yodlee.™ All rights reserved. Technology protected by one or more U.S. Patents or Patents Pending. Use subject to license terms. May include materials developed by third parties. Yodlee and the Yodlee Logo are trademarks or registered trademarks of Envestnet | Yodlee in the U.S. and other countries. All other trademarks mentioned in this document or website are the property of their respective owners. Yodlee 220 01/16