Recently, a few media outlets reported on comments the Director of the Financial Crimes Enforcement Network (FinCEN), Kenneth A. Blanco, made about increased fraudulent schemes to steal consumer funds known as account takeovers (ATOs). While Director Blanco’s full comments indicated that criminals are using all aspects of the financial ecosystem to gain consumer credentials in order to launch ATOs, many of these news stories focused unfairly on one market participant – financial data aggregators.
As an organization representing all players in the financial data industry, including financial institutions, data aggregators, Fintechs and financial trade groups, the Financial Data Exchange (FDX) wants to set the record straight – financial fraud impacts the entire industry and it will take the entire industry to fight it!
That said, Director Blanco’s comments and ATO schemes are important to understand. On September 24th at the Federal Identity (FedID) Forum and Exposition in Tampa Florida, Director Blanco said:
“The abuse of personally identifiable information, and other building blocks of identity, is a key enabler behind much of the fraud and cybercrime affecting our nation today. Account takeover, which involves the targeting of financial institution customer accounts to gain unauthorized access to funds, is an extremely common cybercrime affecting U.S. financial institutions. FinCEN is seeing around 5,000 account takeover reports each month involving approximately $350 million.”
Thankfully, Mr. Blanco also added that the vast majority of these attempted ATOs fail, giving appropriate credit to the “diligent work by bank compliance officers.”
So how do ATOs work? In order to perpetuate an ATO scheme, criminals will mimic a consumer and gain illegal access to that consumer’s accounts. Criminals mimic consumers by using their “secret” credentials (passwords, SSN, answers to security questions, etc.,) that are often acquired through hacks, social engineering, or by purchasing them on the Dark Web.
As stated by Mr. Blanco, the sources of these stolen credentials obtained by criminals are varied, they include, without limitation: “business email compromise (BEC) fraud schemes that are targeting U.S. financial institutions and their customers;” “creat[ing] fraudulent accounts on fintech platforms” in order to use “data aggregators and integrators to facilitate account takeovers;” “fraudulent merchant accounts;” and “creating fraudulent user accounts on fintech platforms as part of identity theft or synthetic identity fraud.”
Bottom-line, ATO fraud takes many forms, and while data aggregator platforms are sometimes used to attempt this fraud, the entire industry must work together to fight it. Thankfully, that industry effort is here!
The Financial Data Exchange, LLC (FDX), launched in October 2018, is the first major effort across all financial industry sectors focused on standardizing secure data sharing. Having tripled in size from around 20 members to now more than 65 of the largest leaders in the financial industry (see a list of some of our member here), FDX is a non-profit organization dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data. FDX empowers consumers through its commitment to the development, growth and industry-wide adoption of the FDX API, according to the principles of control, access, transparency, traceability and security. The FDX API permits a consumer to conveniently and securely share financial information without the use of credentials (the source of most ATOs). [For more information on Application Programming Interfaces (APIs), click here.]
FDX recently published a new white paper laying out the group’s Five Core Principles of Data Sharing. The principles serve both as operating principles for FDX, as well as guidelines for the financial services industry on the essential elements of a secure, transparent consumer-first approach to the sharing of financial data.
The Five Principles of Data Sharing are derived from and influenced by thought leaders in the financial industry as well as regulatory entities and worldwide standards bodies. They are:
- Control: Consumers should be able to effortlessly grant, modify and revoke access to their financial data for applications or services they desire to use.
- Access: Account owners should have access to their data and the ability to determine who will have access to their data.
- Transparency: Individuals using financial services should know how, when, and for what purpose their data is used and know who they have permissioned.
- Traceability: All data transfers should be traceable. Consumers should have a complete view of all parties that are involved in the data-sharing flow.
- Security: Service providers need to ensure the safety and privacy of data during access and transport and when that data is at rest.
The FDX member firms, whether they be aggregators or other fintech’s or financial institutions are united in removing shared credentials from the ecosystem through the universal adoption of the FDX API. This will reduce risk and improve security for all parties, especially consumers.
FDX is an independent subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber-risk in the global financial system.
FDX appreciates FinCEN for its efforts in this area and for drawing attention to the benefits of working together as an industry to address security threats at all levels.
About FDX
Financial Data Exchange, LLC (FDX) is a non-profit organization dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data. FDX empowers consumers through its commitment to the development, growth and industry-wide adoption of the FDX API, according to the principles of control, access, transparency, traceability and security. Membership is open to financial institutions, fintech companies, consumer advocacy groups, and other industry participants. For more information and to join, visit www.financialdataexchange.org.