TCH Submitted Comments in Response to Joint Agency Proposed Guidance on Third-Party Risk Management
The Clearing House Association L.L.C. and The Clearing House Payments Company L.L.C. (together, TCH) commented on proposed interagency guidance on risk management expectations relating to third-party relationships. TCH’s comments are confined specifically to how the proposal would apply to relationships between financial institutions (FIs) and data aggregators and their fourth party clients and how the agencies can work to improve the ability of FIs, and particularly small FIs, to conduct such relationships in a safe, sound and secure manner. TCH and its members have been working since 2017, through TCH’s Connected Banking initiative, to create a safer environment for data sharing that is more transparent and consumer controlled, and that relies on an application programming interface (API) environment, not high risk, credential-based data access and screen scraping. Although much progress has been made, unique challenges continue to be posed by data aggregation activities that require additional work beyond the proposed interagency guidance on third-party risk management. TCH made the following comments and recommendations:
i. TCH supports the development of uniform guidance, including uniform application of relevant FAQs.
ii. The interplay between the proposed guidance and the anticipated rulemaking by the CFPB under Dodd Frank § 1033 requires coordination between the FDIC, FRB, OCC, and CFPB in order to create a unified framework.
iii. The agencies should affirm that FIs have the right to conduct appropriate due diligence and impose reasonable restrictions on time, place, manner, and scope of data access by third parties as well as periodic customer re-authorizations / re-authentications. TCH noted that regardless of such affirmation, there will remain limitations on what FIs can do to protect themselves and their customers from harm, and that FI due diligence and attempts to impose reasonable restriction are not and cannot be a meaningful substitute for the direct regulation and supervision of data aggregators and downstream parties.
iv. The agencies should work together with the FTC to clarify application of the Gramm Lech Bliley Act to data aggregators, to strengthen the FTC’s safeguards rule, and should work with the CFPB to ensure that there is a regulatory and supervisory framework in place that imposes standards and supervision on data aggravators commensurate with the standards imposed on FIs when handling similar customer information.
v. The agencies should end credential-based access and screen scraping in light of the inherent risks associated with such activities.
vi. The agencies should continue to monitor, support, and facilitate the benefits of cross-industry and trade initiatives that promote safe and secure access through common interoperable standards, industry-wide utilities, and shared assessment activities.
To read the full comment letter click here.