The Clearing House Releases Model Agreement for Sharing Financial Data
On November 12, 2019, The Clearing House (TCH) released a Model Agreement as part of TCH’s Connected Banking Initiative. The Model Agreement is intended to be used as the basis for data sharing agreements between banks and Fintechs.
TCH is a U.S.-based entity that is owned by some of the world’s largest commercial banks. TCH is also the parent organization of the Clearing House Payments Company, a payments association comprised of over 1,000 financial institution members and corporate subscribers.
The Model Agreement is part of TCH’s Connected Banking initiative, which aims to facilitate innovation, customer control and the secure exchange of bank-held data. TCH developed the Model Agreement to be consistent with the Consumer Protection Principles: Consumer Authorized Financial Data Sharing and Aggregation, issued by the Consumer Financial Protection Bureau (CFPB) on October 18, 2017. Rob Hunter (Deputy General Counsel, TCH) stated that “[t]he Model Agreement provides a framework for how banks and Fintechs can work together to implement the CFPB’s principles...” in an effort to “…facilitate the efficient and safe sharing of consumer data.”
TCH’s Connected Banking initiative encourages innovation that allows customers to control how they share their bank-held data with third parties in a secure fashion. The initiative is also focused on the development of application programming interfaces (APIs) which can be used to create direct connections between banks and Fintechs. As a founding member of the Financial Data Exchange, TCH also promotes the use of the FDX API in order to permit financial data to be shared securely and transparently. The Financial Data Exchange describes the function of the FDX API as follows: “The FDX API works in combination with specific frameworks governing data sharing, secure authentication, data semantics, and syntax. These elements together will do for the financial data sharing ecosystem what the Bluetooth Core Specification did for connecting devices wirelessly, providing standardization that will make it easier and safer for consumers to use financial data and apps to make good decisions.”
While the use of APIs to safely share financial data as between banks and Fintechs is gaining widespread momentum, the negotiation of the agreements governing such data sharing is not without its challenges. Hunter is hopeful that the Model Agreement will reduce the cycles and friction points in the negotiation of such arrangements: “APIs have the potential to significantly benefit consumers, but the lengthy process to reach an agreement can become a bottleneck to API adoption… Using the Model Agreement as a reference to facilitate API agreements can streamline and accelerate the adoption of API technology.”
The Model Agreement was developed by TCH in collaboration with its member financial institutions and non-bank financial institutions, and in consultation with Fintechs. While not mandatory in nature, the Model Agreement is supposed to act as a point of reference for banks and Fintechs, and does not otherwise address commercial terms, which are to be negotiated as between the parties. TCH further clarifies that the Model Agreement is intended to be a living document that will be updated to reflect changing technology and market conditions over time.
Model Agreement – Some Notable Terms
Among other things, the Model Agreement helpfully outlines a set of defined terms for banks and Fintechs to use (all capitalized terms that are not otherwise defined have the meaning attributed to such terms in the Model Agreement). This alone will likely reduce the difficulties posed by disagreement over the meaning to be attributed to such terms in data sharing agreements. It also addresses the Data Recipient’s Scope of Access to Account Information, as well as the restrictions applicable to same.
Further, the Model Agreement includes obligations on the Data Recipient to flow down some of its obligations under it to Data Recipient Clients, collectively defined as the “Required General Provisions”. The Required General Provisions include the Data Recipient’s obligations pertaining to the subject matter covered by the following headings contained in the Model Agreement: Customer Account Credentials, Scope of Access, Disclaimers, Designated Customer Disclosure and Consent, Retention of Records, Audits, Data Recipient Personnel, Anti-Bribery; No Insider Trading, Exit Rights, Suspension Rights, and Insurance. It is worthwhile to note that the defined term “Data Recipient Client” in the Model Agreement does not refer to the bank’s customer seeking to share its data with the Data Recipient, but rather to “a third party developer or other service provider that obtains or has access to Account Information to display or use the Account Information in a Data Recipient Service”.
Lastly, the Model Agreement addresses screen scraping. The Model Agreement expressly refers to the cessation of Scraping by Data Recipients and a move towards a more secure and industry-accepted method of accessing Account Information as a key objective of the Agreement. The Agreement provides that Data Recipients must, as long as the Agreement is in effect:
- not access, collect or request Customer Account Credentials;
- cease use of, and not use, Scraping as a means of accessing any Account Information; and
- use the Data Access Method permitted under the Agreement as the sole means for accessing or collecting Account Information, provided that Data Recipients have obtained all relevant and appropriate consents and authorizations from Designated Customers.
The Agreement further provides that, upon the date that the Data Access Method (usually an API) has been established and is ready to be used as the data distribution channel (such date being the Applicable Cutover Date), Data Recipient agrees that it will no longer request, collect or access Customer Account Credentials, and will Delete and Destroy any and all Customer Account Credentials in the Data Recipient’s possession. Upon request by the FSE, the Data Recipient must attest that it is in compliance with its obligations pertaining to the Customer Account Credentials, and that all Data Recipient Entities have Deleted and Destroyed all Customer Account Credentials.
U.S. versus U.K. Approaches to Financial Data Sharing Agreements
The issuance of the Model Agreement by TCH is reflective of the market-led efforts towards the realization of an open banking system in the U.S., which take into consideration guidance provided by entities such as the CFPB and the U.S. Treasury. This stands in contrast to the UK Terms and Conditions for API Users, which is a standard form of agreement that may be entered into by API Users (defined as individuals or organizations that choose to access the Open Banking APIs). Such Terms and Conditions are the product of the top-down regulatory approach taken by Open Banking Limited UK (Open Banking), and govern the relationship between Open Banking and each API User.
It will be interesting to see whether the foregoing developments in the U.S. and U.K. will have an impact in Canada, where the Department of Finance is currently reviewing open banking. At this point, some of Canada’s largest financial institutions have been actively engaging Fintechs in order to negotiate data sharing deals which reflect the varying strategies taken by such financial institutions to date. It remains to be seen what impact, if any, such review into open banking will ultimately have on the arrangements entered into between Canadian banks and Fintechs going forward.