Charles Schwab continues to deliver on its commitment to customer data protection
Third-party applications often use “data aggregation” services that involve the collection and use of a user’s confidential financial account and personal information. These services may present a holistic view of a user's finances to assist them in making better spending decisions, or perform a variety of other functions related to payments and consumer loan applications. To use these services, in most cases customers must authorize a third-party data aggregator to access the customer’s account and personal information.
To allow this, users may be asked to provide their account credentials (user name and password) to the data aggregator in order to enable the data aggregator to access the user’s account(s) at each financial institution. The data aggregator’s software logs into the financial institution’s site as that user and accesses the customer’s confidential information on the aggregator’s platform. This method of access is often called “screen-scraping.”
Frequently Asked Questions
Q: What are some risks to providing credentials for the purpose of screen scraping that users should recognize?
A: Anytime you share confidential authentication credentials with another party, even with family, the risk of accidental exposure, loss or theft increases. You want to make sure any data aggregation services you use provide strong privacy and security controls to protect your information. The user credentials you provide to a third party can be used to access your online accounts and, in some cases, to transact and transfer funds.
It is important that you understand the aggregator's services and how they intend to safeguard and use your account and personal information, including whether they share or sell your data.
Q: What is being done to address some of the risks?
A: Schwab remains committed to collaborating with the Securities Industry and Financial Markets Association (SIFMA), the financial services industry as a whole, and our service providers to improve how we protect, permission, and provide transparency over client data. Schwab played a key role in the development of the Data Aggregation Principles with SIFMA (https://www.sifma.org).
As part of this effort, Schwab has joined a growing list of Financial Institutions, including the Financial Data Exchange (FDX), who have contributed to and adopted new standards of data exchange with the intent to stop the practice of “screen scraping.”
Through this ongoing industry collaboration, guidelines have been established that address data security, innovation, client controls, and standards for sharing financial and personal data through an application programming interface (API).
Q: What is an API and how does it impact aggregation services?
A: An API, or “Application Programming Interface,” makes access to data easier, more accurate and more secure. The use of APIs is a best practice in the industry and utilizes a token-based approach, which enables clients to authorize third parties to download requested account information on their behalf in an encrypted form, without storing their usernames and passwords.
Q: How will the Schwab API work?
A: Through Schwab’s API connection, third party data aggregators who agree to data access terms with Schwab will continue to have client-authorized access to certain client data in a protected environment. In turn, clients will have greater control over and better transparency into what data they share and with whom they share their data.
Through its API development and the migration of third-party financial technology companies to its API network, Schwab provides a more secure, client-controlled authentication process.
Here’s how the API will work to protect Charles Schwab clients:
- Protection – The API issues a "virtual" token to third parties for client data to ensure client account credentials are safe. Available multi-factor authentication provides an added layer of user identification.
- Data Privacy – Through the Schwab API, clients can choose to grant access to specific accounts and specific third parties to ensure the right data is selected. Consent to allow access to data through explicit disclosures is logged and archived.
- Transparency and Control – Clients are not required to share their log-in credentials outside of Schwab. Through the Schwab Security Center, they will have higher visibility and transparency into linked accounts, including which third parties are accessing their data and the type of data, and can easily view and change access at any time.
Q: Does Schwab charge a fee for this data service?
A: No. Schwab is not charging third party applications or third party data aggregators to use the API for access to client-authorized accounts and data; Schwab is aligned with industry standards and specifications agreed to and established by the Financial Data Exchange and its Members. As such, Schwab will require agreement on Data Access terms with third party data aggregators/financial technology companies prior to access being granted.
Q: Has Schwab agreed to Data Access terms with any third parties?
A: In 2020, Schwab communicated, via press release, the successful signing of Data Access Agreements (DAA) with seven prominent financial technology companies: Envestnet Yodlee, Intuit, MX, Morningstar, Finicity, Fiserv, and eMoney Advisor. These seven companies comprise approximately 85% of data aggregation services used by Schwab clients. Schwab has already provided testing-based access to its API to several data aggregators who have been actively engaged with us to enable adoption of our more secure access method.
We are also actively partnering with several additional leading financial technology companies who share the mutual goal of providing clients with access to their data in a more secure and transparent manner.
For more information please see Charles Schwab Reinforces Its Commitment to Customer Data Protection
Intuit, Envestnet Inc., & eMoney Advisor, LLC are not affiliated with Charles Schwab Corporation or its subsidiaries unless otherwise noted.