10.3 FDX WhitePaper Final

Uploaded by

bin liu
Copyright
© © All Rights Reserved

The Global Industry Standard for Consumer Access to Financial Data


1. Executive Summary
The mission of Financial Data Exchange (commonly known as FDX) is to unify the
financial industry around a common, interoperable, royalty-free standard for secure and
convenient consumer and business access to their financial data. Coordination among
industry participants is essential to success:

“Further coordination among all of the stakeholders in [data sharing] – financial institutions, data
aggregators, fintech providers, regulators and consumers themselves – will be critical to achieving a secure,
inclusive and innovative financial data-sharing ecosystem that supports consumer financial health.”

– Center for Financial Services Innovation (CFSI) - Consumer Data Sharing Principles: A Framework for
Industry-Wide Collaboration, Oct. 2016

FDX was founded by a group of the most innovative companies and engaged individuals operating in the financial
services ecosystem and engaged in consumer permissioned financial data access. Collectively, the members
represent over $2 trillion (and growing) in market capitalization that includes major financial institutions, financial
technology (fintech) companies as well as major industry groups, with continuous recruitment efforts to expand
consumer group participation and consumer outreach. FDX members have in-depth experience in consumer
permissioned data-sharing organizations that include key positions related to industry efforts, developing market
solutions and providing input to regulators and lawmakers.

FDX marks the formation of the most comprehensive industry ecosystem to address the common challenges of
consumer-permissioned data sharing. FDX seeks, through the development and promotion of a common
standard, to facilitate the secure exchange of information, and accelerate innovation while giving consumers
greater control of their data and better awareness of how it is being used.

FDX had its origins in early 2017 as a grassroots effort of financial institutions, financial technology companies
and data aggregators seeking to find common ground for a secure, consumer-focused data sharing framework.
Recognizing the significant progress already made by FS-ISAC’s Aggregation Working Group in the 2015-2017
time period with its Durable Data Application Programming Interface (DDA) standard, FDX became a
wholly-owned, independent subsidiary of FS-ISAC [1] in 2018. FS-ISAC assigned the DDA (now known as the FDX API) [2]
standard to FDX in October 2018 in connection with FDX’s launch. As a non-profit organization, FDX will
implement and oversee this interoperable standard and operating framework, continuing the development,
improvement and adoption of the FDX framework.

[1] Financial Services Information Sharing and Analysis Center (FS-ISAC) is an industry consortium dedicated to reducing
cyber-risk in the global financial system. Serving financial institutions around the globe and in turn their customers, FS-ISAC leverages
its intelligence platform, resiliency resources and a trusted peer-to-peer network of experts to anticipate, mitigate and respond to
cyber threats.
[2] See “The ABC’s of APIs” by visiting the FDX website at: www.financialdataexchange.org

To achieve its mission, FDX will focus on five (5) core operating principles of providing consumers and businesses:
Control, Access, Transparency, Traceability and Security. The FDX framework will additionally adopt, reference
or define:

• Standards for financial data sharing;
• Standards for secure authentication and authorization;
• A certification program and standards body; and
• User experience, consent guidelines and best practices.

FDX is comprised of committees and working groups focused on the mission of the organization, promoting
adoption of the FDX API standard and ensuring interoperability. Membership in FDX is broadly open to (in
addition to Financial Data Parties (as hereafter defined)) individuals, non-profits and groups (consumer and
industry) with an interest in furthering the mission and objectives of FDX as described herein. We encourage all
members to join working groups and participate at FDX events so that the voices of all interested members can
be heard and contribute to the successful and broad adoption of the FDX API standard. Members are encouraged
to adopt and promote the standards released by FDX. FDX anticipates that once its certification programs and
procedures are established, widespread adoption of the FDX API as the industry standard will benefit consumers
through consistent standards across platforms related to control, access, transparency, traceability and security
of their financial data.

FDX will promote royalty-free technology specifications – ensuring greater adoption – and will provide a
certification program for parties wishing to mark their financial products and programs as compliant to FDX API
standards.

2. Why FDX?
FDX was organized with the consumer in mind to ensure that the financial institutions, permissioned application
providers/developers, financial data aggregators and other financial technology companies (collectively referred to herein
as “Financial Data Parties”) can more readily and securely assist consumers in achieving their financial needs,
better managing their finances and improving their financial health.

“Consumer-authorized access and use of consumer financial account data may enable the development
of innovative and improved financial products and services, increase competition in financial markets, and
empower consumers to take greater control of their financial lives. To accomplish these objectives,
however, such access and use must be designed and implemented to serve and protect consumers.”

– Consumer Financial Protection Bureau, “Consumer Protection Principles: Consumer-Authorized
Financial Data Sharing and Aggregation”, October 18, 2017

Consumers are increasingly utilizing online financial management services, payments, credit decisioning and more
that are provided by companies that are often not affiliated with their primary financial institution (where consumer
financial information is often located). To utilize these services, consumers need the ability to authorize access to
their financial data from their financial institutions to other Financial Data Parties in a convenient, secure and
reliable manner.

In order to give these parties access to their financial records, consumers have historically provided their login
credentials (keys) to financial applications or data aggregators. In most cases, financial apps do not store the
keys, but instead pass these credentials via an Application Programming Interface (API) to the data aggregator.
The financial application or data aggregator can then access the financial institution website and retrieve the
consumers’ data (this process is known as screen scraping). While the consumer is granting rights to the financial
application or to the data aggregator to use and store their keys, the use of APIs and token-based mechanisms
for accessing data, as described herein, aims to eliminate the need to store keys and is generally seen as more
secure and reliable. Implementing FDX’s mission, objectives and operating principles on terms and conditions
clearly understood and dictated by the consumer will address many of the concerns faced by consumers, industry
and regulators today.

“During outreach meetings with Treasury, there was universal agreement among financial services
companies, data aggregators, consumer fintech application providers, consumer advocates, and
regulators that the sharing of login credentials constitutes a highly risky practice. APIs are a potentially
more secure method of accessing financial account and transaction data than screen-scraping.”

– U.S. Dept. of The Treasury, “A Financial System That Creates Economic Opportunities – Nonbank
Financials, Fintech and Innovation” July 2018

In October 2016, the Center for Financial Services Innovation (CFSI) published a white paper that recommended
all players come together to create standards for consumer data access. CFSI envisioned:

“An inclusive and secure financial data ecosystem is one in which financial institutions, data aggregators
and third-party application providers coordinate to provide data to consumers.”

FDX believes in listening to all industry voices and coordinating with the various participants to benefit the
consumer. An industry-led initiative such as FDX offers the shortest critical path to realizing the benefits of secure,
consumer-permissioned data sharing.

Other industries have successfully created Special Interest Groups to address such industry challenges. The
Bluetooth Special Interest Group and the Mortgage Industry Standards and Maintenance Organization (MISMO)
are good examples of the voices of industry coming together to successfully create a common standard. FDX is
another such example of multiple parties in an ecosystem coming together to form an organization singularly
focused on a defined mission and established objectives.

3. FDX Mission and Objectives


“Treasury sees a need to remove legal and regulatory uncertainties currently holding back financial services
companies and data aggregators from establishing data sharing agreements that effectively move firms
away from screen-scraping to more secure and efficient methods of data access. Treasury believes that
the U.S. market would be best served by a solution developed by the private sector, with appropriate
involvement of federal and state financial regulators. A potential solution should address data sharing,
security, and liability. Treasury recommends that any potential solution discussed in the prior
recommendation address the standardization of data elements as part of improving consumers’ access
to their data.”

– U.S. Dept. of The Treasury, “A Financial System That Creates Economic Opportunities – Nonbank
Financials, Fintech and Innovation” July 2018

The mission of FDX is to unify the financial industry around a common, interoperable, royalty-free standard for
secure and convenient consumer and business access to their financial data. Doing so will empower consumers
to make information-based decisions on their personal finances and help increase financial literacy. FDX will
accomplish its mission through execution of the following objectives:

• Define Use Case Profiles: FDX will define use case profiles describing consumer-permissioned scenarios
within the financial data ecosystem. FDX will adopt and promote principles for data sharing across all use
case profiles. Members will be able to qualify their solutions for one or more profiles.

• Adopt, Promote and Improve Data-Sharing Standards: FDX will develop and promote the FDX API
standard and brand to help ensure financial data is timely, consistent, and accurate. Membership in FDX will
allow use of and/or contribution to the specifications.

• Adopt, Promote and Improve Secure Authentication Standards: Consumers should not have to reveal
their account login credentials to third parties to share financial data in the applications they choose. FDX will
adopt modern standards in the FDX API specification in accordance with industry best practices with regard
to authentication, authorization, data privacy and security in order to eventually do away with sharing login
credentials with third parties to reduce risk to consumers.

• Develop a Certification Program: FDX will create a qualification and certification program to ensure
common implementation and interoperability. Products (i.e., programs and apps for consumer-
permissioned financial data sharing) will be approved by FDX through the certification program, to test the
technical compatibility/interoperability, prior to being marketed as a compliant product, or getting access to
certain intellectual property rights.

• Develop User Experience and Consent Guidelines Best Practices: FDX will document the steps and
show examples of recommended user experiences across the end-to-end data sharing workflow to permit
users to establish their financial data sharing connections with ease and full transparency and control. These
steps will span across the lifecycle of creating a connection, managing a connection, and revoking a
connection, including the steps of disclosure, authentication and authorization.

• Seek Broad Adoption of the FDX API Standard: FDX will seek universal adoption of the FDX API standard.
Significant adoption by financial industry participants will be required to realize the full benefit of establishing
a unifying standard.

• Future Applications: Achieving FDX’s mission and objectives through its operating principles and broad
adoption of the FDX API standard may further support the development of a liability framework by the
appropriate parties as encouraged by the U.S. Dept. of Treasury.

4. FDX Operating Principles
“Consumer Protection Principles [are] intended to reiterate the importance of consumer interests to all
stakeholders in the developing market for services based on the consumer-authorized use of financial
data. [These Principles include] …Access…, Control and Informed Consent…, Security…, Access
Transparency… and Efficient and Effective Accountability Mechanisms [Traceability].”

– Consumer Financial Protection Bureau, “Consumer Protection Principles: Consumer-Authorized
Financial Data Sharing and Aggregation”, October 18, 2017

FDX believes accessible, consumer-permissioned financial data sharing not only enables consumers to better
understand their financial situation, but also serves as a catalyst for innovation in the financial industry by seeking
to:

• Empower consumers and organizations alike to leverage, and benefit from, their financial data.

• Facilitate access to financial data to improve financial literacy, financial decisions and convenience.

• Develop principles in concert with thought leaders in the financial industry as well as regulatory entities
and worldwide standards bodies.

To ensure FDX always serves the best interests of consumers, its work and operations are based on five (5) core
principles:

1. Control: Consumers should be able to permission their financial data for services or applications. [3]
a. All Financial Data Parties should provide clear, intuitive navigation and information to consumers,
allowing informed decision making on sharing financial data.
b. Consumers should have the ability through easy, intuitive interfaces, to effortlessly grant, modify
and revoke access to their financial data for applications or services they desire to use.
2. Access: Account owners should have access to their data and the ability to determine which Financial
Data Parties will have access to their data.
a. Intuitive navigation: The authentication process should avoid unnecessary steps or language that
delays, interrupts, or impedes access.
b. Speed of access: Hand-off between parties and systems should be convenient, smooth, secure
and efficient. Time-consuming or confusing experiences represent a barrier and frustrate
consumers.
c. Responsible Access: Consumers should provide informed consent (with the ability to revoke that
consent) for any and all access granted to Financial Data Parties. These parties will then only have
access for the purposes for which the consent was provided.
3. Transparency: Individuals using financial services should know how, when, and for what purpose their
data is used. Only data that is required to provide such services should be shared with the
organization providing the service.
a. Consumers should be able to view who they have permissioned, as outlined above in “Control.”
b. When permissioning a new service, consumers should be fully informed regarding what their data
is used for, how long the service can access that data, who it is used by, and under which terms
the service is provided.

[3] Members of FDX (and certain additional parties agreeing to FDX’s Terms & Conditions) have access to FDX’s “Control
Considerations for Consumer Financial Account Aggregation Services” (Control Considerations). See Control Considerations:
Overview – The Solution.

4. Traceability: All data transfers should be traceable. Consumers should have a complete view of all Financial
Data Parties that are involved in the data-sharing flow.
a. Data users (organizations and service providers) should know each step the data takes in order
to permit the consumers to follow the path for each data flow. Data flows should be easily
traceable and logged as the data traverses (i.e., from the financial institution through the
aggregator and to the applications) in order to aid the pinpointing of potential errors or suspicious
connections. [4]
b. Traceability may be used to support operational efficiencies and remediation activities.
Additionally, it may also result in the faster detection and response to potential errors and
suspicious traffic, as well as helping to pinpoint the source of the issue.
5. Security: Financial Data Parties need to ensure the safety and privacy of data during access and transport
and when that data is at rest. [5]
a. Financial Data Parties need to provide clear definitions on data usage and privacy, permitting
consumers to make educated decisions.
b. All parties involved in the data-sharing ecosystem must have appropriate security policies and
practices in place. These practices should reflect best-in-class standards and be improved upon
continuously.
c. Security should empower consumer control, access, transparency, and traceability and should
not be implemented in a manner that introduces friction points or other features that contravene
these principles.

FDX fully expects all members to quickly move towards implementation that supports these core principles – and
provides required support so all members are able to adopt them.

5. FDX Operations
FDX is working to align the financial industry around a single technology standard and solution qualification
program that ensures “out of the box” interoperability. It will accomplish this through a technology organization
structure similar to other technology initiatives that have successfully aligned other industries.

FDX’s four (4) primary activities are to:

1. Publish data and authentication standards, specifications, and best practices for defined use cases;
2. Evangelize the FDX API standard and promote and enable rapid adoption of the standard;
3. Protect FDX trademarks and intellectual property while ensuring the specifications remain royalty free; and,
4. Administer the qualification and certification program.

[4] See Control Considerations: Intermediary Identity – Benefits.
[5] See Control Considerations: Aggregation and Security Guidelines.

6. Committees and Working Groups


The FDX board of directors is comprised of financial institutions, financial technology companies, data
aggregators and permissioned parties. The board, along with all FDX members, works diligently to continue to
develop and improve the FDX API. In order to engage the participants in an ecosystem that represents multiple
voices in the industry, FDX created several committees and working groups with active and ongoing participation
from member organizations. [6]

• Technical Review Committee: tasked with the ongoing maintenance and improvement of the FDX API
technical specification, along with adopting or building other technical solutions to promote FDX objectives.
The Technical Review Committee oversees several working groups to achieve these goals.

• APIs/Data Structures Working Group: tasked with creating programs and processes that will certify
proper implementation of the FDX API standard, ensuring interoperability.

• Security & Authentication Working Group: tasked with the design of appropriate security and
authentication protocols and related matters.

• Marketing and Public Relations Working Group and Government Affairs Task Force: responsible for
membership, marketing, government outreach, public relations and event planning.

• User Experience/Consent Working Group: focused on best practices for user experience, consent
matters and user engagement. The working group will work closely with the Consumer Advocacy Working
Group in order to improve standards, specifications and best practices relating to the consumer experience.

• Open Financial Exchange: As of July 2019, OFX has joined FDX as a working group to enable development
of a unified standard. The independent working group is tasked with maintaining and evolving the OFX
standard as necessary to support the existing OFX implementations, while leveraging the use cases and
work between the OFX and FDX standards and providing a migration path to FDX for OFX users wishing to
migrate.

• Consumer Advocacy Working Group: composed of non-profit consumer advocacy groups who will elect
from among themselves a board level observer. The consumer advocacy members will provide input and
recommendations at the working group and board level to ensure that consumer needs, security,
experiences and rights are kept at the forefront of FDX’s decision making process.

7. Comparison with Other Industry Forums


FDX’s mission and approach are unique among existing financial industry forums. With its focus on creating an
interoperable standard by financial use case, it expects to adopt or extend existing standards and innovate new
ones to accomplish its objectives. FDX is the first industry group with a broad range of support and active
membership by major industry participants: financial institutions, permissioned application providers, financial
technology companies, financial industry groups, data aggregators and consumer groups. Despite the size of
many of its members, FDX is open to nonprofits and consumer groups (at discounted rates) and individual industry
participants. FDX was founded with benefits to the consumer in mind. The protection and ease of permissioned
sharing of consumers’ financial data through the adoption of a common, interoperable, royalty-free standard for
secure and convenient consumer and business access to their financial data remains FDX’s top priority.

[6] Members of FDX may request a copy of the Charter Documents for each of the Working Groups referenced herein.

FDX looks forward to further participation by all financial industry stakeholders and invites consumers and potential
members to learn more and consider joining FDX by visiting its website: www.financialdataexchange.org. FDX
requires all participants to sign a Membership Agreement. This agreement, among other provisions, establishes
annual dues, membership classes and requires each member to abide by FDX’s Limited Liability Company
Agreement, Antitrust Guidelines and Intellectual Property Rights Agreement. Contact FDX to learn more.
