New York's top banking regulator wants fintech apps to tighten security

New York's top banking regulator wants third-party fintech apps to tighten up their security.

The New York Department of Financial Services (DFS) is soliciting input from other top regulators including the Treasury Department's Office of the Comptroller of the Currency on how both banks and startups can bolster cyber security.

It comes at a time when third-party services that depend on bank data are facing 'throttling,' or being cut off from key data, by banks including Bank of America, Wells Fargo and JPMorgan.

Popular apps from Intuit, including its Mint and Quicken products, were prevented from receiving data from banks, prompting user outcry.

"Third-party service providers often have access to sensitive data and to a financial institution's information technology systems, providing a potential point of entry for hackers," DFS acting superintendent Anthony Albanese said in a letter to federal regulators.

"A company may have the most sophisticated cyber security protections in the industry, but if its third party service providers have weak systems or controls, those protections will be ineffective."

Third-party service providers could be required to develop policies to use multi-factor authentication for users or encrypt sensitive data. They could also be asked to reimburse customers in the event their data is hacked and their accounts are drained.

A murky issue surrounding the access of third-party apps to big banks' data and accounts is whether customers would be reimbursed by the Federal Deposit Insurance Corp. in the event of a hack through an app. Individuals are generally eligible for coverage of $250,000, but it's less clear how FDIC insurance applies to hacks that come through fintech apps.

DFS is also looking to push big banks to bolster cybersecurity policies, including as it relates to customer data and improving incident response times. The agency declined to comment on a timeline for final decisions.