Banking needs a ‘Schumer box’ for data sharing

Financial account data powers the fintech apps and services that have exploded over the past decade. Well-known companies such as SoFi, Betterment, Wealthfront and Earnin rely on connectivity to consumer financial accounts to deliver their services. Important details about access to consumer data are buried within the lengthy terms of service that a majority of consumers accept without reading as they register for a new app or service. Therefore, consumers typically don’t understand what data is being accessed, who is accessing it or for what purpose. Yet at the same time, a recently released report on fintech innovation from the Department of the Treasury urges fintech and financial services companies to change that.

The Treasury’s recommendation calls for companies that use third-party data platforms and aggregators (like Quovo) to change how they gain consumer consent to access and share account data. Similar to what the Consumer Financial Protection Bureau has previously called for, the Treasury’s report puts forth guidelines that terms and conditions should be “written in plain language” and “readily accessible” so that “consumers can give informed and affirmative consent regarding to whom they are granting access, what data is being accessed and shared, and for what purposes.”

In simpler terms, both agency recommendations promote clear and conspicuous consumer consent to data sharing. However, neither provides any detail on what exactly this new means of consent would look like in practice. Fintech companies, financial institutions and third-party data platforms need to unite to develop a consistent means of gaining consent that adheres to the Treasury and CFPB’s guidelines, in order to give consumers full power to control their financial data.

The industry doesn’t have to start from scratch to develop a mechanism to gain clear and conspicuous consent: Credit card companies already have a model for disclosures. In 1988, Congress enacted legislation that required credit card companies to be more transparent about the most important terms in their agreements. As a result, “Schumer boxes” — named after Sen. Chuck Schumer, who was responsible for the law — now appear at the very top of terms of agreement and highlight the card’s annual fees, APR and grace periods in a bold, black box, instead of buried in pages of fine print that people don’t read.

Currently, consent to data sharing typically is secured when a user signs up for an app via a tiny box that says “yes, I agree to the terms of service” with a link to pages of jargony terms of service documents. As an alternative, a Schumer box for data sharing could appear front and center during the account registration process, highlighting the key components of the terms that relate to accessing and use of a consumer’s financial data. Which third parties handle a consumer’s data, how it is used and how to rescind access in the future could all appear within that box. End users could then consciously decide if they want to proceed with granting the third party with access to their data.

The Schumer box is a solid, easily-implemented model for securing consent from consumers because the reasoning behind data access is the same as credit card disclosures: Consumers deserve to understand what they’re agreeing to so that they can make a conscious, informed decision. With a Schumer box, third parties that do not use consumer data only for consumers’ benefit, such as those that sell data to hedge funds, would have to clearly disclose this fact, which would certainly make consumers think twice about consenting in the first place.

Increased transparency will help all industry participants put consumers’ interests ahead of their own, the overarching guiding principle of the CFPB’s data-sharing principles. If consumers decide en masse not to consent to data sharing due to the resale of data, for example, this would dissuade data companies from participating in the practice.

Looking further ahead, a Schumer box could also act as a data control center. Next to the disclosure of what data the third party accesses and what they do with it, there could be toggles to turn access to the specific data points or use cases on and off at any time. For example, a user may want to permit an app to access their financial accounts for authentication purposes ahead of an ACH transaction, but not to continuously access their transaction history. With a data control setup, the user could split their permission by use case accordingly.

The Schumer box for data sharing is only one form of how conspicuous consent could be put into practice, but Treasury and CFPB guidance makes it clear that the industry needs to improve the mechanisms for gaining consent to data sharing. Innovations in finance depend upon access to consumer financial account data, and consumers should no longer be left in the dark about data use, given how integral their data is to the fintech ecosystem. No matter the final physical form of conspicuous consent, stakeholders need to begin collaborating to provide the necessary transparency as fintech continues to become more ingrained and important in the financial ecosystem.