The Consumer Financial Protection Bureau’s entrance into the battle between banks and fintechs over customer information appears to have done something remarkable by largely pleasing both sides.
Banks have welcomed the statement of principles because they are non-binding, while fintechs are encouraged by the CFPB’s recognition of key issues in the debate.
“They were carefully conceived, and not at all constructed from an industry vs. industry fight,” said Steve Boms, vice president of government affairs at Envestnet Yodlee, a company that provides technology to financial advisors and does data aggregation. “Our view is these were formulated using the perspective of the consumer, with informed consent and full transparency.”
Rob Morgan, vice president of emerging technology at the American Bankers Association, said it is “pleased that the CFPB’s new principles for consumer-authorized data sharing acknowledge key recommendations ABA outlined earlier this year, particularly with regard to security, transparency and control.”
Yet the principles could also lay the groundwork for future regulation if banks and fintechs cannot work out some outstanding issues on their own.
“You could imagine someone saying, ‘We put out principles, we hoped the industry on its own would move in this general direction, but we’ve gotten all these complaints about lack of informed consent,’” said Brian Knight, a senior research fellow for the financial markets working group at the Mercatus Center of Georgetown University. “’So clearly rulemaking is now necessary so we can provide an enforceable standard in the industry.’”
It’s clear that the CFPB isn’t there yet. The agency appeared to be walking a fine line between weighing in on the debate while not upending it.
At issue is a fight between data aggregators and fintechs on the one hand who argue banks don’t share enough of their customers’ account data with third parties, which fintechs need to provide personal financial management and robo-advisory apps. On the other side, banks say they are happy to share the data, but want to be careful with whom it’s shared. Both parties claim to have the consumer’s best interests at heart.
The CFPB’s principles, issued Wednesday, say consumers should be able to authorize third parties to obtain their financial information, for their benefit and in a safe manner. Under the principles, consumers should have control over and provide informed consent around how their data is accessed, stored, used and disposed.
The data needs to be kept secure, access to it transparent, and any party that uses it must be accountable for any harm or cost caused to the customer due to a data breach or misuse.
“It's a good thing to create a new, modernized principle-based standard for data exchange, data security and data portability,” said Rob Foregger, founder and executive vice president of NextCapital, a provider of automated financial planning portfolio management services. “Just like in the healthcare industry, a patient has the right to bring their healthcare records to another doctor for a second opinion, financial services customers need to maintain the right to access and use their financial data across institutions.”
Though nonbinding, the principles provide important clues to the CFPB’s thinking on key issues.
The most controversial aspect of data sharing is screen scraping. Banks loathe data aggregators’ practice of asking a consumer to provide their online banking login credentials, so the firm can scrape their account data. They argue it’s unsafe to hand out banking credentials and that aggregators bombard their servers with these requests, preventing actual customers from accessing their accounts.
For their part, aggregators and fintechs say they only use screen scraping because they have to, when banks won’t give them access to customer data.
The CFPB’s principles seem to discourage screen scraping without banning it. “Access does not require consumers to share their account credentials with third parties,” the CFPB wrote.
Quote"It was a very calculated political gamble by the CFPB."
Knight said the principle may encourage banks to directly provide data to third parties.
“You could see that as you shouldn’t have to give your account name and password to Mint so that they go login on your behalf to your bank account and pull in your data,” he said. “Aggregators that are forced to do screen scraping could in theory take this to the bank to say, ‘the writing is on the wall, you have to give us a better means of access.’”
Boms echoed that sentiment.
“The whole debate over credentials is really a debate over whether or not financial institutions are really, honestly sharing consumer data with their permission with third parties,” he said.
The CFPB’s principles around informed consent appeared the most stringent, suggesting that it’s not enough to just disclose what a company is doing, but disclosures must be done in language anyone can understand.
“That document, accurate as it may be, that’s written by a lawyer who went to Harvard and charges $600 an hour? That’s not going to cut it,” Knight said.
The principle may pose a challenge for banks and fintechs. How many companies send notifications about how they’re using and storing consumers’ data, in easy to understand language?
The last of CFPB’s principles calls for efficient and effective accountability mechanisms. “Commercial participants are accountable for the risk, harm and costs they introduce to consumers,” it says.
That appears to get at an argument by banks that they’re willing to share data, but if the aggregator suffers a breach that hurts the customer, the bank shouldn’t be liable.
“Is this the CFPB thinking, ‘maybe the banks shouldn’t be on the hook for every harm that occurs related to this bank account?’” Knight asked. “Maybe if the fault was with the aggregator, they should be on the hook. That would be an interesting development that might give some aggregators pause and might give banks some measure of comfort.”
Boms suggested accountability and traceability could be provided through a “forensic ledger” that would keep track of all the entities that touched a consumer's data.
“If you were the entity responsible for a consumer having had financial harm, you should be responsible for making that consumer whole,” Boms said. “If you're the financial institution and you are responsible for that, it logically follows you are responsible for making the consumer whole as well.”
He said the industry has been talking about such a system for a long time. But no such system exists in the U.S. today. Boms said the U.K. will have such a ledger when it begins its open banking in January.
“Every entity has a unique ID, and when they touch the customer's data, that identifier is embedded in code,” he said. “So we know after the fact, if there's a breach, where the breach came from.”