Banks aren't following CFPB data-sharing guidance, fintechs say
While some fintechs and data aggregators appear to have buried the hatchet with banks when it comes to sharing customer account data, not everyone is ready to say the battle is over.
Some fintechs are accusing financial institutions of not following either the spirit or letter of the data-sharing principles the Consumer Financial Protection Bureau released in October.
“While the principles have been publicly embraced, it’s important that they’re also fully implemented behind the scenes,” said Eric Showen, head of partnerships and policy at Plaid, a data aggregator. “A pick-and-choose approach, while tempting for some banks, doesn’t work for consumers.”
But banks disagree, arguing they are following through on the principles.
“We believe we’ve addressed every use case that’s been presented to us for data,” said Stuart Rubinstein, head of data aggregation at Fidelity Investments. “But it’s possible there will be a new use case or one we missed. We’re happy to talk about those.”
One of fintechs’ primary accusations is that banks are selectively choosing fintechs to work with — leaving the rest out in the cold. Though the CFPB data-sharing principles do not spell out that banks should work with everyone equally, the spirit of the document suggests financial institutions should work with all trusted third parties.
“Right now it feels like financial institutions are cherry-picking the providers with whom they want to work,” said Kathryn Petralia, co-founder and chief operating officer of the online small-business lender Kabbage, who spoke on behalf of the Consumer Financial Data Rights group, which represents 31 fintechs and data aggregators. “We have no idea what the backroom deal is on any of those transactions and it feels paternalistic, like the banks are telling their customers, ‘We know what’s good for you more than you do; you should only share your data with these people with whom we have a deal.’ ”
This disadvantages smaller fintechs, she said.
“There are a lot of really interesting consumer fintech companies that are trying to do things like help consumers make more money, help them manage their expenses, help them plan for retirement,” Petralia said. “These are not businesses making a ton of money; a lot of these are almost nonprofit. These types of businesses will lose if they can’t get access to this data to help consumers.”
But banks like Wells Fargo and Capital One protest that they will work with anyone.
“Our API is public, we advertise on our DevExchange platform, we meet with everyone who inquires about using it,” said Becky Heironimus, vice president of enterprise digital products and data connections at Capital One. “In the larger picture, our goal is to ensure we create a secure mechanism for customers to access data that meets the use cases they want to use fintechs for.”
Capital One has signed agreements with five fintechs and data aggregators—Clarity Money, Intuit, Abacus, Xero and Expensify—since introducing its data-sharing application programming interface in February. It says more are in the pipeline.
Lisa Shields, CEO and founder of FI.SPAN, a company that helps banks set up data-sharing arrangements, offered one reason why banks might be careful about choosing data-sharing partners: the potential for customer service fiascoes.
If a bank has a deal with Intuit, for example, and a mutual customer is using an app that’s integrated with QuickBooks, the bank becomes a drop-down option for importing account data into the new application.
“A comment I got from a banker last week was, ‘It doesn’t matter that it’s not my aggregation service and it doesn’t matter that it’s not my application the customer is using,” Shields said. “Even if my bank is three parties removed from that interaction, as soon as my customer sees my name anywhere in their user experience, the first time something goes wrong, I’m the one getting the phone call from the customer. I have no ability to diagnose or assist, but I’m expected to because I am the bank.’ To me, that’s a very legitimate concern and the market hasn’t quite figured all that out.”
Banks have too many conflicting requirements
Another issue cited by fintechs is that it’s tough dealing with each bank’s different set of standards and requirements.
“Some of those standards may be in conflict,” Petralia said. “It can take years to comply with a bank’s requirements and it probably eliminates access to newer startups, to smaller businesses that don’t have a lot of cash sitting on their balance sheet, to support that kind of long lead time for legal requirements.”
She said it reminds her of the 1990s, when consumers couldn’t keep their phone number when switching from one telephone company to another.
The telecoms “liked the control that gave them over their customers, because it’s really hard to change your phone number, just as it’s really hard to change your bank account,” Petralia said. “In my mind, this is being driven by the desire to retain customers and prevent portability.”
She says U.S. banks should follow the lead of U.K. banks and collectively create a framework and a set of shared principles for gaining access to customer information.
“Standardization of data sharing would help customers make better sense of their information,” Petralia said. “Our customers would prefer that experience, in particular the ability to avoid providing a user name and password. That would be a fantastic win for everyone—for the banks, for the fintechs, for the customers.
“But the way it’s happening right now is really complicated and it’s only going to get more complicated as more banks do it,” she said.
But Heironimus said Capital One has a standard agreement it sends to anyone who is interested.
“If someone identifies something they have a problem with and they talk to us, we work it out,” she said. “The whole intent is to provide a more stable and secure connection.”
Withholding information such as PII and payment data
Another complaint is that banks’ agreements with fintechs are too restrictive and leave out certain kinds of data, such as identity information like customers’ email addresses and phone numbers, which fintechs say they need to prevent fraud, and information needed to initiate payments.
In its data-sharing principles, the CFPB does not insist that banks share all personally identifiable information with fintechs, though it does ask them to share transaction, account, fee, interest and reward data.
Yet many fintechs need identity data for their offerings to work.
“Identity data is critical for reducing risk and preventing fraud for both banks and fintechs,” Showen said.
Mortgage lenders, for instance, need the name associated with a bank account in order to process a digital mortgage. In a car payment or wire transfer, the initiator and the recipient bank typically require identity information to securely conduct a transaction.
And when banks withhold information needed to initiate payments, “that ironically makes the ecosystem less secure, because the alternative is for consumers to directly enter their account routing numbers, which is an immutable piece of information that can never be changed,” Showen said.
Heironimus said Capital One shares transaction and account data. But sometimes fintechs ask for a multitude of data fields unrelated to the service being provided.
“Each time we’re asked about additional fields, we say, ‘What are you going to use it for? What are the security risks?’ ” she said. “We have a regulatory need to protect customers’ data.”
Capital One is interested in sharing sensitive account data through a secure mechanism like tokenization, Heironimus said. “We’ve worked with many third parties on answers to that.”
Too much liability for fintechs
Fintechs further say that banks are asking them to take on too much uncapped liability for anything that might occur down the road.
Heironimus pointed out that in the event of fraud, most consumers will be made whole by their bank.
“We believe anyone handling the customers’ data should share the risk of losses resulting from their actions,” she said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.