WASHINGTON — Banks and consumer rights groups appear to have found rare common ground in the debate over screen scraping.
Responding to the Consumer Financial Protection Bureau’s call for comments on access to financial data, representatives from both sides have asked the agency to weigh in on the application of certain regulations to fintech companies that aggregate financial data on behalf of consumers.
The American Bankers Association “recommends that the [CFPB] use existing regulatory authorities to close regulatory gaps and ensure that consumer financial data are accorded baseline privacy and security protections regardless of where the data reside,” said Robert A. Morgan, the group’s vice president of emerging technologies.
Banks' call to enforce new standards on financial data aggregators echoed recommendations from consumer groups.
"There is an opportunity to develop a set of principles that lead to standards that work for everyone — banks, data services providers and consumers," said Ed Mierzwinski, the federal director of the consumer program at U.S. Public Interest Research Group. "But ultimately, the standards cannot be enforced by the market; they must be based on enforceable rules."
The CFPB’s request for information has helped stake out the positions of various actors in the debate over screen scraping — the technology that allows consumers to give away their bank account information by sharing login credentials with third-party companies. Consumers use this access to plug their data into financial management tools and other fintech applications.
Banks have argued that the process could create significant cybersecurity and privacy risks for users.
“Consumers today are offered a Faustian bargain in which their desire for technology-driven convenience is exchanged — often unknowingly — for increased potential of catastrophe, by handing over the keys to their financial vault,” Morgan said. “When consumers share their login credentials with an aggregator, they are giving the aggregator carte blanche access to their financial data, including information about things such as their life savings or retirement account.”
Several large banks have reportedly blocked data aggregators from accessing the financial data they hold — a move that critics say was intended to preserve their grip on financial data, an important asset as financial services go digital.
“A bank, broker, or other financial company should not prevent consumers from accessing their own data to subvert competition with other providers,” said a coalition of 17 consumer rights groups, including Americans for Financial Reform, the Center for Responsible Lending, the National Consumer Law Center and the U.S. PIRG, in their letter to the CFPB. “The appropriate way to address such concerns is to facilitate consumer-permissioned access with adequate safeguards, including deploying fit-for-purpose tools.”
Despite this conflict, however, both sides appear to agree that rules applying the 1999 Gramm–Leach–Bliley Act and its predecessor the 1978 Electronic Fund Transfer Act — which codified cybersecurity and privacy standards for financial data — need to be modernized to account for the rise of these new financial services providers.
Consumer groups urged the CFPB to clarify the liability risks that come with giving data aggregators access to an account. According to the National Consumer Law Center, certain banks have been telling customers that they would be held liable for fraud or other illegal activity resulting from data scraping.
The organization argued that should not be the case, because the liability exemption in question — in Regulation E of the Electronic Funds Transfer Act — should not cover access by third-party service providers.
“This provision is intended to address a situation such as when a parent provides a debit card and PIN to child or spouse and the child or spouse misuses it to make purchases that the parent did not intend,” the law center said in its own separate letter. “But this exception to the Regulation E liability protection does not deprive consumers of error resolution or liability protection when they provide account credentials to third-party services that access account data in the course of providing services to the consumer.”
A consortium of online lenders, personal finance apps and other fintech companies also suggested Regulation E as it stands could hamper the reach of the fintech industry.
“Consumers may … be reluctant to use certain non-bank applications due to possible liability for unauthorized transactions initiated by the non-bank,” the group said in a letter signed by 11 companies, including Affirm, Kabbage and Personal Capital. “Not only could this potential liability deter consumers from using non-bank data aggregation services, it may also deter investment in non-banks thus slowing development of new fintech applications.”
For its part, the ABA argued that the CFPB should ensure liability be placed squarely on the data aggregator.
The agency, Morgan wrote, should “clarify that data aggregators are ‘service provider’ under the Electronic Funds Transfer Act … and are liable for unauthorized electronic fund transfers that exceed the consumer’s liability” under the law.
In addition, ABA called for stricter CFPB supervision of aggregators by designating them as “financial institutions” for the purpose of applying the GLBA’s privacy provisions, enforced under the Federal Trade Commission’s Safeguards Rule.
“This would help fill a critical gap that currently exists that puts consumers at a serious disadvantage,” Morgan said. “By furnishing the same disclosures as those supplied by other financial institutions, consumers would be better informed about how their data is collected and used.”
The ABA also urged the CFPB to start supervising some of the larger fintech companies engaged in data aggregation — a measure supported by the NCLC.
While similarly asking the agency to develop privacy, security and transparency standards by regulators, consumer rights groups suggested that coming from financial institutions, those concerns were more of a strawman’s argument.
“The privacy issues that they raise concerning abusive secondary uses of information by the third-party services providers are not problems that the banks themselves can in any way claim don’t apply to them,” Mierzwinski said.
U.S. PIRG went one step further, asking for bank account information to become as easily transferrable as phone numbers in order to facilitate consumer access to financial data and boost competition between banks.
“Ideally, going forward, consumers should have the right to take their financial account number to a new provider and should be rid of all the ‘account stickiness’ and ‘switching costs’ that make it hard to change your stodgy old bank,” Mierzwinski said.
Meanwhile, groups that represented fintech companies were strong opposed to the idea of government intervention in the space.
In their comment letters, groups including the Electronic Transactions Association, Financial Innovation Now and a coalition of nearly 60 fintech companies led by Plaid — an intermediary between data aggregators and financial institutions — urged the regulators to let stakeholder develop industry standards.
“FIN believes that regulation of permissioned access to consumer financial account data is not necessary at this time,” said Brian Peters, the executive director of the group, which comprises Amazon, Apple, Google, Intuit and PayPal. “We are concerned that regulation would run the risk of creating a framework that likely would restrict market developments or innovations and not easily adapt to the pace of technological innovation and consumer expectations.”