CFPB's Move on Data Aggregation Pits Banks Against Fintechs
WASHINGTON — Banks are butting heads with consumer groups and fintech firms over the need for new rules governing the use of financial data.
The Consumer Financial Protection Bureau opened the door to possible new regulations Thursday by requesting comment on what can and should be done to prevent banks from cutting off third-party access to consumer data where the customer has given permission.
At a field hearing in Utah, banking representatives said the furthest the CFPB should go is offering general guidelines.
The CFPB should provide "industry guidance via principles, versus via enforceable rules," Ryan Falvey, a managing director at the Center for Financial Services Innovation, said during a panel organized by the CFPB in Salt Lake City.
But consumer groups argue that will not be enough to ensure that consumers can use their own financial data as they see fit.
"The offer of creating voluntary standards is one that industry makes all the time to delay regulation or to delay legislation and to delay customer protections," said Ed Mierzwinski, director of the consumer program at the Public Interest Research Group. "I was born at night. But it wasn't last night."
Tensions between banks and fintech companies that use screen scraping technologies to obtain the information of consumers came to the fore earlier this year when it was reported that several large institutions had moved to shut out third parties.
CFPB Director Richard Cordray issued a stark warning this fall that such moves were not acceptable, and reiterated Thursday that more may need to be done.
"Consumers should be able to use their financial records and account information and securely share access in an electronic format," he said at the field hearing. "Technology provides opportunities to use these records to create new consumer tools that help improve financial lives."
But financial institution representatives argued that screen scraping carries significant risks, because it requires consumers to give away their login credentials to a third party without having full control over how this access is used.
"Today, when a consumer forfeits their login credentials, they give data aggregators access to their online data for an unlimited time period," said Rob Morgan, vice president of emerging technologies at the American Bankers Association. "There's a better way forward to empower customers to share their data than sharing their login credentials."
Banks fear that customers could ultimately lose control of their accounts if precautions are not taken.
The data "moves out of the bank's environment and into an environment that is less supervised," said Alaina Gimbert, associate general counsel at The Clearing House Association. "Once a consumer has enabled a third party to go into their online banking account, that third party technically could do anything the consumer is enabled to do."
Other risks invoked by industry representatives include privacy and cybersecurity concerns, in addition to potential liability if consumer data is breached.
"There's intense competitive pressure for banks to make data aggregation work," Gimbert said. But "anything that they do to enable services by data aggregators has to be done in a way that the bank can feel comfortable that there is no harm to the consumers and that they can meet their own regulatory obligations and own internal risk levels."
Consumer protection advocates recognize the risks, but argued that the right of a consumer to access and use their own financial data is paramount and must be protected by new rules.
"The genie is out of the bottle, even though some may not understand or appreciate the risks that are involved," said Joe Valenti, director of consumer finance at the Center for American Progress. "Individual consumer access must be ensured through regulation."
Valenti added that financial adviser applications can present a number of benefits that banks do not, including fighting overdraft fees and other avoidable costs, pooling all financial account data onto one site, and "unbundling."
"Bank accounts are not mobile," said Valenti, unlike, "for instance, postal mail forwards."
Panelists also noted that banks of varying sizes face different challenges. Smaller banks are less likely to have the infrastructure or visibility to partner with data aggregators in order to have some control of the process.
"Most community banks are simply not big enough to be on the radar of the large data aggregators," Morgan said.
There must be more inclusion of smaller banks in partnerships with data aggregators, he added, "to make sure that they're comfortable with what's happening."
In order to be receptive to personal finance applications, Morgan added, the infrastructure of smaller banks will have to adapt. "The core providers play a really key role here in helping community banks develop a secure way to share this customer data," he said.