Cordray Reignites Bank-Fintech Fight After Comments on Data Sharing
WASHINGTON — Consumer Financial Protection Bureau Director Richard Cordray has revived an ongoing dispute between banks and fintech firms over screen scraping, a method certain companies use to obtain access to consumer bank records.
In a speech on Monday, Cordray bluntly warned banks not to limit access to financial data by third-parties working on behalf of the customer — comments that elated fintech firms which rely on aggregating data to offer financial advice and other services.
"What the director said is that what's paramount for all of us is first and foremost making sure that consumers have access to all their data," said Anil Arora, the chief executive of Yodlee, a data aggregation platform that partners with fintech companies and banks.
Though banks and fintech companies have found several ways to collaborate on sharing and analyzing data, tensions have periodically flared particularly around the method of screen scraping. This technology allows financial advisers and other fintech companies to obtain the financial data of willing consumers through their bank's website.
Some of the largest banks have reportedly taken steps to limit screen scraping, which they argue poses significant security risk.
With "some of the screen scrapers coming in you can tell... that a login is coming from a computer," rather than a person, said Rob Morgan, the vice president of emerging technologies at the American Bankers Association. "What is really hard to tell is, is that a benign computer or is it a malicious one?"
But Cordray appeared to rebuke banks that would deny third parties access to appropriate customer information.
"We are gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data," said Cordray at the annual Money20/20 conference in Las Vegas on Monday. "We believe consumers should be able to access this information and give their permission for third-party companies to access this information as well."
Cordray's comments were the first of their kind for a federal regulator and may be a signal that the CFPB will consider stepping in if banks and fintech firms cannot reach an accord.
In a statement to American Banker, CFPB spokeswoman Moira Vahey declined to comment on whether the agency would issue any new rule on data sharing, but said it was currently in talks with industry groups. "It is an issue we are taking a close look at as part of our work to monitor the market for consumer harm," she said.
In addition, in a new report analyzing data from its Project Catalyst program, the CFPB delved a little further in the topic.
Calling for more information about "consumer and third-party access," the agency said it "is interested in supporting the ability of consumers to access and share personal information about their own financial lives with others where they believe it is in their interest to do so."
The ABA's Morgan said both industries are trying to find a way to open up consumer data.
"At the end of the day it really is, how do you facilitate this sharing of data in a way that protects the customer?" said Morgan. "It's not so easy to do."
But, he added, "there are a lot of banks working on this and looking at the ways to make that data available whether it's through APIs or partnerships with some of these data aggregators.
Banks are also being pressured by consumers — who have access to an unprecedented amount of financial tools — to develop ways to share the data securely.
"At the end of the day, if it's what consumers want, the banks will have to find a way to do it and to be comfortable with it," said Ryan Caldwell, the CEO of MX — a financial data analytics company that partners with banks.
If market forces are not compelling enough, he added, regulators like the CFPB might take concrete steps to force their hand.
"If banks don't find a natural way to work in this ecosystem with the aggregation providers, then I think it's inevitable that at one point regulators will step in," he said.
Still, banks will have to tread carefully to ensure they remain compliant while satisfying their customers.
"Banks are subject to specific standards and rules that come out of the Graham-Leach-Bliley Act," said Cliff Stanford, the chair of Alston & Bird's bank regulatory group and an advisor to both banks and fintech companies. "The standards are only the starting point for scrutiny of banks' practices."
In fact, Stanford noted, the CFPB has come down at least once on a fintech company for failure to protect consumer data. In March, the agency imposed a $100,000 penalty on Dwolla, an online payment platform accused of deceiving customers by claiming its data protection methods "exceeded industry standards."
With "the CFPB itself bringing enforcement actions" over data security issues, said Stanford, "banks will also have that concern."