Banks’ adversaries in the debate over account data sharing have honed their talking points and gone on the offensive.
Data aggregation companies and some fintech companies need consumers’ bank account data for their business models and products to work. The aggregators make money by collecting account data and streaming it to other companies, usually fintechs but sometimes banks as well. The data is gathered either through screen scraping (logging in to an online banking service using the customer’s username and password and copying and pasting the transaction information into a database) or through direct connections with the banks. Fintech companies, such as those that provide robo-advisers and personal financial management apps, also rely on this data to provide their services, and obtain it through data aggregators or through their own screen scraping or direct connections.
A recently formed group representing 31 data aggregators and fintech companies, called Consumer Financial Data Rights, says banks still aren’t forking over as much data as they should be. The group is meeting with bank regulators to plead their case and trying to get consumers to petition regulators on their behalf, urging them to send a Tweet that says, “.@CFPB protect Americans' ability to grant access to their financial information. #handsoffmyfinancialdata.” In November 2016, the CFPB launched an inquiry into the challenges consumers face in accessing, using and securely sharing their financial records.
When you talk to bankers, fintech companies and data aggregators individually, you could get the impression they’re all on the same page. They all claim to know what consumers want and to be the best champion of customers’ rights and protectors of their data. All say they’re in favor of open APIs for sharing data. And all say their motive is to help consumers. Yet each party appears to be primarily looking out for its own business interests.
The leaders of the CFDR accused banks of pushing bilateral agreements that restrict the types of data that will be shared and the use cases under which it can be shared. They also said large banks refuse to even talk with them about these issues. They say they would like to see the industry coalesce around a set of principles such as the European Union’s General Data Protection Rule.
“Just think about all the important advances in health care that depend upon your data, your DNA, your healthcare records,” said Jon Stein, CEO of Betterment. “If all that was owned by a single doctor and you didn’t have the right to access that data, own that data, transfer it to another doctor if you wanted to, there would be a terrific outcry.”
Banks say they have no intention of restricting data sharing, that they want to let customers decide with whom their bank account data should be shared, and that they want to make sure that data is secure.
“I absolutely agree customers should have control over banking information,” said Brett Pitts, head of digital for Wells Fargo Virtual Channels, when Wells announced its data-sharing agreement with Intuit. “The security aspects of that are important to customers.” In addition to Wells Fargo, BBVA Compass, Citi, Chase and Silicon Valley Bank have set up APIs for the purpose of sharing customer data with third parties.
Similar spats are playing out in other industries. A judge this week ruled that LinkedIn must allow an analytics company called hiQ to continue to screen-scrape user profiles while hiQ sues LinkedIn for the permanent right to scrape its data. LinkedIn argues that hiQ's automated scraping tools harvest the personal information of users and organizations for free without their permission and illegally bypass LinkedIn's anti-scraping protections. LinkedIn has formal data-sharing deals with several other analytics companies.
There are several specific points of contention between the CFDR and the banks:
The CFDR’s top complaint about banks is that they are making one-off data-sharing agreements with data aggregators and fintechs. Chase and Wells Fargo both have announced recent agreements with Intuit and with Finicity.
“What’s happening are bilateral agreements that have been developed by a few financial institutions that have very concerning elements: data restrictions around what consumers can see around their own data and use case restrictions,” said Anil Arora, CEO of Envestnet Yodlee (the data aggregator Yodlee was sold to the wealth management software company Envestnet in 2015). “And the technologies that are being proposed are inconsistent across banks, they’re expensive, they’re not scalable, they’re one-off, in some cases they’re less secure, and may even lead to unintended consequences.”
For instance, Arora said banks are limiting the data a company like Betterment could use to provide analysis, advice and planning to its customers.
“The bank in its wisdom will decide what data fields can be passed on by the consumer and which ones cannot,” he said. “The data restrictions are pretty significant. Another restriction that’s in there is what use cases are consumers permitted to share the applications for.
“Imagine that: We’re basically saying to the consumer, You cannot make decisions about your own life in terms of how you’re using the data, you have to have a third party bank decide what you can and cannot do with your data.”
Further, each bank has a different set of restrictions, Arora said.
“Imagine the logistical and practical impact of fintech, technology and aggregation companies having to have a different set of data and restrictions with each bank on a one-off basis,” Arora said. “That breaks the entire model of how you then have these solutions and services run on top of these models, because they cannot work with inconsistent data.”
Wells Fargo and Chase executives declined requests for interviews for this story. In the past, they have said they can’t comment on their agreements with data aggregators, referring to them as legal matters.
“As has always been the case, nothing is intended to constrain, but to provide data in a safe, transparent way that gives customers control,” Pitts said in the earlier interview about Wells Fargo's agreement with Intuit.
Reselling customer data to third parties
Another issue: What happens to data once it’s shared with a data aggregator or fintech company?
Yodlee reportedly sells some of the bank and card transaction data it gathers to investors, research firms, and hedge funds such as Steven A. Cohen’s Point72 for millions of dollars. The hedge funds mine the information for clues about trends that can move stock prices. This is antithetical to GDPR principles: The consumer is not being told what’s happening with his data, nor being offered an opportunity to provide consent or opt out. There’s no auditable trail of consent and permission around the use of the data.
Yodlee says it doesn’t sell personally identifiable information; the data is all anonymized. Yet anonymized data can be de-anonymized and “bank details” are specifically mentioned in the GDPR as data that needs to be protected.
The large banks, especially Chase, say it's their policy not to resell customer data.
When Chase announced its data-sharing agreement with Intuit in January, the two companies stated they would not resell data to third parties. They said customers will give explicit consent to share their data with Intuit and for Intuit applications to use specific account information, and will be able to turn on and off access for Intuit applications.
“The most important part of this is giving control to the customer,” Jamie Dimon, chairman and CEO of JPMorgan Chase, said in a statement at the time. “Customers will get to decide what they want to share and when they want to share it — without having to hand over their password.”
Secil Tabli Watson, executive vice president and head of digital solutions for business at Wells Fargo, pointed out in an interview early this summer that there are security issues with reselling customer data.
“Any data can be compromised, so you want to keep your data as secure as possible,” she said. “Just because it's anonymized, that doesn't mean there isn't value in there that you would lose if somebody was able to eavesdrop on it.”
Dan Kimerling, head of API banking, open platform and research and development at Silicon Valley Bank, pointed out that it’s hard to draw a line between legitimate reuses of data and dodgy ones. For instance, some card organizations resell transaction data for research purposes.
“If there’s data, and there are data moats, somebody’s going to want it and you’re going to sell it,” he said. “There’s always going to be a right price.”
Asking the consumer’s consent before reselling data is pointless because no one reads terms and conditions, he said.
Both sides of this debate support the use of open APIs for sharing data between banks and third parties. But they seem to have different interpretations of the word “open.”
Data aggregators and fintechs would like “open” to mean, open to everyone. Banks want it to mean, open to anyone they approve.
Wells Fargo has created an API gateway portal and several JSON- and REST-based APIs that are designed for specific purposes, such as account aggregation (these are used by Intuit and Xero), foreign exchange and cash management. The gateway is for vetted business customers; the bank says it encourages these fintech partners to use its data to create innovative products. It particularly welcomes API partnerships with companies that have a lot of the same customers as Wells Fargo.
“Obviously we’re not just going to answer an email solicitation from Honduras from somebody we don’t know who wants to access our APIs,” Watson said. In the future there may be some APIs that will be open to anyone, such as one for location data for the bank’s ATMs and branches, she said. “We don’t need to do a Know Your Customer check for someone to embed that.”
Kimerling suggests APIs should be open to anyone who meets a minimum standard that’s published and subject to an open adjudication process.
“I don’t think it’s in the public interest to let literally every Tom, Dick and Harry have access to that data,” Kimerling said.
Call for open dialogue
Another CFDR complaint is that banks won’t talk to the aggregators and fintechs about their issues.
“Why haven’t we as an industry like Europe or Asia had an open and transparent debate on options and assessed them?” Arora said. “What is secretive about the elements of what’s being proposed? If we had an open discussion of what are the options and what are the pros and cons, then you’d be able to conclude as you see fit from your perspective, but that’s not what we’re seeing.”
“There’s not a rigorous public debate happening on what we should do with this data — it’s closed and backroom-y,” he said. “It’s also very easy to say you’re protecting customers when you’re trying to protect your own business.”
Account and transaction data should belong to the consumer, in Kimerling’s view.
“Banks are fighting to hold onto this data in a way that makes little logical sense,” he said. “Consumers don’t think their bank data is that valuable. Consumers want to freely give of their data and have their data shared in ways that add value to the customer.”
Banks have valid concerns about the liability they expose themselves to when customer data is federated, Kimerling acknowledged. “But the data is going to be federated whether they want it to be or not.”
Arora and the CFDR point to Europe as a role model. “I think GDPR would be a much better alternative to the bilateral agreements being proposed currently,” he said.
That might well require legislation, though, and have you read the news out of Washington lately?
Even if there weren’t gridlock in the nation’s capital, Kimerling is uncertain about the practicality of trying to impose the GDPR in the United States, because there are thousands of banks of different sizes and varying technical resources.
“It’s hard to make standards like this because the norms that underpin them are rapidly evolving,” Kimerling said. “What seems like an illegitimate purpose now may feel legitimate five years from now. There’s a certain reality that there are rapidly evolving norms around these things and we have to be very aware of those norms. We shouldn’t assume or even want them to be static.”
The bottom line is, no one has truly thought through the best, most practical way to share data, and none of the parties involved have pure motives. It would be good to have an independent, unbiased person or group craft a solution. The job may fall to the CFPB or another regulator.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.