The squabble between banks and aggregators like Credit Karma or Kabbage over sharing financial data has been one of the most contentious and esoteric issues in digital banking.
A set of principles published by the Consumer Financial Protection Bureau in mid-October affirmed consumers’ ownership rights over their financial data and said that banks and outside companies must use heavy security when sharing that information.
Players on either side of the argument publicly applauded the principles, but the bureau’s position did little to quell debate over the best way to share the data, which is the lifeblood for innovation in budgeting, payments, lending and digital identity. Trust remains an obstacle: Banks have not yet accepted an open approach to sharing customers’ financial data, citing security concerns as the reason why they are selectively choosing trusted partners. Aggregators charge that a mishmash of partnerships stifles innovation and violates open data-sharing ideals.
Many deemed the principles vague, and the bureau stressed they were also nonbinding. Still, the CFPB stated it “stands ready” to protect consumers by facilitating constructive efforts or taking other appropriate action. The recent political upheaval at the CFPB only adds to the concerns of a small but growing choir of data experts who want regulators, including the CFPB, to hold banks accountable to the principles. As two potential successors vie for control of the agency following the resignation of Director Richard Cordray, the distraction could provide an opening for bank lobbyists to push the bureau to rescind the guidance or water it down, some observers suggest. It also clouds any effort to convert the principles into implementation guidelines, said Daniel Castro, director of the Center for Data Innovation.
“That looks like an increasingly unlikely scenario given the political situation at the CFPB,” Castro said. “So, yes, it is time for Congress to step in.”
Although fintech companies have been grabbing digital bank data with consumers’ permission for more than a decade, banks were publicly criticized for blocking data access to third-parties in 2015.
Banks say they are just trying to protect their customers from mounting cyber threats. But others are concerned the incumbents are motivated for anti-competitive reasons and will restrict data access again unless there are more repercussions. In a November Center for Data Innovation report, the report's authors, Castro and Michael Steinberg, urged the CFPB to create rules on data-sharing, and if it didn’t take action, the authors proposed for Congress to “pass a resolution that calls for banks and fintech companies to ensure consumers can access their data without restrictions by voluntarily developing open banking standards to enable financial service providers to securely exchange consumer data.”
As Castro sees it, without incentivizing banks to make the change that could loosen their grip on their customers, the ability for consumers to share critical data elements with the portal of their choice could be in jeopardy — it's a tension that already exists in other sectors, like travel and healthcare.
While the CFPB avoided naming how banks and fintechs should exchange data in its principles, the Center for Data Innovation’s report did not. It called for open bank application programming interfaces with regulator intervention so that banks don’t resist creating them. As the authors wrote: “Regulators are best positioned to strike the right balance to ensure that open API rules protect the legitimate interests of banks, such as not imposing undue costs, creating unnecessarily complex technical requirements, or exposing financial systems to significant security threats, while also ensuring open APIs are a pathway for the type of technological innovation that will unlock more value for consumers.”
A handful of U.S. banks, including Wells Fargo, Capital One, JPMorgan Chase and Silicon Valley Bank, have announced API deals with select tech partners in the U.S. But that is a drop in the bucket for a country with thousands of banks. Not to mention: Bilateral agreements aren’t scalable, while cherry-picking which companies get access to the data is risky for innovation. “It can’t just be if you are large enough, you get to negotiate access,” said Castro.
Advocates say such deals also misinterpret the open banking movement, a model where financial institutions don’t get to dictate the terms, including choosing who their partners are.
“The ‘daddy is in charge’ mentality doesn’t hold true in the open [banking] future,” said Louise Beaumont, strategic adviser for SapientRazorfish and co-chair of the Open Bank Working Group.
Can regulators unite on data?
While many see the CFPB as the industry’s watchdog to lead the charge in the states, there could be an important role for other regulators to play.
Data aggregation has been the focus of recent speeches by Federal Reserve Gov. Lael Brainard who has urged regulators to unite on the issue. In a prepared speech, Brainard said: “Consumers, as well as the market as a whole, will benefit if regulators coordinate to provide more unified messages and support the development of standards that serve as a natural extension of the common-sense norms that consumers have come to expect in other areas of the commercial internet.”
Jonah Crane, adviser at the data aggregator Quovo, believes a regulatory nudge can be helpful to getting banks to embrace the model, and ultimately, facilitate innovation.
In a BankThink blog, Crane outlined some steps on how. Among his suggestions were recommending the CFPB bring enforcement actions under its authority to prevent “unfair, deceptive, or abusive” acts and practices and urging the CFPB to work with the Federal Trade Commission and banking regulators to provide additional guidance on its principles related to informed consent.
One of the thorniest issues to work out, as Crane sees it, is to remove the ambiguity on which party is on the hook if there is a hack. The private sector could work out the details of who bears responsibility in the event of a breach. Regulators could also make it easier by clarifying, say, which company is liable in cases where consumers have shared their login credentials.
"There is broad agreement around the CFPB's principles, so regulators and the industry should build on those principles,” Crane said in an email to American Banker. “Data access is the fuel for consumer-friendly innovation and competition, and there is more policymakers can do to facilitate full and secure access."
Global competitors are already opening financial data to sanctioned third parties. The U.K., for example, has been undergoing regulatory reforms that champion open banking and application programming interfaces as the way to exchange data. The European Union is gearing up for PSD2, a directive that will make banks share financial data only with third-party apps that the regulators have approved.
“We’re seeing a different rate of [open banking] change in the U.S. versus the U.K. and Europe,” said Castro. “It’s going to be to the detriment of the U.S. if we don’t address it soon.”