How data sharing could change under CFPB's proposed new rules

Banks already share consumers' transaction data with fintechs, mostly through data aggregators, and often grudgingly through screen scraping. The proposed 1033 regulation could give more control to consumers, better data access to fintechs and a competitive edge to big banks over smaller ones, some observers say.
Samuel Corum/Bloomberg

U.S. banks have shared their customers' account data with fintechs, an activity some call "open banking," for more than a decade. But they haven't always done it knowingly or willingly, and it's been a source of tension among banks, data aggregators and fintechs. Could the data-sharing rules the Consumer Financial Protection Bureau proposed last week make a difference?

The CFPB's proposed data-sharing rules under Section 1033 of the Consumer Financial Protection Act of 2010 say banks must share transaction data for deposit and card accounts with fintechs at customers' request, including transaction amount, date, payment type, pending or authorized status, payee or merchant name, rewards credits, fees or finance charges and account balance. Banks would have to provide at least 24 months of historical transaction data and information about upcoming payments. They also would have to provide interfaces developers can use to create pipelines that receive this data.

The proposal would limit the data that data aggregators like Plaid, Envestnet Yodlee, Finicity and MX gather and retain to only what's reasonably necessary to provide the consumer's requested product or service. They would not be able to sell that data to hedge funds, other Wall Street firms or anyone else, nor use it for targeted advertising or to cross-sell products. 

"My read of the rule is that it very clearly says that the consumer gets to decide who they authorize to access the data," said Amias Gerety, partner at QED Investors and a former Treasury official. "It codifies access in a specific way that gives the consumer control." 

The proposal would bring a lot more scrutiny of what data is being exchanged and how quickly consumers can revoke access to data, said Ameya Talwalkar, CEO of the application programming interface security company Cequence.

The proposal also would give consumers some control and protection over their data once it moves from a bank to a data aggregator or fintech. For instance, consumers would need to reauthorize this data access every year.

For fintechs, the proposal should make data access easier and more stable, Gerety said. Today, generally speaking, fintechs' access to bank account data is pretty good, he said. 

"But the failure rate for Plaid, Yodlee and MX is still strikingly high," he said. "Ten to twenty percent of the time, the connections break. And that's partly because much of this access today is done through screen scraping rather than through these API interfaces." A spokeswoman for Plaid declined a request for comment, but pointed to blogs about the proposal posted by the Financial Technology Association and FDATA. After this story was published, the spokeswoman said the company currently supports 75% of traffic through APIs. The remaining 25% of traffic belongs to financial institutions that have not built APIs to integrate with.

The CFPB's 1033 plan would also require banks and credit unions to provide fintechs — typically through data aggregators — data about the terms and conditions of products, including all rates and fees. This is not standard practice today, and it could let third parties like Credit Karma, NerdWallet, BankRate and LendingTree gather data directly and provide consumers with more accurate product-comparison information. 

"Stable, machine-readable, legally guaranteed access to terms and conditions will make the financial services industry more competitive," Gerety said. 

The proposal also would require banks to provide information to initiate payment to or from an account.

"That moves the ball forward," Gerety said. "I thought that was very interesting from a control element — that it's not just data, but also this idea that the consumer can take action."

This could be a windfall for Plaid, which has been trying to become a payments provider.

"Account funding is such an important part of how Plaid really delivers value in the fintech ecosystem," Gerety said. "This does look like a step in that direction to make it easier for [data aggregators] not just to get the data, but actually move customer funds."

Would screen scraping be banned?

Because the proposed rule would require banks and other data providers to offer developer interfaces, there should be less need for screen scraping — in other words, logging in with a user's online banking credentials and copying and pasting their transaction data into another app. The term "screen scraping" does not appear in the language of the rule, so it's not clear if there will be an explicit ban on the practice. The CFPB did not answer a question about this by deadline.

The requirement that data be shared through developer interfaces could be a mixed blessing for the data aggregators and other companies that provide such APIs. Logically it should bring them more business. But some of the data aggregators' value comes from their ability to manage the complexity of screen scraping, Gerety noted. 

"In the extreme case, imagine that every single bank in the country adopts the exact same API," he said. "Then you just need to know the name of the bank and then your code would read exactly the same way no matter which bank you were pulling the data from. That would be a world in which Plaid's market power basically disappears." A Plaid spokeswoman said the company has thousands of customers and offers a wide range of products and services including anti-fraud, identity verification, lending and payments software.

The CFPB proposal calls for the creation of industry standard-setting bodies that would create such a standard. 

Today, the Financial Data Exchange and OAuth groups set some voluntary technical standards for data sharing. But other organizations may be created for this purpose.

Another factor is that it will take some time for all banks to have APIs.

"An end to screen scraping will take a lot of time due to the varying degree of technological capacity of our nation's financial institutions," said Jim Perry, senior strategist at Market Insights. "Will these rules offer enough incentive for the smallest institutions to quickly transition to APIs? The end to screen scraping may be a long way off."

While big banks would have to start complying in 2025, small banks would get about four years to be ready.

The backstory

Over the past two decades, the way bank account data is shared with fintech app providers has evolved. Data aggregators like Plaid, Mint and Yodlee started out by siphoning data out of bank servers in stealth mode, by getting consumers to give up their online banking credentials, logging in using their identities and screen scraping their data, without asking or telling the banks. 

Bank leaders vehemently objected to every aspect of this — the way the aggregators created fake pages that looked like the banks' mobile apps and websites (including use of banks' logos) to get people to enter their usernames and passwords; the way the screen-scraping activity became so voluminous it clogged banks' servers; the way it sometimes tripped up fraud filters; and the way data aggregators seemed to scrape and retain much more data than was called for.

Data aggregators and fintechs have over the years accused banks of blocking their screen scrapers, being anti-competitive, hoarding data and preventing customers from using useful new apps.

In December 2019, PNC Financial Services Group implemented an extra authorization step for users logging in to their account that effectively blocked some screen scrapers and led to some customers not being able to use Venmo, a Plaid client. PNC said some data aggregators were circumventing its security controls and as a result there was fraud occurring on customers' accounts. PNC also said some data aggregators were scraping all the information in banking relationships, not just the accounts to which customers granted access, and keeping that data indefinitely. 

In October 2020, TD Bank sued Plaid for trademark infringement and false advertising, saying the company was unlawfully using the bank's name, trademarks and logos when Plaid's fintech clients used its technology and services to link bank accounts and financial data to their financial and payment apps. TD Bank declined a request to comment for this story.

Two months later, PNC also sued Plaid for trademark infringement, saying the data aggregator's use of bank logos and trademarks "can easily confuse a consumer, who may make the logical assumption that the app they are using is sponsored by their bank and that it is safe to provide their sensitive information." PNC declined a request for comment for this story.

The claims raised in the lawsuits "do not reflect our practices," the Plaid spokeswoman said Tuesday. Plaid settled the TD lawsuit shortly after it was filed in 2020 and the PNC lawsuit is ongoing. Plaid denies the allegations.

"We make our role and practices clear and provide services that give consumers control over how and where they share their data," the spokeswoman said.

Over time, the data aggregators acquired so many fintech customers that they had the leverage to induce banks to sign data-sharing agreements to move bank account data through mutually approved APIs. In 2018, JPMorgan Chase signed agreements with Plaid, Intuit, Quovo and Finicity. Wells Fargo signed an agreement with Plaid in September 2019.

Not all banks have signed agreements with all data aggregators. And even where there are agreements in place, disputes persist. Fintechs say the API agreements are too stingy with data. Banks say data aggregators and fintechs gather far more data than they need for the actions the consumer wants to perform.

Some observers said data aggregators rarely stick with their API-based agreements with banks. 

"Oftentimes they will actually be screen scraping and not using those APIs," Talwalkar said. This is because they can get much richer context through screen scraping. 

"If I use my credit card to do certain shopping at certain times of the day, there is a lot more context that you can get by logging in as a consumer and scraping that data versus the API that the bank has for you to scrape that data," Talwalkar said.

The impact on community banks

CFPB Director Rohit Chopra recently said the new proposal would open opportunities for small banks.

"I think Director Chopra is overestimating the promise of an open banking ecosystem for small banks," said Perry. "This new rule may have the intent to level the playing field for small banks, but it could actually have the opposite effect. Greater ease in switching accounts is a sword that cuts both ways, and you cannot automatically assume that small banks will be the primary beneficiary."

The proposal could most benefit big banks that already have the technology in place and the fintechs and digital competitors that depend on access to consumers' financial data, he said. Some small banks would have to depend on their core-banking providers to meet the obligations of the rule. Fiserv and Plaid recently struck an agreement along these lines.

Community banks are likely to view this proposal as another compliance challenge, Perry noted. On the other hand, 75% of banks would have four years after the rule takes effect to actually comply, he said.

"They should use that time wisely," he said.
