No shortage of ideas for CFPB data-sharing rules
Fintech experts are embracing the Consumer Financial Protection Bureau's recent announcement that later this year it will propose rules governing third-party access to consumers' bank account data — and they have strong opinions about what the CFPB should do.
“It suggests that they see some consumer financial data-rights issues that the bureau needs to strengthen or clarify and which the market may not be able to resolve without additional guidance,” said John Pitts, head of policy for Plaid, the largest data aggregator, which supplies bank account data to 3,000 fintechs including Venmo and Coinbase. “It could be a big win for consumers.”
“This is something that we and many others in the fintech and technology space have been advocating for years,” said Jason Gross, founder and CEO of Petal, a fintech that issues credit cards to people who may not have a credit score; it relies largely on a person’s cash-flow analysis, which requires access to bank account data.
The CFPB has been mulling some action in this area for years. In February, it held a symposium in which it brought together bankers, fintech executives, industry group representatives and consumer advocates to debate questions about how bank customer data should be shared with data aggregators and fintechs. The CFPB representatives at the event asked open-ended questions.
Part of the CFPB’s objective was to figure out what, if anything, it should do about a clause in the Dodd-Frank Act, Section 1033, that gives consumers a right to access information about their financial accounts.
Chi Chi Wu, attorney at the National Consumer Law Center, pointed out that Dodd-Frank was enacted ten years ago and Section 1033 has never been implemented. That lack of clarity, she said, has led to a battle between banks, data aggregators and fintechs.
“Data aggregators have wanted this for a while because they want to be able to get the information” to provide to their clients, the fintechs, she said.
Consumer advocates like herself walk a line between wanting consumers to be able to access their account data and give it to data aggregators and making sure they come to no harm along the way, she said.
"We want to make sure that when consumers permission access to their bank account data, it only happens when they knowingly and affirmatively want to do it,” Wu said.
When she signed up for Venmo, for instance, Wu said she never realized she was giving Plaid access to her bank information.
Top concern: Screen scraping
Today, for the most part, the way customer data gets shared with third parties like Venmo, Acorns and Betterment is through data aggregators like Plaid, Finicity, Envestnet Yodlee and Intuit. And the way the data aggregators obtain the data most of the time is through screen scraping — obtaining customers’ online banking login credentials, logging in with those usernames and passwords, and copying the account information.
Many feel this model is broken, for a diverse array of reasons.
Gross at Petal pointed out that a study conducted by the open banking group FDATA found that in the U.S., more than 40% of bank account connections that consumers attempt to make fail.
“That's not a good grade,” Gross said.
Consumers who apply to Petal for a credit card often have a short credit history. Petal asks such applicants to share their financial records as a way to understand their creditworthiness, their income and their employment.
“If a particular consumer’s bank does not participate in data aggregation and open banking, that consumer is unable to demonstrate their own creditworthiness,” Gross said. “As a result, they have worse odds of qualifying for a credit card, and they may receive an inferior product. In our case, it's happening to thousands of people in any given month.”
Attempts to link bank accounts to Petal often fail, Gross said, because financial institutions lack the technology or the willingness to share information.
“Screen scraping introduces errors that using better technology would prevent,” Wu said. She also pointed out that screen scraping allows data aggregators access to data elements that might not be necessary, such as the identity of merchants on a debit card.
Banks don't like screen scraping because they don't want their customers giving out their online banking credentials to third parties, they don't like the strain on their systems that screen scraping often causes, and they don't like the way data aggregators obtain their consumers’ banking credentials.
In some cases, the aggregators present consumers with a screen that is identical to their bank’s login page, complete with the bank’s actual logo. Consumer advocates and banks complain that this is misleading, since the user can assume they are communicating with their bank.
“Anytime a consumer is misled, that's not good,” Wu said. “You really do need to know the role of this third party that has access to your data.”
The process looks similar to OAuth, a standard method of granting a third party access to an account. But in an actual OAuth process, the third party receives a token rather than the credentials themselves, so only the bank stores the usernames and passwords. In the process Plaid and other data aggregators use, they scrape, store and use consumers’ credentials.
The data aggregators argue that they would use application programming interfaces to provide data to banks directly, but a lot of banks don’t support them. (The Financial Data Exchange is also working on an authentication standard.)
Banks and consumer advocates also don’t like the unlimited access data aggregators get to consumers’ data. An aggregator can keep scraping the bank account data of a customer of a service like Venmo long after the customer has stopped using Venmo.
Banks also say there are security issues to letting data aggregators scrape customer data and pass it along to any fintech they happen to take on as a customer.
Gross acknowledged that there are legitimate privacy and security issues, but said the most important thing is that consumers have ownership over their data and have the ability to say how that data is used.
“Does the consumer want their data to be shared with XYZ financial application?” Gross said. “The data aggregators should just be carrying out the wishes of the consumer.”
What is hoped for in upcoming rules
Gross would like to see the CFPB come up with a framework that gives consumers control over their data.
"How is it shared? How much data is shared? What information is shared? All of those things should be determined by the consumer at the end of the day,” he said.
Everybody — banks, fintechs, data aggregators and customer advocates — agrees it’s best to share customer data through APIs rather than screen scraping.
“APIs and tokenized authentication make consumer-permissioned data sharing easier, more accurate and more secure,” Natalie Talpas, senior vice president and digital product management group manager at PNC Bank, said in remarks at the CFPB symposium in February.
Gross would also like to see the CFPB resolve questions about liability and how consumer protection laws apply to aggregation. “All of that will help create more certainty in the marketplace,” he said.
Wu would like to see the CFPB require that any data that can be used in underwriting decisions is subject to the Fair Credit Reporting Act, which gives consumers the right to see what's in their file.
She also says the CFPB should supervise the larger data aggregators and enforce principles about consumer control and limiting access by data element, so that if a consumer permits the use of data for one purpose, it's not used for another purpose, like collection.
PNC, which declined to comment for this story, previously said it would also like to see regulatory oversight of data aggregators' cybersecurity.
Talpas said at the symposium that any data aggregator that maintains a large store of bank account data should be "subject to regular, comprehensive information security examinations by a federal agency with expertise in this area, just as banks and [Securities and Exchange Commission]-registered broker-dealers are today."
Otherwise, they risk becoming the "weak link" that cybercriminals use to obtain access to consumer financial information that can be used to divert funds or disrupt the U.S. financial system, she said.