Small banks and fintechs give feedback on CFPB data-sharing rules

The CFPB has released a report summarizing feedback small banks and fintechs have given it about data-sharing issues.

This is the latest step in a process that has been underway for more than a decade. It was set in motion by the Dodd-Frank Act of 2010, which required the CFPB to come up with rules governing third-party access to consumer banking data. The agency has said it's working on rules that would govern what data should be shared freely between banks and fintechs and how that should be done.

The report the CFPB released Monday is the result of a different act of Congress: the Small Business Regulatory Enforcement Fairness Act of 1996, which requires government agencies to consult with representatives of small entities likely to be affected directly by proposed rules and get their feedback on them.

Data sharing has been a cause of friction for years. In the earlier days of the fintech movement, fintechs themselves and then data aggregators like Intuit and Plaid began digging under the moats banks put around their customer data and siphoning out that data to do things like qualify customers for credit. They did this by getting consumers to share their online banking usernames and passwords, logging in on their behalf and copying and pasting account data.

In 2015, a feud erupted when some fintechs publicly accused banks of blocking their attempts to screen-scrape customers' bank account data. The banks countered that the data aggregators were choking their servers and triggering fraud alerts with their high volumes of unnatural behavior, and that they didn't want their customers giving out online banking credentials to outsiders in the first place.

Since then, major data aggregators like Plaid and Finicity have signed agreements with many banks through which they share customers' data through application programming interfaces.

But problems and disagreements persist. For one thing, not every bank has the budget and staff to create and maintain APIs. In its report, the CFPB estimated that it would cost a bank $216,000 to $432,000 to create a data access portal, with ongoing staffing costs of $42,000 to $83,000.

The cost is actually much higher, wrote two executives of New Market Bank, a community bank in Lakeville, Minnesota. Anita Drentlaw, CEO, CFO and president, and Jeff Jacobson, vice president and compliance officer, said they would first have to switch out the bank's core processor, which would cost them more than $250,000.

Then creating a data portal that would meet the CFPB's proposed data-sharing rules would take about four to seven years and would cost more than $500,000, the bankers said.

"Small community banks such as ours can't absorb these costs and would be required to share these costs with customers, either directly if allowed, or by increasing other account fees," they said. "1033 would likely cause us to discontinue no monthly fee or low fee deposit accounts. We also believe these expenses are so great it could likely cause the sale or closure of rural community banks as they may not have the capital to absorb the costs."

The bankers also said other regulatory requirements, like Regulation B, preclude them from obtaining or retaining account identity information, such as age, gender, race and ethnicity.

Other regulations, such as the Home Mortgage Disclosure Act, require the bank to collect demographic information, but only to meet the requirements of that regulation — that data "shouldn't be housed in our core systems to ensure discrimination of protected classes doesn't occur," they said.

They also raised the issue of fraud. 

"The potential for substantial increases of consumer fraud is inherent whenever financial institutions are required to provide confidential financial information to other parties in the ecosystem via a third party portal," the New Market Bank executives said. "We take customer privacy very seriously and are required under the Gramm-Leach-Bliley Act to safeguard consumer data. We ask that the Bureau to require data recipients and data aggregators be held to GLBA or comparable requirements so they are on an even playing field with financial institutions."

The bankers also asked the CFPB to take on regulatory authority over data recipients and data aggregators. 

"Without the ability to enforce data privacy laws the potential for fraud increases exponentially at the risk of grave consumer harm," the bankers said.

Another point of contention between banks and fintechs has been about how much data aggregators can scoop up from bank accounts and how long they may continue to do so. 

Over the years, banks have railed against aggregators' practice of continuing to gather bank account data long after a consumer has stopped using an app.

"Some aggregators are going in and scraping all the information that you have in your banking relationship, not just on the one account you gave them access to," said Karen Larrimer, executive vice president, head of retail banking and chief customer officer of PNC Financial Services Group, in a 2019 interview. "Once they're in your accounts and into your relationship, they can see everything, they can scrape everything, and they can do that multiple times a day. They're storing that data, consumers don't know where they're storing it, and they keep it indefinitely, including once you choose to shut down your app."

But in its feedback, Petal, a fintech that uses bank account data in its credit card underwriting decisions, pushed back on the idea that consumers should have to authorize every use of their data.

"'Reauthorization' requirements that force consumers to express, again and again, on some periodic basis, their intent to share data, would frustrate the intent of the consumer and sap the utility of many useful financial products and services of ongoing nature derived from persistent data access," wrote Jason Gross Rosen, founder and CEO of Petal. 

Rosen argued that the CFPB should subject not just banks to its data-sharing rules, but also providers of mortgages, student loans, car loans and personal loans, as well as certain closed-loop prepaid card issuers. Data from these companies could help consumers qualify for credit, he said.

"Petal's comments ask the CFPB for the right to retain and use consumer-permissioned data for other internal purposes, not just for the exact purpose that the data was shared," said Jonathan Joshua, principal of the Joshua Law Firm. "Which makes sense for them because they use open banking data to generate credit scores. And they're worried that if they get data from somebody under this requirement, under this set of rules, that they won't be able to do that. I think consumers would be surprised to learn that sharing their banking data when submitting a loan application could lead to the inclusion of that data in a credit report."

Joshua also worries about the scope creep of these new rules, especially since the CFPB is considering broadening the types of data that can be shared, including information about demographics.

"One of the concerns I've always had with open banking systems is, who doesn't have access?" he said. "I'm for regulation and I'm glad that [the CFPB is] taking their time, but I don't know how you can really reasonably anticipate all the ways this could go wrong."
