WASHINGTON — Banks, fintech firms and data aggregators are asking regulators to provide more clarity on how to handle consumer data and who is responsible for leaks when it is shared between firms — a request that’s seemingly a reversal from the deregulatory approach the industry often takes.
The potential liability stemming from consumer data has become a critical concern for the financial industry as more data aggregators and fintech firms rapidly enter the space, seeking access to customers' bank account information in order to offer loans and other products.
While banks, fintechs and aggregators are working to develop their own standards, there is a growing recognition that regulators also need to step in.
“It’s all well and good for us to have contractual agreements even amongst the banks and the fintechs” but “ultimately there will have to be regulatory involvement here to spell out what the expectations are from a regulator safety and soundness standpoint,” said Steve Boms, president of public policy strategist Allon Advocacy LLC, during a Federal Deposit Insurance Corp. conference this week.
Boms was speaking on behalf of the Consumer Financial Data Rights Group, a consortium of data aggregators and fintech firms who are backing a set of data sharing standards just launched by three leading aggregators: Envestnet’s Yodlee, Quovo and Morningstar’s ByAllAccounts. The four standards announced Thursday are meant to encourage data sharing without creating safety and soundness concerns across parties. Other groups have launched similar standards.
The problem, however, is that such rules have to be voluntarily adopted by the industry and do not have as widespread an impact as formal guidance or rulemaking.
“You have to be sure the consumer data will be protected. There has to be standards of policing, reliability and accountability, which is a big problem right now,” said Jo Ann Barefoot, CEO of Barefoot Innovation Group and a former deputy comptroller of the currency. “Policymakers need to explore it and allow some breathing room for some experimentation and testing of these ideas. And to do so in a way that does not leave the industry terrified that any little well-intentioned mistake could end up with regulatory catastrophe.”
The Consumer Financial Protection Bureau released a set of principles in October 2017 as part of a requirement in the Dodd-Frank Act. That measure, in Section 1033 of the law, said banks must provide data upon the consumer’s request, in an electronic form that can be used by computer applications. Many fintech firms and data aggregators say this means banks should give them access to the data when the customer gives permission.
“This is life or death for financial innovation,” Barefoot said. “These innovators have to have access to the kind of information. If they can’t get it, then financial innovation will die.”
But bankers are concerned that if too much data is given or hacked, the blame will fall largely on the banks, where most of the regulation on data security is applied.
“When a customer is harmed, the bank is usually the first place they come,” Rob Morgan, vice president of emerging technologies at the American Bankers Association, said during the FDIC conference. “But when it moves out of my environment and I have no ability to control for that risk . . . we think that that liability needs to sit” with the responsible party.
Morgan added that this concern was the reason banks have been careful not to give third parties full access to consumer data when authorized, though he said banks are not resisting requests either.
“I’m dispelling the myth that banks don’t want to share this data,” he said. Banks will share the data “so long as it’s done right by the customers.”
In an attempt to find a middle ground, Boms said the Consumer Financial Data Rights Group is working on technology that would allow greater “traceability” when consumer data is moving from a bank to various third parties and data aggregators. Essentially, each piece of data is encoded with a unique identifier that every party has access to. When a breach occurs, the parties can decode exactly when it occurred and who is liable.
“At the end of the day, the liability cannot rest solely on one entity in the chain and by that, I mean it can’t rest solely on the banks” or data aggregators, Boms said during the FDIC conference. “To do this though . . . you need to be able to implement traceability and that’s something that our community, the CFDR, is in the process of doing right now.”
During the FDIC conference, agency officials moderating the event were careful not to take a stance on any potential policy positions with regard to data aggregation, only emphasizing the CFPB’s existing principles.
However, FDIC Chairman Martin Gruenberg said FDIC officials wanted “to gain a deeper understanding of emerging technologies” being used by banks and the potential risks, namely, cybersecurity.
“This emphasis on risk management is especially important for the FDIC and our fellow regulatory agencies to understand as we supervise insured institutions with evolving business operations,” he said.