When bankers complain about the security risks of sharing data with fintechs, they get an eye roll. Such complaints tend to be regarded as a cover for an ulterior motive: unwillingness to give customer details to competitors.
But when Chair Sheila Bair, a former chairman of the Federal Deposit Insurance Corp., recently warned of the security risks of sharing customer data with third parties, it made some people stop and think.
“Sheila Bair has proven herself to be an honest broker,” said Harry Sandick, a partner with the law firm Patterson Belknap Webb & Tyler who specializes in white-collar criminal defense and investigations. “She was a tough regulator, she was one of the people in the aftermath of the financial crisis who really dug in, along with Elizabeth Warren and Neil Barofsky, so if she thinks there are concerns here, there probably are concerns here,” said Sandick, a former assistant U.S. attorney for the Southern District of New York.
Regulated banks have to provide many layers of security that are audited by government agencies, Bair wrote in a recent opinion piece in the Financial Times. “But as the Equifax data breach highlights, other entities, such as credit reporting agencies, reside outside this system,” she said.
“The protection they offer is only as good as their management's vigilance, and that is often lacking,” she said. “Given the relative success of bank cyber regulation, why would we want to provide new points of penetration?”
Sandick said that as a consumer, he had long focused on data sharing’s benefits: access to useful products.
“But at the same time I want to make sure my privacy is protected, both in terms of the bank not sharing the information without my consent and also in terms of my information being protected when I choose to share it,” he said. “I don’t think we want to have a situation where a bank has to share my information with any third party that maybe will be careless about it.”
He said he sees merit in the worry that storing customer in data in more places creates fresh opportunities for that data to be compromised through human error or hacker activity.
“The more people that have access to data, the more people that can be responsible for a compromise of the data,” Sandick said. “As Benjamin Franklin said, three people can keep a secret if two of them are dead.”
But there is also an argument to be made that no institution has perfect data security, including banks.
“I generally agree with the direction of [Bair’s] arguments — that we have not really seen the downsides of open banking yet,” said Dan Kimerling, co-founder of the venture capital firm Deciens Capital and former head of application programming interface banking, open platform and research and development at Silicon Valley Bank. “But what I don’t agree with is the premise that banks are secure.”
Some, including Kathryn Petralia, chief operating officer of the online lender Kabbage and a spokeswoman for the Consumer Financial Data Rights group, think fintechs and data aggregators should be held to the same security standards as banks.
“Anybody handling any kind of [personally identifiable information], anything as simple as their email address, data that’s transactional, finance-related, health care-related, or personal should be held to that standard,” she said.
Kabbage encrypts customer data at rest and in transit, she said. Access to customer data is closely monitored and physical access to computers is tightly controlled. The company even has cameras in its offices recording all human activity.
“Tracking and being aware of that is really important because so many of the breaches that happen are caused by humans,” Petralia said.
Kabbage also uses third-party penetration testing services to see if its systems are hackable. “Those types of tools and services are really valuable, but you have to be prepared for answers you don’t like much,” she observed.
Higher bar for data aggregators?
Bair also pointed out in her article that account data aggregators can amass large databases of transaction data, “making them a juicy target for hackers.”
This has also been a refrain applied to credit bureaus — many in the fintech industry believe it’s time for a distributed, perhaps blockchain-based, method of verifying identity and computing credit scores.
Data aggregators have a unique security challenge because they are gathering bank customers’ online banking credentials, Petralia said.
“One of the reasons data aggregators are perceived as being riskier is because of this credentials process,” Petralia said. “Credentials are broken.” New methods of protecting access to account information, such as biometrics, could help mitigate this risk, she said.
Bair further warned that sharing customer account data with third parties hampers banks’ efforts to detect fraud because “customers may no longer interact with banks directly. No longer able to see and understand how customers are using their accounts, they will be hard put to identify red flags.”
It is true that when fintechs and data aggregators log in to customers’ accounts, they can obscure banks’ efforts to verify that the incoming IP addresses — numeric designations that identify their locations on the internet — belong to the customers who own the account.
But Petralia pointed out that banks know the data aggregators’ and fintechs’ IP addresses by now, so they should be able to adjust their fraud monitoring tools accordingly. And there are many other ways to analyze transactions for signs of fraud besides incoming IP address, she said.
Fintechs’ limited resources
Another issue is, who will bear the financial burden when a data breach occurs?
Bair noted in her article that regulators in the U.K. and EU say they will make third-party providers financially responsible for unauthorized withdrawals directed by their systems. Here in the U.S., the Consumer Financial Protection Bureau has said much the same, that third parties should be liable for any fraud or security lapse that happens on their watch.
But Bair went on to wonder whether fintechs and data aggregators will have the resources to pay for a security breach or fraud.
“I do think that’s an important concern,” Sandick said. “It would be unfair for banks to be compelled by law to make certain information available to third parties, then punished if the third parties lose track of or expose the information and then a lawyer says, ‘I’m just going to sue everyone.’ It seems like the accountability should rest on the people who didn’t have the proper gated security in place, not on others.”
Petralia described this worry as legitimate. “It’s unfair to expect banks to bear the burden of data breaches that take place with their customers’ data that lives somewhere else,” she said. “Any entity that is gathering this data on behalf of customers should be in a financial position to be able to make customers whole if there’s a breach.”
As for small fintechs that do not have a lot of money, “there seems to be an insurance product for everything,” Petralia said. “I think the solution is a combination of creative insurance and decent balance sheets. I don’t think because a company is a startup or serves an underserved population, they get a pass. Controlling, accessing and storing customer data is not for the faint of heart.”
Editor at Large Penny Crosman welcomes feedback on her posts at firstname.lastname@example.org.