In the world of consumer financial data aggregation, regulators and industry participants alike often contemplate the issue of third-party, consumer-permissioned account access as a binary choice between credential-based (i.e., username and password) screen scraping or token-based application programming interface (API) connectivity. However, the reality is that other technological solutions exist today that both enable safe and secure consumer authentication and eliminate the need for financial institutions to invest in expensive technological overhauls. As the Consumer Financial Protection Bureau (CFPB) contemplates a rulemaking to implement Section 1033 of the Dodd-Frank Act, it should consider these access methods as alternatives to screen scraping.
Rather than relying on screen scraping or token-based access, there exists in the marketplace today authentication solutions that require a consumer to only provide elements of their personally identifiable information (PII), such as their name, telephone number and bank account number. With this information, and after transparently presenting the consumer with disclosures regarding, among other things, what data is being collected and for what purpose, third-party providers of financial technology tools can utilize integrations with wireless carriers and credit bureaus to authenticate the consumer using those companies' existing, regulated customer authentication processes. This authentication method is already providing hundreds of thousands of American consumers with the ability to share data access to third-party tools, and doesn't require financial institutions to deploy any new authentication technologies.
The lack of uniform open banking standards in the U.S. has resulted in a patchwork system wherein users of third-party financial tools don't have the right to deploy their own financial data as they choose, and which relies on data connectivity that's built on increasingly outdated access methods. Third-party financial providers have traditionally accessed their consumers' permissioned data via screen scraping, which requires users to hand over their bank log-in information to third-party providers and aggregators. This process creates opportunities for unscrupulous actors. Fraudsters can use scraped data to commit application fraud, exposing consumers to unauthorized account access or transactions, and, in some cases, financial harm.
On Friday, Federal Reserve Vice Chair for Supervision Michael Barr will share findings from his review of the supervision of Silicon Valley Bank before its failure last month.
While some of the largest U.S. financial institutions have in recent years invested in and deployed token-based consumer-permissioned data access portals, the overwhelming majority of banks across the country have not, and with good reason. Smaller financial institutions often lack the resources to build and implement sophisticated technological solutions. This is likely why the CFPB, in its memo late last year outlining considerations for its forthcoming Section 1033 rulemaking, asked for public comment on whether customers of small financial institutions should have the same rights to access and share their data as customers of larger banks, and whether the bureau should mandate that any financial institutions covered under the rule will have to migrate away from screen scraping and toward token-based access by some date certain.
Providing data rights to only some consumers in the U.S. would fail to realize the full potential of Section 1033 of the Dodd-Frank Act. On the other hand, a mandate to the thousands of small U.S. financial institutions that they deploy token technologies over the next few years is impractical.
To provide data rights for all U.S. consumers, regardless of which financial institutions they use, and to avoid imposing a costly mandate on small financial institutions across the country, the CFPB should in its Section 1033 rule should provide a "Goldilocks" solution: Where no token-based access exists for a particular financial institution, authentication may be performed using the consumer's PII and account number. Such an outcome would transition the market away from credential-based access and would allow the consumer-permissioned data access ecosystem to move toward direct and regulated data flows. In fact, this alternative authentication process could very well provide the CFPB with a novel solution to address its concerns regarding the continued proliferation of credential-based authentication within financial services.
Debates around permissioned data access, data privacy and financial inclusion are likely to continue in the financial services community for the next several years. As federal policymakers justifiably seek out alternatives to credential-based authentication methods, it is critical that all stakeholders fully understand the wide range of technologies and use cases that are already deployed in the consumer-permissioned data access ecosystem.
