BankThink

The CFPB must take the opportunity to lead on consumer data security

As the CFPB crafts new rules on the treatment of bank customers' data, it should bear in mind that everyone touching that data must be required to play by the same rules, writes Ravi Govindaraju.

Trust. It's a small word, with tremendous implications — particularly when it comes to safeguarding banking information.

The banking system rests on customers trusting that a bank will keep their money safe. Banks have earned that trust, particularly from customers using online and mobile banking, through decades and billions of dollars of investment in security and privacy protections. Much like our vaults, our customers trust us to safeguard their most valuable possessions.

And — our customers value their own data. They want their data to be secure and to control who they share it with and how it's used.

The Consumer Financial Protection Bureau's long-awaited proposed rulemaking on Personal Financial Data Rights is an opportunity to develop a clear framework to guide how banks, fintechs and data aggregators work together to create a secure data sharing ecosystem while protecting consumers.

This rulemaking comes at a critical time.

Most consumers today have accounts at multiple financial institutions and increasingly use a variety of digital apps to share their financial data between those institutions and apps. Banks, big tech firms and fintechs rely on consumer-permissioned data sharing to provide customers with helpful, innovative tools for budgeting, borrowing, tax preparation, retirement planning and other services. Make no mistake — innovation in financial services has created tremendous opportunities for customers to save, invest, budget, get verified and move money.

Many companies, including banks, have made significant investments over the past several years to make permissioned data sharing work better, but the current patchwork system has some critical flaws, particularly an overreliance on screen-scraping and a lack of consumer transparency and control. Now, the CFPB has a great opportunity to make the entire system work better through thoughtful, well-calibrated regulation.

We are overwhelmingly supportive of our customers who want to share their financial data with the apps they use, recognizing that the ability to share data can have profound impacts on their financial lives.

But if that data is not handled securely, and customers lose control over its use, innovation and progress will be damaged — not to mention the lives of real people. Setting and enforcing high standards for protecting customer data is not, as some might claim, a pretext for stifling data sharing, slowing innovation or blocking competition. Rather, protecting consumer data is the best way to preserve trust and fuel sustainable innovation in the long run.

Everyone touching customers' banking data must be required to play by the same safeguarding rules — full stop.

As the CFPB reviews industry feedback and shapes final regulation, we hope for a final framework that achieves four key objectives: security, privacy, control and convenience. Consumers deserve all four.

Here are a few areas the framework needs to get right:

First, consumers deserve to know their sensitive data is secure and private.

Financial data should not become less protected when a regulated bank shares it with a diverse ecosystem of big tech firms, merchants and fintechs. It's not sufficient to set high-level data security requirements while lacking an appropriate mechanism to test ongoing compliance. 

Consumers must know all parties that are going to get access to their data if an app wishes to use an intermediary for connection or data enrichment.

Moreover, when a consumer shares data for a given purpose (like budgeting), they may not expect that company or intermediaries to use the data for unrelated purposes. And many such companies are not subject to supervision over data use practices as regulated banks are. Accordingly, consumers are best protected if their data is only used by permissioned parties to enable the primary service the consumer signed up for. 

Second, consumers should never be asked to share credentials with third parties.

Consumer-permissioned data sharing should happen via safer interfaces (e.g., APIs) that don't require consumers to give away their passwords to third parties. To make this happen, the CFPB should require third parties to use APIs when available and not to screen-scrape.

Third, consumers should authenticate and authorize with their current data provider to share their data with third parties.

Banks commonly receive requests from thousands of companies to access data on behalf of millions of consumers. To respond in a safe way, common practice is for the data provider to perform authentication and collect authorization directly from the consumer. This lets the data provider confirm with confidence exactly what data the consumer wants to share.

By contrast, alternative models propose forcing the data provider to rely on third parties alone to capture consent from the consumer. This approach is at odds with industry standards and creates the risk that the wrong data would be shared, potentially opening the door to fraud or privacy violations.
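To make the second and third points concrete, here is an added illustration of provider-side authentication and authorization. It is constructed for this edit and is not code from any bank, aggregator or the CFPB proposal: the consumer proves their identity to the data provider only, the provider records which app, which intermediaries, which data scopes and which purpose were authorized, and the app receives an opaque, scope-bound token rather than the consumer's password. The class names, scope names, PBKDF2 parameters and sample account data are all assumptions made for the example.

```python
"""Toy model of provider-side consent for consumer-permissioned data sharing.

Constructed illustration: the data provider (the bank) authenticates the
consumer itself, logs exactly which parties and data scopes were authorized,
and issues the third party an opaque token limited to those scopes.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    consumer_id: str
    client_id: str            # the app the consumer is using
    intermediaries: tuple     # e.g. an aggregator the app routes through
    scopes: frozenset         # data categories the consumer agreed to share
    purpose: str              # the service the consumer signed up for


class DataProvider:
    """Stand-in for a bank's data-sharing API (constructed, not a real API)."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._credentials = {}    # consumer_id -> password hash
        self._accounts = {}       # consumer_id -> {scope: data}
        self._tokens = {}         # opaque token -> Consent
        self.consent_log = []     # every grant the consumer was shown and approved

    def _hash(self, password):
        # Assumed parameters; any slow, salted password hash serves the point.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def register_consumer(self, consumer_id, password, accounts):
        self._credentials[consumer_id] = self._hash(password)
        self._accounts[consumer_id] = accounts

    def authorize(self, consumer_id, password, client_id, intermediaries, scopes, purpose):
        """The consumer authenticates with the provider, never with the app.
        Returns an opaque token for the app, or None if authentication fails."""
        expected = self._credentials.get(consumer_id)
        if expected is None or not hmac.compare_digest(expected, self._hash(password)):
            return None
        consent = Consent(consumer_id, client_id, tuple(intermediaries),
                          frozenset(scopes), purpose)
        self.consent_log.append(consent)   # consumer sees all parties and scopes
        token = secrets.token_urlsafe(32)  # random handle; carries no credentials
        self._tokens[token] = consent
        return token

    def fetch(self, token, client_id, scope):
        """API call from the app: enforce token binding and the granted scope."""
        consent = self._tokens.get(token)
        if consent is None or consent.client_id != client_id:
            return ("denied", "unknown token or token not issued to this client")
        if scope not in consent.scopes:
            return ("denied", f"scope '{scope}' not authorized for purpose '{consent.purpose}'")
        return ("ok", self._accounts[consent.consumer_id][scope])

    def revoke(self, token):
        """The consumer withdraws permission; the app's access ends immediately."""
        return self._tokens.pop(token, None) is not None


def run_scenario():
    """Walk through a budgeting app's access and return the observed outcomes."""
    bank = DataProvider()
    bank.register_consumer("alice", "correct horse battery", {   # constructed sample data
        "balances": {"checking": 1250.00},
        "transactions": [{"amount": -42.10, "merchant": "grocer"}],
    })
    results = {}
    results["wrong_password"] = bank.authorize(
        "alice", "guess", "budget-app", ("aggregator-x",), {"balances"}, "budgeting")
    token = bank.authorize(
        "alice", "correct horse battery", "budget-app", ("aggregator-x",), {"balances"}, "budgeting")
    results["parties_logged"] = (bank.consent_log[-1].client_id,) + bank.consent_log[-1].intermediaries
    results["balances"] = bank.fetch(token, "budget-app", "balances")
    results["transactions"] = bank.fetch(token, "budget-app", "transactions")   # outside scope
    results["other_client"] = bank.fetch(token, "other-app", "balances")        # token not theirs
    results["revoked"] = bank.revoke(token)
    results["after_revoke"] = bank.fetch(token, "budget-app", "balances")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The token the app holds is a random handle that the provider can map back to a recorded consent; it cannot be replayed by a different client, it cannot reach data outside the purpose the consumer agreed to, and revoking it at the provider ends access without the consumer changing a password. That is the property a screen-scraping arrangement lacks, since a shared password grants whatever the consumer's own login can see.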

Cutting corners when it comes to consumer protection and privacy would erode trust and pose a threat to maintaining a safe and sound financial system over the long run. We shouldn't settle for anything less than a data sharing ecosystem that achieves security, privacy, control and convenience.

We believe that's possible.
