To Share or Not to Share? That Shouldn't Be the Question
It is common in the midst of a presidential election cycle to hear candidates promise to “cut red tape” and “reduce regulatory burdens” on businesses to help increase job growth and improve the economy, and this year is no exception. Rarer, though, is industry approaching the federal government and requesting more thorough regulation and supervision.
That, however, is what certain data aggregators and fintechs have been asking the Consumer Financial Protection Bureau (CFPB) to do - and they assert that Congress gave the Bureau the necessary authority to do almost a decade ago in Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
This seemingly surprising request is part of a much broader conversation around consumer data – a valuable and sensitive asset across multiple industries - and an ongoing scuffle within the financial services industry over who should control it.
Currently, control of a consumer’s financial data largely resides with financial institutions. If a bank’s customer wants to share their financial data in order to use a third-party product or service, such as Petal or Venmo, that customer must give permission, through their third-party of choice, to a data aggregator to access their financial data to power the service. For instance, a consumer may want to apply for a loan from a company that will evaluate her cashflow patterns to boost her creditworthiness, especially if she has no or little traditional credit history. Or a consumer may want to use an app that will help him save money more easily, based on analyzing the income and spending patterns reflected over time in his checking account.
Financial institutions maintain that they have the right to limit, restrict, or deny this access in the name of consumer protection. Lack of regulatory clarity in the fintech space has resulted in consternation over who is responsible if something goes wrong (like a data breach) when an external party is accessing a consumer’s financial data. Accordingly, financial institutions argue that, as the entities responsible for ultimately having to make a consumer whole, it is also their responsibility to implement controls on their customers’ data access. In recent years, in addition to potentially restricting data access permissions to fintech applications, financial institutions have also sought to increase their governance over individual third parties to determine whether each will safely and securely share, store, and guard their customers’ information.
The issue of third-party data access in the financial realm raises a host of policy questions. How much customer data should be shared with a third party? What happens to the data after it is shared? For how long is it stored? Is it shared with any entities other than the product or service that the customer wishes to use? These are critical concerns at the center of the broader privacy debate. Pointedly, two of the most influential steps taken to date by governments to protect consumer privacy, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have consumer control over their own data at their core.
The questions embedded in this debate are more complex than simply customer safety and security. Financial institutions have incentives beyond concern for the security of their customers’ data as they build their own in-house tools to compete with many fintech innovations. Bank-launched products such as Zelle directly compete with third-party offerings like Venmo, and as banks control access to their customers’ data, they have a distinct advantage. For example, PNC denied customer account access to Venmo, thereby disabling their own account holders’ ability to use Venmo, and when customers complained, PNC publicly suggested that they use Zelle instead.  Fintechs argue that circumstances like this unfairly stifle competition. The recent investment in Akoya, an aggregation platform created by Fidelity, by The Clearing House is another area of concern for aggregators and fintechs who worry that recent financial institution efforts represent a significant potential threat to competition and innovation in financial services technology, as well as to consumers’ ability to choose the providers best suited to their individual financial needs.
At the heart of the debate over customer financial data is the truth that the ability to capture and share consumer data can be transformative to a consumer’s financial health, particularly for consumers who are un- and under-banked and often underserved by the traditional financial services industry. For these consumers, data can enable access to a wide variety of innovative financial products and services. For consumers who have no or thin-file credit records, fintech companies can enable safe access to credit to buy a home, start or grow a business, and manage financial shocks. For those living paycheck to paycheck, fintech products can help consumers better understand their expenses, when bills are due, how much they have in their account and where they can save, helping to avoid overdraft fees or running out of money before their next paycheck. Some innovators allow consumers to invest their money with no minimum investment requirement. Others enable consumers to send money and pay bills largely for free. All of these tools require that the third party has access to a certain amount of a consumer’s financial data in order to function. If a consumer wants to use a tool, but their bank will not allow it, the customer is often simply out of luck through no fault of their own.
Congress presciently afforded the CFPB the authority to solve for these issues in the financial services space under Section 1033 of the Dodd-Frank Act. Under the statute, the CFPB was granted the authority required to establish an open finance system in the United States by giving consumers the legal right to control their own financial data. The statute provides that, “subject to rules prescribed by the Bureau,” an entity that holds financial data about a consumer shall make that data available to the consumer, “including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.” Further, a report issued by the Department of the Treasury in 2018 determined that the definition of “consumer” under Section 1033, consistent with the definition of the term throughout the statute, “is best interpreted to cover circumstances in which consumers affirmatively authorize, with adequate disclosure, third parties such as data aggregators and consumer fintech application providers to access their financial account and transaction data from financial services companies.”
Ultimately, consumer protection is critical to the success of the financial services industry. Industry, including aggregators, fintech providers, and financial institutions, has been improving data protection on its own through better technology, including by utilizing token-based Application Program Interfaces, or “APIs,” to access and share consumer data, which can be more secure and controllable than credential-based “screen-scraping” in which the data aggregator simply gets access to the consumer’s view of the account and pulls out the needed information. The CFPB has had this authority and ability to help put consumers first for over a decade but has remained largely quiet on the matter. In February the CFPB held a symposium focused on consumer access to financial records and section 1033 of the Dodd-Frank Act. The long-overdue conversation examined and discussed these issues from multiple angles, but at the end of the day, the industry was not any closer to a resolution, underscoring the critical need for clarity from the government. The industry should constantly work to improve consumer protection and ensure customer wellbeing, and that includes allowing consumers to utilize the products and services that best fit their individual financial lives. Congress gave the CFPB the authority ten years ago to ensure, by rule, that consumers have a legal right to their own financial data. It is well past time for the Bureau to use that authority and provide clarity for the industry and consumers alike.