Fight Over Consumer Data Ownership Pits Banks Against Fintechs

In the absence of a regulatory structure for open banking and data sharing in the U.S., the market has hobbled along with the less-than-satisfactory 'screen scraping.' Mounting frustrations with this old-tech approach and concerns about privacy and fraud are driving efforts to replace scraping with new approaches built on application programming interfaces and narrowly defined third-party access to financial records.

The Age of the Financial App wouldn’t exist without the ability to automatically gather data from multiple sources. From personal financial management to robo-investing to online lending, computer and mobile device functions that Americans take for granted rely on the ability to share data quickly.

In the absence of anything like the “open banking” regimes put in place in Europe, the U.K., Australia, and elsewhere, in the U.S. these connections have pretty much evolved ad hoc as competitive innovations.

This situation may soon change. There are several reasons why:

  • Increased regulatory attention
  • Growing concerns over privacy and fraud protection
  • Increasing competitive pressure
  • Frustrations over current technological approaches
  • Increasing desire among consumers for a complete picture of their finances

Why All Financial Institutions Have a Stake in This Battle

Among traditional financial institutions, these issues have underscored the growing risks of becoming “dumb pipes.” This refers to when fintechs build leading-edge apps and services on the framework created by traditional institutions. It’s a critical issue in terms of how traditional institutions will compete in the modern financial services arena. For example, many smaller institutions’ accounts don’t work with current aggregation approaches, which can frustrate consumers who want to avail themselves of the fintech apps that need to connect to their bank accounts.

Read More: Citibank CEO Warns Traditional Banks Risk Becoming ‘Dumb Utilities’

Wrapped up in this is the concept of a consumer’s right to access their own financial data — something the framers of the Constitution couldn’t have imagined, yet which is recognized in federal legislation. What the “consumer right” really translates to is their right to share that data with third-party providers of apps and other services.

“Many people have multiple financial institution relationships and they are using aggregation to see their complete financial picture,” says Jane Barratt, Chief Advocacy Officer at MX. “That is something that is really important to call out.” The ability to share information not only between banking institutions and third-parties but also from institution to institution has become increasingly important, she explains. While open banking gives some official structure to this process in Europe, the process is fragmented and opaque in the U.S.

While such data sharing may seem like a reasonable expectation by consumers — “Whose data is it, anyway?” is a question that they may ask — the matter quickly grows complicated. Some information, like balances, seems clearly to be the consumer’s, while other information, such as the pricing of their accounts, is seen by some institutions as proprietary competitive intelligence. Added to this is concern over liability — once data leaves its original home in a bank or credit union, where does it go? And what does it get used for?

Because of such questions, more and more major institutions are blocking aggregator access to consumer accounts except where those entities have entered into formal agreements, bank by bank. Among the latter are Envestnet|Yodlee, Plaid and Finicity.

Read More: Why Fintech Challengers May Not Conquer Banking After All

Screen Scraping Nearing the End of Its Useful Life

More than likely, if you use any type of third-party financial app, at some point you provided your financial account usernames and passwords to that app’s provider so it could “screen scrape.” This approach, simply speaking, uses the same HTML technology used on bank and credit union websites, but in reverse, to gather data such as balances from webpages.

The controversial technique automates information gathering that most consumers would never take the time to perform manually. The front end of the process is called “credentialed access,” basically meaning that the third-party goes where the consumer could go as a proxy so long as it had the login information.

Lila Fakhraie, SVP for Digital Banking APIs at Wells Fargo, explains the controversy by analogy.

“It’s like giving your house key to a painter and saying, ‘Just paint that one wall. That’s all I want’,” she stated at a symposium sponsored by the Consumer Financial Protection Bureau. “And now the house painter has your key forever. They come and go as they please and take things if they want. That’s one of the key obstacles for us to move forward in the space of data sharing.”

The point Fakhraie and others made at that CFPB symposium is that credentialed access and screen scraping represent an all-or-nothing affair. There’s no limiting the third-party just to what their app immediately involves, and what they do with the data, in terms of storing it own their own servers, or even sharing it with their own vendors and beyond.

“I think we all agree that credentialed access to financial data is not the best approach , but it has served us really well for 20 years,” said Nick Thomas, Co-Founder and Chief Technology Officer at Finicity, a major data aggregator. “There have been issues, but generally speaking, consumers have spoken. They want access to their data [for third parties they have subscribed with] and screen scraping has been the only way to make that available.”

Thomas added that “screen scraping isn’t evil,” a view resisted somewhat by representatives of financial institutions and other panelists at the symposium. He acknowledged that the use of credentialed access is something that institutions, fintechs and aggregators all want to get away from now that better technology is available, using application programming interfaces (APIs) and electronic tokens to allow access.

“But there is a long tail of institutions,” Thomas said, “and it is going to take time for these API standards to proliferate.”

Webinar
REGISTER FOR THIS FREE WEBINAR
CFPB 1033 and Open Banking: Opportunities and Challenges for Banks
Reserve your seat today for this live webinar and explore the potential of CFPB 1033 for open banking initiatives within your bank.
WEDNESDAY, April 17th AT 2:00 PM (ET)
Enter your email address

Traditional Institutions Aren’t Fans of the Status Quo

Bankers on the symposium program generally expressed the view that screen scraping couldn’t go away fast enough. For several years Federal Reserve Board Governor Lael Brainard has been raising issues about data access in speeches and CFPB has been issuing guidance and gathering input.

“Maybe screen scraping isn’t evil, but it’s dangerous for consumers,” said Becky Heironimus, Managing V.P. of Customer Platforms, Data Ethics and Privacy at Capital One. She said that consumers haven’t understood what they were agreeing to. “Now, people are waking up to the fact that they have no control over what is being taken,” said Heironimus.

“Maybe screen scraping isn’t evil, but it’s dangerous for consumers. People are waking up to the fact that they have no control over what is being taken.”
— Becky Heironimus, Capital One

Americans have grown used to protection provided by regulators and laws against digital mistakes and they have grown careless. “Consumers don’t actually read privacy policies,” for example, said Christina Tetreault, Senior Policy Counsel at Consumer Reports, nor do they delve into what they’ve agreed to when handing over credentials for screen scraping. At an extreme, Tetreault points to one financial institution that asserted the right to draw health information from consumers’ mobile phone health apps.

“That, to me, is way outside reasonable expectations,” said Tetreault. “Permissioning for one purpose should not mean neverending surveillance.”

Putting an end to free-ranging access to consumer data is something banking institutions broadly support, putting them in opposition to aggregators like Plaid.

“The consumer has already decided. They have already voted with their thumbs that this is something that they want,” said John Pitts, Policy Lead at Plaid. “Our shared objective is to make sure that the consumer, having made that decision, is safe and can be confident in having made that decision.”

Steven Boms, Executive Director of FDATA N.A., a data users association, said that in Europe and elsewhere the consumer information issue is seen as a matter of “data portability” — the consumer being able to take their data anywhere they choose, like personal property. By contrast, he said, in the U.S. the practice is to augment financial services with narrow fintech service providers that the consumer chooses to opt into. While this tends to be seen as a tech issue, it’s really about rights, he indicated.

But bankers resist this because they increasingly see it as risky for consumers — and that the risk could bounce back and hit their banks.

“We want to give our customers control over their data in a safe, secure and transparent way,” says Natalie Talpas, SVP and Product Group Manager, Digital, at PNC. This includes data only be used in regard to the areas covered by the app they selected and within their control.

“Screen scraping has reached the peak of its benefits,” said Talpas. “I think we would love to say that ‘the consumer has decided’ — that’s the future state we want to get to — but the fact of the matter is that today they are not able to because the consents they agree to are not consistent, they are not transparent, and they are not clear.”

“Screen scraping has reached the peak of its benefits.”
— Natalie Talpas, PNC

Talpas noted that apps often access consumers’ records more frequently than people may have expected. On the other hand, there’s Jason Gross, Co-Founder and CEO of Petal, which describes itself as “a credit card company that was started by people who were sick of credit card companies.” He said that such frequent access helps Petal keep continuing tabs on borrower activity and that this enables the company to provide credit at a lower interest rate than if it were relying on traditional credit reporting.

Screen scraping has never been as neat a process as anyone would like, either, according to multiple speakers. Connectivity breaks down and consumers need to supply their credentials all over again or take other steps to make the process work. When institutions’ websites undergo redesigns, third-party apps may grab data from the wrong place, based on former structure.

Gross points out that the ability or inability of a third-party fintech like Petal to reach financial institution data sources can directly impact consumers.

“We see daily interruption of our business because of lack of reliable access to the extent that it threatens the viability of our service and others that would use technology to expand access to credit for consumers,” said Gross. “It’s not just poor connectivity, but also a wide variety in the amount of data that is returned. Two customers could be treated very differently simply because they have different access to their account information.”

Read More:

Major Banks Pursue Bilateral Agreements with Fintechs

The banking industry viewpoint has chiefly been that regulators should allow the market’s tech and protocol solutions to proceed without imposing new regulations. On the other hand, banks have been frustrated by the role of data aggregators in this area.

An exception to their resistance to new regs is their support for pulling aggregators directly under CFPB’s supervisory oversight. The Dodd-Frank Act gave CFPB the ability to expand the types of nonbank companies it regulates, given cause.

“Banks support pulling data aggregators directly under CFPB’s supervisory oversight.”

James Reuter, President and CEO of FirstBank, with $19.5 billion in assets, represented the smallest institution, by far, speaking at the symposium. Reuter, who serves on the board of the American Bankers Association, expressed strong support for regulating aggregators.

“Establishing accountability across all providers of comparable financial products and services is a fundamental mission of the bureau,” Reuter said in a written statement. “This is especially important for data aggregators, given the sensitive consumer financial information they store and process.” Where the bureau will head is uncertain — the symposium was structured as a fact-finding exercise and CFPB officials gave no clues in their statements during the meeting.

In the absence of direct government action, the banking industry has pursued technological solutions and contractual ones, including bilateral contracts between financial institutions, fintechs and aggregators. This follows several large institutions’ efforts to block third-party access to consumers’ data.

Wells Fargo and JPMorgan Chase, both represented at the symposium, are among the leaders in this resistance — which some critics credit as much to competitive zeal as to concern about data security.

Chase has been open about its efforts to fight uncontrolled third-party access. Its first agreement was struck with Intuit, which owns Mint, in 2017. Since then, according to Chase, it has reached agreements that cover 95% of the aggregator traffic coming into the bank.

The Chase agreements with the third parties include:

  • Secure access to records at Chase through APIs that use tokens instead of consumer’s account credentials.
  • Customer transparency and control concerning what data the third party can access.
  • Assigning responsibility to aggregators for the risks they introduce to the process.

As part of the third element, Chase imposes insurance and indemnification requirements on the aggregators and fintechs, according to Natalie Williams, Managing Director and General Counsel for Responsible Banking, Data & Privacy at Chase. She told symposium listeners that the idea is that if third parties with access to confidential consumer information “have skin in the game, they will therefore take the necessary steps to police it.”

Beyond that, the contracts call for these firms to pass on their information security requirements to other companies they work with.

One of the drawbacks of the screen scraping approach is that even if a consumer deletes an app from their phone, that does nothing by itself to stop access to their records nor to remove any information about them that has made it into a third-party’s database. Chase offers consumers a service called AccountSafe, a dashboard that shows them which third parties they have granted access to, via the API, and which accounts and what data each third party is permitted to view. The dashboard also enables consumers to make changes to these settings. Wells Fargo offers a similar service called Control Tower and Plaid is building a dashboard.

While aggregators and others have struck such agreements with major institutions, they are far from popular among all aggregators and fintechs. Plaid’s John Pitts pointed out that every single bilateral agreement is subject to its own negotiations, format, and more, at present. This represents the potential for around 10,000 sets of agreements between each third party and financial institutions, he said.

“These are very hard to scale,” Pitts said, with understatement. He also noted that allowing such a piecemeal approach to continue progressing “will lead to a siloed market where everyone is playing in a little ‘walled garden’ and consumer choice is restricted as a result.”

The Clearing House, the New York-based standards setting group, has published a model agreement that institutions can adapt for their own negotiations that is in accord with CFPB guidance on data access.

Read More:

Shared System of APIs May Be the Solution

Ultimately shared approaches to solving the challenges in a more-encompassing way may turn out to be the answer. While each company represented at the symposium has its own views and interests, many belong to a nonprofit group, Financial Data Exchange (FDX), that is pursuing a process that will replace credentialed access and screen scraping.

FDX is a nonprofit collaboration of mostly major banks as well as aggregators and fintechs that has developed an API designed to be shared among members. The API and its operating framework is designed to provide a mechanism that enables consumers to decide not only which third parties can access their data, but also which data for what purposes. The use of a token through the API would replace the need for consumers providing user names and passwords to third parties.

The FDX API is already available for use by group members and can be downloaded for review by other interested parties. The hope is that in time smaller financial institutions can look to their core providers to help them adapt to the API approach.

In a related development, in early 2020 FMR LLC, the parent of Fidelity Investments, spun off Akoya. The new company is jointly owned by Fidelity, The Clearing House Payments Co. and 11 member banks.

Akoya, launched in 2019, is designed to provide a network enabling consumers to share the data they wish without surrendering credentials. Akoya’s network is aligned with FDX’s standards.

As these efforts move forward, much of the free-for-all aspect of third-party data access may go away. Says Jane Barratt of MX, “we are building the bones of a financial system that will have a lot more controls.”

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.