Eighteen of the country’s biggest banking consumer financial advocacy groups are insisting the Consumer Financial Protection Bureau enact a regulation which would require banks and credit unions to give people easy, sharable access to their banking information.
And while it may be cause for celebration among consumers, data-hungry fintechs and aggregators, many financial institutions are concerned. And for good reason.
The regulation would implement Section 1033 of the Dodd-Frank Act, which became law in 2010 and created the CFPB among many other post-financial-crisis measures. Section 1033 — which permits the agency to finalize regulations detailing financial data access and sharing rules — has been hovering as a cloud over the banking industry ever since.
The loudest voices arguing for finally implementing Section 1033 come from a consortium of advocacy groups, who urged in a May 27, 2021 letter addressed to CFPB Acting Director David Uejio, that it is the responsibility of the agency to ensure consumers have access to their personal financial information.
“Consumer privacy and data security should not be used as a cudgel to stifle competition,” the letter reads. It was signed by the American Economic Liberties Project, the Education Fund, Progress America, The Other 90% and 14 other advocacy groups.
Although the CFPB has opened up the section for debate several times in the course of the last decade, the most concrete move taken yet was in October 2020, when the agency issued an advance notice of proposed rulemaking (ANPR).
CFPB then opened a comment period (which ended Feb. 4, 2021) to gauge support and gather input for how to implement Section 1033. The agency has yet to release a report detailing its findings and it is unclear when final action will be taken, prompting the letter from the advocacy groups.
Easier Sharing is Not So Easy
Dialogues about data sharing have been anything but tepid. Arguments from both sides of the political aisle say implementing a regulation like Section 1033 protects an inherent right of consumers, who should be able to control the data financial institutions have about them and share that data easily between other providers and/or fintechs in ways other than the still prevalent practice of “screen-scraping.”
However, the new rules, if enacted, would have major implications for banks and credit unions. For one, banking providers maintain it would be significantly more difficult to safeguard people’s data from breaches and fraudulent transactions, a condition consumers simply expect from financial institutions.
Currently, six in ten Americans (61%) trust their banking provider with their private financial information, according to Morning Consult research. And although people want an easy method for sharing their personal financial data, almost two thirds of them say they would leave their bank or credit union if there was any kind of data breach.
Others point out that while some information belongs to the consumer, there are also portions of account-related information that belong only to the institution.
Screen scraping — basically a high-tech “cut and paste” practice in which consumers provide their login and password to a third party — has long been a point of contention between financial institutions and data aggregators and others. Use of the practice to populate third-party apps, has been diminishing as various parties negotiate direct access using APIs to securely obtain data. But it is still an issue. In late 2019, PNC came under fire from some consumers venting on social media that they could not quickly and easily connect their PNC accounts to the Venmo P2P app.
Although most financial institutions don’t want to block consumer use of fintech apps they like, there is a bigger picture to consider. Karen Larrimer, Head of Retail Banking and Chief Customer Officer at PNC said there are major security concerns in the practice.
“A number of months ago, we saw a higher degree of ACH fraud occurring on customers’ accounts and we were able to trace that back to how some particular aggregators were circumventing security controls,” Larrimer told The Financial Brand at the time.
To make it more complicated, since there is no single data protection law governing all the parties handling consumer data, the CFPB would need to quickly follow up with supplemental regulation to ensure the waterfall of consumer information would be protected across all channels where it is shared.
Yet, it’s not all about security. Creating an open-ended, cloud-like database would open up the grounds for banking competitors to step in. Traditional financial institutions, which are concerned the involuntary outsourcing of its data would “disrupt the status quo,” are reluctant to share data unless it’s on their terms, say three authors in a University of Michigan paper.
- Banks Need to Buckle Up for These Big Data Trends
- Why Data Privacy Could Be Banks’ Next Big Competitive Battleground
What CFPB’s Nominated Leader Believes
Although financial institutions have legitimate concerns about security of customer date, the ongoing news reports and social media chatter stating that banking providers are barring people from sharing or even accessing their own financial data is leaving consumers worried.
A key question is whether Section 1033 will have the support of Rohit Chopra, who is expected to take over as director of the CFPB soon. While Chopra has not commented specifically about Section 1033, he has addressed a consumers’ right to access their own financial information.
“We need to think more holistically about what is the control that we have over our data. Do we get to license our data to people for funds or for the uses of services? What’s our ability to take that back?” Chopra said in a 2018 International Association of Privacy Professionals podcast.
And a few months before that, when Chopra was testifying during his Senate confirmation hearings for his FTC nomination, he openly criticized how credit bureaus were organizing and selling consumer data without consulting the people who the data belonged to, as reported by Intercept.
“I don’t want to see a banking system or financial services system where new market entrants cannot get in, cannot compete and win the day,” Chopra explained. “Dominant players should not be able to squelch out competition and that’s something we always need to be mindful of.”
Other Data Sharing Initiatives In Progress
While Europe moved first to address issues of sharing financial data, the U.S. private sector has been active more recently. In the EU for some time, data has been considered the personal property of the consumer, and should be easily transportable. The European financial system allows individuals to keep their international bank account numbers (IBANs) when switching from institution to institution.
And, back in early 2018, Europe introduced open banking rules (PSD2) requiring financial institutions to provide consumer account data to third-party service providers if a consumer provided consent.
The U.S. has been moving to close the gap, however. With Section 1033 in limbo for so long, the U.S. private sector has been developing several data sharing initiatives.
One of the more recent ones — the Streamlined Data Sharing Risk Assessment, developed by TruSight by IHS Markit in cooperation with The Clearing House — standardizes and streamlines risk evaluations of data aggregators and financial apps.
“This centralized approach can reduce the need for financial apps and data aggregators to provide the same risk information again and again as they engage in data exchange agreements with FIs,” said The Clearing House Senior Vice President Ben Isaacson in a statement.
As part of its “Connected Banking” initiatives, The Clearing House’s mission is helping banks and credit unions determine what kinds of information apps are sharing between financial institutions and partner fintechs to protect consumer data.
TCH insists the program gives “consumers control and visibility into how they share their data.”
One of the core principles of the Financial Data Exchange (FDX), an industry consortium of financial institutions, fintechs, data aggregators and others, is that “the consumer, not the institution, owns the data.” Founded in 2018 by 21 companies, FDX now has 181 member organizations. It facilitates data sharing using its API, which provides a common interoperable data-sharing standard. It’s free to be used by any institution.
The FDX standard is already in use facilitating direct API links between financial institutions and data aggregators, or in some cases, with a fintech or other company directly.