Data aggregators have an unusual request for the Consumer Financial Protection Bureau as the agency writes rules on the sharing of consumer account information: Please regulate us.
As the CFPB seeks to regulate how much control consumers have over their own financial data, aggregators such as Plaid say direct supervision from the agency should replace the current system in which banks oversee aggregators as third-party vendors.
“We are asking the CFPB to supervise Plaid and data aggregators because we don’t have formal oversight,” said John Pitts, policy lead at Plaid.
Plaid was among several companies — including aggregators, fintech providers, banks and trade groups — that submitted feedback to the CFPB on its pending rulemaking. The comment period closed Feb. 4.
The CFPB rulemaking, required by the Dodd-Frank Act, aims to clarify standards for how fintechs access bank account data. Banks have long objected to screen scraping and increasingly partner with aggregators to send data to fintechs using application programming interfaces. But that requires auditing agreements between each partnering bank and aggregator.
"Companies don’t lightly volunteer for supervision by the CFPB," said Pitts, but regulators need "to supervise the data holders and the companies doing the data retrieval to make sure they are all meeting their obligations.”
Aggregators say direct CFPB regulation would be simpler and ensure consistency for all companies. CFPB supervision would be better than bilateral oversight from banks, they say, because it would block banks from restricting access to consumer data.
“To have the CFPB directly supervise rather than have a bank exert oversight makes a lot more sense from a consumer protection perspective,” said Steve Boms, executive director of the Financial Data and Technology Association, a trade group representing aggregators such as Plaid, Envestnet Yodlee, Intuit and MX, as well as the fintech firms themselves.
Boms said the CFPB could coordinate its policy on bank-aggregator partnerships with the prudential bank regulators that oversee banks' third-party relationships.
“If you, as a regulated entity, are doing business with another regulated entity, why should the financial institution be required to conduct its own auditing or compliance if the entity is being supervised by the federal government?” he said.
The CFPB’s data-access rulemaking, mandated under section 1033 of Dodd-Frank, could be one of the most consequential rules implemented by Rohit Chopra, President Biden’s nominee to lead the bureau.
Though a rule is not expected until 2022, the battle lines are already being drawn. Few issues raised by the CFPB’s advance notice of proposed rulemaking are as thorny as third-party oversight and how much authority banks should have over data aggregators.
For some, CFPB oversight of data aggregators seems like a foregone conclusion. In the comment letters, even banks want aggregators to be subject to direct supervision.
“Everybody sees the writing on the wall,” said Dan Quan, a senior adviser at McKinsey and a former senior adviser at the CFPB. Yet he added that the data-access rule is sure to spark “ongoing debate” between different industries. “The aggregators want consumers to have access to their own data and banks want to control it,” Quan said.
To begin the process of examining data aggregators, the CFPB likely will have to issue a separate rule under its powers in Dodd-Frank to designate "larger participants" in certain nonbank sectors for supervision.
"The CFPB should regularly supervise and examine data aggregators and brokers under its 'larger participants' authority," said Rhonda Thomas-Whitley, vice president and regulatory counsel at the Independent Community Bankers of America.
Rob Morgan, the American Bankers Association’s senior vice president of innovation and strategy, agreed, writing in a comment letter that the CFPB "should bring data aggregators under direct supervision."
“Banking regulators should clarify that bank agreements with data aggregators do not constitute third-party vendor relationships,” Morgan added.
Banks have long sought to end the practice of screen scraping, in which third-party providers obtain bank customers’ usernames and passwords, then log in and access bank data. But the trend in recent years has been for banks and data aggregators to sign bilateral agreements that govern APIs.
Aggregators say more consistent rules will help financial innovation efforts and create a more equal playing field.
"We believe that without a sensible regulatory framework, the U.S. is currently on a path toward a closed finance system where consumers are not in control of their data and are limited in the decisions they can make," Jane Barratt, chief advocacy officer of the aggregator MX, wrote in a comment letter to the CFPB.
She added, "Up until now, much of the work on data access has happened via an industry-led approach."
"Enormous progress has been made on key issues, and the work continues as players in the ecosystem create a technical standard for the sharing of consumer data," Barratt wrote. "However, we are already seeing a widening gap between haves and have nots, along with policy questions that are still unanswered and legal and regulatory points of uncertainty that unfortunately leave the consumer at a disadvantage."
Plaid asserts that banks and aggregators have far more in common now than in the past because of the evolving ecosystem.
“I want to push back on the narrative that this is a battle between banks and fintechs,” said Pitts. “The fact that you’ve got banks and aggregators calling for supervision of aggregators is a pretty big point of alignment. So the next layer is that we need a different set of third-party guidance specific to the industry. The current approach to third-party does not work.”
Currently, when banks enter into bilateral agreements with aggregators they are required by prudential regulators to conduct oversight. But that means banks are often swamped with paperwork. Some experts say more guidance from the CFPB would help reduce the lengthy process of drafting contractual agreements to address liability issues.
Last March, the Office of the Comptroller of the Currency addressed the issue of bank oversight of third-party relationships in an
“It is up to bank management to determine the risk associated with each of the bank’s third-party relationships,” the OCC update said. “The higher the risk of the individual relationship, the more robust the third-party risk management should be for that relationship.”
At the core of the issue, aggregators are opposed to prudential regulators giving banks the green light to police them.
“Nobody is going to disagree that banks need to exercise due diligence, but if they use that as a smokescreen to control access to data, that is something aggregators do not want,” Quan said.
Yet few experts think the effort to eliminate third-party oversight requirements will succeed given that bank oversight of service providers is a bedrock of prudential regulation.
“Neither the banks nor the aggregators like this framework of third-party risk management,” said Amias Gerety, a partner at the venture capital firm QED Investors in Alexandria, Va., and a former acting assistant secretary for financial institutions at the Treasury Department. “It’s definitely imperfect, but it’s not going away.”