Consumers like John and Jane Everyperson love using an ever-growing list of apps and companies to help manage their personal finances: banking, budgeting, applying for loans, accounting and tax preparation, or simply sending money to family and friends. When John and Jane link their bank account data to third-party apps like these, they love the benefits that help them live healthier financial lives.
That said, John and Jane might overlook the many risks they may be taking. Data sharing needs to be implemented thoughtfully to avoid harm to consumers and the overall safety and soundness of our financial system. That includes ensuring regulations being authored by the Consumer Financial Protection Bureau (CFPB) this year reflect key principles to keep consumers safe.
The risks of data sharing are growing every day as more consumers do more banking digitally and link their bank accounts to more digital apps. It is hard for consumers to understand what a financial app does with all their data. Consumers are likely to believe that they enjoy security protections when they allow nonbank apps to access their bank accounts, but that may not be the case.
It starts when consumers give their bank ID and passwords to a third party to link their bank accounts to a financial app. In doing so, they have just allowed the third party to access their bank account and act as if the third party were them! The third party can collect every data element and everything John and Jane can see online at their bank, and can even transfer money. That access also can include account numbers and information about their credit cards, investments and the accounts they share with their kids.
To reap the benefits of data sharing, apps and fintech companies need to access a consumer's private financial data. That private financial data is both personal and sensitive. That's why we strongly believe that John, Jane and all consumers should have full understanding, control and visibility over who wants access to their financial data and how they want to use it.
For example, is the app keeping John and Jane's financial data safe from hackers or from being misused by others? Is the app reselling John and Jane's data? To whom, and for what purpose? John and Jane don't know and likely won't, until something happens to their data or their bank account. And then, they will turn to their bank to help them solve the problem when in reality the issue was caused by the third party they linked to their bank account.
So, what is the best way to protect the millions of consumers who share their financial data with financial apps every day? The CFPB is working to create rules that govern data sharing for financial institutions, fintechs and data aggregators. How can these regulations preserve both consumer trust in and the systemic soundness of our financial system?
Simply put, by adopting rules that incentivize companies to deliver security, convenience, control and privacy when a customer chooses to share their financial data with third parties. These consumer expectations are foundational to banking and should be the primary driver of the CFPB's rulemaking to preserve consumer trust in the financial system.
As the future of consumer-permissioned data sharing in the United States is determined over the next several months, it is critical to build on and fortify the trust consumers have with their bank. Consumers should remain confident that they can reach out to their bank for help. Consumers trust their bank to keep their money and private financial information secure, so the CFPB's rulemaking should follow four key principles.
First, the CFPB should ensure that banks (and all data providers) can collect consent directly from consumers who request to share data with a third party, with strong protocols in place for how data providers and authorized third parties work together to collect and store requests to share data. The CFPB should also promote the prompt adoption of Application Programming Interfaces (APIs) to facilitate data sharing. If banks and credit unions don't have the resources or expertise to build their own API, they can turn to a variety of third parties to help them implement one.
Second, they should allow banks to enable consumers to share tokenized deposit account numbers with third parties to further protect consumers' accounts — a solution that is more secure than sharing an actual bank account number.
Third, they should limit the scope of data shared with third parties to only what those third parties need to serve the consumer, and prohibit third parties from using customers' online banking credentials to screen-scrape.
Finally, they should ensure that third parties have agreed to protect consumers' data and are liable when they fail to do so.
More and more banks are now implementing dedicated APIs to give customers like John and Jane more control over their financial account data when they share it with third-party apps. A dedicated API puts consumers in the driver's seat by empowering them to decide what data to share, without needing to provide their username and password to a third party.
We encourage all banks and data providers, regardless of size, to adopt data sharing practices that empower their customers to safely share their financial data and the CFPB to adopt data sharing rules that embody these key principles. This way, all consumers will be able to realize the powerful benefits that safe data sharing can unlock.