The financial technology revolution, which is being led by entrepreneurs rethinking everything from the
This month, the Consumer Financial Protection Bureau took an important step toward making that potential a reality with its
But the CFPB’s principles are just that — nonbinding statements of CFPB policy. While the ball is largely in the industry’s court to work toward new data-sharing technical standards, regulators also have an important role to play.
First, data sharing can be risky, as the CFPB went to great lengths to make clear. Why? Data sharing often requires consumers to provide
However, some banks have
Second, the CFPB should work with the Federal Trade Commission and banking regulators to provide additional guidance on its principles related to informed consent. In the guidelines, the CFPB rightly stated that the terms of data access should be “consistent with the consumer’s reasonable expectations.” In other words, all potential uses of consumers’ data should be clearly and conspicuously disclosed in an easy-to-read way. Too often, that is not the case today. From Google to Facebook to Equifax, there is a growing concern about the ways that our data is collected and sold. Financial account data access operates on an opt-in basis; however, additional affirmative consent should be required when a consumer's data is being used for any purpose other than the service he or she signed up for.
Third, banking regulators could update their third-party vendor risk management guidelines to clarify the kinds of due diligence banks are required to conduct on parties with whom they share data. But regulators must tread carefully here. Data aggregation is not a traditional vendor relationship and simply applying current guidance would run counter to the CFPB’s principles by allowing banks — not consumers — to control which third parties can access data, overriding consumer consent.
In an April
In her prepared remarks, Brainard cited the terms and conditions that developers agree to when producing apps for Apple’s App Store or Google’s Android platform as informative examples of third-party vendor risk management. However, this framework should not be imported into consumer data access. Apple is not like the bank in this analogy. Further, when an app developer agrees to Apple’s terms and conditions, it is seeking access to Apple’s data, so it’s appropriate for Apple to assert some amount of control. When a consumer grants a fintech app permission to access financial account information, it’s the consumer’s information.
Fourth, there is the issue of liability. Some banks have asserted in their terms and conditions that if bank customers provide their login credentials to a third-party app, they lose their right to protection against unauthorized transactions. Consumer advocates have, naturally, taken the opposite view. Without wading into those choppy waters, bank regulators and the CFPB could still clarify that consumers will be fully protected in a security breach if banks had provided data access in a manner not involving login credentials.
This is an area where more regulation could actually facilitate innovation — and where the U.S. risks falling behind Europe. The revised Payment Services Directive, which Europe is readying to take effect next year, requires banks to make account information available through secure portals to foster a more innovative and competitive financial ecosystem.
Bringing PSD2 to the U.S. would be difficult, and imposing a one-size-fits-all standard on the nearly 6,000 banks in the United States (to say nothing of the thousands of other financial institutions) would be unwise. But those challenges should not stop regulators from setting minimum standards and requiring banks to provide full data access without the use of login credentials.
The CFPB’s data-sharing guidance is a great start in driving bank innovation. But the bureau and other regulators must follow it up with additional steps to make sure consumers are the real winners of the fintech revolution.