House Financial Services Committee Democrats and Republicans have found initial common ground on the need for stronger protections for consumer financial data used by third-party companies that share the data across bank accounts, payment apps and other services.
Lawmakers at a Financial Technology Task Force hearing on Sept. 21 questioned whether consumers understand the degree of access they hand over to third-party data aggregators and whether stronger protections are needed. The intermediaries make payment apps such as Venmo and other fintech tools possible by sharing a consumer’s banking data with the apps.
Financial Services Chairwoman Maxine Waters, D-Calif., said she will work closely with the Consumer Financial Protection Bureau as it works to issue regulations on financial data. However, Congress should act on the issue, she said. The Senate confirmed Rohit Chopra on Sept. 30 to be the new director of the CFPB.
“I think this is something that maybe we should have done a long time ago,” Waters said in an interview after the hearing. “I want our public policy to be a lot tighter than just always turning it over to someone else to interpret and then to implement it. I want us to get more into the details.”
She added that there’s a possibility to work with committee Republicans on legislation to protect consumers’ control over their financial data.
“It seems as if I’m agreeing with Luetkemeyer for the first time since we have served on this committee together,” Waters said during the hearing, referring to Missouri Republican Rep. Blaine Luetkemeyer, who criticized a practice called “screen scraping.”
The practice allows data aggregators authorized by the consumer to use the username and password to extract data from those accounts and to share the information gleaned with other parties. The aggregators can access those accounts without a relationship with the company housing that information.
“Whenever I discuss screen scraping with my constituents and explain to them what it is, they are aghast,” Luetkemeyer said. “I’m telling you, people don’t believe it’s OK. And, therefore, we need to take a different perspective on this and say, ‘Whoa, OK.’ The first way you protect people’s privacy and their information is to be honest with them.”
Better disclosure that makes clear to consumers what kind of access they’re allowing is needed, he said.
Tom Carpenter, director of public affairs at Financial Data Exchange, a nonprofit group setting industry-led standards for sharing financial data, said it’s not so simple. The organization is pushing the industry to shift from screen scraping to tools that allow financial firms to share data with each other directly, Carpenter said.
The industry is “rapidly moving” away from screen scraping, he said. “It’s just a matter of, it does take time. You can’t flip that switch overnight and cut off access to consumer data sharing.”
‘When is consent meaningful?’
Rep. Stephen F. Lynch, D-Mass., chairman of the Financial Technology Task Force, said screen scraping is just one part of consumer data privacy that Congress should address.
“Another piece here is consent. When is consent meaningful?” Lynch said in an interview after the hearing.
“If you’ve got a 60-page terms of service agreement that no one’s going to read, and then you can go without access and not get access to the service, or you can click ‘I Agree,’ those are your choices,” he said. “The power is all with the provider, so we’ve got to hold their feet to the fire as well. They cannot demand that the consumer yield all of their rights in order to get access to that application.”
Regulators are looking at the problem too.
The CFPB is working on a new regulation to clarify standards around consumer-authorized access to financial data. The bureau last year asked the public for input on developing regulations to implement Section 1033 of the 2010 Dodd-Frank Act, which provides consumers the right to access financial records.
It said there may be benefits from authorizing third parties to access data on their behalf and allowing those parties to deliver new personal financial management services, payments, improved retirement savings outcomes and access to credit.
“While consumer access to financial records can enable the development of innovative and beneficial consumer financial products, it can also present consumer risks,” the CFPB said. The rule-making outreach seeks information on costs and benefits of consumer data access, competitive incentives, standard-setting, access scope, consumer control and privacy, and data security and accuracy.
Raul Carillo, an associate research scholar at Yale Law School who testified at the Financial Services Task Force hearing, said a consumer payment made with a mobile money account today typically involves a merchant, bank, payments processor, mobile device maker, internet service provider and app provider.
“Additionally, roughly 50 percent of U.S. consumers and 95 percent of U.S. deposit accounts are estimated to have signed up for financial apps that frequently rely on unregulated or under-regulated data aggregators,” Carillo said.
Carillo previously worked as an attorney for low-income consumers in New York City and as special counsel to the enforcement director of the CFPB.
He said rules and laws governing consumer rights to their data can be meaningful only with a broader policy that minimizes data collection and inappropriate usage “as a first-order principle.”
That kind of policy could run counter to some who’ve advocated for broad adoption of fintech as an economic driver and a way to move “underbanked” people into the financial system.
Carpenter advocated for technical standards that allow consumers to connect a wide array of apps and services to their financial accounts to be developed by the financial industry, rather than through a regulatory process.
“For a host of reasons … we believe the industry is best suited to maintain and continually adapt standards to the needs of the market and consumer demand,” he said.
That drew a rebuke from Rep. Ritchie Torres, D-N.Y., who said big banks “are not disinterested arbiters of what is best for consumers. The banks do have a vested interest in maintaining their oligopoly on consumer information.”