From the earliest days of e-commerce, there has been a perpetual tug-of war between ease of use and the safety and security of transactions. It is also the core dilemma surrounding the relationship between FinTechs and federally chartered banks.
FinTech, and the firms that offer related non-depository services, can bring improvements to the processes behind loan applications, account monitoring, and reach the unbanked in ways that traditional brick and mortar facilities fall short.
Enter the dilemma of convenience versus risk. Make it easier to conduct mobile banking and money transfers: count many consumers as all in. Learn that Facebook, nefarious in the eyes of many for spreading personal data among third parties, wants access to their financial data to facilitate those needs and alarm bells ring.
Where do federal regulators and Congress fit in?
On Sept. 18, The Senate Banking Committee convened a hearing a hearing entitled, “Fintech: Examining Digitization, Data, and Technology.” Sen. Mike Crapo (R-Idaho), committee chairman, said the goal was to “solicit unique perspectives FinTech offerings and partnerships.
“Digitization and data are constantly evolving, challenging the way we have traditionally approached and conducted oversight of the financial services sector,” Crapo said. “Less than a decade ago, the concept of mobile banking, a simple transaction, was relatively new. Now, consumers have countless options by which to interact with and access their financial information and conduct transactions.”
Among bank regulators, there are ongoing efforts to act as a catalyst, not a roadblock, for FinTech adoption.
The Office of the Comptroller of the Currency is experimenting with the issuance of special, bank-like charters for select FinTech. In July, the Treasury Department released a report laying out a regulatory blueprint that favors deregulation over rulemaking that might otherwise stifle a growing industry.
Among those testifying was Stuart Rubinstein, president of Fidelity Wealth Technologies and head of data aggregation for the firm.
Financial data aggregation, in this context, refers to services that, with customers’ consent, collect financial information from their various bank, brokerage, and retirement accounts, along with other sources, to be displayed and processed in an aggregated view. An example would be a budgeting and planning smartphone app.
Current data aggregation practices make this process challenging for firms, because they rely on consumers providing their financial institution log-in credentials (username and password) to third parties, he explained. Those data aggregators then almost always employ a practice known as “screen scraping.” At its most basic, this involves the use of computerized “bots” to log-in to financial institution websites, mobile apps, or other applications as if they were the consumer.
“There are consumer data security problems with this practice. As a matter of basic security, consumers should not be asked or required to share their private log-in credentials in order to access a third-party service,” Rubinstein said. “Doing so creates cyber-security, identity-theft, and data-security risks for the consumer and financial institutions.”
“Unfortunately, due to years of this practice, financial institution log-in credentials are now held by a myriad of companies,” he added. “Some are likely very secure, while others may not be secure at all.”
Fidelity espouses several principles Rubinstein says could guide industry in creating better data sharing solutions:
Supporting consumers’ right to access their own financial data and provide that data to third parties;
Data access and sharing must be done in a safe, secure, and transparent manner;
Consumers should provide affirmative consent and instruction to financial institutions to share their data with third parties;
Customers should tell financial institutions which third parties have permission to access their financial data; and
Third parties should access the minimum amount of financial data they need to provide the service for which the customer provided access.
What’s working against adoption of safer data sharing technologies? Rubinstein blames, in large part, inertia.
“Existing practices have been the norm for close to two decades. Getting firms to adopt new technologies can be challenging no matter what the benefits,” he testified.
Another countervailing force, he says, is cost.
“Liability is the most stubborn blocker to wider adoption of safer data sharing technologies,” Rubinstein testified. “Third party aggregators want to limit their potential liability in the event that financial data is illicitly obtained… We believe firms that obtain and handle consumer data should be held responsible to protect that data from unauthorized use, just as we are. Any other standard creates moral hazard and does not incentivize aggregators to take their data stewardship responsibilities seriously.”
Steven Boms, president of Allon Advocacy, testified on behalf of the Consumer Financial Data Rights Group, a consortium of nearly 50 financial technology companies, including financial data aggregation companies, and end user-facing technology tools. His testimony also incorporated the perspective of the Financial Data and Technology Association of North America, a trade association for which he serves as executive director.
Boms praised the industry’s potential and decried needless federal roadblocks, particularly when it comes to all-important data access.
Not all financial institutions are disposed to allow third-party tools, some of which compete directly with their own products and services, to have complete access to their customers’ data. The Treasury’s report noted, for example, that “access [to financial data] through APIs was frequently and unilaterally restricted, interrupted, or terminated by financial services companies.”
“The market is therefore fundamentally dislocated,” Boms testified.
The Consumer Financial Protection Bureau engaged in a year-long process to address this issue, which ultimately culminated in the release, in October 2017, of nonbinding principles for consumer-authorized financial data sharing and aggregation.
“Though the engagement was earnest and well-intentioned, the principles it ultimately released did not meaningfully shape or change market behavior,” Boms said.
Meanwhile, he fretted, legislators abroad have sought to stake their own turf for financial innovation, creating “a huge risk the U.S. will fall behind, and with that a risk that jobs will go elsewhere.”
Earlier this year, CFDR released a set of principles, Secure Open Data Access. It called for the implementation of traceability, minimum cyber-liability insurance standards, and other measures designed to ensure that the entity responsible for consumer financial loss as a result of a data breach—whether a bank, an aggregator, or a FinTech firm—is the entity charged with making the end user whole.
Brian Knight is the director of the Innovation and Governance Program and a senior research fellow at the Mercatus Center at George Mason University.
“The advance of technology has shown significant promise for improving the market for financial services,” he testified. “Specifically, the collection, aggregation, and use of consumer data has significant potential to allow consumers to enjoy the benefits of a more competitive and innovative market. Of course, there is no such thing as a free lunch, and increased risks may accompany the benefits.”
More granular data collection and broader access might increase the risk and harm of data breaches to consumers, Knight said. There are also concerns that the enhanced use of algorithms may lead to more discrimination, a lack of transparency, or diminished access to essential services like credit.
He added, however, that “there is no reason to panic” and “rash regulatory intervention may frustrate pro-consumer innovation, leaving consumers worse off.”
The use of artificial intelligence, machine learning, and other advanced algorithmic techniques to process data present the possibility of more accurate, fair, and inclusive underwriting and risk management, he added.
“Although this area is often presented as a lawless Wild West, it is incorrect to think that these areas are unregulated. In general, we should see how well the existing laws and regulations work with new technology before we impose new restrictions,” Knight testified. “We should consider the possibility that, in fact, we already have too much regulation that affects these new technologies.”
Knight, like others on the panel, said a deterrent to wider adoption is institutional liability concerns that could emerge with granular, dispersed data sharing.
“There are questions regarding the scope of liability for a financial institution in the event consumer data is lost owing to a failure on the part of a data aggregator or a downstream application,” he said. “Financial institutions feel at risk that they will ultimately be forced to compensate customers, even if the financial institution was not at fault, because the aggregator or application lacks sufficient resources to make aggrieved customers whole.”
Knight added to the list of upsides that algorithms may prove to be less prone to discrimination than human decision-making.
“To the extent that discrimination is driven by subconscious or unconscious bias, those biases are less likely to survive the process of being written down in an intentional underwriting algorithm compared to a ‘gut decision’ by a lending officer,” Knight said. “To the extent human decision-making incorporates inaccurate stereotypes when making decisions, algorithms, with access to more and better data, and without the baggage of inaccurate stereotypes, may be able to do a better job.”
A contrarian view of the Treasury Department’s report came from Saule Omarova, a professor of Law at Cornell University who teaches subjects related to U.S. and international banking law and financial sector regulation. She also served in the George W. Bush Administration as a special advisor on regulatory policy.
“Treasury’s normative stance is ‘fundamentally deregulatory,’” she said. “The financial industry and its representatives have a long historical record of justifying their demands for regulatory easing by reference to consumer benefits. The unstated goal of the Treasury’s ‘modernization’ strategy is to enable regulated banks to form large-scale de factopartnerships with technology companies, without subjecting the latter to bank-like oversight.”
Omarova took umbrage at the fact that so many opaque technology companies, many offering cloud-based services, would have potentially unfettered access to consumer financial data. Only four mega-tech companies, she said, currently dominate the worldwide market for cloud services: Amazon, Microsoft, Alibaba, and Google.
“It is intuitively easy to understand the obvious dangers of allowing large tech platform companies such an easy access to bank customers’ personal financial data,” she said. “A strong public reaction to the recent news of Facebook, one of the world’s largest and most notorious data aggregators, requesting access to large banks’ customer data shows that consumers care deeply about keeping their financial information private, safe, and secure from all manner of unauthorized use.”
“Nobody really knows what exactly these companies can see or what they can do with the data they touch,” she added.
Also, Omarova warned, these companies will be positioned to use the vast amounts of data gained from monitoring consumers’ behavioral patterns and commercial transactions (and now the detailed real-time bank account data) to “up-price” financial products and services offered to individuals.
“In essence, they will be able to charge individual borrowers not the fair market price but the maximum price each of them is able to pay,” she testified. “Rather than gaining meaningful control over their personal financial data, American consumers will be an easy target for unscrupulous salesmen of the digital era.”
During questioning by the committee, Crapo returned the conversation to recent media reports that Facebook had unsuccessfully attempted to enjoin financial institutions, including Bank of America, Citibank, and Wells Fargo, to share otherwise consumer banking data needed to build upon its offered services.
“I’m glad the banks refused Facebook’s access to their bank customers’ data, but I don’t kid myself for a minute that they have done so out of some moral respect for customer privacy,” Omarova replied. “They have done it because of the regulations that are applied to them today. If we remove those regulations, then all of our sensitive financial data will be open to companies like Facebook and we will not know how it will be used.”