The U.S. House Committee on Financial Services Task Force on Financial Technology considered testimony on developments in data sharing and FinTech which raise consumer protection and regulatory questions.

In a Memorandum to the members of the Committee, majority staff explained that the increased use of consumer data to create new products and services has resulted in a significant rise in the amount of personal and financial data that is obtained, maintained, and furnished to third parties, raising consumer protection and regulatory questions. The staff pointed to the development of credential sharing, screen scraping and application program interface ("API") methods as examples of data sharing means that "lack adequate consumer protections and privacy protections, and face cybersecurity weaknesses." However, the staff noted that the development of these new products and services can provide consumers with improved means of overseeing their finances, setting savings goals and managing other financial responsibilities.

Witnesses included:

  • Tom Carpenter, Director of Public Affairs at Financial Data Exchange, a nonprofit FinTech organization, who emphasized the progress made in the FinTech space with respect to technical standards that have enabled under-permissioned financial data sharing (i.e., screen scraping). Mr. Carpenter highlighted the benefits of such progress, and credited the use of negotiated and standardized APIs. The benefits of such APIs, he said, include (i) providing consumers with more transparency into their financial standings, (ii) expanding consumer access to credit and reducing the cost of credit, and (iii) enhancing consumer financial literacy. However, Mr. Carpenter stated that user-permissioned data sharing lacks standardization in a number of respects, including (i) the authentication, authorization and certification of data, (ii) how consumers access the data, and (iii) the scope of the data and how it is processed. Mr. Carpenter asserted that efforts to establish technical standards should be spearheaded by the FinTech industry because such standards would "adapt to the needs of the market."

  • Raúl Carrillo, Associate Research Scholar at Yale Law School and Deputy Director of the Law and Political Economy Project, who underscored the conflict of interest between the FinTech industry, which relies on data "maximization," and consumers, who would benefit from financial data collection through a data "minimization" paradigm. Mr. Carrillo urged the CFPB to issue (i) a Dodd-Frank Section 1033 ("Consumer rights to access information") rulemaking to support consumer control and consumer data minimization and (ii) a rulemaking to establish the CFPB's authority to oversee data aggregators. In addition, Mr. Carrillo suggested that Congress adopt legislation to (i) establish "structural partitions" between large tech companies and financial institutions and (ii) prohibit data collection and usage barring certain exceptions.

  • Kelly Thompson Cochran, Deputy Director of FinRegLab, an independent research organization, who asserted that while FinTech industry-led efforts are important for addressing technical and process issues with respect to consumer data use, regulatory action to establish basic criteria for such data can make industry-led efforts significantly more effective. Ms. Cochran stated that regulatory initiatives to improve consumer data protections and aid in the industry's standardization efforts include (i) FTC's evaluation of a proposal to update the information safeguard obligations of non-bank financial services entities pursuant to the Gramm-Leach-Bliley Act, (ii) the CFPB's advance notice of proposed rulemaking on the development of regulations to implement Dodd-Frank Section 1033, and (iii) the Federal Reserve Board, the FDIC and the OCC's proposed risk management interagency guidance concerning third-party relationships of banking organizations. In general, Ms. Cochran observed that an enhanced, broader regulatory framework for consumer data use involves (i) establishing "meaningful consent" for data access, (ii) facilitating access to data for the development of products and services to the benefit of consumers, and (iii) more comprehensive and efficient regulation of data intermediaries.

  • Chi Chi Wu, a Staff Attorney at the National Consumer Law Center, who expressed support for the CFPB's issuance of a Dodd-Frank Section 1033 rulemaking. Ms. Wu noted that access to financial data can be both beneficial and harmful to consumers, stating that effective consumer protection regulation ensures (i) consumer choice and control over their data, (ii) enhanced competition to promote a shift in the evaluation of consumer creditworthiness, (iii) the application of existing consumer protection provisions under the Fair Credit Reporting Act, the Equal Credit Opportunity Act and the Electronic Funds Transfer Act, and (iv) improved data security protections.

  • Steve Smith, Co-Founder and CEO of Finicity, a service that allows financial account holders to link their accounts to a variety of financial applications and services, who highlighted the importance of data aggregation as a means for "empower[ing] consumers and small and midsize business with access, control, and the consented use of their data." Mr. Smith stressed that consumer data rights are rooted in consumers' ability to obtain and use their data to their benefit. He noted that the CFPB's progress on a rulemaking under Dodd-Frank Section 1033 is a step in the direction toward a straightforward regulatory framework for protecting and advancing open banking in the United States.

Commentary

There was a good bit of bipartisan consensus at the Task Force's hearing on the need to move away from screen scraping, as well as the need for the CFPB to move as quickly as possible to implement a rule under Dodd-Frank Section 1033. However, it seems unlikely that the CFPB will issue a proposed Section 1033 rule until a Senate-confirmed Director of the CFPB is in place. Rohit Chopra's nomination remains pending.