In a recent speech at the Northwestern Kellogg Public-Private Interface Conference, Federal Reserve Board Governor Lael Brainard indicated that the relationships between banks and data aggregators within the “fintech stack” may present safety and soundness concerns that warrant oversight by the FRB (and perhaps other prudential regulators). Governor Brainard’s remarks on consumer financial data aggregation activities follow the Consumer Financial Protection Bureau’s Request for Information on this topic last fall. The growing chorus of regulatory concerns from the FRB and the CFPB, among others, increases the likelihood of enhanced regulatory scrutiny in the near term and potential regulatory intervention in the medium to long term.
In her speech, Governor Brainard discussed how consumer financial data aggregation technologies are changing the way consumers obtain, analyze and use financial information. The speech focused in particular on the role that consumer financial data aggregators and banks each play in the “fintech stack,” which references the overlay of different services and functionality from different entities to deliver a fintech product or service. The following are highlights from Governor Brainard’s speech.
Banks Play a Key Role in the “Fintech Stack”
Most fintech products run via application programming interfaces (“APIs”) and involve a banking organization to support critical functions, including: access to consumer deposits or related account data, access to payment systems, credit origination, or compliance management. One of the challenges posed by new fintech offerings is determining how to best allow access to consumers’ financial data. The data systems at many banks are a mix of computing mainframes and technologies developed after mergers or restructurings and long before current cloud computing technologies were available. Governor Brainard indicated that banks will need to apply significant resources to update their data infrastructure to allow access to real-time data for third-party developers.
Safety & Soundness Interests in Consumer Financial Data Aggregation Activities
Governor Brainard highlighted that bank safety and soundness concerns are involved in consumer financial data aggregation activities:
[S]ome of the key underpinnings of consumer protection and safety and soundness in the banking world–that consumers should be exceptionally careful in granting account access, that in certain conditions banks could be presumed to bear liability for unauthorized charges, and that banks can be held responsible for ensuring that service providers and vendors do right by their customers–sit uneasily alongside the requisites of openness, connectivity, and data access [for consumer financial data aggregation activities] that enable today’s app ecosystem….
Governor Brainard explained that because banks are more tightly regulated than the average fintech company, consumer protection and safety and soundness considerations should supersede experimental innovation. She also indicated that data security and control over third-party service providers are essential for banks to meet their safety and soundness obligations, expressly stating that prudential regulators have an interest in ensuring that banks adequately manage their relationships with data aggregators.
Trend Towards Bilateral Data Aggregation Agreements & Bank Vendor Management
Governor Brainard noted that banks can and have been controlling access to consumer financial data through agreements with fintech companies and data aggregators that support the use of APIs. These agreements can include terms that provide for proper vetting and ongoing oversight of those accessing the bank’s data. In some cases, she continued, data aggregators then facilitate access to the bank data by thousands of fintech developers, without the banks having to create and maintain their own open-access APIs.
Governor Brainard indicated that a key component of these bilateral vendor relationships for supervised banks includes supervision and assessment of associated safety and soundness concerns:
[I]f agreements between data aggregators and banks are structured as data aggregators performing outsourced services to banks, the bank should be able to conduct the appropriate due diligence of its vendors, whose services to those banks may be subject to examination by safety and soundness regulators….
While some banks may elect to give access to data aggregators, Governor Brainard observed that other banks may be unwilling or unable to provide permissioned access to third parties due to fears about compliance with laws and regulations and the ability to monitor and control the use of and access to data. She then noted that the Fed’s supervisory role should focus on ensuring that financial institutions subject to its supervision operate safely and follow applicable law. At the same time, she stated that the Fed has “a strong interest in permitting socially beneficial innovations to flourish, while ensuring the risks that they may present are appropriately managed, consistent with the legal requirements.”
Trend Towards Regulatory Intervention Around the World
Governor Brainard recognized that regulators in other countries have recently implemented varied approaches to consumer financial data access. For example, the United Kingdom recently required its nine largest banks to allow open APIs to share pricing, fees, and terms information this year, and will require open-access APIs for consumer transaction data and payment information in 2018. In the European Union, implementation of the revised Payment Services Directive (PSD2) will require banks to permit licensed third parties access to consumer bank account information. However, Governor Brainard acknowledged that regulators in the United States may not be ready or able to implement regulations demanding a similar degree of openness, in part because of the way regulatory authorities are broadly distributed and certain statutory limitations that predate the current fintech and technology ecosystem.