The American Bankers Association (ABA) appreciates the opportunity to submit a statement for the record for the hearing titled “Banking on Your Data: the Role of Big Data in Financial Services.” We believe that responsible innovation in financial services will continue to benefit customers as it has throughout the history of banking. The use of data plays a critical role that can help promote financial inclusion, make it possible to extend credit to many more borrowers, and give customers improved transparency into the financial products they use every day. While ABA has articulated our position on issues such as data privacy and the use of alternative data, it is critical to also address how to ensure consumers remain protected when they choose to share their financial data with third parties.
Technology has facilitated the creation of a tremendous amount of consumer financial data. The unprecedented proliferation and availability of this data has enabled the development of new financial innovations that stand to benefit customers. However, the inherent sensitivity of this data and the discussion around the appropriate role of large technology companies in banking highlights the timeliness of this hearing and the need to ensure that financial data are handled appropriately.
As banks innovate, they do so within an established regulatory framework, backed by strong supervision and oversight, that ensures robust customer protection. Innovation is also taking place outside of the banking space. Technology-focused startups are building products that rely on access to consumer financial data. As a result, the demand for consumer financial data has increased dramatically, creating a market for these data.
We believe that if handled appropriately, access to these data can benefit consumers. This is why ABA fully supports the customer’s ability to access and share their financial data in a secure, transparent manner that gives them control. Banks and technology companies are collaborating to build the tools that facilitate access to financial data in a way that protects and empowers consumers.
However, it is important to note that sharing financial information is not the same as sharing information about where a consumer ate dinner. Consumer financial data are extremely sensitive and must be protected appropriately. Accordingly, Congress has recognized the sensitivity of financial information and has provided protections for it in the Gramm-Leach Bliley Act of 1999 (GLBA)–obligations that apply to all parties that hold it throughout its lifecycle.
Banks take very seriously their responsibilities to their customers to maintain the highest level of privacy, security, and control over their financial assets and transactions. Today, consumers trust that their financial data are being protected and handled appropriately. This trust is critical to the functioning of the financial system and is the reason banks dedicate significant resources to safeguarding financial data.
Current practices in the data aggregation market, however, may leave consumers exposed and create risks that undermine this trust. Legacy processes known as “screen scraping” require users to forfeit their bank username and password, granting technology companies unfettered access to a customers most sensitive data. When this happens, customers – often unknowingly – trade their privacy for technology-driven convenience in a way that exposes them to serious financial risk. Consumers often do not fully understand what data is being taken, where it is being sent, or how it is being used.
Banks, aggregators, and technology companies are all aligned on the need to move away from these legacy technologies that create risk to more secure technologies like APIs and are working together to make rapid progress toward this goal.
In 2017, the Consumer Financial Protection Bureau (CFPB) released a set of principles4 to support responsible sharing of consumer data. According to then Director of the CFPB, Richard Cordray, “these principles express our vision for realizing an innovative market that gives consumers protection and value.” These principles have served as a flexible bedrock for industry discision that has facilitated real progress. Since the principles were released, Industry collaboration has led to the development of technical standards, model contracts, and other technologies that can help facilitate responsible sharing. We believe that continued industry collaboration is the best way to advance this goal, however there are several regulatory clarifications and other recommendations that would help facilitate responsible data sharing.
ABA has developed a set of principles – consistent with the CFPB and the rest of industry – that we believe ensure that consumers remain protected when they share their financial data.
Banks support our customer’s ability to use third-parties to access their financial account data in a way that is safe and secure.
Consumers deserve bank-level security and protection regardless of where they choose to share their data. This means that consumer data are treated the same – and subject to GLBA protections – whether at a bank or a third party.
Consumers must have transparency about how companies use their financial data. It should be clear to consumers what data a technology company are accessing, how long the company is holding this data, and how it is using the data.
When consumers share their financial data they should have control over what information is shared and how it is used. Intuitive control would allow consumers to see easily who is authorized to receive their data, modify what access they have, and revoke that access when a service is no longer used. If consumers can easily control the data being accessed, they can better understand what is being used and protect themselves accordingly.
Consumers should expect that data-sharing is limited to the data that are needed to provide the service they have authorized and only maintain these data as long as necessary. Limiting sharing to necessary data helps minimize privacy risks and allows consumers to better understand what kind of data is being accessed and used. Services that go beyond financial account aggregation, such as money movement, present different risks and should be subject to separate agreements and require separate informed consent.
ABA believes that collaboration between banks, technology companies, and data aggregators is the best way promote an ecosystem that facilitates responsible data sharing. The significant industry progress in recent years demonstrates this to be true. There are several separate, but related pieces needed to build an ecosystem that supports responsible sharing that include 1) technical standards to securely move the data from point A to point B, 2) contracts that make it easy for banks to work with aggregators, and 3) permissioning systems that track and manage consumer consents.
It is critical that we move away from legacy processes like “screen scraping” that leave consumers exposed to risk and adopt technical standards that can securely move data from banks to aggregators and beyond. Application Programing Interfaces (APIs) serve as universal adaptors for data, allowing for more secure transmission of data between systems in a standardized format. This empowers customers to share financial data without forfeiting their bank-user credentials. For more information on how APIs work, please refer to ABA’s Understanding APIs report.
This is an area where industry has made significant progress. In the fall of 2018 banks, aggregators, and technology companies came together to found the Financial Data Exchange (FDX) out of a recognition that progress was only possible with the participation of a diverse group of stakeholders. FDX is a nonprofit formed to develop a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data. FDX has developed an API that can facilitate secure data sharing among all of these parties. ABA is a member of FDX alongside many of our banks, technology companies and aggregators.
The nature of innovation means that things are constantly changing, and it is important to note that no one technology will always be the right tool to facilitate secure data transmission. There are also many different APIs for different solutions and while APIs are the best technology today, we need the flexibility to adopt new technologies as the business of banking evolves. Technology mandates would lock us into legacy technologies and risk undermining both safety and innovation.
In order to move to API standards, banks and data aggregators must enter into legal contracts that dictate how data is accessed and protected. These contracts are critical to ensuring that customers remain protected and that their data is afforded bank-level protections when it is shared.
With legacy practices like “screen scraping” the bank has no direct relationship with an aggregator. This is because from a bank’s perspective, the aggregator looks like their customer. They effectively show up on a banks website and enter login credentials and access an account.
Implementing an API requires a contract that governs the use of that API and ensures the bank’s data security and privacy requirements are being honored. However, negotiating these contracts is an expensive and time-consuming process, often taking as long as 12 months. While larger institutions have the resources and scale to engage in these negotiations, community banks typically lack the resources to negotiate directly with aggregators.
The Clearing House (TCH) recently released a template agreement known as the Model Data Access Agreement designed to improve the process of contract negotiations. The model agreement was designed in consultation with banks and technology companies. This model contract is voluntary and is intended to be modified as individual circumstances may warrant. Additionally, it avoids taking positions on commercial terms that would be negotiated between parties. The contract does, however, provide for a common ground from which banks can engage with aggregators.
While significant progress is being made, concerns remain about some aspects of contracts, including the timing, retention, and deletion of existing data.
The third key component of empowering consumers to securely share their financial data is a permissioning system. Unlike the first two efforts, these are not industry-wide efforts, but typically done at the bank level as it is part of a bank’s digital experience. These systems are key to facilitating transparency and consumer control over their data. Permissioning systems track where a consumer has consented to share their financial data and provide a transparent portal to that allows them understand what data are shared, limit the data that are shared, and revoke access altogether.
We have seen many large banks unveil permissioning platforms, Wells Fargo’s “Control Tower” is just one example. However, this technology is largely unavailable to community banks today as it is not offered their core banking platforms. These core providers play a critical role in ensuring that community banks have the tools to meet market demand and remain competitive in a digital economy.
While we believe a market-driven approach is the best way to empower consumers to control their financial data, there are several regulatory and legal clarifications that can help give certainty to the market that will allow the private sector to more quickly make progress.
We believe the following recommendations are necessary to ensure that customers of all banks – regardless of their asset size – can control their financial data and fully benefit from financial innovation.
Community banks rely on technology infrastructure from companies that provide software systems known as core banking platforms. Core technology supports everything from accepting deposits to originating loans, all of which tie into operating the core ledger that keeps track of customers’ accounts. For many banks, their core provider is the heart of their IT infrastructure. Without the support of these core providers, it would be impossible for community banks to offer the API access or permissioning systems that the market demands today.
ABA has engaged with the core providers through its banker driven Core Platforms Committee, made up of community and mid-sized banks, in an effort to strengthen relationships between banks and cores. One of the key priorities that this committee has identified is data access. Community banks often struggle to quickly and easily access the data held in their core platforms, much less facilitate access for third parties. For community banks to remain competitive, it is critical that the core providers engage in industry efforts and adopt technologies that facilitate the secure data sharing that customers demand.
U.S. law has long accorded special status to consumer financial information given the sensitivity of the information. To ensure consumer financial information is properly secured, it is subject to laws related to privacy, data protection, and restrictions on data use and accessibility. For example, the Gramm-Leach-Bliley Act of 1999 (GLBA) imposes on financial institutions obligations to respect customer privacy and to safeguard financial information. Specifically, Section 501 of that law imposes on financial institutions an “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”
Consumers should expect that their financial data is protected whether it is held by a bank or a data aggregator. As discussed above, GLBA provides a robust framework to protect “nonpublic personal information” of a consumer that is held by a “financial institution.” ABA believes that data aggregators fall under the GLBA’s definition of “financial institution” and therefore should be subject to all the rules that apply to all other financial institutions. This assures that data protections apply consistently regardless of where the data originated, where it is transferred, and the type of company is using or storing the data.
Congress used an intentionally robust and expansive definition of “financial institution” in GLBA, which encompasses “any institution the business of which is engaging in financial activities as described in [the Bank Holding Company Act of 1956, section 4(k).]”8 This definition includes not only banks, but as interpreted by the Board of Governors of the Federal Reserve, the definition encompasses any entity that provides data processing, data storage and data transmission services for financial data. In other words, GLBA clearly applies to data aggregators.
While we believe it is clear that GLBA applies to data aggregators, any confusion in the market could stifle the progress toward moving to more secure methods of data sharing. Therefore, we believe that Congress should encourage the CFPB to articulate clearly that data aggregators fall within GLBA’s definition of “financial institution” subject to the requirements of GLBA as they apply to other financial institutions. This would ensure that consumers receive the GLBA security protections as implemented by the Bureau’s Regulation P and the FTC’s Safeguards Rule.
By the nature of their business, data aggregators hold a tremendous amount of consumer financial data. It is estimated that data aggregators hold the consumer login credentials for tens of millions of customers. Despite this, many consumers don’t know that these intermediaries exist or how much of their information is being collected. In most cases consumers do not have a direct relationship with these companies and must trust that their data is being handled appropriately.
As discussed in above, ABA believes that data aggregators are subject to GLBA, but their compliance with its privacy and security obligations is not clear and, more important, is not subject to supervision or regular examination. Proactive supervision is critical to identifying risks before any harm is done to consumers.
A cornerstone of Title X of the Dodd-Frank Act was the authority given to the CFPB to establish a supervisory program for nonbanks to ensure that federal consumer financial law is “enforced consistently, without regard to the status of a person as a depository institution, in order to promote fair competition.” Experience demonstrates that consumer protection laws and regulations must be enforced in a fair and comparable way if there is to be any hope that the legal and regulatory obligations are observed. ABA believes that establishing accountability across all providers of comparable financial products and services is a fundamental mission of the Bureau. This is especially important for data aggregators, given the sensitive consumer financial information they store and process.
The bulk of the data processing in this area is managed by a select group of large companies. Accordingly, Congress should urge the CFPB to initiate expeditiously the rulemaking process under Dodd-Frank Act 1024 to define those “larger participants” in the market for consumer financial data that will be subject to regular reporting to and examination by the CFPB. Once the Bureau has imposed supervisory authority over the larger data aggregators, the CFPB can better monitor – and react to – risks to consumers in this rapidly evolving marketplace.
Under §1005.14 of Regulation E, a person that provides an electronic fund transfer service to a consumer is generally subject to Regulation E, with certain modifications, if it (1) issues an access device that the consumer can use to access the consumer’s account held by a financial institution and (2) has no agreement with the account-holding institution regarding such access.
Data aggregators that permit consumers to initiate electronic fund transfers from accounts held at financial institutions that do not have an agreement with the financial institution are “service providers” under Regulation E, as they issue “access devices” that may be used to permit electronic fund transfers to and from the account. As service providers, they are liable for unauthorized transactions under Regulation E as well as certain other provisions.
Imposing liability for unauthorized transactions under these circumstances is appropriate and fair. The data aggregator is in the best position to control the risk of unauthorized transactions conducted through its system. In contrast, the financial institution holding the account has no relationship with the data aggregator, no knowledge of, and no power over the data aggregator’s security system. This approach is consistent with payment system laws which generally assign liability to the party that is in the best position to avoid a loss and manage the risk of a loss. Indeed, it is for these reasons that Regulation E assigns liability to service providers.
Moreover, other provisions related to service provider responsibilities support classifying data aggregators as service providers under Regulation E. These include requirements related to error resolution, disclosures, the prohibition against the issuance of unsolicited access devices, and change in terms notices.
ABA believes that data aggregators providing electronic fund transfer services are service providers under Regulation E. To avoid any ambiguity, Congress shold urge the Bureau to confirm this in the regulation or official commentary.
Notably, data aggregators are authorized by and act on behalf of bank customers, not the bank. When banks enter into agreements with data aggregators, they do so to reduce risk and to apply additional protections to their consumers’ data as it leaves the secure banking environment.
Section 7 of the Bank Service Company Act (BSCA) requires banks to notify their regulators of contracts or relationships with certain third-party service providers and undertake due diligence on these partners. This is intended to capture relationships where banks partner with third parties to deliver experiences to their customer. In the case of data aggregators, there is no such partnership. A consumer has directed his or her bank to share their data; a bank’s contract simply lays out the terms for how that data is shared and provides a more secure portal for doing so. Such a contract should not result in the data aggregator becoming a third-party service provider to the bank. Rather, the relationship should be regarded as a customer-aggregator relationship.
A lack of clarity about the applicability of the BSCA to contracts with data aggregators could stifle adoption of more secure technologies that provide additional protections for customers. Moreover, banks have little ability to perform due diligence or supervise these data aggregators because the aggregators have no incentive to respond to bank due diligence requests since there is no business relationship between the bank and the aggregator.
Today, technology is fundamentally changing the way financial services are being delivered. Consumer financial data is more available and widely shared than ever before. ABA believes that innovations in financial services present tremendous value. This value is only realized when innovations are delivered in a responsible manner that maintains the trust that is critical to the functioning of our financial system. The focus on the consumer financial data market is important.
By fairly addressing both the opportunities and risks, we have the ability to give consumers innovative services that they can trust. Customers need security, transparency and control to unlock the true potential of fintech and take charge of their financial future.