Who owns the information in your bank account? Transactions, balance history, every other detail? The answer might seem obvious: You do.
“You don’t. You totally don’t,” says Ed Mierzwinski, Consumer Program Director and Senior Fellow for the U.S. Public Interest Research Group.
Yes, it’s your money. But the data, from savings balances to your history of car payments, belong to whatever institution holds the account. And just who has the rights to see that data has become a pitched battle, with Washington as a front.
There’s a consumer-rights angle, with public-interest advocates and politicians such as Sen. Elizabeth Warren weighing in for stronger consumer protections. But as is typical in Washington, the battle is really between two sectors of the financial industry.
What they are arguing over is a vast trove of information on Americans’ cash flows.
The average American household has several financial accounts – not just checking and savings, but credit cards, retirement savings and loans. And the recent Equifax hack, in which the credit-reporting company revealed that a whopping 145.5 million Americans might have had their information hacked, revealed just how widely our data can spread across the landscape – and just how little control we have over where it goes.
That pot of data is of huge interest to marketers and money managers and the whole multitrillion dollar financial industry. On one side of the lobbying argument are traditional banks – the firms that actually hold your money, operate your online checking account and give you a password.
On the other side is a new breed of financial-service firms, like one-stop digital dashboards to summarize your financial information in one place.
They include financial-management sites like Mint– which, with your consent, can take your passwords and assemble a much bigger picture of your portfolio than any individual bank.
Those firms are a business threat to traditional banks, which make money by expanding their services and keeping customers in-house. But banks also raise legitimate concerns about how and when consumer financial data get shared. Many of the new-generation firms use a method called “screen-scraping” to collect the data, requiring users to share their passwords and security questions, and then getting their information by essentially copy-and-pasting it. From the bank’s end, such access can look similar to a hack.
In a 2015 meeting with Richard Cordray, the director of the Consumer Financial Protection Bureau, J.P. Morgan CEO Jamie Dimon reportedly brought up his concerns over firms that combine financial data from various accounts into a single dashboard for customers, like Mint and Yodlee.
Rob Morgan, vice president of emerging technologies for the American Bankers Association, said the first priority for banks is to keep customer information secure.
“Banks are for customers sharing their financial information,” he said, adding concerns that third-party aggregators could lead to more exposures of consumer financial data, particularly due to screen-scraping. Morgan compared scraping to giving your plumber a set of keys to come into your house at anytime. “The model of sharing right now is not the way,” he said.
The newer financial firms argue that a more open approach to data-sharing is key to enabling innovation—and that consumers deserve a controlled, secure system for sharing their information with whomever they decide to work with. They also argue that they wouldn’t need to screen-scrape if the banks would just offer secure application programming interface portals in the first place.
The issue has ended up in the lap of the CFPB. The Dodd-Frank financial reform law passed in 2010 included a mandate to allow consumers to access their financial data in a usable electronic form, a job that falls to the agency; it asked for input from industry and consumer advocates over consumer financial data in November 2016.
In a speech delivered nearly a year ago in the last place you might expect to find a financial regulator, a Las Vegas hotel, Cordray laid out a view on consumer financial data that seemed to push back on the big banks’ claims, and offer a pathway for more open access to the new firms.
“Many exciting products … depend on consumers permitting companies to access their financial data from financial providers with whom the consumer does business,” Cordray said to the U.S. iteration of Money 20/20, the largest financial technology conference in the world.
“We recognize that such access can raise various issues, but we are gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure.”
Aligned on the side of increased access are not just an array of startups, but the nation’s wealthiest tech firms, who say it would help them provide better products to consumers. Financial Innovation Now, a policy association that includes tech giants Amazon, Apple, Google, PayPal and Intuit, also supports increased data flow, as does the Center for Financial Services Innovation, a nonprofit that receives funding from JPMorgan as well as Mint’s parent company Intuit.
In a letter for the request for information that the CFPB completed earlier this year, CFSI laid out broad principles it hopes will become industry standard: availability of data on third-party applications in a timely and reliable manner, with permission of the customer, and sharing only the minimum data necessary.
A similar model is already being tried in the European Union, where a 2015 rule that will fully phase in next year mandates that banks and other payment services providers like Venmo and PayPal grant the means for secured access, authorized by customers, for transaction history and account balances.
They’re required to provide it through APIs, a form of online interface that allows for controlled sharing of information, and avoids less-secure mechanisms like scraping.
“What is happening there is something we point to as a positive,” says Brian Peters, executive director of FIN.
Many of the new financial firms and banks say they'd prefer to work out a standard on their own rather than by government mandate, and to an extent that’s already underway. JPMorgan and Wells Fargo, both of which had restricted or cut off access to account information to third-party firms, have started to reach individual deals. JPMorgan announced an agreement with Mint, which software firm Intuit owns, and for access to JPMorgan accounts for its applications like QuickBooks and TurboTax. Wells Fargo announced a similar deal with Xero, a New Zealand company that provides accounting software for businesses. But the consumer advocate Mierzwinski is skeptical of industry-driven approaches: If companies set the standard themselves, he says, it “will ultimately prove to be the least common denominator.”
So far, the CFPB has used its spotlighting of the issue to foster more dialogue around consumer financial data between banks and fintech firms, and there’s a good chance it may not take the issue past the dialogue phase: Cordray is rumored to have political ambitions and has less than a year left in his term as director.
That may not be enough time for the bureau to act, even if it wanted to. It’s unclear whether a rulemaking, if the CFPB has the appetite for one, would be met with resistance by Congress, which could potentially overturn it.
For now, the system remains piecemeal, meaning consumers will rely on bilateral deals to keep the data flowing—basically the current status quo.
“You’re going to see industry standards develop and the CFPB monitor them,” says Mierzwinski.