Wednesday, December 6, 2023

What fintechs think of the CFPB’s proposed data-sharing rule


Penny Lee, CEO of the Financial Technology Association (left), and Steve Boms, executive director of the Financial Data and Technology Association of North America, see the CFPB’s proposed rule implementing section 1033 of the Dodd-Frank Act as a win for consumers.

Transcription below:

Penny Crosman (00:03):

Welcome to the American Banker Podcast. I’m Penny Crosman. The Consumer Financial Protection Bureau has come out with its long-awaited rule on data sharing: Dodd-Frank Act section 1033 on consumer access to financial records. Here to share their take on the proposed rule are Penny Lee, president and CEO of the Financial Technology Association, and Steve Boms, who is executive director of the Financial Data and Technology Association in North America. Welcome Penny and Steve.

Penny Lee (00:32):

Thanks, Penny. Good to be here.

Penny Crosman (00:35):

So Penny, in case people aren’t familiar, can you share a little bit about the mission of the FTA and who your members are and the kinds of work you’ve been doing?

Penny Lee (00:46):

Sure. Nice to be here. As I said on the show, I am president and CEO of the Financial Technology Association and we are an organization comprised of what we refer to as digitally native financial services companies. So some of these are what you would consider consumer facing. So some names that you might hear of such as Venmo, Cash App and others. Some large majority of them, though, are kind of what we would call in the infrastructure and making all of the apparatus flow between your e-commerce, between your digital banking, between digital investing, all kind of a host of everything that is now digitally financial services companies. So some of them, like I said, some of them you might recognize their names such as PayPal, Block, Stripe, Square, others such as in the buy now, pay later area such as Zip, Klarna, Zilch, many others in digital investing, like Betterment. So what we would call a wide aperture of how we define digitally native financial services. So things that you interact with both from a consumer and a small business most likely on a very daily basis.

Penny Crosman (02:07):

Penny, can you say how many members you have?

Penny Lee (02:10):

Sure. We have 26 members and like I said, they kind of go through a wide aperture payment companies, lending companies, buy now pay later, earned wage access, AI companies that are focused in using AI for credit underwriting. Also thinking through kind of how we do income and employment verification, capital markets and other infrastructure such as data aggregators like Plaid and MX, Stripe and others.

Penny Crosman (02:39):

Okay, thank you. And Steve, same for you. Can you tell us a little bit about the mission of FDATA and the kinds of work you do?

Steve Boms (02:47):

Of course, Penny, and thanks for having me. So FDATA, the Financial Data and Technology Association, is a global trade association of financial technology companies of data platforms and as financial services companies started in the U.K. back in 2013 where the U.K. was going through its open banking journey. And we are a consortium that advocates for government-led open banking mandates across the globe and here in North America. We engage with policymakers both in the U.S. and Canada as both of those countries are obviously on their own independent journeys. And in North America we’ve got just less than three dozen different companies that are members and similar to Penny and the FTA, they all have different use cases. They all provide different services, products or tools, either directly or through B2B relationships with other companies. But the one thing that they all rely on to provide the benefit of their product or service, their tool to the end user is the ability of that end user to permission access to some part of their financial data held somewhere else in the financial service ecosystem.

Penny Crosman (04:04):

So you both have fintech members that take in data for the products that they offer, take in bank account data basically, and then other kinds of financial transaction data. So all of them will clearly be affected by this 1033 rule. Penny, can you share what was your reaction to the rule and what did your members think of it?

Penny Lee (04:37):

Well, we are still working through it in the sense that it’s not final yet, but this is 12, 13 years in its making and something that our members, it started off with Dodd-Frank when it was first drafted and this section has been included, it has now taken 13 years to get to where we are today, which is going into the final phase of making it into our final rule. So we have been pleased with the progress that Director Chopra and others have made to get it to this point because we really believe it’s a win for consumers. The United States has kind of lagged behind in what the open banking, open finance rules have been and we truly believe, along with Director Chopra and President Biden and others, that consumers have the right to their data, the right to their financial data to be able to share it with institutions or financial technology companies or others, permission it in a way and be able to share their own data that they own so that it can create better outcomes for themselves.


Whether it’s in working with a fintech app to be able to budget better or to be able to manage their own finances or to think through investment opportunities or for others to be able to think through and look at a holistic viewpoint of who the consumer is for better underwriting, for working with credit unions to be able to determine whether or not what kind of credit should be available to them. So we truly believe this is a win for consumers and will really put the United States kind of on footing with many other regulatory bodies across the world.

Penny Crosman (06:19):

Where do you think that’s not happening today? Because obviously we have a situation where data aggregators take data from banks either through APIs or screen scraping and feed them to fintechs. Where is today’s landscape of current practices breaking down?

Penny Lee (06:42):

I would think some of it is in the uncertainty of it, and that is that there aren’t real clear rules of the road. And that’s what this rule will do is certain institutions, each institution has their own way in which they handle data, in which they share it, in which they allow the consumers to have access to it. And so this is codifying in saying that consumers do have that right to their own data to be able to share in the ways in which they would like to. So some of the hindrance has been just there’s many different institutions. As you know, we have over 4,900 or 5,000 banks and institutions. Each has a little bit different approach, but this will actually codify and say this is the type of information that can be and should be and needs to be shared. This is the kind of information that consumers have the right to and to be able to interact with the financial labs or for the other financial institutions if they want to move banks to be able to get a better interest rate or whatever the case might be, that that is done in a much more seamless and much more certain way.

Steve Boms (07:53):

And Penny, if I could, I would actually go a step beyond where Penny just went. I would argue that the fact that the Bureau released this proposed 1033 rule, I think underscores that the market can’t deliver this on its own. It’s been trying for the last functionally 20 something years. We have members in FDATA who have been at this since the late nineties, and I think Penny articulated a number of the reasons why there are these challenges. But today, if you’re a consumer and you’re trying to use a third party tool, or for that matter if you’re trying to share data between one bank and another bank, because the dirty little secret here is it’s not just fintechs that are accessing data with consumers’ permission, it’s banks as well and credit unions, you may not be able to do that or you may be able to only do that for some of your data, but not all of your data.


But generally speaking, when you are able to share access to your data to use another tool, it’s governed by a bilateral contract between a data intermediary and a bank that you, the end user, have no transparency into, no control over and either that dictates whether you’re limited in what data you can access, what use cases you can or can’t access, that doesn’t provide for an even playing field. And to Penny’s point, it’s also not scalable across the entire ecosystem. Each institution has its own terms and conditions. As Penny said, it can take anywhere from six months to three years to sign these bilateral agreements. And so expecting that 9,000 banks, credit unions and other institutions that are effectively data providers are going to be able to execute bilateral agreements with every intermediary or every third party in the U.S., it’s just not realistic. And so that’s why 1033 is such an important development.

Penny Crosman (09:47):

So would you prefer that bilateral agreements not happen?

Steve Boms (09:54):

I think for the data that’s included under a 1033 rule, the objective would be that there would not need to be bilateral agreements. Ultimately, what the CFPB is trying to do, at least in our view in this rule, is to create the standards through which from a policy perspective and to some degree a technology perspective, although they’re not specific on what technology has to be used, take the types of things that are negotiated in these bilateral agreements and set floors, set standards for what those should be. And so our view would be as more and more data is ultimately made available under 1033 and the Bureau has articulated in this proposal that they intend to start with Reg E and Reg Z and then kind of work their way from there and that there would be less and less need for bilateral data access agreements moving forward.

Penny Crosman (10:45):

And what would you like to see in those standards that need to be formed?

Steve Boms (10:52):

There’s a lot there, Penny. So I think first and foremost where the Bureau has started in this NPRM is the right place. So number one, a transition away from credential-based screen scraping towards what they call in this rule developer interfaces, but what in present day we all think about as APIs, I think everybody agrees in the marketplace that APIs are a more efficient, more effective, more secure way of accessing data. Having then mandated that these APIs be built, the standards would include things like what data fields need to be made available through the APIs, how much volume should those APIs be able to handle on a daily, monthly basis, how responsive should the APIs be in terms of how many seconds does it take between when you give your authorization as a consumer and when that data is then transmitted, what is the minimum uptime of those APIs on a daily, monthly basis? How accurate is the data that’s put on these APIs versus the accuracy and the reliability of data through the main consumer-facing portal through which you access your data just to check your balance through your bank. Those are the types of things depending from a technology perspective that we’re hoping the final rule incorporates. A lot of that is already captured in the proposal.

Penny Crosman (12:17):

One thing that I hear in the field is that often there will be an API that was created as a result of a bilateral agreement as you were saying, but then the data aggregator involved will scrape additional data that the fintech wants that the bank doesn’t necessarily want to share or doesn’t feel is appropriate. What do you think is the way to approach that kind of friction?

Steve Boms (12:50):

Couple thoughts there, Penny. So first I might even just go level up from that question. It is not the case that it’s always a fintech is the data recipient and a bank is the data provider in many cases.

Penny Crosman (13:02):

But that’s usually the case.

Steve Boms (13:04):

No, it’s not true. It’s not true. So by volume, a majority of data today is actually being collected and accessed with consumer’s permission by financial institutions, not by fintechs. So I think when you think about how 1033 works, the best kind of frame of reference is there’s a data provider, there’s a data recipient, and there’s typically a platform in the middle of consumer permission platform in the middle that’s enabling that access. The reason why any third party, whether they’re a platform or a fintech or anybody else would scrape data when there’s an API available is for one of just a few reasons. Number one, that data isn’t in the API. Number two, the API is not reliable enough to use. And so it’s a binary choice in those situations. Either the consumer doesn’t get to use the product, the tool, the service that they’ve signed up for or the only way to get that data is through other means. And so the solution to that is ultimately to have as much data as possible made available through APIs that are robust, reliable and usable so that there’s no need for scraping anymore.

Penny Crosman (14:16):

So I guess just where I’m not understanding that point is if party one and party two have agreed to an agreement and an API where we’re going to share these eight data fields and then party B decides later this isn’t enough, why don’t they work that out rather than just try to grab more data.

Steve Boms (14:45):

In the example you’re giving, Penny, party B has articulated for months or years the full scope of data that’s required for existing use cases that party A’s customers depend on today and party A and party B were for whatever reason not able to come to an agreement on adding those data fields to the API. So I would argue it’s not the case that party B is changing its mind at some point later in the future. There’s just no other way that party B can access that data. Having made party A aware that that’s the data that’s required to fuel use cases that its customers use today.

Penny Crosman (15:21):

Well, where do you both see the line between data that the customer should have control over versus proprietary data? I mean one thing I noticed in the CFPB rule was that terms and conditions of products are to be included and reward programs and things like that, which I would’ve thought was not necessarily customer data but more a company’s business model data. But where’s the right boundary between data that is appropriate to share out and data that can be considered proprietary?

Steve Boms (16:10):

In our review, Penny, we spent a lot of time at FDATA thinking about where that line is. And so the way that we’ve kind of defined it as proprietary data is customer data to which some type of analytics or other type of additional calculation has been applied. So for example, a credit score, that would be proprietary, right? Because it’s not just your raw data, there’s some type of analytics that have been applied to it to assess your credit worthiness, but generally speaking, transaction data, experience data, the fees that you pay, the interest rate that you pay or that you earn, the terms and conditions that dictate how you can and can’t use the account or the product that you’ve sent up for. We do view that all as data that the customer should be able to share electronically. And I guess in its simplest form, the way that I think about this is 1033 is obviously it’s getting a lot of attention and we’ve been advocating for it for many, many, many years, but at its simplest form it’s taking the shoebox full of account statements and receipts that you used to have to bring to your accountant once a year or to your financial advisor and it’s just digitizing that.


So if you’re able to go online to your consumer facing portal and download your terms and conditions of your account and print those out within the shoebox, you’re able to print out your statement and you’re able to print out your receipts and put them in a shoebox. All 1033 is doing is saying you shouldn’t have to go through the rigamarole of printing all that paper and trying to sort through it. You should just be able to do that digitally. And in that context it makes a ton of sense, at least from my view, that T’s and C’s should be part of the scope of data that’s included.

Penny Crosman (18:07):

So other than a credit score, nothing is off limits. Anything that’s a part of an account statement should be shared, in your view.

Steve Boms (18:18):

Unless there’s analytics applied to it. And so the credit score was just one example of that, Penny, but there are others. So the output of a KYC check that a financial institution does that’s taking in raw customer data and it’s making an assessment of whether or not it’s sufficient information for the institution to know their customer. I think the same would be true of any type of BSA checks that a financial institution does. But there’s a number of examples, but as a general matter, your transaction data as a customer, your experiential data in our view, that should be yours to share if you want to.

Penny Crosman (19:01):

And what did you think of the need to re-up the permission every year? So it’s not just never ending, but the person has to recommit to sharing the data annually. Does that make sense to you?

Steve Boms (19:18):

We can see because we’ve moved, as Penny Lee said earlier, we’ve moved more slowly than other markets. We can see kind of what best practices are and so a year is probably appropriate in the U.K. and Europe. They started at a 90-day authentication requirement and what they found was because consumers signed up for on average something like seven different open banking accounts, in actuality they were getting these 90-day pings about once a week or so and it just became too much for consumers to kind of go through and sort. And so adoption of open banking tools dropped significantly and so they went back ultimately and revised that 90-day requirement to make it less friction-full. So I think 12 months generally is more appropriate certainly than 90 days. There are some use cases for which you don’t need anything beyond just a one-time access. There are some use cases for which persistent data test make sense, but ultimately a framework that says to the end user, Hey, you’re in control of this. You can rescind this at any time and here’s how you do it means that it’s unlikely that somebody would have authorized access and not interacted with it by the time a year is out in one way or another. So we think that the control framework is appropriate.

Penny Lee (20:41):

And I’ll just weigh in a little bit on that as well is that we also want to ensure that the consumer has a full understanding of how their data is used because to instill trust, as we bring this rule forward and as this permission comes into law and consumers start to use it, we want to ensure that trust and safety is continued throughout. And so we want to make sure, as you saw in the outline, and we’ve also adopted our own privacy along with FDATA privacy rules, to ensure that the consumer has a full understanding of how their data is being used when services are requested, the right to remove themselves, the right to delete their own data. So all of those protections are also an important part of this because there’s nothing more important than obviously your financial data when it comes to how it’s being moved, how it’s being shared, where is it going, and for a consumer to have full control of that.


So we applaud the efforts and the consumer protections that were put into place. Well, can you continue to have our own standards and privacy and other rules? We would hope that the United States on a separate matter would move to a full data privacy, applaud the house for moving through in the house financial services, a markup on the data privacy, would love for the United States to adopt a full federal exempt so that we don’t have 50 different state rules, but we want to make sure that the consumer has trust in the system, that they have the ability when they both either capture or share the data that is done in a safe and secure manner.

Penny Crosman (22:25):

I looked through the rule and I wanted to see if there was a ban on screen scraping. Definitely the rule says that a company should use APIs to share any data that the consumer decides they want to share, but I didn’t see the term screen scraping anywhere. Do you see this rule as banning screen scraping?

Steve Boms (22:54):

Penny, I think the rule very clearly requires institutions to block efforts to undertake screen scraping for covered data that’s made available through APIs for covered accounts. And so number one, yes, I do think the rule has that in there. Number two, I think if you look at the rule as a whole, the framework it sets up is a significant incentive to consume data through APIs, which would mean that there is really no reason to go through screen scraping. That said, it’s really important to remember as currently constructed this rule would apply to Reg E and some Reg Z accounts. There is a very wide scope of additional accounts that consumers interact with that the rule at present would not cover. To the extent that some institutions make data for those accounts available through APIs and some do already, then every single third party would still prefer and will continue to access that data through APIs.


But if that data is not available through an API, even after this rule is finalized and implemented, the fact remains that it’s still a binary choice. If a consumer says, as an example, I want to share information from my mortgage account with a tool that can help me figure out if refinancing is the best option for me by comparing rates in my specific particular unique mortgage needs, if the financial provider, if the mortgage lender doesn’t have mortgage data available in their API, the only way to get access to that data even after this rule is final, will be through screen scraping. So over time, once mortgage data is included under 1033, there wouldn’t be a need to go through screen scraping because that data would be available to the APIs. But until then, I think the best way to look at this rule is a fast but thoughtful transition away from scraping towards APIs. And by the way, as I think you’ll hear from many of our members, the market has already started meaningfully moving towards API consumption over the last several years. This is going to help hasten that.

Penny Crosman (25:15):

Is there anything in this rule that you or your members would like to see changed or done differently?

Steve Boms (25:27):

There are some things, Penny, that I think we’d like to see enhanced here. So as one example, we are, as you probably can tell, we’re advocates of additional accounts beyond just Reg E and Reg Z accounts being included under the rule. We acknowledge the CFPB is saying you’re going to do that in future, but we’d still very much like to make sure that that happens as quickly as possible. The CFPB in this proposed rule asks whether EBT accounts should be added to this rule. We strongly think that they should be. We don’t have a two-tiered financial system where wealthier consumers have some rights and protections but less wealthy consumers don’t. We have some suggestions to the CFPB around some of the SLAs that they have in this rule for the APIs particularly are making sure that there’s enough capacity for the volume that’s required through the API traffic. And we have some kind of technical things we want to clarify around how authorization and confirmation of authorization work. But broad strokes, Penny, we are very supportive of what the bureau has put out here.

Penny Lee (26:38):

Yeah, I would echo the same thing with the support for expanding eventually going into an open finance with the expansion beyond Reg E, Reg Z, also on the EBT. And then we’re also going to be taking a look at also some of how the data is used as well and whether or not to make sure that it’s not prohibited from research or from fraud prevention or some other potential secondary use. And so we’re going to be digging into that aspect of the rule too and have a full comment if it is implemented as is.


Penny Crosman:

What are some things your members might need to do differently?

Penny Lee:

I think for our members is, I don’t know about do differently, but they will have access to a fuller scope and to a fuller understanding of who the consumer is. And so they will be able to interact and engage with the consumer in likely more personalized ways, meaning to push notification on, hey, did you know you could save this amount? Or here’s a budgeting tip that you might be able to do. Or when we look at you from a holistic part from credit underwriting, here’s where I think in working with a financial institution, here’s where we think this person might be able to have, where the amount of credit that should be available to them as well. So I think it’s less on what will they do differently is that there’s just going to be a whole host of greater information about the consumer, the ability to interact with them, to be able to provide them digital tools and other matters that be able to have them live a healthier and more complete financial life. So we’re excited about what this rule will bring.

Penny Crosman (28:32):

How about you, Steve? Any thoughts on what your members will need to change?

Steve Boms (28:40):

So Penny alluded to FDATA and the FTA have put out our own privacy frameworks from the FDATA perspective. That includes things like compliance with safeguards, rules like GLBA, like data privacy requirements. So worth noting that this rule proposal would require that entities that access consumers’ data with their permission comply with those things, right? So not something that our members aren’t doing already, but just for third parties generally, that could be an uplift in terms of the way that they manage consumer privacy. There’s going to be a prescribed authorization procedure and so any third party, whether they’re a bank or not, that’s accessing data with a consumer’s permission is going to need to follow that authorization flow. And the same goes for some of the prescriptive requirements around disclosure and consumer consent.


So those things we think are appropriate and our members are doing those things today. But I think it’s really important to understand this is a balanced rulemaking from our perspective. So it certainly puts requirements on the backs of data providers to make this data available, but it similarly puts requirements on third parties or data recipients to make sure that when they do access the data, they’re doing it responsibly, they’re doing it under a strong data privacy regime and perhaps most importantly, they’re doing it with the full consent and at the full express direction of the consumer.

Penny Crosman (30:15):

Alright, well Penny and Steve, thanks so much for joining us today and sharing some of your perspective. And to all of you, thank you for listening to the American Banker podcast. I produced this episode with audio production by Kevin Parisi. Special thanks this week to Penny Lee at the FTA and Steve Boms at FDATA. Rate us, review us and subscribe to our content at For American Banker, I’m Penny Crosman and thanks for listening.
