House fintech task force discusses consumer data privacy
On September 21, the House Financial Services Committee’s Task Force on Financial Technology held a hearing titled “Preserving the Right of Consumers to Access Personal Financial Data” to discuss developments in fintech sharing and consumers’ right to control their own financial data. Task Force Chair Stephen Lynch (D-MA) opened the hearing by expressing his concerns about the “uncertainty given the transformational technology and advancements as well as changing relationships and customer preferences.” He also noted that while the Committee is in agreement regarding the importance of protecting consumers’ control over their own financial data, “there’s a question whether both regulators and policymakers alike are moving fast enough to address the uncertainties.” The committee memorandum focused on recent developments in the data sharing fintech ecosystem discussed during the hearing, which included the following, among other things:
- Consumer Data Market Participants. The task force reported that new technologies have led financial service providers, such as data aggregators and payment processors, to utilize consumer-authorized data. The task force also noted that data privacy advocates have concerns that consumers may authorize the use of their data for purposes beyond what is understood by the consumer, and stated that the CFPB may consider the need for regulatory guidance on data use limitations, including possible time restrictions, in its rulemaking.
- Regulatory Structure Over Consumer Data. The task force discussed federal and state laws that cover data privacy, such as the Gramm-Leach-Bliley Act, FCRA, ECOA, and EFTA and their respective purposes in protecting consumer data through privacy and security.
- Screen Scraping, Application Program Interface (API), and Open Banking. The task force noted that many data aggregators have transitioned to using a structured data feed or API, instead of credential sharing and screen scraping. However, the task force expressed concerns that these methods may “lack adequate consumer protections and privacy protections, and face cybersecurity weaknesses.”
- DFA 1033 Rulemaking, Executive Order 14036, and Other Recent Developments. The task force discussed regulatory guidance and the need for clarity on consumer data sharing between financial institutions. The task force noted that some concerns from consumer advocates may involve the burden of liability or risk shifting to the consumer when consumers provide consent to financial institutions.
- International Data Sharing Landscape. The task force mentioned that several foreign countries promote consumer-permissioned data sharing access through APIs, due to cybersecurity concerns. For example, the United Kingdom requires large banks to adopt open API banking standards and the European Union’s General Data Protection Regulation established a set of rules regarding personal data throughout the EU.
Task force members heard concerns from witnesses regarding tighter legal and regulatory measures around data-sharing among financial institutions and third parties, in addition to requests for more robust, informed consent from consumers when their information is aggregated and allocated. Congressman Davidson (R-OH) expressed hope that the CFPB will find that individuals have a property right in their own data, and called for regulators to continue to “provide [a] consumer-focused, principle-based framework that will allow for innovation and competition.” He also found it encouraging that the “CFPB [is] continuing to make progress towards rulemaking under Section 1033 of the Dodd-Frank Act.”