The CFPB must act to give consumers ownership and control of their data
But taking the notion of consumer ownership seriously is more difficult than it appears.
Amias Gerety joined QED as a partner in 2017 to find new investment opportunities with a focus on back-office technologies and infrastructure companies. Chris Odinet is a professor of law at the University of Iowa.
For years, fintechs and banks have been in a battle over access and control of consumer financial data. And now, the Consumer Financial Protection Bureau has taken the first steps toward issuing a rule, first authorized in the Dodd-Frank Act of 2010, that would give every consumer clear control over their financial data. The rule would outline how consumer rights to financial data should be operationalized, including the obligations of those who hold or want to use the data.
But unless people are closely tracking bank regulatory newsletters, they may not have noticed that this rulemaking is underway. Even without such a rule, fintech customers have become familiar with the "link your bank account" screen, enabled through an uneasy détente between banks and fintechs. Today, fintechs use data aggregators to "scrape" this information and build new financial services on top of it. Examples include management tools that can monitor spending patterns and make budgets or suggestions for saving, and consumer loan underwriting that's based on real bank account cash flow instead of credit scores.
However, because scraping technically violates financial institutions' terms of service, this access is unstable, and many large banks have frequently threatened to shut it down while trying to push for industry standards or utilities where they would have more control.
Moreover, the actual effects of sharing financial data with a fintech are often opaque to the consumer. Many fintechs use that authorization for daily or even more frequent data pulls — and then use the data for analytical or monitoring purposes that the consumer may not understand. Today's equilibrium provides access but very little control.
Nonetheless, the CFPB's request for comment has been greeted by eerily similar rhetorical flourishes on all sides of this battle. Banks, consumer-facing fintechs and the data aggregators all acknowledge that financial data belongs to the consumers.
Taking the notion of consumer ownership seriously, however, is more difficult than it appears.
The U.K.'s experience with open banking is instructive. The U.K. government's rules on consumer data were explicitly targeted to make it easier for new banks and fintechs to compete with established players. But without clear standards for the process and form of the data, each large bank set up a series of Rube Goldberg-esque steps necessary to access the data.
The U.K. then quickly set up a publicly chartered corporation to centralize the access point for open banking data. Now there is a single access point for consumer banking data, but as a consequence, any startup that wants access to that data on behalf of its customers has to go through a licensing process. The U.K. approach would require new legislation to happen here in the U.S., but it shows clearly that, absent implementing standards, forces can easily enshrine either an oligopoly of aggregators or an equilibrium with very little data sharing.
The CFPB's decade-long delay in issuing this rule at least gives us a chance to learn from others. As in the U.K., CFPB action must make clear that the consumer has the right to the data and can demand the data. Even further, the CFPB must require that the data is actually furnished. But the regulation cannot simply reflect today's arrangements. We can also go beyond merely addressing point-of-access concerns to putting consumers in control of their financial data throughout the life of their financial relationships.
For example, there are advances in computer science that allow for data to be shared in the form of attestations, such as verifying that someone's age is over 21, rather than asking for a copy of a driver's license. New approaches to machine learning allow predictions to help consumers without ever storing raw data about spending patterns, and the blockchain community has been experimenting with ways to compensate consumers for data usage. [Disclosure: QED has made investments in these areas.]
If the CFPB embraces its role as a consumer advocate, it can push the boundaries here, not simply require another disclosure and permission screen as we've seen become ubiquitous with web cookies. Federal law requires a simple disclosure format for credit cards known as the Schumer box. This law requires credit card companies to disclose their rates, fees and other terms and conditions using the same "box" format, thereby making comparison shopping easier. The CFPB should consider that same approach for data, requiring the players in this system to couple clear disclosures with granular controls — an interactive Schumer box for financial data access.
The future of financial services is both digital and data-rich. While we know that financial institutions need our data for underwriting, payments, lending and insurance, control of our data belongs to consumers. The CFPB's new rule should see to it that financial institutions treat it that way.
Amias Gerety joined QED as a partner in 2017 focusing on supporting the portfolio and finding new investment opportunities with a focus on back-office technologies and infrastructure companies. Amias brings a deep background in financial markets, compliance and RegTech to the QED team. Most recently, Amias served as the president's nominee and as acting assistant secretary for financial institutions at the U.S. Department of the Treasury. In that role, he was the lead adviser to the secretary on policies affecting financial institutions.