Who Owns Your Financial Data Anyway?

Consumers have been wrestling for years now over access to their personal data. There are many non-bank financial products such as Mint and WalletGyde that help consumers manage their money, but it has always been a fight between the banks and these companies (of which there are at least hundreds, maybe more). As a group, these companies are called FinTechs.

In Europe, the government said that consumers owned their data and even forced a standard on banks for sharing data with the FinTechs that consumers wanted to share it with.

In the U.S. there is no standard and, up until now, no requirement that banks let you grant access to your own data. This has led to FinTech companies having to ask you to trust them with your banking userid and password, and to those same companies having to scrape your data right off the screen. About a year ago I got a message from Chase warning me that if I shared my password with a FinTech company (or anyone else), the bank was disavowing any responsibility for what happened.

This week that all changed.

The Consumer Financial Protection Bureau issued a long-awaited ruling on the subject.  Their answer.


This is a win for consumers who now will be able to have a more timely and secure method of sharing their data with third parties and it is a win for the FinTechs who have been fighting for this.  For the banks, it is not good news, but probably expected.  Banks are fighting for their survival.  Until say ten years ago, they were the king of the financial hill.  Now, they are just one player of many and when it comes to data aggregation, the banks aren’t really much of a player at all.  This is one more nail in that coffin.

Up until now, data sharing between banks and FinTechs has been handled through one-off agreements between two parties, such as:

  • Chase and Intuit have created a data interchange agreement
  • Wells and Xero have an agreement
  • Capital One and Xero have an agreement
  • And likely others that we have not heard about

The principles that the CFPB created include –

  1. Access – users can obtain information from a service provider and grant access to a third party
  2. Data Scope and Usability – The available data should include transaction and fee information and any other aspect of a consumer’s usage.
  3. Control and informed consent – Consumers can control their data sharing and revoke it whenever they want to
  4. Authorizing payments – Accessing data is different from authorizing payments to be made, but consumers may grant third parties both of these permissions.
  5. Security – The data has to be secure.  This seems to give the CFPB a camel’s nose under the tent to make sure that the FinTechs protect consumers’ data.
  6. Access Transparency –  Consumers need to be able to easily understand what permissions they have granted to whom with relevant parameters (like how often the third party can access their data).
  7. Accuracy –  Consumers can expect the shared data to be accurate and have reasonable means to dispute and resolve inaccuracies.
  8. Ability to dispute and resolve unauthorized access – Consumers have reasonable and practical ways to dispute and resolve issues related to unauthorized access and payments.
  9. Efficient and accurate accountability mechanisms –  Commercial participants (i.e. the FinTechs) are accountable for the risks, harms and costs they introduce to consumers.

So this swings both ways and the CFPB has already whacked FinTechs from time to time (Search for CFPB Dwolla consent decree, for example).  All in all, though, I would say that this is great news for consumers, good news for FinTechs and not so good news for banks.

Now it is up to the banks and the FinTechs to work out the details.  It is likely to get a bit messy before it gets cleaned up.  MAYBE, the banks will agree to a data interchange standard, which would be great, but I haven’t seen anything public on that subject.

Information for this post came from American Banker, here, here and here and the CFPB.

Senate Reverses FCC Rule on ISP Privacy Requirements

Last year the FCC proposed a rule requiring Internet providers to get your permission before selling your data.  The rule was set to go into effect in April.  The large ISPs – AT&T, Verizon, Comcast and others – didn’t like this rule since it affected their revenue.  They said that Facebook and Google didn’t need to get your permission, so why did they need to?

After President Trump’s inauguration, the control of the FCC changed and the new chairman, Ajit Pai, suspended the effective date of the rule.  This week the Republican-controlled Senate and House voted to permanently stop the FCC from implementing this rule or anything like it, now or in the future.

So what is the impact to you?

One needs to consider this.  Facebook or Google only has access to your data when you visit one of their websites or their partner websites.

On the other hand, your Internet provider has more information about you, such as:

  • Who you call, when you call, how long you talk, etc.
  • Who you text, when and potentially the content
  • For encrypted messaging like WhatsApp, who you are exchanging messages with and when
  • What web sites you visit, how often and when – even if the data itself is encrypted
  • Your location data – where you go and when and how long you stay there.
  • In fact, they can likely track anything you do online

With no rules, you cannot opt out of this data collection.

A couple of years ago Verizon and AT&T installed secret apps on your phone (Caller IQ, for example), used super cookies and inserted universal identifiers or UIDs, all to track your traffic.  They stopped some of that when it became public and the bad press outweighed the revenue.

Again, with no rules, ISPs can keep this data for as long as they want to keep it.  In addition, they can sell it to whoever they want to.  Or give it away.

Obviously, this does not overturn any other laws, but in general, there are very few rules in this arena.  This is especially true when it comes to metadata.  There is a difference between selling your emails and selling the fact that you sent an email at this time to this person.

There are also no rules regarding who they can sell (or give) this data to.  Could be your employer or your insurance company or even law enforcement.

Recently we saw that Scotland Yard hired hackers in India via the Indian police to hack journalists they were interested in eavesdropping on.

Assuming your ISP decides to collect and keep this data, there is no reason why the police couldn’t either ask them nicely for it or subpoena it.  We have already seen cases where the police want the data in your Amazon Echo and even the data in your smart water heater, so why not this data?

Could your insurance company or employer ‘acquire’ this data, directly or indirectly?  I don’t see why not.

And, you apparently have no way to opt out –  unless the ISP voluntarily decides to give you that option and I would not count on that.  I do not expect this to change during the current administration, but it could if enough people complain.

We live in an interesting world.

Information for this post came from PC Magazine.