Consumers have been wrestling for years now about access to their personal data. There are many non-bank financial products such as Mint and WalletGyde that help consumers manage their money, but it has always been a fight between the banks and these companies (of which there are at least hundreds, maybe more). As a group, these companies are called FinTechs.
In Europe, the government said that consumers owned their data and even forced a standard on banks for sharing data with FinTechs that consumers wanted to share with.
In the U.S. there is no standard and up until now no requirement that banks allow you to be able to grant access to your own data. This has led to FinTech companies having to ask you to trust them with your banking userid and password and those same companies having to scrape your data right off the screen. About a year ago I got a message from Chase warning me that if I shared my password with a FinTech company (or anyone else), the bank was disavowing any responsibility for what happened.
This week that all changed.
The Consumer Financial Protection Bureau issued a long waited-for ruling on the subject. Their answer.
CONSUMERS SHOULD HAVE ACCESS TO FINANCIAL DATA THAT IS TIMELY, ACCURATE AND SECURE ON WHATEVER TRUSTED THIRD-PARTY TOOL THEY CHOOSE TO USE.
This is a win for consumers who now will be able to have a more timely and secure method of sharing their data with third parties and it is a win for the FinTechs who have been fighting for this. For the banks, it is not good news, but probably expected. Banks are fighting for their survival. Until say ten years ago, they were the king of the financial hill. Now, they are just one player of many and when it comes to data aggregation, the banks aren’t really much of a player at all. This is one more nail in that coffin.
Up until now the data sharing between banks and FinTechs have been one off agreements between two parties such as:
- Chase and Intuit have created a data interchange agreement
- Wells and Xero have an agreement
- Capital One and Xero have an agreement
- And likely others that we have not heard about
The principles that the CFPB created include –
- Access – users can obtain information from a service provider and grant access to a third party
- Data Scope and Usability – The available data should include transaction and fee information and any other aspect of a consumer’s usage.
- Control and informed consent – Consumers can control their data sharing and revoke it whenever they want to
- Authorizing payments – Accessing data is different from authorizing payments to be made, but consumers may grant third parties both of these permissions.
- Security – The data has to be secure. This seems to give the CFPB a camel’s nose under the tent to make sure that the FinTechs protect consumer’s data.
- Access Transparency – Consumers need to be able to easily understand what permissions they have granted to whom with relevant parameters (like how often the third party can access their data).
- Accuracy – Consumers can expect the shared data to be accurate and have reasonable means to dispute and resolve inaccuracies.
- Ability to dispute and resolve unauthorized access – Consumers have reasonable and practical ways to dispute and resolve issues related to unauthorized access and payments.
- Efficient and accurate accountability mechanisms – Commercial participants (i.e. the FinTechs) are accountable for the risks, harms and costs they introduce to consumers.
So this swings both ways and the CFPB has already whacked FinTechs from time to time (Search for CFPB Dwolla consent decree, for example). All in all, though, I would say that this is great news for consumers, good news for FinTechs and not so good news for banks.
Now it is up to the banks and the FinTechs to work out the details. It is likely to get a bit messy before it gets cleaned up. MAYBE, the banks will agree to a data interchange standard, which would be great, but I haven’t seen anything public on that subject.