
FinRegLab Responds to Comments on Proposed Third-Party Relationships Guidance


WASHINGTON, D.C.,

BY EMAIL

Chief Counsel’s Office

Attn: Comment Processing

Office of the Comptroller of the Currency

400 7th St. SW, Suite 3E-218

Washington, DC 20219

Mr. James P. Sheesley

Assistant Executive Secretary

Attn: Comments-RIN 3064-ZA24

Federal Deposit Insurance Corporation

550 17th St. NW

Washington, DC 20429

Ms. Ann E. Misback

Secretary

Board of Governors of the Federal Reserve System

20th Street and Constitution Ave. NW

Washington, DC 20551

RE: Proposed Interagency Guidance on Third-Party Relationships: Risk Management, Docket No. FRB OP-1752, FDIC RIN 3064-ZA26, OCC-2021-0011

FinRegLab is pleased to submit these comments in response to the agencies’ Proposed Interagency Guidance on Third-Party Relationships: Risk Management (“the Proposed Guidance”) as it potentially relates to customer-directed data transfers from depository institutions to other financial services providers. Such transfers, which facilitate the exercise of consumer rights under § 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act,[1] are fueling an increasing range of financial services in the U.S. and warrant careful attention by regulators. However, as detailed below, recent history has illustrated that there are substantial disadvantages to attempting to manage their potential risks through guidance that is primarily designed to address how depository institutions structure their relationships with companies from which they obtain products and services or through which they conduct their own business activities.

Harmonizing and clarifying the agencies’ risk management expectations for depository institutions with regard to customer-directed data transfers could be extremely helpful to the market, but we urge the regulators to consider the implications of relying so heavily on general third-party service provider frameworks for managing associated risks, to consult closely with the Consumer Financial Protection Bureau and Federal Trade Commission regarding their rulemakings on closely related topics,[2] and to seek additional input from stakeholders in finalizing such guidance. Coordinated action is critical between federal regulators to continue moving the growing ecosystem for customer-directed transfers toward adoption of safer technologies and practices without undermining consumers’ § 1033 rights or frustrating the law’s potential benefits for competition and innovation.

Background

Established in 2018, FinRegLab is an independent, nonpartisan innovation center that tests and monitors the use of new technologies and data to drive the financial services sector toward a responsible and inclusive marketplace. Through our research and policy discourse, we facilitate collaboration across the financial ecosystem to inform public policy and market practices.

FinRegLab has focused on issues concerning customer-directed data transfers since the launch of our first empirical project in 2018, which evaluated the use of cash-flow data from bank accounts and other sources in underwriting consumer and small business credit.[3] We structured our work as a case study of the potential for customer-directed data transfers to spur greater competition and innovation in financial services, and concluded the project last year by publishing a policy analysis of how various stakeholders could help to strengthen financial inclusion and borrower protections in the broader ecosystem.[4]

In partnership with the Financial Health Network, Flourish, and Mitchell Sandler, we also published a report that describes existing U.S. federal law governing consumer financial data and highlights open issues, areas of ambiguity, and other emerging topics.[5] We also partnered with the Federal Reserve Bank of San Francisco in 2019 to host a symposium on the Role of Consumers in the Data Ecosystem,[6] and were invited to participate in the Consumer Financial Protection Bureau’s 2020 symposium on consumer data access issues[7] and a recent hearing by the House Financial Services Committee’s Financial Technology Task Force on preserving customers’ rights to data access.[8]

Our prior publications contain substantial analyses of the technology, market, and regulatory context that is shaping customer-directed data transfers, and are incorporated by reference. We focus these comments on major themes and recent developments. FinRegLab is not an advocacy organization, but through our research and engagement we work to identify market and policy issues that will be particularly critical in determining the benefits, risks, and scale of adoption for specific data and technology uses.

Discussion

A. The potential benefits, risks, and scale of customer-directed data flows

The generation of customer financial data has accelerated exponentially in recent decades as the financial services industry has come to rely heavily on digital information sources, back-office automation, and electronic service delivery. The increasingly sophisticated use of data and technology can produce significant benefits for consumers and small businesses, for instance by increasing the speed and convenience of financial services delivery, expanding access for historically underserved populations, supporting more individually tailored financial products and services, and giving customers more control over their financial lives. Congress decided that § 1033 of the Dodd-Frank Act would facilitate such innovation and competition benefits by granting consumers the right to access the data collected and generated by financial services providers with respect to consumers’ accounts for consumers’ own benefit.[9]

The ecosystem for facilitating such transfers has grown substantially over time, with data aggregators at its hub acting on behalf of consumers to transfer information between providers. Aggregators have historically operated by obtaining consumers’ bank log-in credentials and collecting data through a process called screen scraping. Executing transfers through such means allows consumers to direct the data to the financial services provider of their choice, though it can have significant disadvantages for data sources, data users, and customers relative to more modern technologies that are now gradually being adopted pursuant to bilateral contracts between large aggregators and data sources.[10] After substantial growth during the COVID-19 pandemic, roughly 50% of U.S. consumers are estimated to have signed up for financial services that frequently rely on aggregators to effectuate transfers.[11]

Many of the initial financial services that were facilitated by this system involved financial advisory and account management offerings for relatively wealthy and/or technologically sophisticated consumers, often provided by banks and other traditional market participants.[12] But over time customer-directed transfers have come to support an increasingly diverse range of financial services—including various personal financial management (PFM) platforms, payment services, and credit products that rely on automated verification services and/or new data sources for underwriting—by an increasingly broad range of providers to an increasingly broad range of customers.[13] Our research suggests that customer-directed transfers could be particularly important for addressing concerns about the fairness, inclusion, and general predictiveness of credit underwriting models by providing more holistic, real-time information about both consumers and small businesses. These concerns have substantially increased in recent months due both to economic damage from the COVID-19 pandemic and to greater awareness of the effect that racial disparities in credit information systems and underwriting have on wealth gaps and broader economic participation.[14]

Yet while the scale and significance of customer-directed data transfers continues to increase, the regulatory frameworks that govern such transfers have not kept pace with technology and market changes. For instance, data sharing and usage practices have evolved significantly over the past two decades, but information security requirements for non-banks have not been updated since the initial implementation of the Gramm-Leach-Bliley Act in the early 2000s.[15] The CFPB also has not yet implemented § 1033 or clarified the application of various existing protections to customer-directed data flows, such as whether banks may initially have to absorb certain costs for unauthorized transactions in the event that a consumer’s log-in credentials are misused in connection with a data transfer.[16] The CFPB also has not yet taken steps necessary to begin examining larger data aggregators and certain other non-bank data users for compliance with various federal laws.[17]

B. The role of third-party guidance in shaping the current market

In light of this broader context, it is understandable that prudential regulators have come to view the increasing volume of customer-directed transfers as a potential source of risk for both depository institutions and their customers, and have begun emphasizing the need for better monitoring processes and substantive standards in recent years.[18] The Office of the Comptroller of the Currency has specifically relied on its third-party guidance to manage such risks, for instance by issuing 2020 FAQs stating both that data-sharing contracts or other “business arrangements” between banks and aggregators increase the banks’ monitoring obligations and that banks have certain due diligence obligations even in the absence of such business arrangements.[19] However, other differences in the three agencies’ written guidance and variations in oral feedback from individual examination teams may also have contributed to uncertainty about when and how third-party principles and processes should be applied to data aggregators[20] and/or their downstream customers.[21]

The effect of the guidance on the current market is difficult to quantify but is frequently cited by large national banks as they have been negotiating bilateral agreements to govern data sharing and the move to technologies such as read-only tokenized access and application program interfaces (APIs). Some banks have gone so far as announcing that they have or are preparing to block any screen scraping by aggregators who have not already signed data sharing agreements,[22] and two large aggregators have indicated that 75% to 80% of their data transfers will be pursuant to such contracts by the end of 2021.[23] While contractually governed data flows may still be effectuated via credential sharing and/or screen scraping as the parties work to implement new technologies, they have served as the first step toward enhancing information security and privacy protections as well as increasing the accuracy and efficiency of data transfers.[24]

Yet while the market is gradually moving toward more secure technologies, recent experience has also revealed substantial disadvantages of relying on bespoke agreements, technologies, and monitoring programs to manage the broader ecosystem. Where each bank has its own interpretation of third-party obligations and list of demands, negotiations take substantial time and resources and implementation becomes more complex for aggregators and end users. In addition, there are concerns that business incentives and unequal bargaining power are skewing both the terms of the contracts and the ways that they are executed in practice. For instance, banks have strong competitive reasons to want to limit data flows to rival financial services providers beyond concerns about information security, privacy, and liability, and may not be strongly motivated to structure or maintain technical systems in ways that reduce process frictions. At the same time, as the contracts place increasing responsibility on data aggregators, it is unclear whether they have either the incentives or clout necessary to monitor end users consistently on all potentially relevant issues, especially since the end users are the aggregators’ customers. And efforts to develop common standards and platforms have been substantially complicated by competitive tensions and coordination challenges among different market actors.[25]

In addition, smaller institutions face particular challenges in contracting with and monitoring the activities of other actors in the ecosystem. Smaller banks’ practical ability to facilitate data access is often limited due to dependence on core processors and other vendors to implement technical solutions, limited technology and compliance staffing, and the fact that their small scale affects their degree of contracting and monitoring leverage relative to larger counterparties. The more intense due diligence and monitoring expectations become under third-party guidance frameworks, the more that some banks may be inclined to refrain from attempting to negotiate data sharing agreements or simply to shut off access altogether, notwithstanding the rights created by § 1033.[26] Particularly to the extent that smaller institutions may tend to focus on historically underserved populations, this pattern also may affect financial inclusion and the accrual of benefits and risks from authorized data access to different groups of consumers.

For all of these reasons, there are practical and conceptual disadvantages to managing risks associated with customer-directed data flows through the frameworks that the agencies developed primarily under the Bank Service Company Act to address how depository institutions structure their relationships with companies from which they obtain products and services and through which they conduct their own business activities.[27] Banks when dealing with vendors and business partners (and, in turn, those companies in dealing with their own subcontractors or business partners) have certain contractual, financial, and process tools for requiring and monitoring compliance that do not apply in situations involving a data aggregator that is acting at the direction of a consumer to transfer data to a competing financial services provider. While extremely large institutions may have enough scale to impose an approximation of this structure through data sharing contracts, it is difficult to create consistent standards for the entire ecosystem through such mechanisms. Indeed, stakeholders have voiced concerns that application of third-party frameworks may have actually slowed and complicated the adoption of data sharing agreements to implement safer technologies in individual cases, particularly by medium and smaller depository institutions.

C. The importance of moving to more direct, coordinated standards going forward

The rulemakings by the FTC and the CFPB have the potential to substantially improve the current state of the market by strengthening direct regulation and supervision of the broader customer-directed transfer ecosystem. For instance, the FTC is in the process of modernizing information security requirements for all non-bank financial institutions that handle customer-directed data flows, including both data aggregators and their customers. The CFPB has also begun a rulemaking to implement § 1033 data access rights and clarify the obligations of entities that act on behalf of consumers in effectuating such transfers. The Bureau potentially could also use the proceedings both to clarify the application of various other federal consumer protection laws and to initiate supervision of larger data aggregators and additional non-bank financial services providers.

The FTC and CFPB rulemakings could narrow the focus and strengthen the incentives for industry standardization initiatives as well as providing a more efficient and effective alternative to relying primarily on duplicative and overlapping contractual monitoring mechanisms to manage risks in the market. We believe these effects could be further strengthened if prudential regulators consider providing guidance that is more specific to customer-directed data transfers instead of relying heavily on general third-party frameworks, coordinate closely with the FTC and CFPB on the substance of such guidance, and seek additional comment from stakeholders. Moving the ecosystem toward safer technologies and practices is potentially beneficial for all ecosystem participants, but the process must be carefully calibrated to avoid creating unintended consequences for smaller depository institutions, undermining consumers’ § 1033 rights, or frustrating that law’s potential broader benefits in stimulating competition and innovation.

For instance, rather than relying on individual institutions and examiners to adapt vendor management principles and frameworks to data transfers between competitors, the agencies could consider articulating more specific, tailored guidance concerning their expectations for banks in (1) handling customer-directed data transfers by entities that have not specifically identified themselves as data aggregators; (2) dealing with known data aggregators; and (3) negotiating and executing data sharing agreements with aggregators or direct data users, separately from situations in which aggregators are transferring data on behalf of depository institutions themselves in a traditional vendor posture. Such an approach would provide an opportunity to account for differences in resources and leverage between small and large depository institutions, the differences in the postures of both banks and aggregators outside of a traditional vendor relationship, and the effects of the FTC and CFPB rulemakings on market conditions. Similarly, such an approach could take into account the competing interests that may be at play in this ecosystem.

We recognize that timing considerations may complicate coordination efforts given that the FTC and CFPB have recently come under new leadership and are still evaluating the pace and scope of these rulemakings relative to other priorities. However, there may be ways for the agencies to continue to encourage better risk mitigation while other essential building blocks are being put in place. For example, while U.S. financial institutions have often chosen to implement tokenized access at or near the same time that they implement APIs, encouraging tokenization or other authentication initiatives that do not require consumers to provide their bank platform log-in credentials to aggregators could be a helpful intermediate step in its own right. While technical details are important for smooth, consistent execution, such options could help to reduce concerns about liability for unauthorized transactions without requiring smaller institutions to develop and implement APIs while questions about the accessibility of particular data elements are being resolved under § 1033.[28]

Given the importance of these issues, the risk of unintended consequences for both smaller banks and consumers and small businesses, and the fact that the agencies’ request for comment on the Proposed Guidance did not ask any specific questions concerning customer-directed data transfers to independent financial services providers, we urge the agencies to seek additional comment before finalizing guidance that would apply to such transfers.[29] Thank you for the opportunity to comment on these important topics.

Kelly Thompson Cochran

Deputy Director and Chief Program Officer
FinRegLab

Prior to joining FinRegLab, Kelly helped to stand up the Consumer Financial Protection Bureau, where she served most recently as the Assistant Director for Regulations. In that capacity, she oversaw rulemaking and guidance activities under the Dodd-Frank Act, Electronic Fund Transfer Act, and various other federal consumer financial laws. Kelly previously was counsel at WilmerHale, where she advised financial institutions on a wide range of legal and regulatory matters including product development, compliance, enforcement, and litigation. Kelly also conducted research on financial services innovation, community reinvestment, and other topics at the University of North Carolina at Chapel Hill.

Melissa Koide

CEO & Director
FinRegLab

Prior to establishing FinRegLab, Melissa served as the U.S. Treasury Department’s Deputy Assistant Secretary for Consumer Policy. In that role, Melissa helped to build the first government offered preretirement savings product, the myRA. She also established the $5 million Innovation Fund to support research and strategies to improve consumers’ financial health and their access to safe and affordable financial products and services. Melissa has testified before the Senate Banking and House Financial Services Committees, and she has spoken extensively to policy, industry, and consumer advocacy audiences. She is also a member of the New York State Department of Financial Services’ Financial Innovation Advisory Board.


Endnotes

[1] 12 U.S.C. § 5533 (requiring covered persons to make information relating to financial products or services that they have provided to consumers available in electronic formats to consumers upon request); see also 12 U.S.C. § 5481 (defining “consumer” to include agents, trustees, and representatives acting on behalf of an individual).

[2] 84 Fed. Reg. 13158 (Apr. 4, 2019) (FTC proposal to update non-bank financial services providers’ obligations to safeguard consumer information under the Gramm-Leach-Bliley Act); 85 Fed. Reg. 71,003 (Nov. 6, 2020) (CFPB Advanced Notice of Proposed Rulemaking concerning implementation of § 1033 and the application of other federal consumer financial protection laws to consumer-directed data transfers).

[3] FinRegLab, The Use of Cash-Flow Data in Underwriting Credit: Empirical Research Findings (2019) (hereinafter, Cash-Flow Empirical Research Findings).

[4] FinRegLab, The Use of Cash-Flow Data in Underwriting Credit: Market Context & Policy Analysis (2020) (hereinafter, Cash-Flow Market Context & Policy Analysis).

[5] Financial Health Network, Flourish, FinRegLab & Mitchell Sandler, Consumer Financial Data: Legal and Regulatory Landscape (2020) (hereinafter, Legal and Regulatory Landscape).

[6] The symposium informed our 2020 cash-flow report as well as a report by SFFRB staff. Kaitlin Asrow, The Role of Individuals in the Data Ecosystem: Current Debates and Considerations for Data Protection and Data Rights in the United States, Federal Reserve Bank of San Francisco (2020).

[7] We also submitted a comment in response to the Bureau’s Advanced Notice of Proposed Rulemaking on consumer data issues. FinRegLab Comment Letter to the Consumer Financial Protection Bureau on Advanced Notice of Proposed Rulemaking on Consumer Access to Financial Records 3-7 (Feb. 4, 2021) (hereinafter, FinRegLab § 1033 Comment Letter).

[8] FinRegLab Testimony, House Financial Services FinTech Task Force, Preserving the Right of Consumers to Access Personal Financial Data (Sept. 20, 2021) (hereinafter, FinRegLab Testimony). A recording is available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408301#LiveStream.

[9] 12 U.S.C. § 5533; Legal and Regulatory Landscape at 29-45; Cash-Flow Market Context & Policy Analysis §§ 4.2.1, 5.2.2.1. See also Executive Order 14036: Executive Order on Promoting Competition in the American Economy (Jul. 9, 2021) (discussing the potential competition and innovation benefits of § 1033).

[10] See Cash-Flow Market Context & Policy Analysis § 4.2.2 for discussions of the evolving technologies and methods used in data collection and transmission. Disadvantages to credential sharing and screen scraping include risks for consumers that log-in credentials will be used to conduct unauthorized transactions or that more data will be collected than needed; systems burdens and information security and liability concerns for the data sources; and the risk of “noisy” data and broken connections for data users. Id.

[11] Aggregators are estimated to be able to access data from about 95% of U.S. deposit accounts, and at least one aggregator estimates that it alone has connected to one in four financial accounts in the U.S. Zack Meredith & Zeya Yang, Blog, The All-New Plaid Link, Plaid (Oct. 2, 2020); Michael Deleon, A Buyer’s Guide to Data Aggregation, Tearsheet (Feb. 19, 2019). Firm estimates of how many consumers have authorized transfers are difficult to obtain because industry statistics are generally tracked on an account basis, and surveys that focus solely on use of nonbank fintech services may count providers that do not rely on authorized data transfers and exclude banks that do use them. But growth trends are evident across multiple sources, particularly during the pandemic downturn. See, e.g., Plaid & The Harris Poll, The Fintech Effect: Fintech’s Mass Adoption Moment (2021); Penny Crosman, Plaid and U.S. Bank Agree to Share Bank Customer Data Through an API (May 13, 2021); Alexis Krivkovich et al., How US Customers Attitudes Toward Fintech Are Shifting During the Pandemic, McKinsey & Co. (Dec. 17, 2020); Karl Dahlgren, COVID-19 Pushes Digital Banking Adoption to the Tipping Point, BAI (Sept. 30, 2020); Plaid, The Fintech Effect: Consumer Impact and the Future of Finance (2020); EY, Global FinTech Adoption Index 2019 at 8 (2019); The Clearing House, Consumer Survey: Financial Apps and Data Privacy 2 (2019).

[12] 81 Fed. Reg. 83806, 83808 (Nov. 22, 2016).

[13] Cash-Flow Market Context & Policy Analysis § 4.2.1. Attempts to improve services to historically underserved populations have grown over time but may be particularly sensitive to process frictions, cost factors, and concerns about data safeguards. FinRegLab Testimony at 4-7; FinRegLab § 1033 Comment Letter at 4-7.

[14] Cash-Flow Market Context & Policy Analysis §§ 2, 5.1; FinRegLab, Research Brief, Data Diversification in Credit Underwriting (2020). The agencies themselves have acknowledged the potential benefits of using alternative data in credit underwriting and the Office of the Comptroller of the Currency has launched an initiative to further explore such benefits, though its first pilot program does not rely on customer-directed channels. Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency, Interagency Statement on the Use of Alternative Data in Credit Underwriting (Dec. 3, 2019); Office of the Comptroller of the Currency, News Release 2020-89, OCC Announces Project REACh to Promote Greater Access to Capital and Credit for Underserved Populations (July 10, 2020); Peter Rudegeair & AnnaMaria Andriotis, JPMorgan, Others Plan to Issue Credit Cards to People with No Credit Scores, Wall St. J. (May 13, 2021).

[15] Legal and Regulatory Landscape at 46-80. Unlike federal prudential regulators, who have issued extensive information security guidance since their initial GLBA safeguards guidance in 2001, the Federal Trade Commission did not propose to update its initial 2002 GLBA safeguards rule until 2019. 67 Fed. Reg. 36484 (May 23, 2002); 84 Fed. Reg. 13158 (Apr. 4, 2019).

[16] Legal and Regulatory Landscape at 29-45. The Bureau issued non-binding principles regarding consumer data access in 2017 but did not start rulemaking activities until 2020. Consumer Financial Protection Bureau, Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (2017); 85 Fed. Reg. 71,003 (Nov. 6, 2020).

[17] 12 U.S.C. § 5514. The Dodd-Frank Act authorizes the CFPB to examine non-bank financial services providers that are “larger participants” in various markets after defining the relevant size thresholds by rule. The Bureau has set thresholds for consumer reporting, auto lending/leasing markets, and several other categories of financial services, but has not addressed data aggregators or general consumer loans.

[18] Compare Joint Final Rule, 66 Fed. Reg. 8616, 8620 (Feb. 1, 2001) (stating that GLBA safeguards guidance does not require banks to prevent access by third parties with consumers’ consent or to monitor the use or redisclosure of a customer’s information by such parties, including passwords), with Office of the Comptroller of the Currency, OCC Bulletin 2020-10, Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29 (2020); Lydia Beyoud, FDIC Eyes Data Sharing Standards for Banks, Bloomberg Law (Apr. 24, 2019); Federal Reserve Governor Lael Brainard, Speech, Where Do Banks Fit in the Fintech Stack? (Apr. 28, 2017).

[19] OCC Bulletin 2020-10, FAQ 4.

[20] See, e.g., Office of the Comptroller of the Currency, OCC Bulletin 2013-29 (Oct. 30, 2013) (applying guidance to all “business arrangements where a banking organization has an ongoing relationship [with a third party] or may have responsibility for the associated records”); Board of Governors of the Federal Reserve System, Supervisory & Regulation Letter 13-19 (Dec. 5, 2013) (applying guidance to “all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities”); Federal Deposit Insurance Corporation, Financial Institution Letter 44-2008 (June 6, 2008) (applying guidance to “all entities that have entered into a business relationship with the financial institution,” generally for purposes of “outsourcing certain operational functions to a third party or … using a third party to make products and services available that the institution does not originate”).

[21] For instance, while banks typically have some “fourth-party” obligations with regard to sub-contractors of their vendors, it is not clear whether or how such obligations would apply in the context of customer-directed data transfers by aggregators to independent financial services providers who are their customers rather than their vendors.

[22] See, e.g., Penny Crosman, Plaid and U.S. Bank Agree to Share Bank Customer Data Through an API (May 13, 2021); Laura Noonan, JPMorgan to Ban Fintech Apps from Using Customer Passwords, Fin. Times (Jan. 1, 2020).

[23] Ryan Christiansen, Blog, Finicity Strengthens Data Access Agreements with Partnerships from Leading, National Financial Institutions (Mar. 31, 2021); Ginger Baker & Niko Karvounis, Blog, Plaid’s Strategy to Facilitate an API-Based Ecosystem (Nov. 19, 2020); see also Rebecca Ayers & Suman Bhattacharyya, Why Screen Scraping Still Rules the Roost on Data Connectivity, FinLedger (Mar. 10, 2021) (noting recent agreements signed by Envestnet/Yodlee and estimates by the company that it will take until late 2023 to transition fully to APIs).

[24] Stakeholder interviews and news reports suggest that screen scraping is frequently continuing to occur alongside API transfers, particularly where API limitations restrict the cadence or scope of available information. Cash-Flow Market Context & Policy Analysis §§ 4.2.2, 5.2.2.1; Legal and Regulatory Landscape at 40-42; Ayers & Bhattacharyya.

[25] FinRegLab Testimony at 9; Cash-Flow Market Context & Policy Analysis § 4.2.4; see also Penny Crosman, The Race to Build Data-Sharing Hubs for Banks — and End Screen Scraping, Am. Banker (Sept. 20, 2021); Financial Data Exchange, Financial Data Exchange (FDX) Reports 22 Million Consumer Accounts on FDX API (Sept. 1, 2021); Penny Crosman, BofA, Chase, Wells Fargo Pilot Service to Rein in Screen Scraping, Am. Banker (Jan. 26, 2021).

[26] See, e.g., U.S. Department of the Treasury, A Financial System that Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation 86-95 (2018).

[27] 12 U.S.C. §§ 1861–1867.

[28] Some sources have reported implementation costs as high as $500,000 per API. Penny Crosman, JPMorgan Chase Moves to Block Fintechs from Screen Scraping, Am. Banker (Jan. 2, 2020).

[29] Seeking comment from a full range of stakeholders is particularly important if new guidance would involve immediate changes to technologies or process expectations, given the potential scope of banks, customers, and other financial services providers affected.

About FinRegLab

FinRegLab is an independent, nonprofit organization that conducts research and experiments with new technologies and data to drive the financial sector toward a responsible and inclusive marketplace. The organization also facilitates discourse across the financial ecosystem to inform public policy and market practices. To receive periodic updates on the latest research, subscribe to FRL’s newsletter and visit www.finreglab.org. Follow FinRegLab on LinkedIn and Twitter (X).

FinRegLab.org | 1701 K Street Northwest, Suite 1150, Washington, DC 20006