FinRegLab’s Testimony to the House Financial Services Fintech Task Force


House Financial Services FinTech Task Force

“Preserving the Right of Consumers to Access Personal Financial Data”

FinRegLab Testimony

Good morning. Thank you for the opportunity to testify before you today at the FinTech Task Force hearing, “Preserving the Right of Consumers to Access Personal Financial Data.”

My name is Kelly Thompson Cochran. I am the Deputy Director of FinRegLab, a D.C.-based independent, nonpartisan research organization that evaluates the use of new technologies and data to drive the financial services sector toward a responsible and inclusive marketplace. Through our research and policy discourse, we facilitate collaboration across the financial ecosystem to inform public policy and market practices.

FinRegLab has focused on issues concerning customer data access since the launch of our first empirical project in 2018, which evaluated the use of cash-flow data from bank accounts and other sources in underwriting consumer and small business credit.1 We structured our work as a case study of the potential for customer-directed data transfers to spur greater competition and innovation in financial services, and concluded the project last year by publishing a policy analysis of how various stakeholders could help to strengthen financial inclusion and borrower protections in the broader ecosystem.2 In partnership with the Financial Health Network, Flourish, and Mitchell Sandler, we also published a report that describes existing U.S. federal law governing consumer financial data and highlights open issues, areas of ambiguity, and other emerging topics.3 We also partnered with the Federal Reserve Bank of San Francisco in 2019 to host a symposium on the Role of Consumers in the Data Ecosystem4 and were invited to participate in the Consumer Financial Protection Bureau’s 2020 symposium on consumer data access issues.5

Our research has focused most intensely on the use of customer-permissioned data for credit underwriting because credit has such important implications for broader economic participation, racial equity, and disaster recovery.6 However, customer-directed data transfers are also being used to support the provision of other financial services—including various payments and personal financial management applications—that could also have substantial benefits for historically underserved populations. Customer data access can also potentially facilitate the provision of financial services that are specifically tailored to meet the needs of small business owners.7

But manifesting these benefits is highly dependent on the commercial infrastructure that has developed to facilitate and use customer-permissioned data flows. Market activities and structures have expanded and evolved more quickly than U.S. regulatory frameworks over the last two decades, and action is needed by policymakers to calibrate competition and protection concerns to produce greater benefits from the system as a whole. We are encouraged to see regulatory activities by the Consumer Financial Protection Bureau, Federal Trade Commission, and prudential agencies that could help to address a number of critical questions. While additional work by industry and Congress will be needed to improve the broader data ecosystem, these regulatory initiatives are critical to help sharpen the focus of complementary efforts by other stakeholders and policymakers.

Why it matters: The potential scale, benefits, and risks of customer-permissioned data access

The generation of customer financial data has accelerated exponentially in recent decades as the financial services industry has come to rely heavily on digital information sources, back-office automation, and electronic service delivery. Financial services providers are also increasingly using information for marketing, verification, and other activities that is generated through their customers’ interactions with other businesses, such as payroll services companies, merchants, and social media platforms. While traditional credit bureaus and payment networks have transferred customer data between financial services providers for decades, new types of intermediaries such as data aggregators and data brokers are becoming increasingly important hubs in this broader data ecosystem.8

The increasingly sophisticated use of data and technology could produce significant benefits for consumers and small businesses, for instance by increasing the speed and convenience of financial services delivery, expanding access for historically underserved populations, supporting more individually tailored financial products and services, and giving customers more control over their financial lives. However, changes in data and technology also require careful evaluation and management of risks, such as protections against data breaches and unauthorized transactions, the risk of replicating or re-enforcing historical discrimination, and potential losses of personal privacy and control.

The regulatory frameworks that govern the sharing and use of customer data by financial services providers have not kept pace with technology and market changes. While Congress adopted certain baseline privacy and information security requirements in 2000 and strengthened credit reporting protections in 2003, data sharing and usage practices have evolved significantly since that time.9 Moreover, while § 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act codified consumers’ right to access their own data in 2010, the CFPB has not yet implemented that law or clarified the application of various existing protections to customer-directed data flows.10 The Bureau also has not yet taken steps necessary to begin examining larger data aggregators and certain other non-bank data users for compliance with various federal laws.11

Despite increasing concerns about U.S. regulatory infrastructure, the volume of customer-directed data flows—and of data sharing and use more broadly—continues to expand. Today, roughly 50% of U.S. consumers are estimated to have signed up for financial apps or other products that frequently rely on data aggregators to collect information via customer-authorized transfers, with substantial growth in the first months of the COVID-19 pandemic.12 The traditional credit reporting system is even larger—with files on approximately 90% of U.S. adults—and impacts not only access to credit, insurance, and transaction accounts, but also employment and rental housing.13 Large financial technology companies are also increasing their involvement in financial services, acting as data sources, partners, and/or competitors to traditional providers.14

The resulting ecosystem is producing positive effects for many consumers and small businesses, but it is also imposing substantial burdens and risks that are reducing its ability to drive greater customer-friendly innovation and competition.15 As discussed below, competitive dynamics, coordination challenges, and regulatory uncertainty are substantially complicating the transition to safer and more reliable technologies for collecting customer-permissioned data. The lack of a consistent framework for data permissioning and protections also increases the burden on consumers and small businesses in managing how their data may be used and shared by a broad range of firms who participate in the provision of financial services.

Addressing these issues could be particularly important to improving services to communities of color and other groups whose needs have not been fully met by either traditional financial services or early fintech initiatives:

  • Credit access: Prior to the pandemic, an estimated 50 million consumers lacked sufficient traditional credit history to be evaluated using the most widely adopted credit scoring models, and an additional 80 million were rated as “nonprime” even though many of them individually may be likely to repay. Information barriers also substantially constrain credit access among small businesses. Research suggests that applicants of color, low-income households, and women entrepreneurs are disproportionately affected.16

FinRegLab’s 2019 empirical analysis of cash-flow information from bank transaction accounts and other sources suggests that the data could be valuable in predicting credit risk both among populations who lack traditional credit history and populations who do have credit scores, in part because the data appear to provide somewhat different insights than traditional credit reports.17 Our stakeholder outreach suggests that the information may be particularly valuable in detecting signals when economic circumstances are changing relatively rapidly or individual applicants are working to stabilize their finances. However, while interest in the use of such data is increasing particularly in the wake of the pandemic downturn, challenges in securing reliable data flows and uncertainty about applicable regulatory requirements remain significant obstacles to broader deployment.18

  • Tools to help manage debt, build savings, and meet other specific financial planning needs: Although use of authorized data transfers to support personal financial management tools is far more widespread than in credit underwriting, many initial products were designed for and/or marketed primarily to relatively wealthy and technology-oriented consumers. Over time, some apps targeted to the needs of low-income households and other underserved populations have been developed by government agencies, nonprofits, and fintech companies.19 However, research suggests that additional product tailoring, outreach, and efforts to address concerns about data privacy and security could help to increase take-up rates.

For example, a project focusing on the high levels of high-cost debt among African-American households by Prosperity Now found some interest among research participants in using financial applications as a way to obtain tailored debt management advice.20 However, in a user study of two apps, data flow issues proved to be a significant obstacle: Some participants were unwilling to set up account linkages due to identity theft and other risks, yet where manual data entry was an option they often did not enter sufficient data to generate the most valuable and tailored advice.21 Research by the Financial Health Network similarly suggests that both a lack of tailoring in product features and interfaces and the need to address information-related concerns have tended to reduce fintech take-up rates among low- to moderate-income consumers over 50, despite that population’s rapidly increasing levels of digital connectedness and strong interest in both immediate financial management and retirement planning.22

  • Payment services: A number of digital payment services providers that are working to lower costs and/or increase convenience relative to traditional payment methods are using authorized data transfers via aggregators to facilitate their services. For instance, such data can be used to authenticate consumers’ identities, confirm that consumer accounts have been properly linked to the apps, and check balances before processing a transaction over various types of payment rails. However, surveys suggest that at least with regard to so-called person-to-person payment services, usage is lower among African-American, Hispanic, and low-income households relative to white and higher-income households. In contrast, households of color and low-income consumers are more likely than white and higher-income households to use non-bank providers of money orders, check cashing services, and bill payment services even though such options may carry relatively high fees.23

Addressing these unmet needs will require more than just improving the efficiency and safeguards for customer-directed data flows—and the regulatory frameworks governing customer data use and sharing more generally. For example, improving digital connectedness and access to basic transaction accounts, targeted outreach and marketing, user-centric product design, and regulatory safeguards for the specific financial services at issue could also have significant effects on customer use of and confidence in various financial services. However, frictions in managing underlying data flows may have a particular impact on efforts to meet the financial services needs of underserved populations, for instance where providers’ margins are already thin due to higher costs or lower returns,24 or where particular customer groups are especially sensitive to concerns about privacy, security, and other aspects of data control.25 Thus, improving the market and regulatory infrastructures for data sharing and use has critical implications for competition, customer protection, and financial inclusion going forward.

Current market and regulatory initiatives

The development of infrastructures supporting customer-directed data transfers is particularly significant within the broader ecosystem because they provide mechanisms for consumers and small businesses to use their data to obtain a range of products and services from additional financial services providers, in contrast to data flows that are provider-initiated. Development of the customer-permissioned system to date has been largely driven by competitive dynamics between the largest and most technically sophisticated companies. While recent efforts to develop technical standards and other mechanisms could potentially benefit smaller participants, competitive and coordination challenges remain substantial. Federal regulators could substantially boost these efforts by resolving certain threshold issues so that market participants can focus on remaining technical and process questions.

The customer-directed system started in the 1990s when aggregators began using customers’ log-ins to banking and investment website platforms and automated programs to “screen scrape” data for use in various personal financial management applications. As the volume of activity rose to support an increasing range of financial services, many data holders reacted defensively in light of systems burdens, information security and liability concerns, and competitive tensions. Regulatory uncertainty has heightened some of these tensions, such as disagreements over how federal limitations on consumers’ liability for unauthorized transactions would apply if their account log-in credentials are misused or breached in connection with a data transfer.26 Uncertainty over the application of prudential regulators’ guidance concerning bank oversight of third-party relationships has also complicated industry dynamics.27

Against the backdrop of potential blocks to access (and sometimes actual shut-downs), large data holders have negotiated an increasing number of confidential bilateral agreements with individual aggregators to transition to read-only tokenized access, application program interfaces (APIs), and contractual limitations on data use and other topics. These newer technologies can increase the safety, accuracy, and efficiency of data transfers, but they have resource and competitive implications for the broader market. Screen scraping is frequently continuing to occur alongside API transfers, particularly where API limitations restrict the cadence or scope of available information.28

Relying so heavily on contracts and due diligence mechanisms to police the broader data transfer system has other substantial drawbacks. Data holders may be direct competitors of the companies that are receiving the data from aggregators, and thus may have business incentives to impose restrictions on other ecosystem participants. Data intermediaries may not have the incentives or leverage to police the conduct of their clients across all potentially relevant issues. And smaller companies face greater resource constraints in adopting new technologies, negotiating contracts, and conducting due diligence activities.29

In light of these disadvantages, efforts to create standards and other infrastructure that can be used on a turnkey basis by a large number of participants have begun to attract increased interest from industry stakeholders in the past few years. For example, nearly 200 participants have joined the Financial Data Exchange to work on implementation of a common API, developing user experience guidelines to promote more consistent permissioning processes, and defining minimum data elements for particular use cases. The group includes a range of industry stakeholders, as well as some consumer advocate representation in its working groups. Other initiatives by several large banks and The Clearing House have both raised hopes that they will benefit smaller data holders and fears that they could be used to the founders’ competitive advantage.30

While industry-led standardization efforts can be critical to solving technical and process issues that may be both legally and practically difficult to enshrine in regulation,31 the experiences of the last several years suggest that such efforts will be far more effective if regulatory initiatives set certain basic parameters. For instance, even where consumer advocates have a seat at the table, it can be extremely difficult for voluntary private initiatives to establish and enforce consistent market-wide standards, particularly on topics that require careful balancing between the interests of multiple groups of consumers and financial services providers. More broadly, implementation and coordination costs remain serious challenges, and the COVID-19 pandemic has diverted substantial attention and resources to other issues. While FDX statistics indicate that the number of accounts using the FDX API for data transfers has increased to about 22 million, that represents only a small fraction of overall data transfer volume.32

Setting clear regulatory baselines concerning the basic rights and protections for consumer data access could thus help to sharpen the focus of industry standardization initiatives. Three such agency initiatives are currently underway:

  • The FTC is considering a proposal to modernize information safeguard requirements for non-bank financial services providers under the Gramm-Leach-Bliley Act, which could drive more robust data protections for intermediaries (including both traditional credit bureaus and data aggregators) and a wide range of non-bank data users.33
  • The CFPB has issued an Advanced Notice of Proposed Rulemaking to seek input on implementation of § 1033. The notice focused both on data access questions and on the treatment of consumer-permissioned data flows under other existing federal consumer financial protection laws, such as GLBA, the Fair Credit Reporting Act, and the Electronic Fund Transfer Act, though it did not focus extensively on supervision of data aggregators and other non-bank ecosystem participants.34
  • The prudential banking agencies are seeking comment on harmonizing their guidance concerning third-party service provider obligations, including its application to customer-permissioned data transfers. The notice seeks comment on whether the regulators should collectively adopt and/or revise guidance that the OCC issued in 2020 stating that banks have due diligence obligations even in situations in which they only have API agreements or no contractual relationships with data aggregators who are acting on behalf of competing financial services providers.35

Yet while Executive Order 14036 recently encouraged the CFPB to proceed with a § 1033 rulemaking to “facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products,”36 several of these agencies are in leadership transitions and the scope and prioritization of these initiatives relative to other activities is not yet clear. We believe that the regulatory agencies could substantially strengthen the incentives for and efficiency of industry standardization efforts by providing a decisive answer to such core issues as:

  • the deadline for particular groups of financial services providers to make data available upon consumer request under § 1033;
  • the scope of data that is subject to § 1033 access rights or to exceptions under the statute, and whether data sources can impose other conditions before providing data access;
  • the obligations of companies acting on behalf of an individual consumer in connection with a § 1033 data transfer and the requirements for data recipients to safeguard such information;
  • the Bureau’s plans to begin supervision of data aggregators and possibly other categories of non-bank financial services providers that rely heavily on customer-permissioned data; and
  • the scope of banks’ oversight responsibilities concerning activities of aggregators (or aggregators’ customers) in their downstream handling of customer data.

Interagency coordination is particularly important as these initiatives progress. For example, strengthening GLBA information safeguards requirements for all non-bank financial institutions and conducting CFPB examinations of data aggregators and other key actors could reduce the need to rely on bank oversight mechanisms to manage the broader ecosystem. And third-party service provider guidance can have important implications for competitive dynamics and the volume and nature of § 1033 data flows, for instance if heightened due diligence expectations disincentivize smaller institutions from entering agreements to manage and develop APIs to manage data transfers.

Revisiting the broader regulatory framework

In addition to sharpening the focus of future industry efforts, the agencies’ activities may also highlight the need for specific Congressional actions. For instance, § 1033 is focused primarily on retail financial products and services like loans and deposits, even though securities and insurance information could also be useful for personal financial management purposes.37 The statute also does not affirmatively define protections for § 1033 data. Other existing federal laws provide potential safeguards, but they were not crafted specifically with the current customer-directed transfer system in mind and may not apply to all use cases.38 And while the Bureau could potentially prescribe conduct requirements for companies who act as “agents” or “representatives” on behalf of consumers in connection with § 1033 transfers,39 it is unclear whether it will decide to do so or what such duties might entail.

Thus, Congressional action may well be required to help further strengthen and tailor the regulatory guardrails for customer-directed transfers. And even beyond those particular data flows, the gaps and disconnects between various federal consumer financial laws are becoming more problematic in light of the substantial evolution in industry players, technologies, and market practices over the last several decades. For instance, the GLBA privacy provisions that create some baseline limitations on when financial institutions can transfer data to other parties for their own purposes have not been substantially updated since their initial adoption, and raise substantial complexities as to the extent to which they limit data use and transfers by companies that receive the data downstream.40 While U.S. law has historically provided more protection for customers’ financial data as compared to data in general commerce, gaps in the effectiveness and scope of those protections are becoming more important as data sharing and use within the financial sector continues to expand and as the boundaries between financial services and general commerce become more porous.

Several other nations and states are starting to adopt comprehensive regimes that create baseline rights and protections for customer data across all sectors, sometimes in combination with more tailored provisions to address customer protection and competition concerns in financial services.41 The potential conceptual and practical tradeoffs of different structures are beyond the scope of this testimony,42 but the need to modernize the regulation of customer data as used for financial services is becoming increasingly urgent. Several illustrations help to demonstrate this need:

  • Meaningful consent and its relation to meaningful protections. Notice and consent concerning data access and use is a critical feature of today’s broader digital economy, but federal consumer financial laws often focus more on informing consumers about product pricing and features prior to selection decisions rather than related data flows. Where prior consent is used to authorize transfers of consumer financial data, it often relies on “opt out” structures that may not be as effective in empowering consumers to exercise robust control over their data.43

Section 1033 substantially increases the conceptual and practical importance of consent because it relies upon affirmative consumer opt-ins to data transfers. Adopting consistent, consumer-friendly disclosure content, formats and consent processes (particularly those designed for digital interfaces) will be important to effectuating the statute and realizing its larger benefits for innovation and competition.44

But deeper thought about the nature of meaningful consent and its relationship with meaningful protections across the broader financial data ecosystem would also be helpful. Even with the adoption of best practices and model forms, there is growing evidence of “information overload” among consumers as they are asked to manage the use of their data while interacting with a broad range of entities in both financial services markets and general commerce. While some financial services providers are working to make this process more manageable by creating data dashboards and other best practices, it is difficult for individual commercial actors to overcome coordination challenges in gathering information from downstream parties. Setting regulatory baselines for traceability, the scope of permissible use activities, and other substantive data practices could also help to reduce cognitive burdens on consumers, for instance by reducing the number of issues that have to be managed on a company-by-company basis.45

  • Access to data for research and development. While § 1033 provides a right for individual consumers to access their data one financial services provider at a time, it does not address the fact that access to large pools of representative historical data can be critical for both product development (for instance, creation of more accurate and inclusive predictive models for credit underwriting) and research to inform improvements in market practices, public policy, and regulation. Existing laws such as GLBA and FCRA have been interpreted to provide more flexibility for research and development activities where data does not contain personally identifying information. However, new tensions between individual and collective interests are emerging as research highlights the risks of re-identification through linking of data sources and as notions of consumer control strengthen to include such concepts as a right to demand deletion.46

New “privacy enhancing technologies” that reduce the possession and transfer of personal data while facilitating beneficial use cases may help to manage some of these tensions,47 but policy frameworks may also need to be revised and recalibrated. For instance, the lack of access to data pools can substantially disadvantage startup financial services providers relative to incumbents that have already amassed substantial historical information. Thus, creating mechanisms that facilitate the development of products and services that will help consumers derive further benefits from their data could substantially increase § 1033’s potential benefits for innovation and competition.

  • The critical role of data intermediaries. Data intermediaries often do not have direct relationships with consumers or small businesses but play increasingly important roles in the financial data ecosystem both as the repositories of information concerning millions of customers and as counterparties in an increasingly complex web of commercial relationships. Their activities and scale have important implications for both customer protection and competition, and different types of intermediaries are engaging with each other through both partnerships and acquisitions. Yet the extent to which different types of intermediaries are subject to direct regulation and supervision under current federal consumer financial laws varies. Third-party risk management authorities provide some additional protections, but they can be less comprehensive and efficient than direct regulation.48

With regard to examinations, for instance, the Dodd-Frank Act vested the Consumer Financial Protection Bureau with authority to supervise non-banks that are “larger participants” in markets other than mortgage, payday, and private student lending.49 This excludes smaller intermediaries that may nonetheless aggregate the data of millions of consumers, simply because they are smaller than other competitors. Moreover, the Dodd-Frank Act did not authorize the CFPB to examine non-banks for compliance with GLBA information security requirements even when the agency is conducting other supervisory activities. The importance of this issue has been underscored by the Equifax data breach in 2017 and the increasing scale of data aggregators.50

  • Treatment of small business owners. Small business owners are not covered by § 1033 or most other federal consumer financial laws, yet they have substantial unmet needs for financial services.51 What research is available suggests that they are sensitive to many of the same data protection concerns as consumers.52

The Consumer Financial Protection Bureau and other federal agencies can begin to tackle many of these questions with their existing authorities, but there are gaps and inconsistencies that they cannot bridge without action by Congress. Increasing the consistency and comprehensiveness of protections that apply to (1) different sources of data for credit underwriting; (2) customer-permissioned data transfers for all types of use cases; and (3) the use of customer data in financial services more generally would help to reduce risk levels to consumers and small businesses, create a more level playing field among financial services providers, and encourage customer-friendly innovation and competition going forward. Such changes would not only increase the competitiveness of the U.S. financial system relative to parallel sectors in other countries, but increase the dynamism and competitiveness of our broader economy by helping historically underserved populations increase their economic participation, financial stability, and long-term wealth.

Conclusion

Some sources have estimated that broad adoption of open finance in the U.S. could add as much as 1.5% to the nation’s gross domestic product by 2030, including up to $90 billion of economic value for individual consumers, $50 billion for micro, small, and medium sized businesses, and $100 billion for financial institutions.53 But achieving such benefits will require sustained attention and action from industry, regulators, and Congress. The regulatory actions that are underway now are important steps down that path, and complex undertakings in their own right. They can help to sharpen the focus of subsequent standardization and legislative efforts, but fully modernizing the market and regulatory infrastructure that governs the use of customer data in financial services is an even larger undertaking that will require a sequencing of efforts by multiple stakeholders. The longer those efforts wait to start, the more risk that builds up in the system and the more benefits are forgone both in the financial sector and the broader economy.

Thank you again for the opportunity to speak with you today about these important issues.


Endnotes

[1] FinRegLab, The Use of Cash-Flow Data in Underwriting Credit: Empirical Research Findings (2019) (hereinafter, Cash-Flow Empirical Research Findings), https://finreglab.org/wp-content/uploads/2019/07/FRL_Research-Report_Final.pdf.

[2] FinRegLab, The Use of Cash-Flow Data in Underwriting Credit: Market Context & Policy Analysis (2020) (hereinafter, Cash-Flow Market Context & Policy Analysis), https://finreglab.org/wp-content/uploads/2020/03/FinRegLab_Cash-Flow-Data-in-Underwriting-Credit_Market-Context-Policy-Analysis.pdf.

[3] Financial Health Network, Flourish, FinRegLab & Mitchell Sandler, Consumer Financial Data: Legal and Regulatory Landscape (2020) (hereinafter, Legal and Regulatory Landscape), https://finreglab.org/wp-content/uploads/2020/10/Financial-Data-White-Paper.pdf.

[4] The symposium informed our 2020 cash-flow report as well as a report by SFFRB staff. Kaitlin Asrow, The Role of Individuals in the Data Ecosystem: Current Debates and Considerations for Data Protection and Data Rights in the United States, Federal Reserve Bank of San Francisco (2020).

[5] We also submitted a comment in response to the Bureau’s Advanced Notice of Proposed Rulemaking on consumer data issues. https://finreglab.org/wp-content/uploads/2021/04/FinRegLab-Section-1033-Comment-Letter-2021-1.pdf.

[6] Credit can not only help borrowers bridge short-term gaps, but fund long-term investments in housing, transportation, education, and small business formation. The credit system thus both reflects and influences the ability of families, small businesses, and communities to participate in the broader economy. For instance, historical discrimination in lending and other sectors has contributed to substantial racial disparities in income and assets, which in turn can affect household financial stability and the predictions of default risk that lenders rely upon to evaluate credit applications and set pricing. Cash-Flow Market Context & Policy Analysis §§ 2, 2.1, 2.2.

[7] FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Small Business Spotlight (2019) (hereinafter Cash-Flow Small Business Spotlight), https://finreglab.org/wp-content/uploads/2019/09/FinRegLab-Small-Business-Spotlight-Report.pdf; Karen G. Mills, Fintech, Small Business and the American Dream eBook.

[8] Data aggregators emerged initially to support “personal financial management” services by collecting data from bank and investment firm websites, though they now support a broader array of financial services. Data brokers do not necessarily focus on financial data, though their information is used by many financial services providers for marketing and fraud detection. They collect and transfer information largely without consumers’ knowledge or consent. Cash-Flow Market Context & Policy Analysis § 4.2; Legal and Regulatory Landscape at 12-13.

[9] For background on the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act of 2003, see Legal and Regulatory Landscape at 46-106.

[10] 12 U.S.C. § 5533. The Bureau issued non-binding principles regarding consumer data access in 2017 but did not start rulemaking activities until 2020. 85 Fed. Reg. 71,003 (Nov. 6, 2020); Consumer Financial Protection Bureau, Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (2017).

[11] The Dodd-Frank Act authorizes the CFPB to examine non-bank lenders of any size that extend mortgages, private education loans, or payday loans, as well as “larger participants” in other markets after defining the relevant size thresholds by rule. 12 U.S.C. § 5514. The Bureau has set thresholds for consumer reporting, auto lending/leasing markets, and several other categories of financial services, but has not addressed data aggregators or other types of consumer loans.

[12] Aggregators are estimated to be able to access data from about 95% of U.S. deposit accounts, and at least one estimates that it alone has connected to one in four financial accounts in the U.S. Zack Meredith & Zeya Yang, Blog, The All-New Plaid Link, Plaid (Oct. 2, 2020); Michael Deleon, A Buyer’s Guide to Data Aggregation, Tearsheet (Feb. 19, 2019). Firm estimates of how many consumers have authorized transfers are difficult to obtain because industry statistics are generally tracked on an account basis and surveys that focus solely on use of non-bank fintech services may count providers that do not rely on authorized data transfers and exclude banks that do use them. But growth trends are evident across multiple sources. See, e.g., Alexis Krivkovich et al., How US Customers Attitudes Toward Fintech Are Shifting During the Pandemic, McKinsey & Co. (Dec. 17, 2020); Karl Dahlgren, COVID-19 Pushes Digital Banking Adoption to the Tipping Point, BAI (Sept. 30, 2020); Plaid, The Fintech Effect: Consumer Impact and the Future of Finance (2020); EY, Global FinTech Adoption Index 2019 at 8 (2019); The Clearing House, Consumer Survey: Financial Apps and Data Privacy 2 (2019).

[13] Cash-Flow Market Context & Policy Analysis § 2.2; Legal and Regulatory Landscape at 11, 81-106; FICO, Expanding Credit Access with Alternative Data 3 (2021). Data brokers, whose status as “consumer reporting agencies” under the Fair Credit Reporting Act depends on the intended use of their data, are also estimated to have information concerning nearly all U.S. consumers. Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability 7-14 (2014).

[14] See, e.g., Cash-Flow Small Business Spotlight § 4; Legal and Regulatory Landscape at 15; CBInsights, The Big Tech in Fintech Report (2021).

[15] For in-depth discussions of the burdens and risks of the current market in connection with credit underwriting, see Cash-Flow Small Business Spotlight §§ 3-5; Cash-Flow Market Context & Policy Analysis §§ 3-6.

[16] Cash-Flow Market Context & Policy Analysis § 2.2; Cash-Flow Small Business Spotlight § 2. Credit scoring models group borrowers into bands based on their relative default risk, but without additional data, lenders cannot differentiate within those bands to determine which individual applicants are higher-risk. Even if most applicants within a particular band are likely to repay their loans, lenders may choose not to lend to that cohort or may impose higher prices because default risks for the group as a whole are relatively high.

[17] Cash-Flow Empirical Findings § 5. The study involved an independent analysis of data from six companies that use cash-flow information in lieu of or in addition to traditional credit bureau data to underwrite consumers or small businesses. The analysis also found evidence that the participating companies were extending credit to applicants who may have faced constraints in accessing credit historically, and that the degree to which the information was predictive of credit risk appeared to be relatively consistent across borrowers who likely belong to different demographic groups.

[18] Cash-Flow Market Context & Policy Analysis §§ 4-5; Cash-Flow Small Business Spotlight §§ 4-5; see also FinRegLab, Research Brief, Data Diversification in Credit Underwriting (2020).

[19] See, e.g., Jeff Kauflin, Fintech Apps Offer Financial First Aid For Hardest-Hit Consumers, Forbes (Apr. 3, 2020); Financial Health Network, Preparing for Tomorrow by Fixing Today: Helping Low- and Moderate-Income Americans Thrive in Retirement (2018); MAV Foundation, 8 Mobile Apps That Can Help Low Income Families (Mar. 14, 2018); Lucy Gorham & Jess Dorrance, Catalyzing Inclusion: Financial Technology & the Underserved, University of North Carolina Center for Community Capital 38-39 (2017); David Wessel, Fintech Apps Bring Stability to Stressed Families, The Brookings Institute (Apr. 25, 2017); Suman Bhattacharyya, How Financial Tech Startups Are Reaching Out to Low-Income Americans, Tearsheet (Feb. 10, 2017).

[20] Prosperity Now, Overdue: Addressing Debt in Black Communities 24, 27 (2018); Prosperity Now, In Search of FinTech for Debt Management and Repayment 25-26 (2020).

[21] Prosperity Now, In Search of FinTech for Debt Management and Repayment at 5, 9-10, 14, 17, 19, 20-21.

[22] Financial Health Network, Fintech Over 50: Designing for Low- to Moderate-Income Older Adults (2020); Financial Health Network, Preparing for Tomorrow by Fixing Today at 9-15.

[23] Federal Deposit Insurance Corporation, How America Banks: Household Use of Banking and Financial Services 6-7, 37-38 (2020).

[24] For a discussion of how these factors affect bank efforts to serve non-prime populations, see Cash-Flow Market Context & Policy Analysis § 5.2.1.2.

[25] Although research specifically in the financial services context is limited, some surveys indicate that concerns about privacy may be higher among respondents of color and low-income households than the general population, in part due to lower trust in government institutions and business organizations. Brooke Auxier et al., Americans and Privacy: Concerned, Confused, and Feeling Lack of Control over Their Personal Information, Pew Research Center (2019); Mary Madden, Privacy, Security and Digital Inequality, Data & Society Research Institute 2-10 (2017).

[26] Cash-Flow Market Context & Policy Analysis §§ 4.2.3, 5.2.1.2; Legal and Regulatory Landscape at 152-171.

[27] Cash-Flow Market Context & Policy Analysis at 50; Legal and Regulatory Landscape at 107-122. After the U.S. Treasury Department suggested that some agency guidance was actually discouraging companies from entering agreements to move to safer data transfer technologies because banks feared the agreements would trigger heightened monitoring obligations, the Office of the Comptroller of the Currency issued guidance in 2020 stating that banks have due diligence duties even with regard to screen scraping activities by aggregators with which they have no contractual relationships. The guidance has created additional questions about the practical extent to which banks in such situations can gain sufficient assurances about aggregators’ data controls and whether banks in certain circumstances have obligations to conduct “fourth party” monitoring of the data controls of aggregators’ customers. U.S. Department of the Treasury, A Financial System that Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation 86-95 (2018); Office of the Comptroller of the Currency, OCC Bulletin 2020-10, Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29.

[28] Cash-Flow Market Context & Policy Analysis §§ 4.2.2, 5.2.2.1; Legal and Regulatory Landscape at 40-42.

[29] Cash-Flow Market Context & Policy Analysis §§ 4.1.2, 4.2.2.

[30] Cash-Flow Market Context & Policy Analysis § 4.2.4; see also Penny Crosman, BofA, Chase, Wells Fargo Pilot Service to Rein in Screen Scraping, Am. Banker (Jan. 26, 2021).

[31] Section 1033 directs the CFPB to develop rules that “prescribe standards applicable to covered persons to promote the development and use of standardized formats for information,” but also to consult with other federal regulators to “ensure, to the extent appropriate, that [its] rules … do not require or promote the use of any particular technology in order to develop systems for compliance.” 12 U.S.C. § 5533(d), (e). The Bureau also lacks authority to set information security standards under GLBA. 15 U.S.C. § 6801(b). Even where legal authorities are clear, it can be challenging to keep rules that enshrine technical standards updated as technologies and market practices evolve. Cash-Flow Market Context & Policy Analysis § 5.2.2.1.

[32] Financial Data Exchange, Financial Data Exchange (FDX) Reports 22 Million Consumer Accounts on FDX API (Sept. 1, 2021).

[33] 84 Fed. Reg. 13158 (Apr. 4, 2019); Cash-Flow Market Context & Policy Analysis § 5.2.2.2; Legal and Regulatory Landscape at 71-81.

[34] 85 Fed. Reg. 71,003 (Nov. 6, 2020).

[35] 86 Fed. Reg. 38,182 (July 19, 2021); 86 Fed. Reg. 50,789 (Sept. 10, 2021); see supra note 25 and accompanying text.

[36] Executive Order 14036: Executive Order on Promoting Competition in the American Economy (Jul. 9, 2021).

[37] 12 U.S.C. §§ 5481(5), (6), (15), 5517, 5519, 5533(a).

[38] For discussions of the protections provided by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Electronic Fund Transfer Act and the questions and tensions raised by their potential application to customer-permissioned data flows, see Cash-Flow Market Context & Policy Analysis §§ 4.2.1.2, 5.2.2.2, 6.1.2, 6.1.3; Legal and Regulatory Landscape at 46-106, 152-171.

[39] The Dodd-Frank Act defines “consumer” to include not only individuals but also “agent[s], trustee[s], or representative[s] acting on behalf of … individual[s].” 12 U.S.C. §§ 5481(4), 5533(a). Thus, in determining application of § 1033, the Bureau could define what it means to “act on behalf” of an individual consumer. Under state law, for example, agents often have fiduciary duties to their principals, such as exercising appropriate care and diligence, acting within scope of delegated authority, and avoiding self-dealing.

[40] Cash-Flow Market Context & Policy Analysis at 96-101, 122; Legal and Regulatory Landscape at 48-70, 174.

[41] For a detailed discussion of the intersections between data protections and data rights, see Asrow at 7-8, 11-12, 54-72. For summaries and discussions of other jurisdictions’ approaches to create comprehensive data regimes and to facilitate open finance systems relative to U.S. approaches, see Cash-Flow Market Context & Policy Analysis at 71; Asrow at 14-17, 52-53; Olivia White et al., Financial Data Unbound: The Value of Open Data for Individuals and Institutions, McKinsey Global Institute (2021).

[42] See Cash-Flow Market Context & Policy Analysis § 7.3 for a brief discussion of selected issues.

[43] Cash-Flow Market Context & Policy Analysis § 6.2.1; Legal and Regulatory Landscape at 43-44, 58-64, 92-94; Asrow at 22-29.

[44] Cash-Flow Market Context & Policy Analysis § 6.2.1; Legal and Regulatory Landscape at 43-44, 58-64, 92-94; Asrow at 22-29.

[45] Cash-Flow Market Context & Policy Analysis § 6.2; Legal and Regulatory Landscape at 58-64, 92-94; Asrow at 22-29, 30-35, 57-58, 63-66, 68-69.

[46] Cash-Flow Market Context & Policy Analysis § 6.1.3; Legal and Regulatory Landscape at 43-44, 55-57, 87; Asrow at 36-38, 59-60, 66-68.

[47] Cash-Flow Market Context & Policy Analysis at 100; Asrow at 75-77.

[48] Cash-Flow Market Context & Policy Analysis §§ 4.2.1, 4.2.4, 5.2.2.2; Legal and Regulatory Landscape at 9-13, 107-122. Under the Bank Service Company Act and Dodd-Frank Act, the prudential regulators and the CFPB can examine vendors to supervised financial service providers, in addition to the due diligence and monitoring conducted by the providers themselves. However, while prudential regulators have examined at least one data aggregator in its capacity as a vendor to a bank, they reportedly have disavowed such authority with regard to nationwide consumer reporting agencies. And because each supervised entity may interpret its due diligence obligations slightly differently, processes can be extremely duplicative for both banks and data intermediaries or other vendors.

[49] 12 U.S.C. § 5514(a)(1)(B).

[50] Cash-Flow Market Context & Policy Analysis §§ 4.1.2, 6.3.2, 7.2; Legal and Regulatory Framework at 18-19, 73-75, 111-113.

[51] Cash-Flow Small Business Spotlight §§ 2, 5; Mills Chapters 1-5, 9.

[52] Barbara J. Lipman & Ann Marie Wiersch, Uncertain Terms: What Small Business Borrowers Find When Browsing Online Lender Websites, Board of Governors of the Federal Reserve System 23, 27 (2019); Barbara J. Lipman & Ann Marie Wiersch, Browsing to Borrow: ‘Mom & Pop’ Small Business Perspectives on Online Lenders, Board of Governors of the Federal Reserve System 12, 16-17 (2018); Barbara J. Lipman & Ann Marie Wiersch, Alternative Lending Through the Eyes of ‘Mom & Pop’ Small Business Owners: Findings from Online Focus Groups, Federal Reserve Bank of Cleveland 17 (2015).

[53] White et al., at 10-11. The analysis calculates potential benefits from three potential benefits to customers (increased access to financial services, greater user convenience, and improved product options) and four potential benefits to financial institutions (increased operational efficiency, better fraud protection, improved workforce allocation, and reduced friction in data intermediation).

About FinRegLab

FinRegLab is an independent, nonprofit organization that conducts research and experiments with new technologies and data to drive the financial sector toward a responsible and inclusive marketplace. The organization also facilitates discourse across the financial ecosystem to inform public policy and market practices. To receive periodic updates on the latest research, subscribe to FRL’s newsletter and visit www.finreglab.org. Follow FinRegLab on LinkedIn.

FinRegLab.org | 1701 K Street Northwest, Suite 1150, Washington, DC 20006