[Senate Hearing 115-380]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-380


         FINTECH: EXAMINING DIGITIZATION, DATA, AND TECHNOLOGY

=======================================================================

                                 HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING,HOUSING,AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                                   ON

           EXAMINING FURTHER THE DIGITIZATION, DATA, AND TECHNOLOGY 
                            ASPECTS OF FINTECH

                               __________

                           SEPTEMBER 18, 2018

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs
                                
                                
                                
 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                               
                                


                Available at: http: //www.govinfo.gov /
                
                
                
                                __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
32-753 PDF                  WASHINGTON : 2018                     
          
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected]                               


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
BOB CORKER, Tennessee                JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania      ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                  JON TESTER, Montana
TIM SCOTT, South Carolina            MARK R. WARNER, Virginia
BEN SASSE, Nebraska                  ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                 HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
JERRY MORAN, Kansas                  DOUG JONES, Alabama

                     Gregg Richard, Staff Director

                 Mark Powden, Democratic Staff Director

                      Joe Carapiet, Chief Counsel

                      Kristine Johnson, Economist

            Laura Swanson, Democratic Deputy Staff Director

                 Elisha Tuku, Democratic Chief Counsel

                       Dawn Ratliff, Chief Clerk

                      Cameron Ricker, Deputy Clerk

                     James Guiliano, Hearing Clerk

                      Shelvin Simmons, IT Director

                          Jim Crowell, Editor

                                  (ii)


                            C O N T E N T S

                              ----------                              

                      TUESDAY, SEPTEMBER 18, 2018

                                                                   Page

Opening statement of Chairman Crapo..............................     1
    Prepared statement...........................................    29

Opening statements, comments, or prepared statements of:
    Senator Brown................................................     2
        Prepared statement.......................................    29

                               WITNESSES

Steven Boms, President, Allon Advocacy, LLC, on behalf of 
  Consumer Financial Data Rights.................................     4
    Prepared statement...........................................    30
    Responses to written questions of:
        Senator Brown............................................   117
        Senator Scott............................................   117
Stuart Rubinstein, President, Fidelity Wealth Technologies, and 
  Head of Data Aggregation.......................................     6
    Prepared statement...........................................    37
Brian Knight, Director, Innovation and Governance Program, 
  Mercatus Center at George Mason University.....................     7
    Prepared statement...........................................    40
    Responses to written questions of:
        Senator Brown............................................   118
        Senator Heller...........................................   119
Saule T. Omarova, Professor of Law, and Director, Jack Clarke 
  Program on Law and Regulations of Financial Institutions and 
  Markets, Cornell University....................................     9
    Prepared statement...........................................    45
    Responses to written questions of:
        Senator Reed.............................................   119

              Additional Material Supplied for the Record

Letter From The American Academy of Actuaries Submitted by 
  Chairman Mike Crapo............................................   122
Statement From Financial Innovation Now Submitted by Chairman 
  Mike Crapo.....................................................   182
Letter From Electronic Privacy Information Center Submitted by 
  Senator Sherrod Brown..........................................   184
Statement Submitted by Independent Community Bankers of America..   187

                                 (iii)

 
         FINTECH: EXAMINING DIGITIZATION, DATA, AND TECHNOLOGY

                              ----------                              


                      TUESDAY, SEPTEMBER 18, 2018

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:01 a.m., in room SD-538, Dirksen 
Senate Office Building, Hon. Mike Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. This hearing will come to order.
    Today we will hear four very unique perspectives on a 
segment of financial technology, or ``FinTech.''
    Almost exactly 1 year ago, the Committee held a hearing to 
explore the various sectors and applications of FinTech.
    In the short time period between that hearing and this one, 
many developments and innovations have occurred, both in the 
private sector and on the regulatory front.
    Digitization and data, in particular, are constantly 
evolving, challenging the way we have traditionally approached 
and conducted oversight of the financial services sector.
    As technology has developed and the ability to readily and 
cheaply interact with and use data has flourished, we have 
experienced a sort of revolution in the digital era. This 
digital revolution brings with it the promise of increasing 
consumer choice, inclusion, and economic prosperity, among 
other things.
    Less than a decade ago, the concept of mobile banking, a 
simple transaction, was relatively new. Now consumers have 
countless options by which to interact with and access their 
financial information and conduct transactions.
    As this marketplace rapidly develops, so must we constantly 
evaluate our regulatory and oversight framework, much of which 
was designed prior to the digital era. To the extent that there 
are improvements that can be made to better foster and not 
stifle innovation, we should examine those.
    Although these technological developments are incredibly 
positive, the increased digitization and ease of collecting, 
storing, and using data presents a new set of challenges and 
requires our vigilance.
    Many products and services in the FinTech sector revolve 
around big data analytics, data aggregation, and other 
technologies that make use of consumer data. Oftentimes these 
processes operate in the background, and are not always 
completely transparent to consumers.
    It is important for consumers to know when their data is 
being collected and how it is being used. It is equally 
important for the companies and the Government alike to act 
responsibly with this data and ensure that it is protected.
    As we have seen in recent years, this can be a challenging 
task. In order to fully embrace the immense benefits that can 
result from technological innovation, we must ensure that 
proper safeguards are in place and consumers are fully 
informed.
    Today I hope to hear from our witnesses about the ways in 
which FinTech is changing the financial sector and the 
improvements that can be made to ensure the regulatory 
landscape welcomes that innovation; what kind of data is being 
collected and used and how such data is secured and protected; 
and what the opportunities and challenges are going forward.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Mr. Chairman.
    In the run-up to the financial crisis, Wall Street banks 
bragged about innovations that they claimed made the financial 
system less risky and credit more affordable. Some of these 
innovations were in consumer products, like interest-only 
subprime mortgages. Other innovations were happening behind the 
scenes, like the growth in risky collateralized debt 
obligations and credit default swaps.
    According to the banks, technological advances like 
increased computing power and information sharing through the 
Internet allowed financial institutions to calculate and 
mitigate the risks of these complex financial innovations. In 
Washington, banks told lawmakers that regulation would hold 
back progress--they say that often on many issues--and make 
credit more expensive for consumers. Rather than look at 
financial technology with an eye to the risks, Federal banking 
supervisors repealed safety and soundness protections, and they 
used their authority to override consumer protection laws in 
several States.
    Eventually, so-called financial innovations led to the 
biggest economic disaster in almost a century, costing millions 
of Americans their homes, their jobs, and much of their 
savings.
    Criticizing the bankers and regulators who lost sight of 
the enormous risks that came with these new innovations, former 
Fed Chair Paul Volcker declared, ``The ATM has been the only 
useful innovation in banking for the past 20 years.''
    I am more optimistic about some new technologies benefiting 
consumers rather than just lining Wall Street's pockets, but I 
think we should look at this Treasury report with the same 
level of skepticism.
    Rather than learn from past mistakes, the Treasury report 
embraces the shortsightedness of precrisis regulators. It 
exalts the benefits of ``financial innovation,'' describes 
Federal and State regulation as ``cumbersome'' or as ``barriers 
to innovation,'' and recommends gutting important consumer 
protections, like the CFPB's payday lending rule. It even 
suggests stripping away what little control we as consumers now 
have over our own personal financial data, just a year after 
Equifax put 148 million Americans' identities at risk, 5 
million in my State alone.
    Just like a dozen years ago, Wall Street banks and big 
companies are making record profits, but working families are 
struggling just to get by. Student loan debt is at record 
levels; credit card defaults are rising. Worker pay is not 
keeping up with inflation--comments from the Administration 
notwithstanding--but we have managed to cut taxes for the 
richest Americans while CEOs and shareholders have reaped huge 
windfalls through over half a trillion dollars in stock 
buybacks.
    Plenty of financial institutions are adopting new 
technologies without running afoul of the law. Rather than 
focusing on how we can weaken the rules for a handful of 
companies who prefer to be called ``FinTechs'' rather than 
``payday lenders,'' or ``data aggregators'' rather than 
``consumer reporting bureaus,'' Treasury should be focused on 
policies that help working families.
    This is not a partisan issue for me. I raised concerns 
about relaxing the rules for FinTech firms when Comptroller 
Curry, appointed by President Obama, suggested a special 
``FinTech'' charter almost 2 years ago.
    The new leaders at the Federal Reserve, the OCC, the FDIC, 
and the CFPB have already made it clear that they are ready to 
give Wall Street whatever it asks for. And they never have 
enough. And the recommendations in this report call for more 
handouts for financial firms, FinTech or otherwise.
    I am interested, however, to hear from our witnesses about 
how new financial technologies could increase our control over 
our own information, better protect against cyberattacks, or 
make it easier for lenders to ensure they are following the 
law. And as traditional banks partner with technology firms, I 
think it is important for the Committee to consider where gaps 
in regulation might lead to future systemic risks.
    Thank you, Mr. Chairman, for holding the hearing.
    Chairman Crapo. Thank you, Senator Brown. And I agree with 
you this is not a partisan issue. We all want to get the 
benefits of what can be developed with this kind of increase in 
technological capacity. But there is significant concern about 
privacy and protection of data of our consumers that is agreed 
to on both sides of the aisle here, I believe.
    We welcome our witnesses here with us today. We have Mr. 
Steven Boms, the president of Allon Advocacy, on behalf of the 
Consumer Financial Data Rights association; Mr. Stuart 
Rubinstein, president of Fidelity Wealth Technologies; Mr. 
Brian Knight, director of the Innovation and Governance Program 
at Mercatus Center at George Mason University; and Ms. Saule 
Omarova, who is a professor of law and director of the Jack 
Clarke Program on the Law and Regulation of Financial 
Institutions and Markets at Cornell University.
    We again welcome all of you. We appreciate your being here 
to share your expertise with us. Your written statements will 
be made a part of the record. We ask you to please be very 
careful to pay attention to the 5-minute clock for your oral 
comments and as you are engaged in questioning. The Senators 
have a 5-minute clock, too, and sometimes they run right up to 
the last second for their last question, and when that happens, 
I ask you to be prompt in your responses to those questions.
    With that, Mr. Boms, you may begin.

 STATEMENT OF STEVEN BOMS, PRESIDENT, ALLON ADVOCACY, LLC, ON 
            BEHALF OF CONSUMER FINANCIAL DATA RIGHTS

    Mr. Boms. Thank you, Mr. Chairman.
    Chairman Crapo, Ranking Member Brown, and Members of the 
Committee, thank you for this opportunity to testify today on 
behalf of the Consumer Financial Data Rights, or CFDR, Group, a 
consortium of approximately 50 aggregators and FinTech firms 
united behind consumers' rights to access their financial data.
    My testimony this morning also represents the views of the 
Financial Data and Technology Association, or FDATA, of North 
America, which is the trade association urging the adoption of 
an open banking-like regime in the U.S., Canada, and Mexico.
    The CFDR Group and its members consulted frequently with 
the Treasury Department as it considered the current state of 
the FinTech market. Our engagement was principally focused on 
the crucial issue of consumer-permissioned financial data, 
which was an area of emphasis in the Department's report and 
which I would like to focus on today.
    A recent White House study concluded that 20 percent of 
adult Americans are underbanked by the traditional financial 
services system and almost 9 million households are entirely 
unbanked. For these consumers, third-party, technology-based 
tools can provide vital, affordable access to a financial 
system that has left them behind. These tools also help other 
Americans address the growing complexity of the financial 
system. Most consumers have multiple accounts across a variety 
of products providers. The most basic, fundamental first step 
toward financial health--understanding what one has and what 
one owes--can be needlessly difficult. Technology-powered tools 
can provide intuitive, accessible platforms that enable even 
the least financially savvy among us to manage their finances 
and improve their economic outcomes. The lifeblood of these 
tools is user-permissioned data access: the right of the 
consumer or the small business to affirmatively grant access to 
the application of their choice to connect to or see the 
financial data.
    Unlike in other jurisdictions globally, there is no legal 
requirement in the United States stipulating that a financial 
institution must make the consumer's a small business' 
financial data it holds available to a third party when the 
customer provides consent or whether restrictions on the 
consumer's access to that data are permissible. Consumers are 
dependent on the financial services providers with which they 
do business, with disparate outcomes for Americans who bank 
with different financial institutions. The lack of a cohesive 
framework also threatens American competitiveness and financial 
innovation internationally.
    The Treasury Department identified the key outstanding 
issues with regard to user-permissioned data access. I briefly 
highlight five Treasury recommendations for the Committee's 
consideration here, noting that I provide significantly more 
reaction in my written testimony.
    Number one, the Bureau of Consumer Financial Protection 
should affirm that third parties properly authorized by 
consumers fall within the definition of ``consumer'' for the 
purpose of obtaining access to financial account and 
transaction data.
    Though it may seem self-evident, Section 1033 of Dodd-Frank 
provides that the Bureau has the authority to promulgate a rule 
to ensure end users have electronic access to their online 
data. But the Bureau has thus far declined to do so. Treasury's 
affirmation that Dodd-Frank provides this right to consumers 
and small businesses, even in the absence of a Bureau 
rulemaking, represents a significant victory for innovation and 
for consumer and small business financial empowerment.
    Number two, all regulators should recognize the benefits of 
consumer access to financial account and transaction data in 
electronic form.
    One of the systemic disadvantages facing the FinTech 
ecosystem in the United States is the immense relative 
regulatory fragmentation that exists. There are at least eight 
Federal regulatory agencies with jurisdiction over some portion 
of financial data access. There are, of course, also State 
regulatory authorities. Treasury has called for all agencies to 
align behind its interpretation of Dodd-Frank Section 1033 as 
an important step toward a level playing field and one that 
could be hastened by congressional engagement.
    Number three, the Bureau should work with the private 
sector to develop best practices on disclosures and terms and 
conditions regarding consumers' use of products and services.
    The United Kingdom's Open Banking architecture includes 
prescriptive consent flows that ensure that a consumer's or a 
small business' experience granting or revoking consent to 
access their data to any third party is uniform. These open 
banking consent standards are an excellent starting point for 
creating best practices in the U.S. market.
    Number four, a solution must address resolution of 
liability for data access. The CFDR earlier this year released 
a set of principles, Secure Open Data Access, or SODA, which 
called for traceability, minimum cyberliability insurance 
standards, and other standards designed to ensure that the 
entity responsible for consumer financial loss as a result of a 
breach--be it a bank, an aggregator, or a FinTech firm--is the 
entity charged with making the end user whole for direct losses 
resulting from that breach. While CFDR members are implementing 
these principles, regulatory agencies and Treasury could 
augment and assist this work by undertaking efforts to create a 
more vibrant and affordable cyberliability insurance market.
    Number five, address the standardization of data elements 
as part of improving consumers' access to their data. While the 
CFDR Group and FDATA North America wholeheartedly agree with 
the Department's recommendation, I would respectfully submit an 
addendum. The standardization of data elements should be made 
available to the consumer to permit access to third parties of 
their choosing so that all data elements available to the end 
user in their native online banking environment is also 
available to the third party if the consumer consents. This 
approach would fully enable end users to leverage their own 
financial data to their economic benefit, and it would allow 
for the realization of a competitive, free marketplace in which 
consumers have full transparency into financial products and 
services offered by FinTech providers and financial services 
firms alike.
    Thank you again for this opportunity to testify. Though 
tens of millions of American consumers and small businesses are 
already utilizing third-party tools to improve their financial 
well-being, more can be done to harness the power of innovation 
safely and securely. We stand ready to work with this Committee 
to identify and implement Treasury's recommendations.
    Thank you.
    Chairman Crapo. Thank you, Mr. Boms.
    Mr. Rubinstein.

  STATEMENT OF STUART RUBINSTEIN, PRESIDENT, FIDELITY WEALTH 
           TECHNOLOGIES, AND HEAD OF DATA AGGREGATION

    Mr. Rubinstein. Thank you, Chairman Crapo, Ranking Member 
Brown, and Members of the Committee. My name is Stuart 
Rubinstein. I am president of Fidelity Wealth Technologies and 
head of Data Aggregation at Fidelity Investments. Fidelity is a 
leading provider of investment management, retirement planning, 
brokerage, and other financial services to more than 30 million 
individuals, institutions, and intermediaries with more than $7 
trillion in assets under Administration. We are strong 
supporters of FinTechs and are a major FinTech investor.
    I am appearing today to represent Fidelity with a specific 
focus on the topic of financial data aggregation. At Fidelity, 
we have a unique perspective. We are an aggregator ourselves, 
and we are also a source of data to aggregators who act on 
behalf of our customers.
    Fidelity is a strong believer in the benefits our customers 
receive when they can see a consolidated picture of their 
finances through aggregated data. We have offered aggregation 
services to our customers for well over a decade, and our 
customers have been able to access their Fidelity data through 
various third parties since the 1990s. But the cybersecurity 
environment has changed over time, and risks have become far 
more pronounced and must be addressed.
    First, most financial data aggregation that occurs today 
requires consumers to disclose their financial institution's 
user name and password to the third-party aggregator or 
FinTech. While this process may have worked in the past, it is 
now antiquated as there are new technologies that eliminate any 
such requirement. Because cybersecurity is of paramount 
importance, we believe that customers should not have to 
disclose their user name and password in order to access any 
third-party service.
    Second, aggregators using credentials may have access to an 
entire website or mobile app, which means they can access more 
data than may be necessary to provide their services. For 
example, a simple app that tracks your spending does not need 
to know your investment holdings, but it will have access to 
that under the current methods.
    Because of the advancement of cyberthreats, Fidelity and 
others in the industry have worked hard on developing a 
different approach to data aggregation that helps to protect 
consumers. At Fidelity, we have developed what we believe are 
five principles for empowering consumers to share their data 
safely with third parties.
    First, consumers should be able to access their financial 
account data where they want it and when they want it and 
through third parties if they so desire. The question becomes 
not if they can do it, but how.
    Two, access must be provided in a safe, secure, and 
transparent manner.
    Three, consumers should provide affirmative consent and 
directly instruct their financial institution to share data 
with specific third parties.
    Four, third parties should access only the financial data 
that they need to provide their product or service. This should 
not be a Trojan horse for the gathering, accumulating, and 
reselling of consumer data.
    And, five, consumers should be able to monitor those 
account access rights and direct their financial institution to 
revoke that if they so desire.
    In an effort to back up these words with actions, Fidelity 
announced in November of 2017 a new service based on these 
principles called ``Fidelity Access.'' Fidelity Access will 
allow Fidelity customers to provide third-party access to 
customer data through a secure connection without providing 
log-in credentials to any third party. We have also been 
working with policymakers and industry groups to advance these 
principles and are pleased that many have taken thoughtful 
approaches to this problem.
    Finally, I would be remiss if I did not mention the most 
difficult issue standing in the way of wider adoption of safer 
data-sharing technologies: the issue of responsibility. We 
believe companies that collect and handle financial data should 
be responsible for protecting that data and making customers 
whole if misuse, fraud, or theft occurs. As we have been 
discussing Fidelity Access, we have seen aggregators try to 
limit their liability, some to very small dollar amounts. 
Fidelity believes firms that obtain and handle consumer 
aggregated data should be held responsible to protect that data 
from unauthorized use just as we are. Any other standard 
creates moral hazard and does not incentivize aggregators to 
take their data stewardship responsibilities seriously.
    Thank you again for the opportunity to testify before you 
today. I look forward to answering your questions.
    Chairman Crapo. Thank you, Mr. Rubinstein.
    Mr. Knight.

STATEMENT OF BRIAN KNIGHT, DIRECTOR, INNOVATION AND GOVERNANCE 
      PROGRAM, MERCATUS CENTER AT GEORGE MASON UNIVERSITY

    Mr. Knight. Thank you, Chairman Crapo, Ranking Member 
Brown, and Members of the Committee. My name is Brian Knight, 
and I am the director of the Innovation and Governance Program 
at the Mercatus Center.
    Whether it is a loan to deal with an emergency, moving 
money to a loved one in need, or capital to build a business, 
access to high-quality financial services is essential. 
Technological innovation in financial services, or FinTech, has 
the potential to significantly improve this access.
    As the Treasury Department notes, one area where technology 
may dramatically change financial services is in the collection 
and use of data. Technology advances allow financial services 
firms to obtain more data from consumers and process the data 
in new ways, with the goal of providing more accessible, 
inclusive, and cost-effective options. While it is early, there 
are encouraging signs that innovation is, in fact, helping 
consumers. These include innovative products giving consumers 
more transparency as to their finances and allowing lenders to 
offer potential borrowers better-quality credit through 
innovative underwriting.
    There is also indication that technology is making credit 
markets less discriminatory. This is promising. But there have 
also been concerns raised about potential risks to consumers, 
including risks of privacy and discrimination. These concerns 
should be taken seriously, and we should react appropriately. 
But we should be loath to rush into regulation without being 
certain that new regulation is necessary.
    As we assess what the Government response to technological 
innovation should be, we should keep a few things in mind.
    First, we should judge an innovation compared to the status 
quo, not perfection. Innovative financial service products will 
not be perfect, but they may be better than the alternative. 
Imposing unduly burdensome regulation that hampers innovation 
and competition may ultimately be more harmful to the very 
consumers that regulation seeks to protect.
    Second, we should acknowledge that existing regulations may 
address new risks. For example, the requirement that a lender 
be able to explain why it took an adverse action could mitigate 
against a concern that algorithmic underwriting will be unduly 
opaque. There are existing regulatory incentives as well as 
market incentives for companies to ensure their products are 
fair and appropriately transparent.
    Third, we should be open to the possibility that in some 
cases the current regulatory system is, in fact, overly 
burdensome. There may be cases where the costs of regulation 
now exceed the potential benefits or where a regulatory 
structure that made sense in the past has been overtaken by 
market developments. This does not mean that new regulation may 
not sometimes be needed, but as technology changes what is 
possible with financial services, the optimal level or type of 
regulation may change.
    FinTech offers exciting possibilities for better, cheaper, 
and more inclusive financial services. We should be mindful of 
the risks posed, but we should not overreact. Instead, we 
should work to ensure that the legal and regulatory system 
facilitates innovation and competition while preserving 
consumer protection so that Americans can obtain the best 
financial services possible.
    I look forward to our discussion, and thank you for your 
time.
    Chairman Crapo. Thank you, Mr. Knight.
    Ms. Omarova.

STATEMENT OF SAULE T. OMAROVA, PROFESSOR OF LAW, AND DIRECTOR, 
    JACK CLARKE PROGRAM ON LAW AND REGULATIONS OF FINANCIAL 
          INSTITUTIONS AND MARKETS, CORNELL UNIVERSITY

    Ms. Omarova. Senators, thank you for inviting me to testify 
here today. My written testimony lays out the details of what I 
have to say, so let me focus on a few big-picture points.
    FinTech is by far the hottest topic in today's finance. 
Cryptography, cloud computing, big data analytics are changing 
financial markets by making transacting faster and easier to 
automate and scale up. We have just heard arguments emphasizing 
the immense societal benefits of these changes as long as 
FinTech innovations are not stifled by outdated regulations.
    Let us put these arguments in context. It is quite symbolic 
that we are convened here today almost exactly on the tenth 
anniversary of Lehman Brothers' failure that triggered the 
global financial crisis. I do not have to tell you, Senators, 
what a calamity that crisis was. You lived through that crisis. 
And for years before the crisis, you and your colleagues 
probably sat through many hearings just like this one listening 
to many confident and articulate gentlemen with impeccable 
industry credentials tell you that you should not let outdated 
regulations stifle financial innovation. They told you and the 
American public that innovative products like derivatives and 
subprime mortgage loans were making the financial system more 
efficient, resilient, and democratic by enabling better risk 
management, expanding consumer choices, and making credit 
available to low-income Americans. And so risky derivatives and 
predatory subprime loans were allowed to grow unregulated until 
they crashed the financial system 10 years ago.
    Today the same rhetoric of financial innovation and 
consumer choice that brought us the crisis of 2008 returns to 
the center stage in the policy debate on FinTech. Of course, 
this time it is different. It is not about derivatives, but 
about crypto assets. It is not about predatory subprime 
lending, but about marketplace lending--once again new 
technologies promising to make the system more efficient, 
resilient, and democratic: to expand consumer choices and to 
give low-income Americans access to financial services.
    The Treasury report adopts this rhetoric and translates it 
into a strategy of significant deregulation in the U.S. banking 
sector, meant to enable banks to form large-scale business 
partnerships and even outright corporate affiliations with 
technology companies.
    For example, the report advocates for a significant 
rollback of existing regulations in order to make it easier for 
the banks to give unaffiliated tech companies, data 
aggregators, cloud service providers, and various FinTech firms 
much more direct access to their customers' account and 
transactional data.
    Currently banks are reluctant to allow data-mining 
businesses to get the direct feed of their depositors' account 
data because regulations make banks ultimately responsible for 
the handling of sensitive customer information. For the same 
reasons of regulatory compliance and liability, banks are 
currently cautious about moving all of their data to the cloud 
operated by a third party.
    The Treasury characterizes this as a bottleneck in the flow 
of financial information and calls for a concerted regulatory 
effort to push banks to share their customer data and to 
outsource its management to third parties much more freely. The 
claim here is that allowing unaffiliated tech companies to 
access, host, and manage bank data will make financial services 
faster and cheaper for all consumers and give consumers control 
over their financial affairs.
    Of course, banks will benefit from being able to reduce 
their operational and compliance costs and potentially 
increasing their revenues by charging aggregators for direct 
feeds of customer data. And consumers will get the convenience 
of living in a seamless virtual space where all FinTech apps 
can just magically connect to all of their bank accounts. But 
this will also expose consumers to tremendous risks. Imagine 
that your personal bank account data, transaction history, and 
other sensitive information previously managed by your local 
bank is now stored in the cloud and shared directly and in real 
time with multiple data-collecting companies. These companies 
are not regulated under a bank-like regime with dedicated 
supervisors making sure that the data is safe and secure, that 
these companies maintain strong operational controls and do not 
misuse sensitive consumer information. In this environment, it 
is easy to imagine not just one but many Equifax-style 
catastrophes occurring far more frequently and with far more 
devastating consequences.
    This is, in fact, a particular kind of a broader problem 
that our system of bank regulation has jealously guarded 
against since the 19th century: the potential for excessive 
concentration of financial and market power, if banks are 
allowed to engage too intimately with nonbank commercial 
businesses. This separation of bank and commerce remains a core 
principle of U.S. banking law to this day. The Treasury report, 
however, calls for measures that will directly undermine this 
longstanding and sensible regime.
    What it frames as low-key technical fixes to how regulators 
apply banking laws is, in fact, opening the door to de facto 
FinTech conglomeration. If allowed, this new platform trust 
will be able to monopolize the flow of both money and 
information and effectively take control of our lives not only 
as economic actors but also as citizens.
    The American Republic of George Washington and Teddy 
Roosevelt was never meant to become a dystopic company town of 
this kind. As you are deliberating on FinTech as a public 
policy matter, I urge you to stand on guard and not let this 
become even a remote possibility.
    Thank you.
    Chairman Crapo. Thank you, Ms. Omarova.
    I will start my questions with you, Mr. Knight. While 
innovations in data have brought many benefits, it has also 
become known that firms may be, in fact I think are, using this 
data to drive social policy and to restrict access to entirely 
legal, in fact sometimes constitutionally protected conduct and 
do this for reasons of trying to influence social policy 
unrelated to safety and soundness or other concerns that would 
make these targeted groups unfit to do business with.
    Do you think this presents a problem?
    Mr. Knight. Thank you, Senator. I do, and I think it 
presents a couple of problems. The first one, to key in on the 
data point, is to the extent that a financial institution is 
collecting data that relates to a sensitive or private matter, 
and particularly the more granular the data collection is, the 
potentially more harmful a breach would be. Information that is 
relatively innocuous at one level of detail can become 
extremely damaging at another level of detail. And, of course, 
depending on how much microtargeting, if you will, the bank is 
doing and the level of detail that the bank has stored, if that 
data is breached, that data is now available and people can be 
harmed more than had the data been recorded at a less granular 
level.
    The second and, I think, bigger issue that we are dealing 
with here is I think our starting point should be that a 
business can choose to do or not do business with anyone they 
want for whatever reason they want in a free market, and then 
we are going to narrow that for some compelling societal issues 
like antidiscrimination. The problem is banks are not a free 
market. For banks, because of public policy, there are barriers 
to entry; there are barriers to exit; there is significant 
subsidy. And so banks derive part of their market power from 
public power. And so when they choose to use their market power 
in an effort not to do what they have been charged to do, which 
is effectively intermediate credit or provide savings, but 
instead try to insist or de facto regulate the American people 
in a social policy setting, they are not using their market 
power. They are using public power. And the people who are on 
the receiving end of that do not have the same market 
protections that they would in a freer market.
    You know, let us take an example of YouTube, which will 
periodically say, ``We will not cover certain types of videos 
for social policy reasons.'' Well, you can stand up a YouTube 
competitor tomorrow. You do not need a Government-granted 
discretionary charter. And if you were to stand up a competitor 
to YouTube, YouTube does not get special access to Government 
Internet. It does not get insurance. It does not get loans from 
the Government. There is not a presumption that if YouTube is 
about ready to fail, the Government will bail it out, which is 
something that banks enjoy versus their nonbank competition, 
and that increases the ability of banks to throw market power 
around that is not derived from anything other than Government 
power.
    Chairman Crapo. Well, thank you, and I share those 
concerns.
    I want to shift a little bit here, and to you, Ms. Omarova. 
I appreciated your testimony on some of the positive aspects 
that FinTech offers consumers. But some of the concerns that 
you raise are also concerns that I share.
    There is an article in today's Wall Street Journal that 
highlights this intersection, and this is the title of it: 
``Facebook and Financial Firms Tussled for Years Over Access to 
User Data''. This follows an August article in the Wall Street 
Journal entitled, ``Facebook to Banks: Give Us Your Data, We 
Will Give You Our Users''. The article suggests that data 
privacy is a sticking point in these conversations.
    Can you discuss the data privacy concerns and the need to 
better understand what kind of data is being collected and used 
and how such data is secured and protected? And I only have 
about a minute left in my time, so I----
    Ms. Omarova. I think this article actually highlights 
precisely what is at stake here. This is not what the Treasury 
report is suggesting: it is not so much about what current data 
aggregators do with data today. It is about companies like 
Facebook, and it just shows that those big tech companies, 
platform companies that use information as currency in their 
businesses, once they get their hands on the data, on the 
sensitive bank customers' data, in any way for any reason, they 
will try to use that data to increase their revenues in a 
variety of spheres. And it will be extremely difficult to 
actually check how they use the data. They use proprietary 
algorithms to basically hide that from us. And who is going to 
oversee it? Who regulates Facebook for these kinds of issues? 
Nobody does.
    I am glad that Bank of America and Wells Fargo refused 
Facebook access to their bank customers' data, but I do not kid 
myself for a minute that they have done it out of some kind of 
moral respect for customer privacy. They have done it because 
of the regulations that apply to them today. If we remove those 
regulations, then all of our sensitive financial data will be 
open to companies like Facebook and we will not know how it 
will be used.
    Chairman Crapo. Well, thank you, and I share those concerns 
as well.
    Mr. Rubinstein and Mr. Boms, I am out of time, but I am not 
out of questions for you. I might have to submit them if we do 
not get another opportunity.
    Senator Brown.
    Senator Brown. Thank you, Mr. Chairman.
    Ms. Omarova, thank you for mentioning the tenth 
anniversary. There is, as I remind many of my colleagues here, 
a bit of collective amnesia on this dais and in this Senate, 
and thank you for always reminding me of that.
    I have three questions I would like to get through, and I 
am going to start with you, Ms. Omarova, and if you would give 
answers as close to yes or no as you can, I will start with her 
on each of the questions and move from my right to my left.
    The Treasury Department and much of the financial industry 
argue that consumers should have the right to share their 
financial data with any third party of their choosing. Do you 
think this should include the right for consumers to require 
that a FinTech or a data aggregator erase all information at 
that consumer's request?
    Ms. Omarova. Yes, absolutely. And, you know, we have to 
keep in mind, though, that this rhetoric of consumer choice and 
consumer's right to share the information also implies the 
firm's right to share their information, and that is what we 
need to guard against.
    Senator Brown. Mr. Knight.
    Mr. Knight. Yes, subject to reasonable considerations like 
law enforcement.
    Senator Brown. OK. Mr. Rubinstein.
    Mr. Rubinstein. Yes, absolutely. Consumers should 
understand why they are sharing their data, and share it for a 
specific purpose. When they no longer have that purpose, they 
should be able to stop sharing it and have it deleted.
    Senator Brown. Mr. Boms.
    Mr. Boms. Agreed, subject to applicable regulations and 
laws.
    Senator Brown. Thanks.
    Ms. Omarova, it is hard for consumer to understand all the 
ways that financial data might be used by a company they share 
it with. Should there be legal limits on how aggregators use 
the consumer's financial information in addition to consumer 
identified limits?
    Ms. Omarova. Yes, absolutely. Basically, data aggregators 
and other data platform companies like Facebook should not be 
allowed to engage in a form of ``insider trading'' once they 
get access to customer data in one context so they could use it 
another context.
    Senator Brown. Mr. Knight, legal limitations?
    Mr. Knight. I believe the limitations should revolve around 
disclosure and the fact that any consent is knowingly given and 
the consumer has rights to terminate that consent at any time.
    Senator Brown. Mr. Rubinstein.
    Mr. Rubinstein. Yes, I would agree with that. I think 
really under a disclosure with explicit consent so the consumer 
knows what they are getting into, really understands it, and 
can control it. I do not know that we need a specific legal 
limitation, though.
    Senator Brown. Mr. Boms.
    Mr. Boms. I would echo what the past gentleman said with 
the additional addendum, which is we as an industry, not just 
FinTech but the financial industry, can and should do a lot 
better on conspicuous disclosures.
    Senator Brown. OK. So you are saying legal limits. You are 
saying disclosure should be the emphasis.
    Last question. Companies like Google and Facebook collect 
enormous amounts of personal information. They also influence 
what information consumers are exposed to. For example, 
Facebook might show payday loan advertisements to 
servicemembers or to minorities, but not its other users. 
Should fair lending laws be updated to cover not just providing 
credit products but also their targeted advertisements on 
social media platforms? Ms. Omarova.
    Ms. Omarova. Yes, absolutely. Algorithmic opacity raises a 
new spectrum of discrimination concerns, and we have to guard 
against that.
    Senator Brown. Mr. Knight.
    Mr. Knight. Senator, that is a great question, and I do not 
know if I can give you an answer in the time limit you would 
want. If you would like to submit a QFR, I am happy to answer 
it.
    Senator Brown. I will do that. Thank you.
    Mr. Rubinstein.
    Mr. Rubinstein. Senator, I am sorry. I am not an expert in 
fair lending, and I probably cannot respond to that question.
    Senator Brown. Could I still send a letter to you and have 
people at Fidelity answer it?
    Mr. Rubinstein. You can send the letter. We can try. We are 
not lenders, so I do not know that we would have a good answer 
on that one for you.
    Senator Brown. OK. Mr. Boms.
    Mr. Boms. Senator, I would echo, I would be happy to 
respond in writing. It is not smuggling that we have discussed 
with our members.
    Senator Brown. OK.
    Fourth question. Thanks for your promptness, all of you. 
The biggest four banks control about 45 percent of bank assets. 
According to your testimony, Facebook and Google together 
capture between 59 and 73 percent of the online advertising 
revenue in the U.S. Do you think the Treasury report's 
recommendation, which many of you have cited, favorably would 
benefit the large incumbents or would increase competition? Ms. 
Omarova.
    Ms. Omarova. Well, the increase in competition is another 
good rhetorical choice to, you know, promote deregulation. But, 
in reality, both the financial sector and the tech sector are 
the businesses where economies of scale and economies of scope 
are extremely important. So in reality, what the Treasury 
report wants us to have is the maximum scale and maximum scope 
of these conglomerates.
    Senator Brown. So it would benefit the larger----
    Ms. Omarova. It would benefit the large incumbents.
    Senator Brown. Mr. Knight.
    Mr. Knight. Senator, I believe that it would actually be 
potentially a mixed benefit. In some cases the largest 
companies would benefit; in some cases the ability of smaller 
financial institutions to plug into large data providers may 
allow them to compete with larger financial services companies.
    Senator Brown. Mr. Rubinstein.
    Mr. Rubinstein. Yes, Senator, the Treasury report refers to 
APIs, which is tech speak for more secure data-sharing methods. 
I do believe that they actually increase competition. With 
respect to standards, small companies only need to build to one 
API standard to plug into many interfaces, so, yes, I do think 
it helps competition.
    Senator Brown. It would certainly be working against 
trends, but, Mr. Boms.
    Mr. Boms. And, Senator, I would just say on behalf of many 
smaller financial technology firms, not the Facebooks or 
Googles of the world, there is a very strong view that this 
would promote competition.
    Senator Brown. So the smaller guys think it would promote 
competition?
    Mr. Boms. Yes, that is correct.
    Senator Brown. Thank you.
    Chairman Crapo. Senator Rounds.
    Senator Rounds. Thank you, Mr. Chairman. First of all, 
thank you all for being here today.
    One of the common threads that I have noted throughout each 
of your testimonies was the importance of data breach or data 
security in FinTech. I am really curious about the issue of the 
importance of or the challenges of a national data breach 
standard.
    A number of businesses and trade associations have called 
for Congress and the Federal Government to step in and to 
establish one unified data breach standard so businesses could 
operate across State lines; they would not be forced to comply 
with a patchwork of different regulations. In addition, my 
colleague in the House, Congressman Blaine Luetkemeyer, 
recently released the Consumer Information Notification 
Requirement Act. This legislation, which has passed the House 
Financial Services Committee, would require Federal regulators 
to establish a national unified data breach standard.
    On the other hand, 31 State Attorneys General have released 
a letter opposing a prior version of a data breach bill in the 
House because it would preempt State laws.
    I would like your thoughts, first of all, on what we are 
discussing right now coming out of the House. And, second of 
all, is a national standard necessary? And if so, how do we 
balance that with State interests? Who would like to begin?
    Ms. Omarova. Let me take this on. I think, as a general 
matter, just because a particular standard is unified, 
universally applied, and easier to understand does not 
necessarily make it the better standard. It depends on what the 
standard is, qualitatively.
    We have the Federal system of regulation in this country 
because we believe in the checks and balances. Sometimes State 
consumer protection laws have to step in more effectively to 
protect us consumers from abuse by large companies. And 
sometimes the Federal laws do a better job by basically, you 
know, creating an even playing field for everybody else.
    So, my response to that would be it is not necessarily a 
bad idea to have a unified standard, but the key to that would 
be that that standard creates the maximum protection for the 
customer's financial data from various abuses that would likely 
ensue if we take State authorities completely out of the game.
    Senator Rounds. Thank you.
    Other thoughts?
    Mr. Rubinstein. I am happy to respond, Senator.
    Senator Rounds. Please.
    Mr. Rubinstein. Thank you for the question. We do support a 
Federal breach notification. While a large firm like ours can 
stay on top of the various State laws, speed is often very 
necessary in a breach notification. Being able to understand 
one law and being able to respond quickly to that I think 
enhances consumer protection, and gets customers and regulators 
just notified faster.
    Senator Rounds. Other thoughts?
    Mr. Boms. Senator, if I may, I would just add I think 
certainly you would find broad support within the FinTech 
ecosystem for a national standard, provided that it was strong 
enough and provided the right consumer protections.
    Just to juxtapose that with the ecosystem that we have 
today, it is very inconsistent from a regulatory perspective. 
We have CFDR members who are, for example, FFIEC supervised and 
examined as third-party vendors to large financial 
institutions. We have other FinTechs who are State regulated, 
and so who are not subject to the prudential bank regulatory 
oversight. And so one standard that encapsulates best practices 
I think would be welcomed.
    Mr. Knight. Senator, I cannot speak to Representative 
Luetkemeyer's bill specifically, but I would also say that when 
assessing whether or not a Federal standard makes sense, some 
other things to think about are whether or not the patchwork of 
regulations is generating inefficiency that ends up costing 
consumers money; whether or not there is a disparate treatment 
among competitors, so some people get to leverage one standard, 
some people get to leverage a different standard;, and third, 
whether or not we are seeing citizens being de facto regulated 
by other States to a significant degree because, of course, you 
know, if you are a national player, you are going to comply 
with California even if someone in Wisconsin maybe would not 
support that standard.
    One of the potential advantages of a Federal standard is 
that there is broader political representation in setting it 
and everyone gets a seat at the table, even if you do not end 
up winning.
    Senator Rounds. Is there a process today where a lot of 
these States that have individual offices, in particular 
Attorneys General offices and consumer offices, to where they 
have--do they have an association, so to speak, where they can 
speak with a unified voice in terms of what should be part of a 
core of a national standard that you have worked with?
    Mr. Knight. Well, I have not worked with them on this 
topic, but the National Association of Attorneys General may be 
a place to go. They do work together both on advocacy and on 
enforcement through multi-State enforcement actions.
    Senator Rounds. Any of you worked with any one of your 
associations? No? OK. Thank you.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Rounds.
    Senator Reed.
    Senator Reed. Well, thank you, Mr. Chairman. And thank you 
for your excellent testimony.
    Mr. Rubinstein, thank you. Very thoughtful comments. We 
appreciate it. You point out in your written testimony that 
there are significant benefits, but there are also, as you say, 
very real cybersecurity and privacy risks. Can you project or 
let us know what your fears are about sort of the big problems 
that are out there lurking?
    Mr. Rubinstein. Senator, thank you for the question. Number 
one is the issue of credential sharing, people giving away 
their IDs and passwords. Today when FinTechs or aggregators 
show up at our front door, they log in typically with robotic 
activity. It is robots that impersonate the customer, 
basically, same as you sitting at your keyboard typing in your 
ID and password. That only gives access to data, and some of 
that data may be private which you did not intend to share. But 
it also can give access to transactions. If you think about 
that, what does that mean? It means that potentially a robot 
can come in and move your money to somewhere else. That is a 
risk from having just open access to the website, which the 
current methods have.
    It is difficult for a financial institution to know that 
that is a robot coming in because it looks just like a 
customer. It is also difficult for the customer then to come 
back later and say, ``I did not authorize that activity,'' 
when, in fact, they actually gave their ID and password to a 
third party. Those are real risks that we think about each and 
every day.
    Senator Reed. Thank you very much.
    The other aspect of this is that we are at the beginning of 
a huge wave. Eventually the aggregation of data will go way 
beyond just sharing financial information from an institution 
with customers of a place like Facebook. It will go to all the 
information they collect: what websites you are looking at, 
maybe what potential pharmaceuticals you are ordering, et 
cetera. The financial decisions that are being made may not be 
being made by even individual human beings, and they might not 
be made in the financial institutions. It will be a machine 
that is sharing all this data. Is that something that you are 
concerned about?
    Mr. Rubinstein. I think there are great concerns with data 
that flows without the customer's knowledge and affirmative 
consent. So I think, you know, all that comes in.
    However, we do firmly believe in the customer's right to 
share their data. It is their data. If they understand that it 
is being shared, understand how it is being used, frankly, if 
they want to participate in selling that data, let them 
participate. Hopefully they will get rewarded for that. But 
they should be able to turn it off at any time, too.
    Senator Reed. So in one concept there is the notion that--
and I think we have said it before--there has to be an opt-in 
and opt-out, not just a generic one when you sign up, but 
constantly as the situation changes; that if there is value in 
your data, then somehow the customer should be able to realize 
that value, or at least make the decision based upon, you know, 
I am giving something up or I am getting something. And then 
the notion of erasing data is critical. Do you agree?
    Mr. Rubinstein. Yes, Senator. Take Fidelity Access, as I 
mentioned earlier in my comments, as an example. When we use 
that, a customer can actually have a dashboard that they can 
see which third parties they have granted access to their data, 
so they can monitor that on an ongoing basis and with a single 
click be able to revoke that consent.
    Now, that only works--and many financial institutions are 
building similar things. That only works on the financial 
institution side. Once a consumer shares their data with a 
third party, we do believe that they should be able to get that 
erased. But that is actually between the third party and the 
consumer.
    Senator Reed. That is where we have to step in and provide 
some type of sensible rule so they can do that. Correct?
    Mr. Rubinstein. I think so, yes.
    Senator Reed. Ms. Omarova, in this deregulatory climate, 
which more and more is going to be left to the market, isn't 
that an argument for giving people the right to go to court if 
they feel aggrieved, even more so than today, giving people a 
private right of action if they feel aggrieved?
    Ms. Omarova. I suppose so. I think in general, because of 
the complexity of the environment with which we are dealing 
today and because of the complexity of understanding exactly 
what kind of personal data is available to whom and how it 
could be used and the difficulty of monitoring all of that use, 
I think absolutely every lever of control over the use of that 
data by the big tech companies, especially, should be utilized.
    Senator Reed. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Crapo. Senator Perdue.
    Senator Perdue. Thank you, Mr. Chairman.
    One of the unintended consequences of the Dodd-Frank law 
was I think it spawned probably--and it is arguable--the 
greatest period of bank consolidation in U.S. history. We have 
lost 1,700 banks in the last decade, and virtually no new banks 
have been started. So I have got a question.
    In that environment, Dr. Omarova, you mentioned earlier--I 
have a question for Mr. Knight first, but I want to come back 
to you on a second question. But Dr. Omarova talked about 
aggregation, the bigger the banks get, the more important this 
aggregation of data becomes. I am concerned that today in that 
environment of consolidation we have six examining agencies 
charged with consumer financial protection. One of those is the 
CFPB. We had the Acting Director before this Committee a couple 
months ago tell us there have been at least 240 breaches of 
data that they are investigating and possibly as many as 800. 
Any one of those could be worse than the Equifax breach.
    So the question I have, as we talk about--Mr. Knight, you 
talk about accessing this data can help banks actually improve 
services, particularly for people who are underserved today, 
and I agree with that. But this unified national data security 
standard, as we are talking about, breach notification that I 
think we all agree on, how would that apply in your mind to 
these Federal examining agencies that have access to this same 
data?
    Mr. Knight. I apologize. If I understand your question, is 
the concern that there is going to be a breach at the agency 
level?
    Senator Perdue. Yeah, we have already been told--there are 
240 CFPB known breaches today, 800 they are investigating, any 
one of which could be worse than the Equifax breach.
    Mr. Knight. I absolutely share that concern, and I think 
that the challenge is if you allow any entity to access data, 
be it the bank or be it a Federal agency, there is that risk. 
And I think that while there are concerns and tools available 
to punish banks in the case of a breach or Equifax in the case 
of a breach--and we can debate whether or not those tools are 
adequate--it is harder in many respects to go after an agency 
due to issues like sovereign immunity.
    Senator Perdue. But should they be held to the same 
standard of data protection that commercial interests are?
    Mr. Knight. At least the same standard, Senator.
    Senator Perdue. Thank you.
    Dr. Omarova, I have a question about where the United 
States sits with our regulatory environment relative to other 
countries. In Kenya, for example, 93 percent of Kenyans have 
access to a bank account through M-PESA, a mobile phone-based 
money transfer and microfinancing service in China. Alibaba--I 
was on a visit with Alibaba and Tencent a couple months ago in 
China. They help facilitate $12.8 trillion in mobile payments 
in China. They have leapfrogged us and our technology here. No 
matter what we think of our FinTech, a lot of these innovations 
were developed here, but we are slow adopters somehow in the 
United States. Are we falling behind places like the U.K., 
Kenya, and China in terms of the adoption of this technology 
and FinTech?
    Ms. Omarova. Well, Kenya is very different, has a very 
different financial services market than we do here. They do 
not have an actual banking system.
    Senator Perdue. But the U.K. is very similar.
    Ms. Omarova. I will get to that in a second. And in Kenya, 
by the way, the success of their mobile banking was built on 
the central bank and the major telephonic provider banding 
together. So the State was critical to providing the service to 
everybody else.
    China, yes, China has Alibaba, which is competing with our, 
you know, PayPals and Facebooks and what have you. Again, in 
China, the State apparatus is so strong that China can control 
whatever those companies do, and that is a critical factor.
    The U.K., we always hold up the U.K., especially the 
industry does, as this sort of principles-based, much more 
market friendly, much smarter kind of regulator type 
environment. But, remember, before the crisis, I worked in the 
Treasury, and we were doing reports about how the Financial 
Services Authority was so much better than our regulators were 
in terms of allowing financial innovation to go forward. And 
then the crisis hit. Where is the Financial Services Authority 
now? I am not so sure that the Open Banking Initiative in the 
U.K. is actually achieving the benefits that it was promising.
    So I think what we should look for is not so much how, you 
know, industry-friendly or deregulatory a particular country's 
environment is. I think we should look at our market structure 
and the concentrations of power in the tech industry and the 
financial sector in our country.
    Senator Perdue. And that is my question. I have to gauge 
this against other standards and other performances, and so are 
we falling behind the adoption of these technologies relative 
to consumer protection and consumer access to banking services? 
And I would welcome anybody's response to that.
    Ms. Omarova. I do not think we are falling behind. I think 
we are taking a more cautious approach simply because we have 
probably much more to lose.
    Senator Perdue. Very good. Anybody else?
    Mr. Boms. Senator, I would just add we should not discount 
the vibrancy and resilience of the U.S. market, which obviously 
stands way above other markets.
    That said, the lack of consistency and clarity in the 
regulatory and legal framework in the U.S. with regard to data 
access presents a potential future competitive risk for the 
U.S. market.
    Senator Perdue. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Warner.
    Senator Warner. Thank you, Mr. Chairman.
    I want to follow up where Senator Perdue was at, Mr. Boms, 
with what the Europeans are doing, with what the Brits are 
doing. How does this affect, again, our market's ability to 
stay competitive in what is obviously a global field?
    Mr. Boms. Sure, Senator. It is very early days. PSD2 and 
Open Banking in Europe and the U.K. just went live on the 13th 
of January this year. There was a conformance period that will 
last until September of next year. So we are in this transition 
period. But we are seeing adoption of Open Banking APIs by 
consumers in the U.K., for example, increase 50 percent month 
over month. So, clearly, there is interest in adoption of these 
tools.
    We are seeing significant investment into the FinTech 
market in London. It is not because the cost of living or taxes 
are low. It is because there is a clear regulatory framework 
and a legal framework for how these tools can be deployed, 
proscriptive consent and disclosure flows that consumers have 
come to expect and are aware of.
    So I do not think it is an imminent threat, but I do think 
if we do not get our house in order in the relative near term, 
it could become a threat.
    Senator Warner. One of the things I--and related to this, 
while not the direct topic today, you know, there is a group of 
us, bipartisan, that have been working for now 3\1/2\, 4 years 
to try to at least standardize data breach legislation. The 
fact that we have got 49 or 47 different data breach 
legislative laws--this is different than data portability, but 
I would hope you would think that some level of Federal 
leadership on data breach would be important as well.
    Mr. Boms. Absolutely, Senator, so long as the floor that it 
establishes provides sufficient consumer protection.
    Senator Warner. Right, and that is, I think, what we have 
done. Frankly, it has been some of--I was from the telecom 
business before. It is my old industry that has been some--
everybody is for data breach legislation, but then they all 
want a carveout for their specific industry, and that is not 
going to end up being, I think, the way we get there. 
Unfortunately, those efforts have lagged a little bit in the 
last 8 or 9 months, and I think as we think about this, we have 
got to think holistically. And, Ms. Omarova, that is where I 
want to go to my question with you. I am a big advocate around 
data portability, and I think Senator Brown may have indirectly 
raised this question already. In my efforts on the Intelligence 
Committee, where we are looking at the social media firms who 
have these platforms, who have enormous, enormous power and 
growing power, if we deal with data portability in the FinTech 
space alone but do not deal with data portability in terms of 
our individual personal data, if we are not able to move from 
Facebook to another enterprise and make it easy and allow our 
cat videos to move easily as well, we are really not going to 
be able to have the type of competitive market, I think, in 
that field.
    I would just like you to comment on the need to not only 
get this right in the FinTech, in the financial arena, but more 
broadly based.
    Ms. Omarova. You are absolutely correct. Information is the 
currency in the digital economy, and, you know, it takes many 
forms and it flows through many, many markets for many, many 
goods and services, not just financial markets but markets for 
other types of data. And it is a structural problem. I 
understand the concerns with competitiveness, and I am 
completely in favor of allowing consumers to move freely 
between different apps and utilize various information in ways 
that serve their interests. But the problem here is that you 
have to understand that, structurally speaking, financial 
institutions are sitting on the type of information that 
presents, you know, a much heightened danger of misuse, and 
this is where we should be particularly careful with respect to 
FinTech and how the financial information is moving 
structurally in these markets and probably deal with the 
broader issues of data protection outside the financial sector 
and perhaps antitrust issues as well, because those are serious 
structural issues that exist everywhere in the big tech sector 
separately.
    Senator Warner. My concern is that what--and this Committee 
has looked in terms of Russia sanctions, what happened in 2016, 
where Russia intervened, but what I see as the next iteration 
is that someone will come in and break into nonprotected 
personal financial data, as they did with Equifax, and Senator 
Warren and I have a bill, and it is, I think, a travesty that 
we are a year later and there still has been no penalty paid by 
that company. But they will break in, get personal information, 
contact any of us as an individual, and then what will pop up 
with be what is called a ``fake video,'' and it will be 
somebody that looks like Senator Brown, but it is not actually 
Senator Brown live stream video. And the combination to wreak 
havoc there not only on the political side but on the market 
side is really huge, so we have to solve this issue not just 
for financial data portability but across the board.
    Ms. Omarova. Oh, that is absolutely correct. That is 
absolutely correct.
    Senator Warner. Thank you.
    Chairman Crapo. Thank you.
    Senator Cortez Masto.
    Senator Cortez Masto. Thank you, and thank you, Mr. Chair 
and Ranking Member. Obviously, this is an important discussion, 
and thank you all for being here today. It is a great 
conversation.
    I echo my colleague Senator Warner. I think we have to look 
at this in a holistic approach. I think what I have heard 
today, we all agree we have got to address the data privacy, 
security, and consumer protection piece of this, but this is 
emerging technology. It is not going away, and we are going to 
have to figure out at a Federal level how we address this, but 
also, I believe, incorporating State laws in the States as 
well. They have to be a part of this discussion.
    So let me ask you this, because we received a letter from 
the National Association of federally Insured Credit Unions, 
the Committee did. One statement the association makes is that, 
``As new companies emerge and compete in this area, it is 
important that they compete on a level playing field of 
regulation, from data security to consumer protection.'' Would 
each of you agree with that statement?
    Mr. Boms. Senator, yes.
    Mr. Rubinstein. Yes, absolutely. Whoever holds consumer 
data should be held to the same standards.
    Mr. Knight. Yes.
    Senator Cortez Masto. Thank you.
    Ms. Omarova. Well, yes, it is generally a good principle.
    Senator Cortez Masto. And that level playing field of 
regulation does not mean that we roll back regulation, does it?
    Mr. Boms. Senator, from my perspective, no, it does not. It 
means that we make the regulation consistent across the various 
regulators who have some stake in this.
    Senator Cortez Masto. Thank you.
    Mr. Rubinstein. Yes, I would agree.
    Senator Cortez Masto. Right. And I think you would all 
agree.
    Mr. Knight. Senator, I would say that when we talk about 
level playing field, we should be thinking about what is the 
risk that is generated that we are trying to regulate against, 
and so if that risk exists, comparable regulation should exist. 
If a new player comes along and offers a comparable service but 
does not generate a certain risk, then they should not be 
regulated in the same way vis-a-vis that risk. For example, a 
lender that does not fund their loans from federally insured 
deposits should not be regulated as a depository because they 
are just not generating the risks that go along with the 
deposit holding. They should be regulated vis-a-vis consumer 
protection in lending, for example.
    Senator Cortez Masto. OK.
    Ms. Omarova. Well, sometimes it is very difficult to figure 
out exactly what types of risks a particular lender or a 
particularly institution really poses. Sometimes we do not see 
how exactly they fund their loans and their services. We have 
learned that from this last crisis. And I think that in that 
sense, it is important that, if we are looking for leveling the 
playing field, we have to make sure that that common level is 
not the minimum regulatory level of oversight but the maximum 
one. And when we are looking at the maximum level of regulatory 
oversight in the interest of the American public, we should 
keep in mind the biggest players in those markets, not the 
smallest ones.
    Senator Cortez Masto. Thank you. And can I ask you, each 
one of you, when we are talking about banks and credit unions 
that allow data aggregators access to bank customers' accounts, 
if there is a violation of those customers' privacy information 
and that privacy information for those customers, who should be 
legally liable? Should the banks and credit unions be legally 
liable if they are working with those third-party aggregators 
and there is a breach?
    Mr. Boms. Senator, you have identified, I think, perhaps 
the largest, most significant obstacle in this ecosystem, which 
Mr. Rubinstein referenced in his opening statement. The members 
that I represent would say that he who breaches the data should 
be responsible for making the consumer whole.
    The catch to that and the issue with that is we have 
decades of regulation and consumer expectations that say that 
it is the financial institution that either should or must make 
the consumer whole. So on some level, even though our members 
have taken it upon themselves, are adopting this notion of he 
who breaches must make the consumer responsible, at some point 
we need to holistically take a look at the regulations that we 
have on the books and modernize them for the 21st century 
economy.
    Senator Cortez Masto. OK. Anyone else?
    Mr. Rubinstein. Senator, as Mr. Boms said, it is a very 
difficult topic, and we firmly believe that whoever causes harm 
to the consumer should make the consumer whole.
    Unfortunately, this is a chain. Consumer data starts at the 
financial institution. It moves to a financial data aggregator. 
Then it moves to a FinTech. It may continue to move beyond 
that.
    The financial institution only has a direct relationship in 
that first step of the chain with the financial aggregator. 
They need to look to that financial aggregator to make the 
financial institution whole if the financial institution has 
reimbursed the consumer and then they can deal with their own 
customer. Similar to getting into a car accident, right? You 
have auto insurance. You turn to your insurance company, and 
then your insurance company goes and subrogates with the others 
down the chain. It has been very difficult. The industry is not 
adopting that yet, and we can use a nudge in that direction.
    Senator Cortez Masto. Thank you. Please, whoever would like 
to go next.
    Ms. Omarova. I think that everybody in that chain should 
bear a responsibility and be exposed to the liability for data 
breaches of bank customer data. And what concerns me about the 
Treasury report in particular is that it never really addresses 
that issue directly, and it talks about, yes, we need to kind 
of have an appropriate liability regime, but it is not clear to 
me what that regime will be like.
    What I know, though, is as a practical matter, in order to 
incentivize banks to share their information, their bank 
customer information, with various technology companies, you 
are going to have to relax the actual liability constraints 
existing today on them, because, otherwise, they simply would 
not share it. So that is what concerns me a lot.
    Senator Cortez Masto. Thank you. And I know I am out of 
time, Mr. Chair. I do not know, Mr. Knight, if you wanted to 
say a few words--I do not want to take up any more time.
    Chairman Crapo. Briefly.
    Senator Cortez Masto. Thank you.
    Mr. Knight. So in addition to all that has been said, I 
would say that one threshold question we need to talk about is 
that Treasury takes the position in the report that Dodd-Frank 
Section 1033 compels the bank to make the information available 
to the consumer's chosen aggregator. I do not know if that is 
the position the Bureau will take, and if we are compelling the 
bank, then the normative argument for holding the bank liable 
if some accident happens down the chain with an aggregator they 
did not choose to partner with but were compelled to partner 
with weakens; whereas, if it is a matter of choice all the way 
down, then the principles discussed make more sense.
    Chairman Crapo. Senator Scott.
    Senator Scott. Thank you, Mr. Chairman. Thank you to the 
panel for investing the time to be here this morning.
    Things get complicated when a company is headquartered in 
Tennessee, does business in South Carolina, and is breached in 
Arkansas. Those States all have different laws on the books 
governing when and how companies must notify the public of a 
data breach.
    The reality is that a patchwork quilt of 50 different 
breach notification standards creates a race to the bottom in 
which breached parties will often comply with the lowest 
possible standard. Consumers are ultimately the ones that pay 
the price. They are the ones that lose out.
    I know that Senator Rounds touched on this question 
earlier, but let me ask you, Mr. Boms, is a State-by-State 
framework for breach notification effective? Who stands to 
benefit from a more uniformed approach?
    Mr. Boms. Senator, we think that there is certainly room 
for improvement. A Federal approach that lifts up what the 
ceiling is across the board would benefit consumers, it would 
benefit the industry. We think it would be a win-win for 
everybody involved.
    It is not simply an issue of regulatory complexity at the 
State level. Several of the FinTech firms that I work with have 
Federal supervision through third-party vendor risk management, 
and so there is a piece of prudential bank regulatory authority 
here as well on this score. This is another area where 
consistency among regulation, not deregulation, would be 
immensely helpful.
    Senator Scott. Thank you, sir.
    The Gramm-Leach-Bliley Act from 1999, we did business very 
differently then. I think we were all still using paper for 
most of our transactions. We probably had dial-up for our 
Internet connection, and we certainly did not have cell phones 
that could do anything other than call, and that was a pretty 
expensive venture as well.
    The bottom line is that the world has changed so 
significantly since GLBA was enforced, became law, but it is 
still the foundation of how we govern data aggregators for 
financial institutions. I am encouraged by the fact that we are 
moving to APIs from screen scraping, but it is happening fairly 
slowly.
    Mr. Boms, you mentioned Europe, Mexico, and Japan in your 
testimony. How are U.S. policymakers falling behind in crafting 
laws that foster FinTech innovation and protecting consumer 
data?
    Mr. Boms. Senator, I would answer in two parts. I think the 
first thing I would say is APIs in and of themselves are not a 
panacea. They will not solve everything. The API, in addition 
to being secure, as we have heard, also must be robust. So the 
API must include data fields like fees, for example, so that a 
consumer who is using a third-party tool that compares fees at 
one, for example, financial institution can compare what its 
fees would be for the same products or services at another 
financial institution. So making sure that the APIs with the 
direct feeds are robust is the first step.
    The second is there are no standards in the U.S. market. 
The Treasury report talks about data standardization, which we 
think is a very important area that other markets have 
addressed. In the U.K. open banking environment, the data 
elements are standardized. The Mexican central bank and 
securities regulator are currently working on an API that would 
standardize the data sets. This would be, we think, one place 
to start, but there are quite a few that regulators here could 
begin with.
    Senator Scott. Thank you.
    Almost 30 percent of Americans living in economically 
distressed communities are credit-invisible, meaning they have 
no credit score. An additional 15 percent are unscorable due to 
having an insufficient or old credit history. In South 
Carolina, that combined number is about 23 percent, or one out 
of every four adults.
    Senator Cortez Masto and I have worked diligently to find 
ways to bring that credit-invisible person to a place where 
their consistent habits of paying their bills, whether it is 
their electric bill or their cell phone or the rent from a 
place that they are renting, if they are paying those on time, 
they should get some credit for that.
    Mr. Knight, you testified that innovative underwriting can 
provide consumers with benefits such as lower interest rates. 
Can you speak to the benefits of using rent and utility 
payments in credit scoring and to other developments in 
underwriting that will benefit consumers?
    Mr. Knight. Thank you, Senator. Yes, I think that expanding 
access to the types of data that bear on the creditworthiness 
of a borrower, even if they have not traditionally been 
captured in traditional underwriting like a FICO score, has the 
potential to be valuable in allowing lenders to make an 
accurate assessment of the risk that they would take on by 
lending to a borrower. In some cases, that will make someone 
who is credit-invisible visible and, therefore, the lender has 
enough data they feel like they could make an offer.
    In other cases, it will indicate that people who are, in 
fact, good credit risks or better credit risks than they 
otherwise get credit for, because you are looking at data that 
has not otherwise been picked up. So I think that there is 
potential value there.
    Senator Scott. Thank you. I have another question on my 
legislation, the MOBILE Act, that I will submit for the record.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Warren.
    Senator Warren. Thank you, Mr. Chairman.
    So FinTech holds out a lot of promise for consumers and 
also raises a number of concerns. I think it is critical that 
the Government move methodically on a regulatory approach to 
FinTech, so we encourage productive innovation but we do not 
expose consumers to a lot of unnecessary risks.
    So the Treasury Department issued a report on FinTech 
earlier this year, and in almost every instance, it advocates 
for deregulation in an effort to stimulate the FinTech 
industry. And I am concerned about a lot of those 
recommendations.
    One set of recommendations is about rolling back the rules 
that govern how banks can share personal financial information 
with third-party data aggregators. So, Professor Omarova, I 
know you addressed this issue in your written testimony, and I 
just would like you, if you could very briefly, to explain what 
your concerns are with the Treasury Department's 
recommendations on this front.
    Ms. Omarova. So my main concern is that the Treasury's 
approach will essentially open the floodgate for the banks that 
are currently regulated to open up this treasure trove of 
sensitive financial data on the customers that they have for 
much broader types of uses by various tech companies. So my 
concern is about Facebook, it is about Google, it is about 
Amazon. And we do not know what they do with the data they 
touch, so they could use it, they could get access to that data 
in one capacity, let us say as a cloud service provider and the 
code writer, but then misuse it in order to sell something to 
the customer, and that is what I worry about. And the customer 
consent here could be obtained by the bank at the point when 
the customer is actually opening a deposit account with the 
bank, and that is what concerns me. This notion of consent and 
choice could be actually diminished.
    Senator Warren. All right. That is very important. Thank 
you. You know, given what just happened with the Equifax 
breach, I think a lot of my constituents and constituents for 
pretty much everybody here would be uncomfortable with the idea 
of even more companies getting access to our financial data 
without our effective consent and without strict rules on how 
they have to protect that data.
    Another set of Treasury recommendations would further 
weaken the wall between banking and commerce. They would allow 
our biggest banks and our huge technology platforms to join 
their corporate empires--you were just talking about this--and 
giant technology companies like Facebook and Google to buildup 
equity stakes in multiple smaller banks across the country.
    Again, could you go back to this, Professor, and describe 
some of the potential harms in allowing this kind of 
consolidation across different industries?
    Ms. Omarova. Right. So the Treasury basically seeks to 
weaken how control is defined in the Bank Holding Company Act. 
The Bank Holding Company Act currently subjects any company 
that controls a U.S. bank or is affiliated with a U.S. bank to 
various regulations and supervision, and it is essentially an 
antitrust law that seeks to prevent banks from abusing their 
control of immense power over public money and credit. And what 
the Treasury says is essentially we should make it much easier 
for the banks to acquire equity stakes in tech companies and 
vice versa. And I worry about the fact that it will not create 
greater competition; it will actually lead to extreme 
concentrations of power over money and information across the 
sectors. And it will take the ``too big to fail'' problem to an 
unprecedented level because in the next crisis we may have to 
save Facebook and Amazon because they would be so intertwined 
in the financial sector.
    Senator Warren. So, actually, this is powerfully important, 
and I appreciate your comments on this. You know, a lot of 
discussion in FinTech centers on the consumer to corporate part 
of this, but there is also the part about the effect it would 
have on wholesale banking. Can you just say a word more about 
that? You have talked about blowing up ``too big to fail.'' 
Just a bit more.
    Ms. Omarova. So remember with subprime mortgages, for 
example, it was also--the rhetoric was all about the right of 
the consumer to choose to take a very expensive loan, for 
example, but in reality, those mortgages were the fuel for the 
wholesale market speculation. And so I worry that allowing 
digitization of data and all of this sort of new FinTech 
innovation without proper controls will actually increase the 
potential for wholesale market speculation in the secondary 
markets that would make the system more volatile and more 
unstable, and we have to be aware of that danger.
    Senator Warren. Good. Thank you very much. You know, I know 
there is a lot that improving technology can do to reduce costs 
and improve service for customers. But I am concerned that this 
Treasury report consistently ignores real concerns that could 
arise both for consumers and for the industry and change the--
have an impact on protecting data, on reducing consumer 
choices, on maintaining safety in the financial system.
    So thank you very much, Mr. Chairman, for holding this 
hearing. I hope we will continue to dig into this issue. Thank 
you.
    Chairman Crapo. We definitely will. And I think there is 
lot of bipartisan agreement on a lot of these issues.
    I need to wrap up the hearing. However, Senator Brown has 
asked for one more round of 5 minutes.
    Senator Brown. I have a couple questions. Thanks.
    Chairman Crapo. Senator Brown, I will grant that to you, 
and I am sorry, then I am going to have to wrap the hearing up.
    Senator Brown. Mr. Chairman, thank you. We have had sort of 
private discussions about overlap and the common interests we 
see in some of this on privacy, and I am hopeful that we can 
come together on some things.
    I have a couple questions left. Professor Omarova and Mr. 
Knight, if I could direct the first one to you, starting with 
you, Professor Omarova. Should a nonfinancial company be 
allowed access to consumers' detailed financial data such as 
transactions or account balances? Or should the traditional 
separation of banking and commerce extend to data sharing as 
well?
    Ms. Omarova. I absolutely think that the traditional 
separation of banking and commerce should extend to everything 
that relates to data. I do not think that pure disclosure 
really cures the problem because the problem is structural. The 
problem is about the market power crossing over different 
sectors and essentially hurting all of us and the long-term 
competitiveness of our economy.
    Senator Brown. Thank you.
    Mr. Knight, any comments on that?
    Mr. Knight. So I am somewhat more optimistic. I think that 
there may be circumstances where allowing that sort of exchange 
can actually be beneficial to the consumer. I do think that 
meaningful disclosure, meaningful acceptance is critical to 
this, because we are talking about very sensitive information, 
and if the consumer is allowing that information to be shared, 
it should be used only for the purposes that the consumer has 
granted access to, and that consent should be periodically 
reacquired. It should not be something that you click ``yes'' 
on a splash screen when you first sign up and then never hear 
about it again. But I do think that there may be scenarios 
where that exchange actually is worth it.
    Senator Brown. Thank you.
    And the last question to Mr. Boms, and thank you, Mr. 
Chairman. What would be the impact of a successful hack of one 
of your members?
    Mr. Boms. Senator, it would depend on which of the members 
we are talking about. So if I could, I will separate them from 
the aggregator members and the end FinTech clients.
    For the aggregator members, there is a wide variety. They 
are mostly read-only platforms. You cannot execute transactions 
across them. While many do hold credentials as a way to get 
into the ecosystem, they employ best in class security systems, 
hardware encryption, elements of data security that I am not 
qualified to get into. That is not to say that more cannot be 
done, but, of course, they are not encumbered by----
    Senator Brown. And there have been successful hacks in the 
past, of course.
    Mr. Boms. Well, I would argue, respectfully, that the vast 
majority of the hacks that we see in the financial ecosystem 
are at the incumbent financial institutions, not the FinTech 
players, or at least the ones that I represent. That is not to 
say that one will not happen the second this hearing ends.
    For the end user--and I should also add, for the 
aggregators, many have adopted policies where they do not 
collect PII. So they are the pipeline; they connect one entity 
to the data that they acquire for the use case, but do not 
themselves retain the identifying information that the end user 
provides to their third party.
    But I think underlying the question, Senator, is there need 
to be standards for data security in this ecosystem, and that 
is why my members at least have come out and said, whether it 
is regulatorily prescribed or whether it is private sector 
driven, we are ready to have that conversation. And we have 
already started to deploy some of those standards across the 50 
companies that I work with.
    Senator Brown. Thank you.
    Chairman Crapo. All right. Thank you, Senator Brown, and I 
again want to thank the witnesses. I have a lot more questions 
I want to ask, and I do not know if I will pummel you with all 
of those, but over time we are going to dig much more deeply 
into this as a Committee. It is an incredibly important issue. 
And it is complex. It needs to be understood, and we appreciate 
your helping us to get a deeper understanding today.
    That concludes the Committee questioning. For Senators 
wishing to submit questions for the record, those questions 
will be due in 1 week, on Tuesday, September 25. Witnesses, we 
ask you, when you receive questions, if you would promptly 
respond to them. And, again, we thank you for your willingness 
to come and share your expertise with us today.
    With that, this hearing is adjourned.
    [Whereupon, at 11:21 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO
    Today, we will hear four very unique perspectives on a segment of 
financial technology, or ``FinTech.''
    Almost exactly one year ago, the Committee held a hearing to 
explore the various sectors and applications of FinTech.
    In the short time period between that hearing and this one, many 
developments and innovations have occurred, both in the private sector 
and on the regulatory front.
    Digitization and data, in particular, are constantly evolving, 
challenging the way we have traditionally approached and conducted 
oversight of the financial services sector.
    As technology has developed and the ability to readily and cheaply 
interact with and use data has flourished, we have experienced a sort 
of revolution into the digital era.
    This digital revolution brings with it the promise of increasing 
consumer choice, inclusion and economic prosperity, among other things.
    Less than a decade ago, the concept of mobile banking, a simple 
transaction, was relatively new.
    Now, consumers have countless options by which to interact with and 
access their financial information and conduct transactions.
    As this marketplace rapidly develops, so must we constantly 
evaluate our regulatory and oversight framework, much of which was 
designed prior to the digital era.
    To the extent that there are improvements that can be made to 
better foster and not stifle innovation, we should examine those.
    Although these technological developments are incredibly positive, 
the increased digitization and ease of collecting, storing and using 
data presents a new set of challenges and requires our vigilance.
    Many products and services in the FinTech sector revolve around big 
data analytics, data aggregation and other technologies that make use 
of consumer data.
    Oftentimes these processes operate in the background, and are not 
always completely transparent to consumers.
    It is important for consumers to know when their data is being 
collected and how it is being used.
    It is equally important for the companies and the Government alike 
to act responsibly with this data and ensure it is protected.
    As we have seen in recent years, this can be a challenging task.
    In order to fully embrace the immense benefits that can result from 
technological innovation, we must ensure that proper safeguards are in 
place and consumers are fully informed.
    Today, I hope to hear from our witnesses about: the ways in which 
FinTech is changing the financial sector and the improvements that can 
be made to ensure the regulatory landscape welcomes that innovation; 
what kind of data is being collected and used, and how such data is 
secured and protected; and what are the opportunities and challenges 
going forward?
                                 ______
                                 
              PREPARED STATEMENT OF SENATOR SHERROD BROWN
    In the run-up to the financial crisis, Wall Street banks bragged 
about innovations that they claimed made the financial system less 
risky and credit more affordable. Some of these innovations were in 
consumer products--like interest-only subprime mortgages. Other 
innovations were happening behind the scenes, like the growth in risky 
collateralized debt obligations and credit default swaps.
    According to the banks, technological advances like increased 
computing power and information sharing through the internet allowed 
financial institutions to calculate and mitigate the risks of these 
complex financial innovations. Here in Washington, banks told lawmakers 
that regulation would hold back progress and make credit more expensive 
for consumers. Rather than look at financial technology with an eye to 
the risks, Federal banking supervisors repealed safety and soundness 
protections and used their authority to override consumer protection 
laws in several States.
    Eventually, so-called financial innovations led to the biggest 
economic disaster in almost a century, costing millions of Americans 
their homes and their jobs.
    Criticizing the bankers and regulators who lost sight of the 
enormous risks that came with these new innovations, former Fed Chair 
Paul Volcker declared that ``the ATM has been the only useful 
innovation in banking for the past 20 years.''
    I am more optimistic about some new technologies benefiting 
consumers rather than just lining Wall Street's pockets, but I think we 
should look at this Treasury report with the same level of skepticism.
    Rather than learn from past mistakes, the Treasury report embraces 
the shortsightedness of precrisis regulators. It exalts the benefits of 
``financial innovation,'' describes Federal and State regulation as 
``cumbersome'' or as ``barriers to innovation,'' and recommends gutting 
important consumer protections, like the CFPB's payday lending rule. It 
even suggests stripping away what little control we have over our 
personal financial data, just a year after Equifax put 148 million 
Americans' identities at risk.
    Just like a dozen years ago, Wall Street banks and big companies 
are making record profits, but working families are struggling just to 
get by. Student loan debt is at record levels, and credit card defaults 
are rising. Worker pay isn't keeping up with inflation, but we've 
managed to cut taxes for the richest Americans while CEOs and 
shareholders have reaped huge windfalls through over half a trillion 
dollars in stock buybacks.
    Plenty of financial institutions are adopting new technologies 
without running afoul of the law. Rather than focusing on how we can 
weaken the rules for a handful of companies who prefer to be called 
``FinTechs'' rather than ``payday lenders'', or ``data aggregators'' 
rather than ``consumer reporting bureaus'', Treasury should be focused 
on policies that help working families.
    This isn't a partisan issue for me. I raised concerns about 
relaxing the rules for FinTech firms when Comptroller Curry, appointed 
by President Obama, suggested a special ``FinTech'' charter almost two 
years ago.
    The new leaders at the Federal Reserve, the OCC, the FDIC, and the 
CFPB have already made it clear that they're ready to give Wall Street 
whatever it asks for. And the recommendations in this report call for 
more handouts for financial firms, FinTech or otherwise.
    I am, however, interested to hear from our witnesses about how new 
financial technologies could increase our control over our own 
information, better protect against cyberattacks, or make it easier for 
lenders to ensure they're following the law. And as traditional banks 
partner with technology firms, I think it's important for the Committee 
to consider where gaps in regulation might lead to future systemic 
risks.
    Thank you to the Chairman for holding this hearing, and to the 
witnesses for their testimony today.
                                 ______
                                 
                   PREPARED STATEMENT OF STEVEN BOMS
 President, Allon Advocacy, LLC, on behalf of Consumer Financial Data 
                                 Rights
                           September 18, 2018
Introduction
    Chairman Crapo, Ranking Member Brown, and Members of the Committee, 
thank you for the opportunity to testify today on behalf of the 
Consumer Financial Data Rights, or CFDR, Group. The CFDR Group is a 
consortium of nearly 50 financial technology (FinTech) companies, 
including financial data aggregation companies and end user-facing 
technology tools, on whose services more than 100 million consumers and 
small businesses collectively depend for access to vital financial 
services and wellness applications that serve them at every stage of 
their financial lifecycles. CFDR Group member-companies provide, for 
example, automated savings services, no-fee credit cards, investment 
advisory services, retirement savings advice and critical small 
business capital. In the complex and often opaque financial services 
ecosystem, the CFDR Group strives to be the voice of consumers and 
small businesses before policymakers and market stakeholders alike.
    My testimony today also provides the perspective of the Financial 
Data and Technology Association (FDATA) of North America, a trade 
association for which I serve as Executive Director. FDATA North 
America is comprised of several financial services providers, some 
newer entrant FinTech firms and some incumbent, traditional providers, 
united behind the notion that standardization of consumer data access 
is both a fundamental consumer right and a market-driven imperative. 
FDATA North America is a regional chapter of FDATA Global, which was 
the driving force for Open Banking in the United Kingdom and which 
continues to provide technical expertise to regulators and policymakers 
in London, to the European Commission, and to regulatory bodies 
internationally contemplating many of the same issues identified in the 
Department of the Treasury's (``the Department'' or ``Treasury'') 
report released on July 31, A Financial System That Creates 
Opportunities: Nonbank Financials, FinTech, and Innovation.
    The CFDR Group and its members consulted frequently with the 
Department as it considered the current state of the FinTech market, 
the consumer and small business benefits it provides to Americans 
today, and how best to harness innovation in the FinTech ecosystem 
moving forward while ensuring that consumers, small businesses and the 
financial system itself are well protected. The CFDR Group's engagement 
with Treasury was principally focused on the crucial issue of consumer-
permissioned financial data, which ultimately was an area of emphasis 
in the Department's report.
    Ultimately, any provider of a technology-based financial tool, 
whether that provider is a FinTech firm or a longstanding market 
incumbent, depends on the ability to access and utilize, with the 
consumer's or small business' express permission, elements of that 
customer's financial data to offer its products or services. Financial 
data, including, for example, balances, fees, transactions, and 
interest charges, are essential to facilitating the technology tools on 
which millions of Americans depend. These data elements are typically 
held at the financial institution with which that customer holds a 
checking, savings, and/or lending account. Before providing an overview 
of how this data exchange works today in the United States, I would 
first like to underscore the immense need that the technology-based 
tools offered by CFDR Group and FDATA North America member firms are 
fulfilling.
The State of U.S. Consumer Finances
    Although the U.S. economy is performing well from a macroeconomic 
standpoint, there are unquestionably significant numbers of Americans 
who are being left behind and are financially invisible. The level of 
credit card debt in the United States is historically high and, earlier 
this year, exceeded $1 trillion for the first time ever, with the 
average American household holding approximately $8,200 in credit card 
debt. \1\ About half of American consumers have no retirement savings 
at all, and of those that do, the average retirement account balance is 
about $60,000. \2\ Approximately one-third of American adults have 
sufficient savings to last comfortably for more than a few months 
during their golden years. \3\
---------------------------------------------------------------------------
     \1\ Comoreanu, A. (2018, June 11). ``Credit Card Debt Study: 
Trends and Insights''. Retrieved from https://wallethub.com/edu/credit-
card-debt-study/24400/.
     \2\ Morrissey, M. (2016, March 3). ``The State of American 
Retirement: How 401(k)s Have Failed Most American Workers''. Retrieved 
from https://www.epi.org/publication/retirement-in-america/.
     \3\ ``1 in 3 Americans Have Less Than $5,000 in Retirement 
Savings''. (2018, May 8). Retrieved from https://
news.northwesternmutual.com/2018-05-08-1-In-3-Americans-Have-Less-Than-
5-000-In-Retirement-Savings.
---------------------------------------------------------------------------
    The crisis, of course, is not limited only to an accumulation of 
debt or a lack of retirement savings. The Federal Reserve Board of 
Governors determined earlier this year that 40 percent of American 
consumers could not afford a surprise $400 expense without either 
selling an asset or taking on additional debt. \4\ And, unsurprisingly, 
many of us do encounter these surprise expenses. According to a recent 
study by CIT Bank, while half of Americans experience a financial 
emergency, such as a major health event or an unforeseen home repair, 
every year, more than one in four do not save for these unexpected 
events. \5\
---------------------------------------------------------------------------
     \4\ ``Report on the Economic Well-Being of U.S. Households in 
2017''. (2018, May 22). Retrieved from https://www.federalreserve.gov/
publications/files/2017-report-economic-well-being-us-households-
201805.pdf.
     \5\ ``Summer Survey: Trends on Saving for Life's Planned and 
Unplanned Events''. (2018, August 1). Retrieved from https://
bankoncit.com/blog/2018-summer-savings-survey/.
---------------------------------------------------------------------------
    It is no wonder, then, that 85 percent of Americans report feeling 
anxious about their financial state, with more than two-thirds 
believing that their financial anxiety is negatively impacting their 
overall health. \6\
---------------------------------------------------------------------------
     \6\ ``Planning and Progress Study 2016''. (2016, June 8). 
Retrieved from https://news.northwesternmutual.com/planning-and-
progress-study-2016.
---------------------------------------------------------------------------
    Compounding this economic predicament is the growing complexity of 
most consumers' and small business' relationships with the American 
financial system. The vast majority of Americans have multiple 
different accounts across a variety of products providers. The most 
basic, fundamental first step towards financial health--simply 
understanding what one has and what one owes--is often intimidating and 
logistically difficult for all but the most financially savvy. The 
technology-powered tools on which millions of Americans have come to 
depend, provide intuitive, accessible platforms that enable even the 
least financially savvy among us to manage their finances and improve 
their economic outcomes. In addition to allowing Americans to see the 
totality of their financial accounts in one place, these applications 
empower consumers and small businesses to find lower loan rates or 
better loan terms, to avoid predatory products and services, to compare 
fees across different product offerings, to receive personalized 
investment and wealth management advice, to find and secure capital 
that otherwise may not be extended, or to take advantage of budgeting 
and savings tips to secure their financial future.
    This of course presumes that one has access to the system in the 
first place. Twenty percent of adult Americans are underbanked by the 
traditional financial services system and almost nine million American 
households are entirely unbanked. \7\ For these consumers, third-party, 
technology-based tools can provide vital, affordable access to a 
financial system that has left them behind.
---------------------------------------------------------------------------
     \7\ ``Financial Inclusion in the United States''. (2016, June 10). 
Retrieved from https://obamawhitehouse.archives.gov/blog/2016/06/10/
financial-inclusion-united-states.
---------------------------------------------------------------------------
    Regardless of the use case a consumer or a small business wishes to 
leverage, and irrespective of whether that technology-powered tool is 
offered by a FinTech firm or a traditional financial services provider, 
the lifeblood of these tools is user-permissioned data access: the 
right of the consumer or small business to affirmatively grant access 
to the third party of their choice to connect to or see the financial 
data required to provide them the product or service for which they 
have provided their consent.
The State of Consumer-Permissioned Financial Data
    Usage of third-party, FinTech tools in the U.S. is widespread: by 
2017, 87 percent of consumers preferred to adopt a FinTech application 
rather than use a product or service offered by a traditional financial 
services provider. \8\ To gain access, with the consumer's or small 
business' consent, to their customer's financial data in order to 
provide their products or services, the vast majority of technology-
based tools retain contractual relationships with financial data 
aggregators, such as Envestnet Yodlee, Quovo, or Morningstar 
ByAllAccounts, all of which are members of the CFDR Group. These 
aggregators, which have built data connectivity to thousands of U.S. 
financial institutions over many years, function as technology service 
providers for the consumer or small business-facing applications. Once 
the consumer or small business has affirmatively provided their consent 
to the application that they wish to utilize, that consent is 
transmitted to their financial institution and they are authenticated. 
Upon authentication, the aggregator utilizes one or more methods of 
data consumption to capture the financial data permissioned by the end 
user that is required to deliver the use case requested and delivers it 
to the application provider. The application provider then uses this 
data to provide its service or product to the consumer or small 
business.
---------------------------------------------------------------------------
     \8\ ``EY FinTech Adoption Index 2017''. (2017, June 28). Retrieved 
from https://www.ey.com/Publication/vwLUAssets/ey-fintech-adoption-
index-2017/$FILE/ey-fintech-adoption-index-2017.pdf.
---------------------------------------------------------------------------
    Because there are no overarching statutory, regulatory or market 
standards in the United States with regard to consumer or small 
business authentication, or with regard to the data consumption 
protocol used by aggregators to transmit the end user's data, with 
their permission, to their application of choice, there are several 
different methods used in the ecosystem today. To authenticate, end 
users typically provide their online banking credentials, either to the 
third-party application provider delivering them the service or product 
they have selected, or, through redirection, to their financial 
institution, which in turn issues an access token to the third party 
and the aggregator with which it partners. Once the consumer or small 
business is authenticated, the aggregator may use any of several data 
consumption methods to retrieve the financial data required for the use 
case. Some financial institutions have created direct feeds, such as 
Application Programming Interfaces (APIs), specifically for aggregators 
and third parties to utilize for the purpose of providing products or 
services to their customers; however, the vast majority of U.S. 
financial institutions have not. The significant capital investment 
required to build and maintain these feeds typically results in only 
the largest U.S. financial institutions deploying them. In the case 
where no direct data feed is available, aggregators employ proprietary 
software to retrieve the data required for the use case from the end 
user's native online banking environment. This data consumption method 
is colloquially referred to as ``screen scraping.''
    I note here a critical issue that underlies the entire FinTech 
ecosystem's ability to continue to deliver the products and services on 
which many consumers and small businesses now rely: There is no legal 
requirement in the United States stipulating that a financial 
institution must make the consumer's or small business' financial data 
it holds available to a third party in the event their customer 
provides affirmative consent for the institution to do so. Accordingly, 
a consumer's or small business' ability to take advantage of the 
benefits offered by third-party, technology-based tools rests almost 
entirely with the inclination of their financial institutions to allow 
them to do so. Not all financial institutions are disposed to allow 
third-party tools, some of which compete directly with their own 
products and services, complete access to their customers' data. The 
Treasury's report notes, for example, that ``access [to financial data] 
through APIs was frequently and unilaterally restricted, interrupted, 
or terminated by financial services companies.'' \9\ In many cases, 
these APIs also may not provide the full suite of data required by 
technology-powered tools to deliver their products or services. The 
market is therefore fundamentally dislocated; the ability of U.S. 
consumers and small businesses to utilize third-party technology tools 
is dependent on the financial services provider(s) with which they do 
business, with disparate outcomes for Americans who bank with different 
financial institutions. The unevenness of this playing field could 
materially worsen as many large U.S. financial institutions seek to 
impose on consumers and small businesses their view of how the 
ecosystem should function in the form of bilateral agreements with 
aggregation firms.
---------------------------------------------------------------------------
     \9\ ``A Financial System That Creates Economic Opportunities: 
Nonbank Financials, FinTech, and Innovation''. (2018, July 31). 
Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-
Financial-System-that-Creates-Economic-Opportunities---Nonbank-
Financials-Fintech-and-Innovation_0.pdf.
---------------------------------------------------------------------------
    The Bureau of Consumer Financial Protection (``BCFP'' or ``the 
Bureau'') engaged in a year-long process to address this issue, which 
ultimately culminated in the release in October 2017 of nonbinding 
principles for consumer-authorized financial data sharing and 
aggregation. \10\ Though the BCFP's engagement was earnest and well-
intentioned, the principles it ultimately released did not meaningfully 
shape or change market behavior, both because they were not legally 
binding and because the Bureau declined to forcefully stake out a 
position regarding consumer-permissioned data access. The BCFP 
asserted, for example, that consumers ``generally'' should be able to 
use ``trusted'' third parties to obtain information from account 
providers \11\ but provided no further detail regarding these 
qualifiers. As a result of this ambiguity, and despite the BCFP's much-
needed engagement in the market, the state of consumer-permissioned 
financial data access in the United States is not meaningfully 
different today than it was when the Bureau's nonbinding principles 
were released almost 1 year ago.
---------------------------------------------------------------------------
     \10\ ``Consumer Protection Principles: Consumer-Authorized 
Financial Data Sharing and Aggregation''. (2017, October 18). Retrieved 
from https://files.consumerfinance.gov/f/documents/cfpb_consumer-
protection-principles_data-aggregation.pdf.
     \11\ Ibid.
---------------------------------------------------------------------------
    While policymakers in the United States have not issued any 
regulation specific to consumer-permissioned financial data access, 
regulators and legislators abroad have sought to harness innovation. As 
these other jurisdictions implement frameworks that harness innovation, 
the U.S. market is at risk of losing pace internationally with the 
development and delivery of new, innovative financial tools for 
consumers. There is, accordingly, ``a huge risk the U.S. will fall 
behind, and with that a risk that jobs will go elsewhere.'' \12\
---------------------------------------------------------------------------
     \12\ Phillips, C. (2018, September 12). Remarks to the Exchequer 
Club of Washington. Speech, Washington, DC.
---------------------------------------------------------------------------
    The United Kingdom's Open Banking regime, under which consumers can 
utilize authorized third-party tools without restriction, began its 
implementation phase earlier this year, as did Europe's Second Payments 
Services Directive, or PSD2. In Mexico, following a recently passed new 
FinTech law, the Bank of Mexico and the National Banking and Securities 
Commission (CNBV) are in the midst of developing API standards that 
national financial institutions will be required to adopt in order to 
facilitate the use of third-party FinTech tools. The Australian 
Government has made public its intention to begin its implementation of 
an Open Banking regime in July 2019, and New Zealand, Canada, and 
Mexico are not far behind.
    In the preamble to its report, Treasury rightly notes that 
policymakers' engagement with the FinTech ecosystem--and the decisions 
that are made by the financial regulatory agencies in response to the 
Department's recommendations, particularly with regard to consumer-
permissioned data access--will have implications for U.S. global 
competitiveness. \13\ Developments such as the announcement earlier 
this month of a pact between the Monetary Authority of Singapore and 
the Dubai Financial Services Authority to work collaboratively on 
digital payments and blockchain projects are becoming increasingly 
common. While the U.S. market continues to consider the most 
fundamental policy issues regarding innovation in financial services, 
policymakers in other jurisdictions are assertively creating well-
regulated, innovative regulatory frameworks designed to attract and 
encourage large-scale innovation. The stakes are high: Globally, the 
FinTech market attracted more than $31 billion in 2017, with the United 
States attracting more than half the investment in the market. \14\
---------------------------------------------------------------------------
     \13\ ``A Financial System That Creates Economic Opportunities: 
Nonbank Financials, FinTech, and Innovation''. (2018, July 31). 
Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-
Financial-System-that-Creates-Economic-Opportunities---Nonbank-
Financials-Fintech-and-Innovation_0.pdf.
     \14\ ``The Pulse of FinTech--Q4 2017''. (2018, February 13). 
Retrieved from https://home.kpmg.com/xx/en/home/insights/2018/02/pulse-
of-fintech-q4-2017.html.
---------------------------------------------------------------------------
Treasury Report Recommendations
    Both the CFDR Group and FDATA North America strongly believe that 
the Department in its July report identified the key outstanding issues 
with regard to consumer and small business financial data access. I 
would respectfully highlight five of the Treasury recommendations for 
the Committee's consideration, as formalizing standards around these 
areas would significantly bolster the ability of Americans to utilize 
third-party technology tools to improve their financial well-being:

  1.  The Bureau should affirm that for purposes of Section 1033 [of 
        the Dodd-Frank Wall Street Reform and Consumer Protection Act], 
        third parties properly authorized by consumers . . . fall 
        within the definition of ``consumer'' under Section 1002(4) of 
        Dodd-Frank for the purpose of obtaining access to financial 
        account and transaction data.

    Treasury's assertion that the Dodd-Frank Act's inclusion of 
language in Section 1033 mandating that financial institutions provide 
their customers with electronic access to their data should be 
interpreted to ``cover circumstances in which consumers affirmatively 
authorize, with adequate disclosure, third parties such as data 
aggregators and consumer FinTech application providers to access their 
financial account and transaction data from financial services 
companies'' \15\ marks a significant step forward for consumers' and 
small businesses' financial rights. Though it may seem self-evident, 
because Section 1033 of Dodd-Frank provides that the BCFP has the 
authority to promulgate a rule to ensure end users have electronic 
access to their online data, and the Bureau has thus far declined to do 
so, Treasury's affirmation that the Dodd-Frank Act provides this right 
to consumers and small businesses, even in the absence of a Bureau 
rulemaking, represents a significant victory for innovation and for 
consumer and small business financial empowerment. The CFDR and FDATA 
North America both respectfully echo the Department's call for further 
action on this score by the BCFP.
---------------------------------------------------------------------------
     \15\ ``A Financial System That Creates Economic Opportunities: 
Nonbank Financials, FinTech, and Innovation''. (2018, July 31). 
Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-
Financial-System-that-Creates-Economic-Opportunities---Nonbank-
Financials-Fintech-and-Innovation_0.pdf.

  2.  All regulators . . . should recognize the benefits of consumer 
        access to financial account and transaction data in electronic 
        form and consider what measures, if any, may be needed to 
---------------------------------------------------------------------------
        facilitate such access for entities under their jurisdiction.

    One of the systemic disadvantages facing the FinTech ecosystem in 
the United States as compared with many other countries that have 
imposed standards with regard to consumer-permissioned data access is 
the immense relative regulatory fragmentation that exists in the U.S. 
financial system. In the United Kingdom, for example, two agencies, the 
Financial Conduct Authority and the Competition and Markets Authority, 
represent the totality of regulatory authorities that were required to 
implement an entirely new, innovative approach to harnessing FinTech 
under Open Banking. Mexico's CNBV and the Bank of Mexico are themselves 
responsible for developing and imposing financial API standards. The 
Australian Treasury and the Competition and Consumer Commission alone 
will deliver Open Banking in 2019.
    There are at least eight Federal regulatory agencies with 
jurisdiction over at least some portion of financial data access in the 
United States: the BCFP, the Office of the Comptroller of the Currency, 
the Federal Deposit Insurance Corporation, the National Credit Union 
Administration, the Federal Reserve Board of Governors, the Securities 
and Exchange Commission, the Commodity Futures Trading Commission, and 
the Federal Trade Commission. (Other Federal agencies, including the 
Financial Crimes and Enforcement Network and the Financial Industry 
Regulatory Authority, have also been involved in the issue of consumer-
permissioned data recently permissioned data recently. \16\) One 
commonly discussed regulatory constraint to the open transmission of 
permissioned consumer and small business financial data has been the 
prudential bank regulatory agencies' third-party vendor risk management 
guidance. \17\
---------------------------------------------------------------------------
     \16\ ``Know Before You Share: Be Mindful of Data Aggregation 
Risks''. (2018, March 29). Retrieved from http://www.finra.org/
investors/alerts/know-you-share-be-mindful-data-aggregation-risks.
     \17\ ``Third-Party Relationships''. (2017, June 7). Retrieved from 
https://www.occ.gov/news-issuances/bulletins/2017/bulletin-2017-
21.html.
---------------------------------------------------------------------------
    There are also, of course, regulatory authorities in each State 
that have jurisdiction over entities that play a role in the FinTech 
market, financial services providers and FinTech firms alike. While 
Treasury cannot address the intrinsic, structural disadvantages in the 
United States' regulatory regime as compared with other countries', its 
call for all of the agencies in this space to align behind the 
Department's interpretation of Section 1033 of the Dodd-Frank Act is an 
important step towards a level playing field, and one that could be 
hastened by Congressional engagement. While, interestingly, some U.S. 
regulatory agencies have begun to collaborate with their peers 
internationally, \18\ greater domestic coordination that provides 
harmonization, rather than divergence, would spur innovation and 
improved consumer and small business financial outcomes.
---------------------------------------------------------------------------
     \18\ ``BCFPB Collaborates With Regulators Around the World To 
Create Global Financial Innovation Network''. (2018, August 7). 
Retrieved from https://www.consumerfinance.gov/about-us/newsroom/bcfp-
collaborates-regulators-around-world-create-global-financial-
innovation-network.

  3.  The Bureau [should] work with the private sector to develop best 
        practices on disclosures and terms and conditions regarding 
        consumers' use of products and services powered by consumer 
        financial account and transaction data provided by data 
---------------------------------------------------------------------------
        aggregators and financial services companies.

    The CFDR Group and FDATA North America strongly believe that 
consumers and small businesses should be empowered to use their 
financial data for their own financial benefit. To fully realize this 
empowerment, however, end users must be able to clearly and easily 
understand to what data elements they are granting third parties access 
to and for what purpose, as well as how they can revoke their consent 
to access and use the data. Though several industry groups have 
previously sought to establish guidelines in this space--and others 
continue to seek to formulate best practices--given the vast scope of 
the financial services market, very little standardization has taken 
place.
    Fortunately, to the extent that the private sector, the BCFP and 
other regulatory agencies come together to develop best practices that 
could be adopted broadly across the industry, a market-tested framework 
already exists. The United Kingdom's Open Banking architecture includes 
prescriptive consent flows that ensure that a consumer's or small 
business' experience granting or revoking consent to access their data 
to any third party in the Open Banking environment is uniform. 
Accordingly, consumers in the Open Banking ecosystem experience the 
same consent-granting process across every third-party application they 
use, regardless of the financial institution with which they have their 
primary banking relationship. Offboarding is similarly uniform. The 
evidence suggests that end users of the Open Banking ecosystem are 
quickly becoming comfortable and familiar with these standards; three 
million Open Banking API calls were made this July, a month-over-month 
increase of 50 percent. \19\ Public and private sector participants 
would do well to use these Open Banking consent standards as a starting 
point for creating best practices in the U.S. market.
---------------------------------------------------------------------------
     \19\ ``Open Banking Progress Update 13 July-31 August''. (2018, 
September 3). Retrieved from https://www.openbanking.org.uk/about-us/
news/open-banking-progress-update-july-august-2018/.

  4.  Any potential solution [to move to more secure and efficient 
        methods of data access should] address resolution of liability 
        for data access. If necessary, Congress and financial 
        regulators should evaluate whether Federal standards are 
---------------------------------------------------------------------------
        appropriate to address these issues.

    The CFDR and FDATA North America believe that the issue of 
liability is the fundamental obstacle preventing the U.S. market from 
offering a more even, consumer-centric delivery of third-party tools 
powered by permissioned data connectivity. Decades-old regulations, 
such as Regulation E, create either the regulatory expectation or the 
consumer perception that financial institutions will largely make their 
customers whole in the event of any financial loss, including as a 
result of a data breach at a third party. \20\ Further, prudential bank 
regulators have told the FinTech community that the potential liability 
exposure to customers that nationally regulated banks face in the event 
of a data breach for which customers experience a financial loss 
represents a safety and soundness concern.
---------------------------------------------------------------------------
     \20\ 12 CFR 205.
---------------------------------------------------------------------------
    Largely as a result, some of the financial institutions seeking 
bilateral agreements with data aggregators are seeking to place the 
aggregator in the position of holding full, unlimited liability for the 
FinTech ecosystem. These financial institutions hold that, because the 
aggregator is the only party with which they will have a bilateral 
agreement, the aggregator is the only entity from which they can recoup 
customer losses; however, this position is both impractical and 
untenable. Aggregators typically have no direct relationship with 
consumers or small businesses. Practically, they do not have the scale 
necessary to be in a position to provide their financial institution 
counterparties with boundless liability protection for the entire 
FinTech market, nor would that fairly apportion responsibility 
throughout the ecosystem. As responsible stewards of consumer data, 
however, aggregators are prepared to be liable for any direct consumer 
harm that arises as a result of a breach for which they are at fault.
    More broadly, the question of liability must also address the 
responsibility of the third party with which the consumer or small 
business has a relationship, whether it is a FinTech application or a 
technology tool delivered by a traditional financial institution. The 
CFDR earlier this year released a set of principles, Secure Open Data 
Access (SODA), which called for the implementation of traceability, 
minimum cyberliability insurance standards and other standards designed 
to ensure that the entity responsible for consumer financial loss as a 
result of a data breach--be it a bank, an aggregator, or a FinTech 
firm--is the entity charged with making the end user whole. While CFDR 
members are starting to implement the SODA principles with regard to 
liability, the financial regulatory agencies and Treasury could augment 
and assist this work by undertaking efforts to create a more vibrant 
and affordable cyberliability insurance market, similar to the steps 
taken by Her Majesty's Treasury in the United Kingdom last year.

  5.  Any potential solution [to move to more secure and efficient 
        methods of data access should] also address the standardization 
        of data elements as part of improving consumers' access to 
        their data.

    Treasury notes in its report that ``a standardized set of data 
elements and formats would help to foster innovation in services and 
products that use financial account and transaction data . . . '' \21\ 
While the CFDR Group and FDATA North America wholeheartedly agree with 
the Department's recommendation, I would respectfully submit an 
addendum to this recommendation. Standardization of data elements will 
only be impactful to American consumers and small businesses if they 
are able to grant access to all of the data required to power the use 
case they have selected. A standardized data set that, for example, 
does not allow end users to grant access to any data fields related to 
the fees or interest rates a financial institution assesses inherently 
restricts the ability of that customer to utilize fee comparison tools 
or to use a third-party tool to select an alternative, lower-cost 
provider.
---------------------------------------------------------------------------
     \21\ ``A Financial System That Creates Economic Opportunities: 
Nonbank Financials, FinTech, and Innovation''. (2018, July 31). 
Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-
Financial-System-that-Creates-Economic-Opportunities---Nonbank-
Financials-Fintech-and-Innovation_0.pdf.
---------------------------------------------------------------------------
    Therefore, with the appropriate consent, authentication, and 
liability safeguards in place, the standardized data elements made 
available to the consumer or small business to permit access to third 
parties of their choosing should include all of the data elements 
available to the end user in their native online banking environment. 
This approach would fully enable end users to leverage their own 
financial data to their economic benefit and it would allow for the 
realization of a competitive, free marketplace in which consumers have 
full transparency into financial products and services offered by 
FinTech providers and financial services firms alike.
Conclusion
    Though tens of millions of American consumers and small businesses 
are already utilizing third-party tools to improve their financial 
well-being, more can and should be done to harness the power of 
innovation and to give Americans full control of their own financial 
data and future. The Treasury's report provides an insightful overview 
of the outstanding issues facing the U.S. market that should be 
collaboratively addressed in order to better serve consumers and to 
ensure that the United States remains globally competitive as multiple 
countries implement comprehensive, consumer-centric financial data 
access frameworks. The CFDR Group and FDATA North America stand ready 
to work with the Department, the regulatory agencies, market 
stakeholders, and, of course, Congress, to implement the Treasury's 
recommendations.
                                 ______
                                 
                PREPARED STATEMENT OF STUART RUBINSTEIN
 President, Fidelity Wealth Technologies, and Head of Data Aggregation
                           September 18, 2018
    Chairman Crapo, Ranking Member Brown, and Members of the Committee: 
thank you for holding this important hearing. Fidelity is very 
interested in FinTech and data policy and has a unique perspective to 
share on financial data account access and aggregation used by many 
FinTech firms.
    My name is Stuart Rubinstein and I am President of Fidelity Wealth 
Technologies and Head of Data Aggregation. In this role, I oversee the 
team focused on helping Fidelity and other institutions enable 
consumers to securely share account data and documents with third 
parties. Fidelity is a leading provider of investment management, 
retirement planning, portfolio guidance, brokerage, benefits 
outsourcing, and other financial products and services to more than 30 
million individuals, institutions, and financial intermediaries with 
more than $7 trillion in assets under Administration. Our goal is to 
make financial expertise broadly accessible and effective in helping 
people live the lives they want.
    I will focus my testimony for this hearing on an issue I first 
worked on over 20 years ago: financial data aggregation services and 
ways we can make data sharing safer and more secure.
Fidelity's Perspective on Data Aggregation
    Fidelity has a unique perspective on financial data aggregation 
practices and necessary protections for customers. We are on all sides 
of this issue: we are an aggregator of data for third parties, \1\ we 
are a significant source of data for aggregators acting on behalf of 
our mutual customers, and we offer a data aggregation service for our 
retail customers and retirement plan participants. \2\ This perspective 
gives us a thorough understanding of the benefits of financial data 
aggregation, but also of the very real cybersecurity and privacy risks 
that current data aggregation industry practices create.
---------------------------------------------------------------------------
     \1\ Financial advisors can use eMoney Advisor, a Fidelity-owned 
business that provides account aggregation services along with software 
that helps them provide financial advice to their clients.
     \2\ Fidelity offers its FullView' services to retail 
customers through Fidelity.com and to retirement plan participants 
through NetBenefits.com, and developed its first account aggregation 
service over 15 years ago. Fidelity FullView provides a snapshot of 
customers' net worth in a simple format with an ability to do budgeting 
and financial planning.
---------------------------------------------------------------------------
    Financial data aggregation in this context refers to services that, 
with customers' consent, collect financial information from their 
various bank, brokerage, and retirement accounts, along with other 
sources, to be displayed and processed in an aggregated view. An 
example of this kind of service might be a budgeting and planning 
smartphone app. Consumers use third party applications that leverage 
data aggregation because they value tools to help manage financial 
planning, budgeting, tax preparation, and other services. As part of 
our focus on helping our customers, Fidelity works to make it possible 
for customers to access the services they want to use--including third 
party aggregation-based services. To that end, customers have been able 
to use their Fidelity data in third party applications for many years. 
However, the cybersecurity environment has significantly changed over 
that time and we have a responsibility to protect the very sensitive 
personal financial data and assets of our more than 30 million 
customers from misuse, theft, and fraud.
    Current data aggregation practices make this challenging, because 
they rely on consumers providing their financial institution log-in 
credentials (i.e., username and password) to third parties. Those third 
parties, typically data aggregators, then almost always employ a 
practice known as ``screen scraping.'' At its most basic, screen 
scraping involves the use of computerized ``bots'' to log-in to 
financial institution websites, mobile apps, or other applications as 
if they were the consumer. Once the bots have access to the site or 
app, they ``scrape'' customer data from the various screens to be 
presented on a consolidated basis, along with information scraped and 
collected from other sources.
    There are two consumer data security problems with this practice. 
First, as a matter of basic security consumers should not be asked or 
required to share their private log-in credentials in order to access a 
third party service. Doing so creates cybersecurity, identity theft, 
and data security risks for the consumer and financial institutions. 
Unfortunately, we know that due to years of this practice, financial 
institution log-in credentials are now held by a myriad of companies. 
Some are likely very secure, while others may not be secure at all. 
Given this, allowing third parties to log-in using these credentials as 
if they are the customer creates significant risk of cyberfraud. 
Because consumers go directly to data aggregators or their commercial 
clients and not their financial institution, the financial institutions 
never really know if the activity has in fact been authorized by the 
customers or if the customer credential has been compromised and a 
criminal is using the data aggregation service to test the credential's 
validity and illicitly gather data.
    Second, screen scraping may result in access to data fields far 
beyond the scope of the service a third party offers the consumer--
including personally identifiable information (PII) about consumers and 
in some cases their dependents. This means third parties have access to 
fields of information often used by financial institution call centers 
to identify customers. For example, if a consumer provides his or her 
log-in credentials to a budgeting app, that app potentially has access 
to sensitive personal information like customer dates of birth and 
dependent names and dates of birth, all of which might be data 
financial institutions use to verify customer identities online or over 
the phone. Collection of information beyond what is needed for the 
service the consumer has elected creates unnecessary risk. And all of 
this adds up to an array of risks financial institutions must navigate 
to protect the integrity of their systems and the assets of their 
customers.
    In considering the challenges described above, Fidelity developed 
the following five principles that we believe should guide industry in 
creating better data sharing solutions:

  1.  We strongly support consumers' right to access their own 
        financial data and provide that data to third parties. As a 
        provider of aggregation services ourselves, we know that 
        customers value these products, and the demand for aggregation 
        is likely to increase. We also believe that the concept of 
        access is broad enough to encompass security, transparency, and 
        cybersecurity protections for consumers.

  2.  Data access and sharing must be done in a safe, secure, and 
        transparent manner. We firmly believe credential sharing makes 
        the system less safe for consumers, aggregators, and financial 
        institutions alike. While we strongly support customer access, 
        the security of customer data, customer assets, and financial 
        institution systems must be our primary concern.

  3.  Consumers should provide affirmative consent and instruction to 
        financial institutions to share their data with third parties. 
        Rather than trust that third parties who use customer log-in 
        credentials to access a financial institution's website are 
        authorized, customers should tell financial institutions which 
        third parties have permission to access their financial data. 
        This eliminates the potential that unauthorized access using 
        credentials is mistaken for authorized access.

  4.  Third parties should access the minimum amount of financial data 
        they need to provide the service for which the customer 
        provided access. There should be a tight nexus between the 
        service provided and the information collected by third party 
        aggregators. For example, if a customer signs up for a tax 
        planning service that leverages aggregation, that service 
        should only access the information needed for tax planning.

  5.  Consumers should be able to monitor who has access to their data, 
        and access should be easily revocable by the consumer. We 
        believe data sharing and permissioning should be an iterative 
        process, with customers engaged continuously. Moreover, many 
        customers believe revoking access is as easy as deleting an app 
        from their phone--this is not the case. Customers should be 
        able to easily instruct their financial institution to revoke 
        access when they no longer want or need the aggregation-based 
        service.

    We believe that embracing these principles will better protect 
consumers, aggregators, and financial institutions, and facilitate more 
efficient data sharing practices.
How Do We Solve This for Consumers?
    Fortunately, although the risks and challenges of the current 
system are serious, there are steps financial institutions and 
aggregators can take together to improve the data sharing ecosystem. 
The financial services industry is employing technological solutions 
for the secure exchange and access of financial information. These 
technologies involve the implementation and use of application 
programming interfaces (APIs), which are provided by the financial 
institution to aggregators and other third parties. An API works in 
conjunction with an authentication process that is handled by the 
financial institution. There are authentication processes, for example 
``open authorization'' (OAuth), that do not involve sharing of account 
access credentials with third parties. Consumers who want their data 
aggregated sign into their accounts at the financial institution's 
website and provide authorization for third party aggregators to access 
their financial data. The financial institution and the data aggregator 
then manage that connection through secure, encrypted tokens that are 
provisioned for the specific connection.
    There are several compelling consumer and data security benefits 
for moving to APIs. First, it keeps log-in credentials private and 
secure by eliminating the need for consumers to share log-in 
credentials with third parties. This reduces the cyber, identity, and 
personal data security risks that exist when a consumer shares private 
log-in details with a third-party. Second, it puts the consumer in the 
driver's seat by giving consumers greater transparency and control of 
their data by allowing consumers to provide unequivocal consent and 
instruction to share their data with third parties. Third, it allows 
financial institutions and aggregators to agree on what data should be 
shared and avoid over-scraping. Fourth, it eliminates the need to 
reconfigure aggregators' systems every time a consumer changes his or 
her username or password or the financial institution updates its 
webpage. Fifth, it removes the traffic-intensive screen scraping 
activity from financial institutions' web sites and other digital 
properties, returning that capacity to the individual consumers for 
whom those sites were created. Finally, it enables the consumer to 
monitor the ongoing access and instruct their financial institution to 
revoke the consent if desired.
Fidelity Access
    In November 2017, Fidelity announced its own API solution for data 
sharing called Fidelity Access. Fidelity Access will allow Fidelity 
customers to provide third parties access to customer data through a 
secure connection without providing log-in credentials. Fidelity Access 
will include a control center, where customers can grant, monitor, and 
revoke account access at any time. We have been working closely with 
aggregators and other third parties on adoption of this solution.
    Of particular note, eMoney Advisor, Fidelity's affiliate that 
offers its own aggregation service, is committed to working with other 
financial institutions that offer APIs. By championing the exclusive 
use of APIs to facilitate customers providing third parties access to 
their financial data, we hope to show leadership by taking action to 
better secure our customers' data.
Industry Standards and Policymaker Guidance
    In addition to our own efforts to address the problems with data 
aggregation, we have been working with a wide array of industry and 
public sector stakeholders. We support many of the data sharing and 
aggregation principles that have been put forth:

    In October 2017, after a year-long inquiry into the topic, 
        the Bureau of Consumer Financial Protection (BCFP) released 
        nonbinding financial data sharing and aggregation principles, 
        which helpfully emphasized the importance of access, security, 
        transparency, and consent. \3\
---------------------------------------------------------------------------
     \3\ Available at https://files.consumerfinance.gov/f/documents/
cfpb--consumer-protection-principles--data-aggregation.pdf. Fidelity 
commented on the Request for Information that culminated in these 
principles (https://www.regulations.gov/document?D=CFPB-2016-0048-
0053).

    In February 2018, the Financial Services Information 
        Sharing and Analysis Center (FS-ISAC), a cybersecurity 
        information sharing group focused on the financial services 
        industry, published a standard durable data API free of charge 
        to help facilitate safer transfer of financial data. \4\ The 
---------------------------------------------------------------------------
        Fidelity Access API is based on this standard.

     \4\ See https://www.fsisac.com/article/fs-isac-enables-safer-
financial-data-sharing-api. Fidelity is a member of FS-ISAC and 
contributed to the development of the durable data API.
---------------------------------------------------------------------------
    In March 2018, the Financial Industry Regulatory Authority 
        (FINRA) published an investor alert that explained the risks 
        associated with aggregation-based services and noted that many 
        firms are moving toward APIs. \5\
---------------------------------------------------------------------------
     \5\ Available at http://www.finra.org/investors/alerts/know-you-
share-be-mindful-data-aggregation-risks.

    In April 2018, the Securities Industry and Financial 
        Markets Association (SIFMA) released data aggregation 
        principles that focused on similar themes. \6\
---------------------------------------------------------------------------
     \6\ Available at https://www.sifma.org/resources/general/data-
aggregation-principles/. Fidelity is a member of SIFMA and worked 
closely with other member firms in developing these principles.

    In July 2018, the U.S. Department of the Treasury released 
        a report on Nonbank Financials, FinTech, and Innovation that 
        includes a lengthy discussion of financial data aggregation and 
        helpful recommendations, including simplified disclosures, 
        moving away from screen scraping, and eliminating log-in 
        credential sharing. \7\
---------------------------------------------------------------------------
     \7\ Available at https://home.treasury.gov/sites/default/files/
2018-08/A-Financial-System-that-Creates-Economic-Opportunities---
Nonbank-Financials-Fintech-and-Innovation_0.pdf.

    These efforts to provide guidance have brought many of the 
challenges and risks associated with data aggregation to the fore and 
encouraged healthy debate on how to solve them.
Continuing Challenges
    Despite the general consensus that the status quo is untenable and 
the industry should move to safer data sharing technologies, there are 
roadblocks that prevent wider adoption of APIs and other solutions. 
Here are what we see as the most challenging:

    Inertia: One force working against adoption of safer data 
        sharing technologies is simple inertia. Existing practices have 
        been the norm for close to two decades. Getting firms to adopt 
        new technologies can be challenging no matter what the 
        benefits. However, given the stakes, with headlines replete 
        with examples of cybersecurity events and data breaches, this 
        is not an adequate reason to resist better data sharing 
        technology.

    Cost: Another countervailing force is cost. One of the 
        unfortunate truths about screen scraping is that it is cheap 
        and effective. While safer technologies like APIs have become 
        less costly as technology advances, building one does incur 
        costs. We believe the incremental increase in cost is well 
        worth the substantial security and transparency improvements 
        for consumers. Still, financial institutions should be 
        sensitive to this reality, which is why we are providing 
        Fidelity Access to third parties free of charge.

    Liability: Liability is the most stubborn blocker to wider 
        adoption of safer data sharing technologies. Third party 
        aggregators want to limit their potential liability in the 
        event that financial data is illicitly obtained. We have seen 
        firms try to limit their liability to low dollar amounts. These 
        kinds of limits are untenable for financial firms like Fidelity 
        that have a duty to protect client assets. Fidelity believes 
        firms that obtain and handle consumer data should be held 
        responsible to protect that data from unauthorized use, just as 
        we are. Any other standard creates moral hazard and does not 
        incentivize aggregators to take their data stewardship 
        responsibilities seriously.

    Until all industry participants--aggregators, FinTech firms, and 
financial institutions--are prepared to overcome these challenges in a 
responsible manner, we will not move as swiftly as we otherwise could 
to adopt safer data sharing technologies.
    Thank you again for the opportunity to testify and I look forward 
to answering your questions.
                                 ______
                                 
                   PREPARED STATEMENT OF BRIAN KNIGHT
Director, Innovation and Governance Program, Mercatus Center at George 
                            Mason University
                           September 18, 2018
    Good morning, Chairman Crapo, Ranking Member Brown, and Members of 
the Committee. I thank you for inviting me to testify.
    My name is Brian Knight, and I am the director of the Innovation 
and Governance Program and a senior research fellow at the Mercatus 
Center at George Mason University. My research focuses primarily on the 
role technological innovation plays in financial services. Any 
statements I make reflect only my opinion and do not necessarily 
reflect the opinions of the Mercatus Center or my colleagues.
    I would like to begin by thanking Chairman Crapo and Ranking Member 
Brown for their leadership in holding this hearing. The role of 
financial technology (or FinTech) in changing the market for financial 
services is continuing to grow, with innovations permeating all 
financial markets. The importance of these technological changes is 
reflected by the fact that the Treasury Department chose to devote 
almost an entire report to the topic in its series of reports on core 
principles in financial regulation. \1\ I also appreciate your 
collecting speakers from a broad array of experiences and viewpoints 
for what I expect will be a productive discussion. I am honored to be 
part of it.
---------------------------------------------------------------------------
     \1\ Steven T. Mnuchin and Craig S. Phillips, U.S. Dep't of the 
Treasury, ``A Financial System That Creates Economic Opportunities: 
Nonbank Financials, FinTech, and Innovation'' (2018) [hereinafter 
Treasury Report].
---------------------------------------------------------------------------
    Given the limited amount of time, I have focused my testimony on a 
handful of areas centered on the collection, aggregation, and use of 
data. I am happy, however, to answer any other questions you may have 
to the best of my ability.
    I want to leave you with three main points:

  1.  FinTech innovation has significant potential to improve the 
        quality of, and access to, financial services.

  2.  While there are potential risks, these risks should be judged 
        against the status quo, not an unobtainable perfection.

  3.  Existing law can mitigate risk to some degree, and changes to the 
        law should be considered only if existing law is proven to be 
        inadequate and the benefits of changing the law will outweigh 
        the costs.
The Potential for a Better Financial Services Market
    Changes in technology have the potential to improve the financial 
services markets. Specifically, the collection, use, and aggregation of 
consumer data may allow consumers to enjoy more choice, more 
competition, and higher-quality services. Likewise, the use of 
artificial intelligence, machine learning, and other advanced 
algorithmic techniques to process data present the possibility of more 
accurate, fair, and inclusive underwriting and risk management.
    While there are reasons to be excited, there are also potential 
risks. More granular data collection and broader access might increase 
the risk and harm of data breaches to consumers. There are concerns 
that the enhanced use of algorithms may lead to more discrimination, a 
lack of transparency, or diminished access to essential services like 
credit. \2\ There are also fears that the existing legal and regulatory 
environment is unable to address the risks introduced by technology.
---------------------------------------------------------------------------
     \2\ See, e.g., U.S. Fed. Trade Comm'n, ``Big Data: A Tool for 
Inclusion or Exclusion'' 8-11 (2016) (summarizing findings of public 
workshop on big data regarding potential risks).
---------------------------------------------------------------------------
    While these concerns merit consideration and the risks they 
describe should be monitored, it is premature to panic. First, the 
early data are promising, in many cases finding that financial 
technology and the competition and innovation it fosters are improving 
financial services. Second, existing law and regulation might mitigate 
some of the major risks already. Although this area is often presented 
as a lawless Wild West, it is incorrect to think that these areas are 
unregulated. As discussed below, existing regulations apply, and in 
general, we should see how well the existing laws and regulations work 
with new technology before we impose new restrictions. Indeed, we 
should consider the possibility that, in fact, we already have too much 
regulation that affects these new technologies. Otherwise we risk 
forestalling innovations that can lead to more competitive, efficient, 
and inclusive financial markets--to the detriment of the American 
consumer.
Data Collection
    As the Treasury Report notes, the ability of financial service 
providers to collect and utilize a broader and more diverse selection 
of consumer data has the potential to improve the provision of 
financial services, especially to consumers who are poorly served by 
the status quo. \3\ Not only could cost-effective access to more data 
help established firms improve their offerings, it could also encourage 
competition and innovation from new entrants.
---------------------------------------------------------------------------
     \3\ Treasury Report, supra note 1, at 17.
---------------------------------------------------------------------------
    While the ability to access and utilize more data has a significant 
upside, it also presents risks. For example, it is possible that the 
more granular a dataset a financial institution collects on a consumer, 
the more harm a security breach could cause. Data that might be 
relatively harmless at one level of detail could become highly 
sensitive at another. What could be labeled ``professional or medical 
services'' at one level of detail could be labeled ``marriage 
counseling'' at another. While obtaining more information could allow 
financial services providers to offer better products, we should also 
be alert to the risks that could develop.
    Additionally, as the Treasury Department notes, there are divergent 
regulations at the State level regarding data security and breach 
notification. \4\ These different requirements can increase compliance 
costs for firms and result in citizens being regulated by sets of rules 
put in place without consultation with them, the consumers. \5\ Given 
the predominantly interstate nature of cybersecurity, there is little 
question that Congress could constitutionally preempt State law to 
create consistent national standards, and given the costs of the status 
quo, it may want to consider doing so.
---------------------------------------------------------------------------
     \4\ Treasury Report, supra note 1, at 39-41.
     \5\ For further discussion of the potential costs of State-by-
State regulation on FinTech, including the costs of inefficiency and 
political inequity among citizens of different States, please see Brian 
Knight, ``Federalism and Federalization on the FinTech Frontier'', 20 
Vand. J. Ent. and Tech. L. 129, 185-99 (2017).
---------------------------------------------------------------------------
Data Aggregation
    Third-party aggregators, acting on a consumer's behalf, can now 
allow consumers to see all of their accounts from different financial 
services providers at a glance. This convenient display of information 
can help consumers more effectively assess and manage their finances. 
Third-party aggregation can also be used by applications, again acting 
at the request of the consumer, to collect the consumer's financial 
data in order to allow the consumer to use the application's service. 
Such applications are gaining in popularity; a recent survey conducted 
by the Clearing House found that about a third of banking customers use 
financial technology applications. \6\
---------------------------------------------------------------------------
     \6\ The Clearing House, ``FinTech Apps and Data Privacy: New 
Insights From Consumer Research'' 4 (2018).
---------------------------------------------------------------------------
    While there are real potential benefits to data aggregation, the 
practice is not without controversy. Banks and other financial 
institutions have expressed concern that data aggregators, particularly 
those using ``screen scraping,'' \7\ place consumers' data at risk and 
potentially expose consumers to fraud and the bank to liability. \8\ As 
the Treasury Department's FinTech report notes, the banks' fears are 
not outlandish, as there is an open question as to the scope of the 
banks' liability under existing law, even if the customer willingly 
granted access to a third party that was responsible for the data 
breach. \9\
---------------------------------------------------------------------------
     \7\ Screen scraping generally refers to an aggregator using a 
customer's login credentials to log into a financial institution's 
webpage on behalf of the customer and extracting data from the webpage.
     \8\ See, e.g., The Clearing House, ``Ensuring Consistent Consumer 
Protection for Data Security: Major Banks vs. Alternative Payment 
Providers'' (2015).
     \9\ Treasury Report, supra note 1, at 35-36.
---------------------------------------------------------------------------
    This concern is part of why section 1033 of the Dodd-Frank Act is 
so controversial. As the Treasury Department report notes, there is a 
plausible reading of the act (one that the Treasury endorses) that 
requires financial institutions covered by Dodd-Frank to, subject to 
rules promulgated by the Bureau of Consumer Financial Protection 
(Bureau), make account records available in an electronic form not only 
to consumers themselves but also to a consumer's agent, including a 
FinTech application. \10\ Paired with potential legal liability, this 
provides banks with few options to protect themselves.
---------------------------------------------------------------------------
     \10\ Treasury Report, supra note 1, at 31.
---------------------------------------------------------------------------
    Understandably, this presents some significant issues that the 
Bureau, and potentially Congress, should consider. Among them are the 
following:

    The extent of the burden placed on covered financial 
        institutions. Must a covered financial institution make data 
        available to all comers, or may it place limits on the basis of 
        safety or data security?

    The standards for data transmission. As mentioned in the 
        Treasury Report, there has been a shift from screen scraping to 
        the use of application programming interfaces (APIs) that may 
        provide a more secure method of communicating data. However, 
        there is not a mandatory standard that would allow 
        interoperability. While there are ongoing industry efforts to 
        bring standardization, \11\ questions remain as to whether 
        covered financial institutions must accommodate all requests 
        and who will set standards for data transmission methods.
---------------------------------------------------------------------------
     \11\ See, e.g., ``NACHA, API Standardization--Shaping the 
Financial Services Industry'' (2018) (discussing efforts by NACHA to 
develop standards for financial services APIs to allow 
interoperability).

    The scope of data transmission. One of the major concerns 
        expressed by covered financial institutions is that data 
        aggregators can obtain data in excess of what is needed to 
        perform the service the consumer has authorized them to do. 
        Conversely, data aggregators express frustration that financial 
        service providers prevent them from accessing needed data via 
        financial-service-provider-approved APIs. \12\ While the 
        availability of more data may allow applications to offer 
        better services, it could also increase consumer harm if there 
        were a breach. The scope of data that aggregators will be able 
        to obtain from financial institutions, and what factors control 
        that scope, will need to be determined.
---------------------------------------------------------------------------
     \12\ Treasury Report, supra note 1, at 34.

    Consumer control of data transmission. The amount of 
        control consumers will have over the amount of data that is 
        obtained by aggregators, and how that control must be 
        exercised, will need to be determined. According to the same 
        survey by the Clearing House, a majority of consumers would 
        like to be required to provide explicit consent to any third 
        party seeking data. \13\ However, what that might look like in 
        practice (e.g., when that consent must be provided or how 
        granular the consent must be), and whether that standard is 
        even practical, remain to be determined.
---------------------------------------------------------------------------
     \13\ The Clearing House, supra note 8, at 7.
---------------------------------------------------------------------------
    Liability for data breaches. As the Treasury Report 
        discusses, there is a question regarding the scope of liability 
        for a financial institution in the event consumer data is lost 
        owing to a failure on the part of a data aggregator or a 
        downstream application. Financial institutions feel at risk 
        that they will ultimately be forced to compensate customers, 
        even if the financial institution was not at fault, because the 
        aggregator or application lacks sufficient resources to make 
        aggrieved customers whole. This concern is heightened if 
        financial institutions are forced to make data available to 
        aggregators, rather than choosing to enter into contracts that 
        allow the financial institutions to perform due diligence and 
        make demands of the aggregator.

    If the Bureau adopts the Treasury Department's view regarding 
section 1033, it will need to craft a rule that provides meaningful 
access while addressing the legitimate concerns of covered financial 
institutions. However, the Bureau should also leave as many of the 
details as possible to market participants so as to not impede 
innovation or risk enshrining requirements that will become outdated or 
suboptimal far faster than the regulatory process can adapt. Congress 
should monitor these developments to determine whether any subsequent 
adjustment is necessary.
Innovative Underwriting
    As the Treasury Department notes, credit underwriting is one area 
where data, in conjunction with artificial intelligence, are being used 
to potentially great effect. There is optimism that algorithmic 
underwriting may increase inclusion and improve the quality of 
underwriting, making it more accurate and efficient. However, there are 
also concerns that it could exacerbate discrimination and exclusion, 
because the algorithms may exacerbate existing discrimination or be so 
opaque that humans lose the ability to discern what is driving the 
algorithm's results, preventing humans from excluding improper 
variables. \14\ These concerns are particularly acute with regard to 
unintentional discrimination through the use of facially neutral 
variables that nonetheless have a ``disparate impact'' on protected 
classes of persons.
---------------------------------------------------------------------------
     \14\ Treasury Report, supra note 1, at 57-8.
---------------------------------------------------------------------------
    While these concerns should be taken seriously, there are also 
reasons to believe they are at least somewhat overstated. First, it 
must be remembered that the appropriate standard to judge innovative 
underwriting is not perfection. Rather, we should judge whether it is 
an improvement over the status quo. In this regard, there is evidence 
that innovative underwriting may prove to be less discriminatory than 
current practices. Second, there are reasons to believe that the 
current legal and regulatory environment for financial services may be 
well situated to mitigate these risks.
    As Professor Anupam Chander points out, there are several reasons 
why algorithms may prove to be less prone to discrimination than human 
decision making. To the extent that discrimination is driven by 
subconscious or unconscious bias, those biases are less likely to 
survive the process of being written down in an intentional 
underwriting algorithm compared to a ``gut decision'' by a lending 
officer. \15\ Additionally, to the extent there is concern that 
algorithms may present a ``black box'' that cannot be audited, they 
nonetheless present less of a black box than the human mind. \16\ 
Further, to the extent human decision making incorporates inaccurate 
stereotypes when making decisions, algorithms, with access to more and 
better data, and without the baggage of inaccurate stereotypes, may be 
able to do a better job. \17\
---------------------------------------------------------------------------
     \15\ Anumpam Chander, ``The Racist Algorithm?'', 115 Mich. L. Rev. 
1023, 1028 (2017).
     \16\ Id. at 1030.
     \17\ Id.
---------------------------------------------------------------------------
    Early evidence of the use of innovative underwriting is promising. 
For example, researchers at the Federal Reserve Banks of Chicago and 
Philadelphia looked at a leading marketplace lender's use of innovative 
underwriting and found that the lender was able to offer many borrowers 
better rates than they would have received from a traditional lender. 
These loans also seemed to age reasonably well, indicating that the 
underwriting did not present an undue risk of default. \18\ Likewise, 
scholars at the University of California, Berkley, found evidence 
indicating that FinTech lenders using innovative underwriting for 
mortgages were significantly less likely to discriminate on the basis 
of race than traditional lenders. \19\ While we are still in the early 
days and more research is necessary, there are good indications that 
innovative underwriting, as applied, may have significant benefits.
---------------------------------------------------------------------------
     \18\ See Julapa Jagtiani and Catharine Lemieux, ``FinTech Lending: 
Financial Inclusion, Risk Pricing, and Alternative Information'' (Fed. 
Res. Bank of Phila., Working Paper No. 17-17, 2017); Julapa Jagtiani 
and Catharine Lemieux, ``The Roles of Alternative Data and Machine 
Learning in FinTech Lending: Evidence From the Lending Club Consumer 
Platform'' (Fed. Res. Bank of Phila., Working Paper No. 18-15, 2018).
     \19\ See Robert P. Bartlett, Adair Morse, Richard Stanton, and 
Nancy Wallace, ``Consumer Lending Discrimination in the FinTech Era'' 
(2018).
---------------------------------------------------------------------------
    Additionally, certain existing regulatory requirements may 
encourage firms developing innovative underwriting tools to avoid some 
of the concerns expressed by pessimists. For example, while there are 
concerns about the opacity of algorithms, the Equal Credit Opportunity 
Act and Fair Credit Reporting Act require lenders to be able to provide 
prospective borrowers with adverse action notifications explaining why 
the borrower was denied or charged a higher rate and detail the 
information the lender used to make that determination. \20\ Complying 
with this requirement will be difficult if the lender's algorithm is 
truly opaque, giving lenders an incentive to maintain auditability and 
explainability. \21\
---------------------------------------------------------------------------
     \20\ Matthew Bruckner, ``The Promise and Perils of Algorithmic 
Lenders' Use of Big Data'', 93 Chicago-Kent L. R. 1, 38-39, 51 (2018).
     \21\ Id. at 40.
---------------------------------------------------------------------------
    Further, while lenders have an economic incentive to ensure that 
their algorithms are accurate and not irrational, there are also 
existing regulatory reasons to do so. To the extent that underwriting 
algorithms generate lending decisions that create the ``artificial, 
arbitrary, and unnecessary barriers'' that disparate impact theory is 
meant to address, \22\ the lender may, depending on the unique 
circumstances and the relevant applicable statutes, also find itself 
subject to liability for lending decisions that, while relying on 
facially neutral criteria, have a disparate impact on protected classes 
of borrowers, unless those decisions are driven by a legitimate 
business purpose and cannot be accomplished with less discriminatory 
means. While lenders have a strong profit motive to make certain their 
underwriting is as accurate as possible, potential liability should 
also encourage lenders to actively monitor and improve their 
algorithms.
---------------------------------------------------------------------------
     \22\ Tex. Dep't of Hous. and Cmty. Affairs v. Inclusive Cmtys. 
Project, Inc., 135 S. Ct. 2507, 2522 (2015).
---------------------------------------------------------------------------
Conclusion
    The advance of technology has shown significant promise for 
improving the market for financial services. Specifically, the 
collection, aggregation, and use of consumer data has significant 
potential to allow consumers to enjoy the benefits of a more 
competitive and innovative market. Of course, there is no such thing as 
a free lunch, and increased risks may accompany the benefits. However, 
at present there is no reason to panic, and rash regulatory 
intervention may frustrate proconsumer innovation, leaving consumers 
worse off.
    Congress should carefully monitor and evaluate developments in the 
FinTech arena and intervene only when existing law and regulation--
including market regulation--prove inadequate to address a problem and 
where the costs of intervening would not be worse than the problem the 
intervention seeks to solve. When Congress does intervene, it should do 
so in a technologically agnostic manner and refrain from imposing 
specific technical requirements on market participants because such 
solutions are likely to become obsolete in short order.
    A specific area Congress may want to monitor is whether concerns 
about potential liability are chilling innovations in underwriting that 
might otherwise benefit society. Congress should consider tools such as 
``regulatory sandboxes,'' which can allow firms to experiment in a way 
that encourages innovation while maintaining appropriate consumer 
protection. While some regulators have announced their intention to 
undertake such activities under their existing authority, given the 
fragmented nature of financial regulation, it may require Congress to 
provide sufficient authority to allow for meaningful experiments.
    Another area Congress should consider is the question of whether 
the current allocation of regulatory authority regarding data security 
and breach notification is appropriate. As mentioned earlier, the laws 
governing data security and data breach notification, especially those 
at the State level, may be unduly burdening market participants and 
forcing consumers to pay for rules they had no say in. Therefore, 
Congress should consider whether establishing consistent, preemptive 
Federal standards would be appropriate.
    Technology presents the opportunity for market actors to more 
effectively gather, aggregate, and use data to provide customers with 
better, cheaper, and more effective financial services. While there are 
potential risks that should be monitored, there is also the potential 
for significant benefits. Intelligent regulatory choices, including the 
possibility of exercising forbearance, can help create an environment 
where consumers are able to enjoy the maximum benefits of innovation 
and competition while enjoying adequate protection.
    Thank you again for the invitation to testify. I look forward to 
your questions.
                                 ______
                                 
                 PREPARED STATEMENT OF SAULE T. OMAROVA
    Professor of Law, and Director, Jack Clarke Program on Law and 
 Regulations of Financial Institutions and Markets, Cornell University
                           September 18, 2018
    Dear Chairman Crapo, Ranking Member Brown, Members of the 
Committee: Thank you for inviting me to testify at this hearing. My 
name is Saule Omarova. I am Professor of Law at Cornell University, 
where I teach subjects related to U.S. and international banking law 
and financial sector regulation. Since entering the legal academy in 
2007, I have written numerous articles examining various aspects of 
U.S. financial sector regulation, with a special focus on systemic risk 
containment and structural aspects of U.S. bank regulation. Prior to 
becoming a law professor, I practiced law in the Financial Institutions 
Group of Davis Polk and Wardwell. I also served in the George W. Bush 
administration as a Special Advisor on Regulatory Policy to the U.S. 
Treasury's Under Secretary for Domestic Finance. I am here today solely 
in my academic capacity and am not testifying on behalf of any entity. 
I have not received any Federal grants or any compensation in 
connection with my testimony, and the views expressed here are entirely 
my own.
    FinTech--an umbrella term that refers to a variety of digital 
technologies applied to the provision of financial services--is by far 
the hottest topic in finance today. Recent advances in computing power, 
data analytics, cryptography, and machine learning are visibly changing 
the way financial transactions are conducted and financial products are 
used. New financial technologies promise to make transacting in 
financial markets infinitely faster, cheaper, easier to use, and more 
widely accessible. Reaching across generational and political lines, 
technology is bringing tech-savvy millennials, utopian anarchists, and 
computer scientists into the mainstream debate on the future of 
finance, infusing it with a new sense of excitement about the game-
changing potential of the unfolding FinTech ``revolution.'' As usual, 
financial markets translate these expectations into massive and rapidly 
growing flows of capital into FinTech-related ventures.
    This is, of course, not the first time in modern history that these 
market dynamics are being played out. \1\ As history keeps teaching us, 
in such periods of rising investor optimism, it is especially critical 
that policymakers and regulators remain cautious, cool-headed and even-
handed in their assessment of FinTech. On the one hand, there is no 
doubt that technological progress creates previously unimaginable 
opportunities for improving the functioning of financial markets and, 
more broadly, the quality of our financial lives. On the other hand, 
there is no guarantee that any of these expected benefits will, in 
fact, materialize--or whether they will generate any real long-term 
benefits for the Nation's economy and society as a whole.
---------------------------------------------------------------------------
     \1\ See Charles P. Kindleberger and Robert Aliber, ``Manias, 
Panics, and Crashes: A History of Financial Crises'' (2005).
---------------------------------------------------------------------------
    In this context, it is especially commendable that the Committee is 
taking a closer look at the current state of FinTech and the current 
Administration's strategic priorities in this area laid out in the U.S. 
Treasury Department's recent report to President Trump, ``A Financial 
System That Creates Economic Opportunities: Nonbank Financials, 
FinTech, and Innovation'' (hereinafter, the ``Treasury Report'' or 
``Report''). \2\
---------------------------------------------------------------------------
     \2\ U.S. Department of the Treasury, ``Report to President Trump: 
A Financial System That Creates Economic Opportunities: Nonbank 
Financials, FinTech, and Innovation'' (July 2018), [hereinafter, 
Treasury Report] available at https://home.treasury.gov/sites/default/
files/2018-07/A-Financial-System-that-Creates-Economic-Opportunities---
Nonbank-Financi....pdf.
---------------------------------------------------------------------------
    At this early stage in the development and adoption of many FinTech 
applications, it is difficult to come up with an exhaustive list of 
specific policy concerns associated with each specific technology use. 
It is also difficult to identify the full spectrum of changes in the 
existing legal and regulatory regimes needed to accommodate specific 
uses of new technologies in financial transactions. It is both possible 
and necessary, however, to start taking a broader systemic view of 
FinTech and identifying key public policy issues arising in connection 
with the continuing growth of FinTech.
    A comprehensive analysis of the macrolevel, systemic implications 
of FinTech is provided in my new working paper, ``New Tech v. New Deal: 
FinTech as a Systemic Phenomenon'', attached separately as an Appendix 
hereto. In this testimony, I will take a broader look at a few 
overarching themes that arise directly out of the Treasury Report and, 
in my view, deserve the Committee's special attention.
    The key point here is that the Treasury Report understates or even 
ignores a number of critically important public policy issues and 
concerns raised by the unfolding digital ``revolution'' in finance. My 
testimony identifies a few such high-level public policy concerns that 
both (1) merit full consideration by the Committee, and (2) are not 
adequately discussed or acknowledged in the Treasury Report. It is not 
intended as a detailed critique of the Treasury's conclusions and 
recommendations, nor does it claim to analyze the full risks and 
benefits of any particular FinTech application discussed in the Report. 
The purpose of my testimony is to widen the lens beyond the seemingly 
value-neutral and narrowly technocratic ``solutions''--and to introduce 
the necessary note of caution with respect to potentially crucial 
systemic implications of the Treasury's approach to FinTech innovation.
The Treasury Report: The FinTech Strategy Outlined
    The Treasury Report addresses a wide range of important trends in 
today's FinTech sector and discusses a long list of legal and 
regulatory challenges such trends present. The Treasury's numerous 
conclusions and recommendations span across multiple issues and vary 
greatly in the level of specificity. The Report's primary public policy 
significance, however, is that it outlines the current Administration's 
strategic approach to FinTech--and, more generally, financial sector--
regulation. Thus, understanding the Report's programmatic content is 
the key first step in the process of examining FinTech as a public 
policy challenge.
Underlying Narrative: FinTech as a Technical Phenomenon
    From the outset, the Treasury clearly states its view of data 
digitization and the corresponding growth in the use of digital 
technologies in financial and commercial transactions as the 
fundamental drivers of innovation and economic growth in the modern 
economy. \3\ The Report asserts that recent advances in core computing 
and data storage capacity dramatically reduced the cost of 
transmitting, keeping, and managing financial information--thus greatly 
increasing operational efficiencies and reducing the overall cost of 
delivering financial services. \4\ It claims further that digitization 
allows financial institutions to satisfy consumers' and companies' 
demand for increased convenience and speed of transacting and to scale 
up their services to reach a greater number of customers. \5\
---------------------------------------------------------------------------
     \3\ Treasury Report, at 6-8.
     \4\ Id. at 7.
     \5\ Id.
---------------------------------------------------------------------------
    On the basis of this optimistic narrative, the Treasury concludes 
that ``[t]he availability of capital, the large scale of the financial 
services market, and continued advancements in technology make 
accelerating innovation nearly inevitable.'' \6\ Accordingly, the 
Report defines the Administration's overarching strategic policy 
priority in terms of actively facilitating the ``inevitable'' march of 
FinTech innovation.
---------------------------------------------------------------------------
     \6\ Id. at 8.
---------------------------------------------------------------------------
    To the extent this approach conveys a basic recognition of the need 
to accept and facilitate socially beneficial technological change, the 
Report's contribution is both timely and important. Technological 
progress and financial innovation, however, are not ``natural'' and 
value-neutral ``win-win'' phenomena: they have significant long-term 
distributional and systemic stability-related--and thus political--
consequences. Technology is a tool that can be used in socially harmful 
ways that advance the interests of the few rather than those of the 
many.
    This basic fact makes it especially important to keep in mind that 
the Treasury's conclusions and recommendations directly reflect, and 
are shaped by, certain fundamentally normative preferences and 
assumptions. These underlying normative choices are often hidden behind 
the technical idiom and deliberately technocratic discussions filling 
the Report's 223 pages. An unbiased evaluation of the Treasury's 
proposed FinTech strategy, therefore, requires a clear understanding of 
what that strategy actually calls for--and whose economic and political 
interests it prioritizes.
Normative Baseline: Regulatory Accommodation of Private Sector 
        Innovation
    Two principal themes run through the long list of Treasury's 
recommendations: (1) an explicit and strong commitment to promoting 
private sector-led financial innovation; and (2) an implicit but 
equally strong commitment to minimizing regulatory interference with 
private firms' efforts to scale up FinTech operations. These 
fundamentally normative choices form the basis of the Treasury's 
overall FinTech strategy.
    The Treasury Report envisions financial innovation as both (1) 
presumptively socially beneficial; and (2) a fundamentally and 
inherently private sector-led initiative. The Report consistently 
emphasizes private firms' leading role in digitization of financial 
data and services. Even where the Report advocates establishing 
``public-private partnerships'' (PPP), its envisioned PPP model clearly 
places control over the nature and pace of technological change in 
private firms' hands. Throughout the Report, the principal role of the 
Federal and State lawmakers and regulators is effectively confined to 
providing the necessary logistical and infrastructural support for 
private firms' FinTech activities, while otherwise ``staying out'' of 
their way.
    Accordingly, the Treasury's strategic emphasis is on 
``modernizing'' the existing legal and regulatory regimes in order to 
accommodate, rather than control, the process of privately led 
financial innovation. In that sense, the Treasury's normative stance is 
fundamentally deregulatory.
Rhetorical Focus: ``All About Consumers''
    As a rhetorical matter, the Report justifies this inherently 
reactive and accommodating regulatory posture by stressing that new 
FinTech products are (1) created in response to consumer demand for 
better financial services, and (2) offer important benefits to 
consumers. \7\
---------------------------------------------------------------------------
     \7\ See, e.g., Id. at 17-19.
---------------------------------------------------------------------------
    These consumer benefits include greater speed and convenience of 
transacting; easier access to financial markets and services; and 
greater freedom of consumer choice with respect to financial products 
and service providers. \8\ By offering these benefits, the Treasury's 
argument goes, FinTech serves equally the interests of all segments of 
America's population, from digitally savvy millennials to the under-
served poor, from pragmatic bargain-hunters to ideological 
libertarians. Put simply, the Treasury's argument is that all of us, 
ordinary consumers of retail financial services, are the principal 
beneficiaries of the proposed regulatory unshackling and unfettered 
FinTech innovation.
---------------------------------------------------------------------------
     \8\ Id. at 17.
---------------------------------------------------------------------------
    This is, of course, a well-known mode of arguing consistently 
employed by the proponents of deregulation in the financial sector. The 
financial industry and its representatives have a long historical 
record of justifying their demands for regulatory easing by reference 
to consumer benefits. As discussed below, in the years before the 2008 
crisis, the same rhetoric was widely used to avoid legislative or 
regulatory ``interference'' with predatory subprime lending practices 
that were at the core of the unsustainable speculative asset boom and 
the resulting economic devastation. It is therefore important to 
contextualize the Treasury's claims.
Practical Focus: Relaxing Bank Regulation To Enable Certain Structural 
        Changes
    To operationalize its programmatic goals--promoting private sector-
led financial innovation and minimizing regulatory ``interference'' 
with that process--the Treasury adopts what may be viewed as a 
structural approach. Many of the Treasury's various recommendations 
target, directly or indirectly, the organizational and operational 
``walls'' that currently prevent or slow down FinTech companies' full-
scale entry into the banking sector.
    Thus, the Treasury Report strongly calls for financial regulators 
to ``modernize''--or, more precisely, to relax or remove--some of the 
key rules and regulations governing banking institutions' relationships 
with unaffiliated technology companies. The unstated goal of the 
Treasury's ``modernization'' strategy is to enable regulated banks to 
form large-scale de facto partnerships with technology companies, 
without subjecting the latter to bank-like oversight.
    Three examples of this deregulatory approach are particularly 
noteworthy. Thus, the Treasury Report lists a variety of specific 
recommendations that seek to:

  1.  enable banking institutions to enter into open-ended, large-scale 
        data-sharing and information-management partnerships with 
        technology companies;

  2.  enable mutual equity investments and direct affiliations between 
        banks and nonbank technology companies; and

  3.  facilitate ``rent-a-charter'' arrangements allowing online 
        marketplace lenders to take advantage of national banks' 
        exemptions from State usury laws.

    These recommendations raise a number of potentially significant 
public policy concerns that do not receive attention in the Report. In 
broad terms, these policy concerns arise in three interconnected but 
conceptually separate areas:

  1.  consumer financial data privacy and safety;

  2.  market structure and potential concentration of economic power; 
        and

  3.  systemic financial stability and economic growth

    Below, I will examine each of these high-level public policy 
issues--or systemic concerns--in the context of the three groups of 
Treasury recommendations outlined above.
Systemic Concern Number One: Consumer Protection
    The Treasury Report advocates for a significant relaxation, if not 
elimination, of the existing rules governing banking institutions' 
relationships with third-party vendors, in order to make it easier for 
regulated banks to form large-scale data-sharing and data-management 
partnerships with data aggregators and cloud service providers. \9\
---------------------------------------------------------------------------
     \9\ Id. at 73-77.
---------------------------------------------------------------------------
    Data aggregators--or data miners--are technology companies that 
collect and ``share'' (i.e., sell to interested businesses) vast 
amounts of online business and personal user data. So far, banking 
institutions have been reluctant to share their customers' financial 
information--including personal bank account types and balances, 
history of late fees and charges, detailed transaction records, and so 
forth--with unaffiliated data aggregators. Bound by their legal and 
regulatory obligations to safeguard customer information handled by 
third-party vendors, banks typically insist on controlling their 
bilateral relationships with individual data aggregators and often 
impose unilateral restrictions on their access to banks' customer data.
    The Treasury Report views this situation as an example of 
undesirable regulatory obstacles to financial innovation and, 
accordingly, calls for a concerted regulatory effort to allow data 
aggregators a greater direct access to banking customers' financial 
data. The Report maintains that it is critical to ease legal and 
regulatory requirements that currently ``hold back'' financial 
institutions from entering in unrestricted data-sharing agreements with 
data aggregators. In particular, the Report calls for a universal 
adoption of Application Programming Interfaces (APIs) that would give 
data aggregators direct access to customer account and transaction data 
in possession of either any particular bank or all participating 
financial institutions. \10\ Relieving banks from legal liability for 
third-party service providers' handling of customer data is key to this 
industrywide shift to APIs that is, in turn, critical to scaling up the 
flow of financial information from banks to data aggregators. \11\
---------------------------------------------------------------------------
     \10\ Id. at 26-27.
     \11\ Id. at 73-77.
---------------------------------------------------------------------------
    The Treasury Report adopts the same approach to promoting large-
scale partnering between banks and cloud computing service providers, 
The Treasury recommends that Federal financial regulators ``modernize 
their requirements and guidance (e.g., vendor oversight)'' to reduce 
regulatory barriers to large-scale migration of banks' data and 
information management activities to the cloud managed by third 
parties. \12\ As the Report emphasizes, facilitating a massive shift to 
cloud computing would ``increase the speed of innovation'' in the 
financial sector. \13\ Enabling banks and other regulated financial 
institutions to outsource their integrated data management and 
information technology functions to large cloud service providers, 
without exposing themselves to potentially extensive liability, is 
critical to this industrywide shift. \14\
---------------------------------------------------------------------------
     \12\ Id. at 52.
     \13\ Id. at 49.
     \14\ Id. at 49-50.
---------------------------------------------------------------------------
    To justify shielding banks from liability--among other things, by 
relaxing existing bank service provider regulations--the Treasury 
points to banks' efficiency gains and their customers' greater 
convenience and freedom of choice. The basic claim is that allowing 
unaffiliated tech companies to access, host, and manage bank data will 
(1) render financial services faster and cheaper for all consumers; and 
(2) give consumers unfettered control over their own financial data and 
their own financial affairs.
    There is no doubt that wholesale outsourcing of banks' customer and 
enterprise data storage and management to specialized technology 
companies would greatly reduce banks' operating costs and regulatory 
compliance headaches--and even enhance banks' revenues by enabling them 
to charge data aggregators for direct feeds of their customers' account 
data. It would also potentially enable individuals to access their bank 
accounts and other financial records via the same device they use for 
downloading music and rating restaurants. As the Report emphasizes, 
data-sharing through APIs would create a seamlessly integrated virtual 
data management space for individuals seeking this kind of click-
through convenience.
    However, the Treasury Report ignores potentially significant public 
harms of allowing an industrywide wholesale migration of core bank 
activities and highly sensitive financial data to the cloud and/or data 
aggregation platforms run by third parties. What is breezily portrayed 
as ``financial data freedom'' for consumers, in practice, may lead to 
potentially irreversible erosion of consumer rights and meaningful 
freedom of choice in the financial marketplace.
    While it is difficult to present a comprehensive list of potential 
harms to consumers likely to result from the proposed data-sharing 
expansion, two basic issues deserve the Committee's consideration.
Privacy and Safety of Bank Customers' Financial Data
    One reason for concern is that, despite the attractive rhetoric of 
``financial data freedom,'' an easy and direct access to banking 
institutions' data creates both the opportunity and the incentive for 
tech platform companies to engage in unauthorized commercial uses of 
bank customers' personal data.
    Giving consumers ``unfettered'' access to their personal financial 
data, in the way advocated in the Treasury Report, would simultaneously 
give technology platform operators an equally unfettered access to the 
same data. These platform operators, however, are not regulated or 
supervised in the interest of consumer financial privacy as banks 
currently are. \15\ Unlike banks, these companies are not required to 
maintain any particular levels of liquid assets or equity capital to 
ensure their safety and soundness. They don't have any explicit legal 
obligations to make customers whole in case of unauthorized withdrawals 
of money from customers' accounts. They don't have a corps of dedicated 
Federal and State agency staff--such as bank examiners--monitoring 
closely their daily operations for compliance with the applicable 
consumer protection and business conduct standards. In other words, 
these companies are regular private entities seeking to maximize their 
own private profits in a free capitalist market, governed by the basic 
principle of ``caveat emptor'' (``buyer, beware''). In this sense, they 
are not fundamentally different from used car salesmen.
---------------------------------------------------------------------------
     \15\ See Karen Petrou, ``The Crisis Next Time: The Risk of New-Age 
FinTech and Last-Crisis Financial Regulation'' (Sept. 6, 2018), 
available at http://www.fedfin.com/images/stories/client--reports/
FedFin%20Policy%20Paper%20on%20The%20Risk%20of%20New-
Age%20Fintech%20and%20Last-Crisis%20Financial%20Regulation.pdf.
---------------------------------------------------------------------------
    Unlike used car salesmen, however, these tech platform companies 
will now be able to get direct access to your bank account and 
transaction data--and thus invisibly monitor your earnings and your 
expenses, your daily Starbucks coffee purchases and your annual 
political campaign contributions. That will give these professional 
information merchants an extraordinary advantage over you, the 
consumer. They will be able to ``harvest'' a valuable asset--your 
personal financial information--without paying you for it. They can 
then use it to make you buy the products they want to sell you. They 
can also sell your financial information to other salesmen who can, in 
turn, use it to make you buy what they want to sell you. And all of 
this ``free commerce'' can happen without your knowledge or informed 
consent. In fact, the only action required on the part of an individual 
to become a captive participant in this spiral of ``free commerce'' may 
be as simple as opening a deposit account at a local bank--and perhaps 
signing a boilerplate ``consent'' form. \16\
---------------------------------------------------------------------------
     \16\ Treasury Report, at 26.
---------------------------------------------------------------------------
    If this is a plausible hypothetical, the Treasury's proposed method 
of ``embracing digitization'' by relaxing existing regulatory 
constraints on banks' data-sharing has to be subjected to the strictest 
scrutiny. Instead of giving consumers meaningful ``financial data 
freedom,'' it would give a massive gift of ``free financial data'' to 
data aggregators, cloud providers, various FinTech companies, and other 
businesses set up to capitalize on it. This is a deeply troubling 
prospect. As a recent study found, ``the FinTech ecosystem is 
predicated on little to no privacy protections for consumer data housed 
outside regulated financial institutions.'' \17\ But it is also 
intuitively easy to understand the obvious dangers of allowing large 
tech platform companies such an easy access to bank customers' personal 
financial data. A strong public reaction to the recent news of 
Facebook--one of the world's largest and most notorious data 
aggregators--requesting access to large banks' customer data shows that 
consumers care deeply about keeping their financial information 
private, safe, and secure from all manner of unauthorized use. \18\
---------------------------------------------------------------------------
     \17\ Petrou, supra note 15, at 3.
     \18\ See Emily Glazer et al., ``Facebook to Banks: Give Us Your 
Data; We'll Give You Our Users'', Wall St. J. (Aug. 6, 2018).
---------------------------------------------------------------------------
    The Treasury Report does not address the heightened risk of 
unauthorized commercial uses of consumer data by tech platforms allowed 
to access it. Instead, it confines the discussion to issues of data 
security, or unauthorized access to data.
    While acknowledging the importance of data protection in general 
terms, the Report generally seems content leaving the necessary 
adjustments to the private sector. Thus, it refers to the fact that the 
Federal Trade Commission (FTC) imposes certain information security 
requirements on data aggregators that are ``significantly engaged in 
financial services,'' and are therefore subject to its so-called 
Safeguards Rule. \19\ In the Treasury's view, that rule ``appropriately 
addresses'' all concerns about the security of customers' financial 
information managed by data aggregators and other FinTech firms. \20\ 
Accordingly, the conclusion is that no further legislative or 
regulatory action is needed in order to bolster consumer data 
protection. It is not clear, however, to what extent the FTC's 
Safeguards Rule is sufficiently effective in practice. The Rule may not 
even apply to giant platform conglomerates whose financial activities 
do not technically constitute a ``significant'' portion of their 
overall operations. \21\ Moreover, a recent massive data security 
breach at Equifax, which affected over 143 million people, is a vivid 
example of what can happen even on the FTC's watch. \22\
---------------------------------------------------------------------------
     \19\ Treasury Report, at 38.
     \20\ Id. at 39.
     \21\ See Petrou, supra note 15, at 5.
     \22\ See https://www.ftc.gov/equifax-data-breach.
---------------------------------------------------------------------------
    Of course, any meaningful discussion of data security has to 
address the critical issue of apportioning liability for security 
breaches. While the Treasury acknowledges the importance of this issue, 
it does not provide a clear answer to the fundamental question: Who 
will be liable to the consumer whose bank account is hacked? It seems 
clear that, as a practical matter, the only way banks would be willing 
to share their customer data with tech platforms is if they are not 
held liable for the platform operators' failures to protect the data. 
But, if banks are not liable, then who is going to make the account 
holder whole? Unless this question has a clear--and satisfactory--
answer, the notion of ``facilitating innovation'' through unrestricted 
data-sharing is inimical to the objective of protecting consumers' 
interests.
Predatory and Discriminatory Pricing of Financial Services
    The Report's rhetoric of consumer choice and financial data freedom 
implies the existence of a perfectly competitive and transparent market 
in which individual consumers have the power to choose the best FinTech 
service provider. Reality, however, is far more complicated and a lot 
less benign.
    In particular, the market for cloud computing and data analytics is 
both highly concentrated and inherently opaque. Only four megatech 
companies currently dominate the worldwide market for cloud services: 
Amazon, Microsoft, Alibaba, and Google. \23\ These four ``hyperscale'' 
service providers hold approximately 73 percent of the global cloud 
infrastructure services. \24\ Apple, Amazon, Google, Microsoft, and 
Facebook--five of the largest publicly traded U.S. companies by market 
capitalizations--are the pioneers of megascale data aggregation and 
``integral drivers of the digital economy'' as a whole. \25\ Even 
though the Treasury Report refers to data aggregators and cloud service 
providers in generic terms, it is these megacompanies that define the 
dynamics in the tech sector.
---------------------------------------------------------------------------
     \23\ ``Gartner Says Worldwide IaaS Public Cloud Services Market 
Grew 29.5 Percent in 2017'', Press Release (Aug. 1, 2008), available at 
https://www.gartner.com/en/newsroom/press-releases/2018-08-01-gartner-
says-worldwide-iaas-public-cloud-services-market-grew-30-percent-in-
2017.
     \24\ Id.
     \25\ Treasury Report, at 23.
---------------------------------------------------------------------------
    It is no coincidence that today's giant technology conglomerates 
are aggressively growing, diversifying, and continuously expanding 
their market shares. As recent studies show, this constant quest for 
size and market power is the built-in economic imperative in this 
business so intimately dependent on network effects. \26\ These 
companies' critical reliance on complex proprietary analytical tools 
renders their business models, and the markets in which they operate, 
fundamentally nontransparent. Put simply, nobody really knows what 
exactly these companies can see or what they can do with the data they 
touch.
---------------------------------------------------------------------------
     \26\ See, e.g., John M. Newman, ``Digital Antitrust'' (June 22, 
2018), available at https://papers.ssrn.com/sol3/
papers.cfm?abstract_id=3201004; Lina Khan, ``Amazon's Antitrust 
Paradox'', 126 Yale L. J. 710 (2017); Frank Pasquale, ``Paradoxes of 
Digital Antitrust'' (2013), available at https://jolt.law.harvard.edu/
assets/misc/Pasquale.pdf.
---------------------------------------------------------------------------
    In this context, the Treasury's proposed strategy of enabling 
megatech companies to ``get inside'' banks' customer data raises a 
number of significant consumer protection concerns. If that happens, 
the dominant players in the financial data and services market will be 
perfectly positioned to abuse their enormous market power, among other 
things, by engaging in predatory or unfair pricing of financial 
products and consumer discrimination.
    The basic blueprint for such abuses is already there. For example, 
Amazon's unprecedented market power in online commerce and command of 
digitized consumer data enable it to adjust its prices almost 
instantaneously, in response to fluctuations in current demand for 
specific goods. \27\ For example, if more people are buying a 
particular brand of baby food in the morning, Amazon can raise its 
price by noon. \28\ This type of ``dynamic pricing'' is difficult for 
any outsider to detect, as only Amazon has control of its algorithms 
and data. This algorithmic opacity makes consumers extremely vulnerable 
to predatory or unfair pricing, and not only by Amazon but also by 
other companies widely emulating its practices. \29\
---------------------------------------------------------------------------
     \27\ Alberto Cavallo, ``More Amazon Effects: Online Competition 
and Pricing Behaviors'', Harvard Business School and NBER (Aug. 10, 
2018), available at https://kansascityfed.org//media/files/publicat/
sympos/2018/papersandhandouts/825180810cavallopaper.pdf?la=en.
     \28\ David Dayen, ``Does Amazon Have More Power Than the Federal 
Reserve?'' New Republic (Aug. 28, 2018), available at https://
newrepublic.com/article/150938/amazon-power-federal-reserve.
     \29\ Id.; Rana Foroohar, ``Amazon's Pricing Tactic Is a Trap for 
Buyers and Sellers Alike'', FT.Com (Sept. 2, 2018).
---------------------------------------------------------------------------
    In the context of financial services, this technical capacity for 
nontransparent ``dynamic pricing'' can easily translate into the highly 
questionable practice of ``micro-targeting'' consumers. Amazon, Google, 
and other FinTech companies will be able to use the vast amounts of 
data gained from monitoring consumers' behavioral patterns and 
commercial transactions--and now the detailed real-time bank account 
data--to ``up-price'' financial products and services offered to 
individual consumers. \30\ In essence, they will be able to charge 
individual borrowers not the fair market price but the maximum price 
each of them is able to pay.
---------------------------------------------------------------------------
     \30\ See Petrou, supra note 15, at 4.
---------------------------------------------------------------------------
    This microtargeting may be presented to the public under the benign 
guise of ``product customization.'' In practice, however, it will 
effectively destroy consumers' ability to make informed decisions and 
to gauge whether they are being overcharged, underserved, or even 
entirely excluded from certain product markets. The opacity of the 
pricing process, the service provider's control of the customer's data, 
and the practical difficulty of switching providers will fundamentally 
skew the balance of power in favor of the service provider. \31\
---------------------------------------------------------------------------
     \31\ See Foroohar, supra note 29.
---------------------------------------------------------------------------
    Importantly, the same factors will also make it difficult, if not 
impossible, for any regulatory agencies to detect and punish abusive 
behavior in financial markets. The growing deficit of regulatory 
capacity is likely to leave consumers to fend for themselves--precisely 
at a time when they acutely need Government protection. This is 
particularly poignant, given the current efforts to weaken the Bureau 
of Consumer Financial Protection and to limit its enforcement 
capabilities. \32\
---------------------------------------------------------------------------
     \32\ See Renae Merle, ``Trump Administration Strips Consumer 
Watchdog Office of Enforcement Powers in Lending Discrimination 
Cases'', Wash. Post (Feb. 1, 2018), available at https://
www.washingtonpost.com/news/business/wp/2018/02/01/trump-
administration-strips-consumer-watchdog-office-of-enforcement-powers-
against-financial-firms-in-lending-discrimination-cases/
?utm_term=.4c83cde19b28.
---------------------------------------------------------------------------
    In sum, simply relaxing existing bank regulations in order to allow 
wholesale migration of the highly sensitive and valuable financial 
information currently controlled by banks to data aggregators, cloud 
providers, and other FinTech companies would expose consumers to 
potentially massive data privacy and safety risks. Rather than gaining 
meaningful control over their personal financial data, American 
consumers will be an easy target for unscrupulous salesmen of the 
digital era. A prudent public policy approach to safe and secure 
financial data-sharing in the digital age requires a deeper and more 
balanced analysis of these risks, as well as the means of preempting 
them.
Systemic Concern Number Two: Structural Shifts in the Economy
    Under the headings of ``aligning'' and ``modernizing'' the 
regulatory framework, the Treasury Report makes a number of specific 
recommendations intended to remove or relax the existing restrictions 
on permissible business activities and organizational affiliations of 
banking organizations. While framed as a narrowly technical issue, this 
effort goes directly to the long-standing U.S. policy of separation of 
banking from commerce. It also raises a broader spectrum of concerns 
related to potentially far-reaching structural shifts in the U.S. 
economy.
    The principle of separation of banking and commerce is one of the 
core principles underlying and shaping the elaborate regulatory regime 
applicable to all U.S. banking organizations. \33\ Under the National 
Bank Act of 1863, U.S. commercial banks generally are not permitted to 
conduct any activities that fall outside the statutory concept of ``the 
business of banking.'' \34\ Moreover, under the Bank Holding Company 
Act of 1956 (the BHC Act), bank holding companies (BHCs)--companies 
that own or ``control'' U.S. banks--are generally restricted in their 
ability to engage in any business activities other than banking, 
managing banks, or certain activities ``closely related'' to banking. 
\35\
---------------------------------------------------------------------------
     \33\ See Bernard Shull, ``Banking and Commerce in the United 
States'', 18 J. Banking and Fin. 255 (1994); Bernard Shull, ``The 
Separation of Banking and Commerce in the United States: an Examination 
of the Principal Issues'', 8 Fin. Markets, Inst. and Instr. 1 (Aug. 
1999).
     \34\ 12 U.S.C. 24 (Seventh).
     \35\ 12 U.S.C. 1841-43.
---------------------------------------------------------------------------
    Since the 1980s, the scope of banks' and BHCs' permissible 
activities has been steadily and gradually expanding. \36\ The Office 
of the Comptroller of the Currency (OCC) has been especially aggressive 
in its interpretations of the statutory term ``business of banking'' to 
allow banks to engage, among other things, in data storage and certain 
software-related activities. \37\ In 1999, Congress passed the Gramm-
Leach-Bliley Act (the GLB Act), which partially repealed the Glass-
Steagall Act and authorized certain qualifying BHCs to become 
``financial holding companies'' (FHCs) and to conduct a wide range of 
financial and even some commercial activities. \38\
---------------------------------------------------------------------------
     \36\ See Saule T. Omarova, ``The Quiet Metamorphosis: How 
Derivatives Changed the `Business of Banking' '' 63 U. Miami L. Rev. 
1041 (2009); Saule T. Omarova, ``The Merchants of Wall Street: Banking, 
Commerce, and Commodities'', 98 Minn. L. Rev. 265 (2013).
     \37\ Id.
     \38\ 12 U.S.C. 1843(k).
---------------------------------------------------------------------------
    These developments notwithstanding, however, U.S. banks' and BHCs' 
activities, investments, and organizational affiliations remain subject 
to significant limitations. Citing with approval the OCC's aggressively 
expansive approach, the Treasury Report recommends that all banking 
regulators interpret banking organizations' scope of activities ``in a 
harmonized manner as permitted by law wherever possible and in a manner 
that recognizes the positive impact that changes in technology and data 
can have in the delivery of financial services.'' \39\
---------------------------------------------------------------------------
     \39\ Treasury Report, at 80.
---------------------------------------------------------------------------
    The Treasury also recommends that the Federal Reserve ``consider 
how to reassess'' the definition of ``control'' in the BHC Act, in 
order to make it easier for banking institutions and FinTech companies 
invest in each other's equity. \40\ The BHC Act defines ``control'' in 
deliberately broad terms: in addition to specifying a quantitative 
threshold (direct or indirect ownership of 25 percent or more of any 
class of voting securities), it grants the Federal Reserve discretion 
to make the requisite findings of ``controlling influence'' in a wide 
range of circumstances. \41\ The Treasury Report criticizes the Federal 
Reserve's accumulated interpretations of ``control'' as ``not 
sufficiently transparent'' and thus discouraging--instead of 
facilitating--the formation of extensive business partnerships and 
close organizational relationships between BHCs and FinTech companies. 
The practical worry here is that unregulated technology companies may 
be deemed either to ``control'' a U.S. bank or to be ``controlled'' by 
a BHC--and thus subject to the BHC Act's activity restrictions and 
supervisory oversight. \42\
---------------------------------------------------------------------------
     \40\ Id.
     \41\ 12 U.S.C. 1841(a).
     \42\ Treasury Report, at 80.
---------------------------------------------------------------------------
    Although the Treasury does not explicitly direct the Federal 
Reserve to adopt any specific definition of ``control,'' the main 
thrust of its recommendation is clear: a properly ``modernized'' 
definition should be significantly narrowed and uniformly applied. In 
contrast to the Treasury's usual calls for ``tailored'' FinTech 
regulation, the Federal Reserve's tailoring of ``control'' 
determinations to the circumstances of each individual case is deemed 
undesirable as hindering bank partnerships with and acquisitions of 
(and by) nonbank technology companies.
Separation of Banking and Commerce
    Adopting a systematic policy of aggressively pushing the legal and 
statutory boundaries of bank-permissible business activities and 
affiliations, as advocated by the Treasury, will significantly 
undercut--if not completely incapacitate--the operation of the 
foundational U.S. principle of separation of banking and commerce. In 
this sense, it will weaken the overall integrity and efficacy of the 
U.S. bank regulation and supervision.
    It is important to remember why the entire system of U.S. bank and 
BHC regulation is designed to keep institutions engaged in deposit-
taking and commercial lending activities from conducting, directly or 
through some business combination, any significant nonfinancial 
activities, or from holding significant interests in any general 
commercial enterprise. There are three main public policy reasons for 
maintaining this legal wall between the ``business of banking'' and 
purely commercial businesses: (1) preserving the safety and soundness 
of federally insured depository institutions; (2) eliminating potential 
conflicts of interest and ensuring a fair and efficient flow of credit 
to productive economic enterprise; and (3) preventing excessive 
concentration of financial and economic power in the financial sector. 
\43\
---------------------------------------------------------------------------
     \43\ See Omarova, ``The Merchants of Wall Street'', supra note 36, 
at 274-278.
---------------------------------------------------------------------------
    Of course, each of these traditional concerns may be more or less 
pronounced in the context of a particular commercial activity. It is 
also clear that banks' involvement in certain nonfinancial activities 
may--and often does--produce financial benefits to their clients and, 
indirectly, to society as a whole. Yet, after decades of unquestioning 
acceptance of private firms' self-interested depiction of such 
benefits, it is critical that policymakers fully address and appreciate 
potential social costs of mixing banking and commerce--especially, 
digital commerce.
    The key point here is simple: allowing banks and BHCs to form wide-
ranging business partnerships with technology firms--either through 
global contractual arrangements or through outright combinations--would 
critically undermine all of the public policy goals at the heart of the 
U.S. bank regulation.
    For example, it would expose banking institutions to a wide variety 
of nontypical and potentially excessive economic, operational, and 
legal risks associated with tech companies' rapidly evolving commercial 
activities. Banks are ``special'' business actors in that they perform 
critical public functions, enjoy direct public support, and are 
inherently vulnerable to runs that can trigger systemic financial 
crises. For these reasons, banks' safety and soundness remains the 
cornerstone of bank regulation and supervision. \44\ Expanding banking 
entities' economic activities to encompass global e-commerce, ``big 
data'' management, and AI development will diversify and magnify not 
only their potential revenues but also their potential losses and 
vulnerabilities. It will also render banking organizations' internal 
governance and regulatory oversight far more challenging, if not 
outright impossible, propositions.
---------------------------------------------------------------------------
     \44\ See E. Gerald Corrigan, ``Are Banks Special?'' 1982 Fed. Res. 
Bank of Minn. Ann. Rep., available at http://www.minneapolisfed.org/
pubs/ar/ar1982a.cfm. For a systematic exposition of banks' special 
function as sovereign public's ``franchisees,'' see Robert C. Hockett 
and Saule T. Omarova, ``The Finance Franchise'', 102 Cornell L. Rev. 
1143 (2017).
---------------------------------------------------------------------------
    Furthermore, it would give rise to new patterns of conflicts of 
interest, potentially systematic misallocation of credit, and other 
cross-sectoral abuses of market power. Some of these abuses of market 
power are discussed above, in the context of consumer protection. 
However, this type of bank-tech conglomeration would also pose an 
immediate and tangible threat to all other businesses, especially those 
competing with banks' technology affiliates or partners. These types of 
structurally determined distortion in the economywide credit flows 
would critically impede economic growth and cause a host of socio-
economic and political problems.
Market Structure, Antitrust, and ``Too Big To Fail'' Concerns
    Perhaps the most far-reaching potential consequence of opening the 
door for direct cross-sectoral acquisitions and affiliations between 
banking institutions and tech firms is the dangerous increase in the 
overall concentration of the economic and political power likely to 
result from it.
    The U.S. financial services industry is already heavily 
concentrated. The passage of the GLB Act, which officially removed the 
long-standing prohibition on affiliations between commercial and 
investment banks, has elevated the pace of industry consolidation to a 
qualitatively new level. \45\ The level of industry concentration 
increased further in the wake of the global financial crisis of 2008, 
so that the top five banks in the U.S. now control approximately half 
of all assets in the sector. \46\ Large BHCs control over 80 percent of 
all banking assets. \47\
---------------------------------------------------------------------------
     \45\ See Arthur E. Wilmarth, Jr., ``The Transformation of the U.S. 
Financial Services Industry, 1975-2000: Competition, Consolidation, and 
Increased Risks'', 2002 U. Ill. L. Rev. 215 (2002).
     \46\ https://fred.stlouisfed.org/series/DDOI06USA156NWDB
     \47\ See NAFCU, ``Modernizing Financial Services: The Glass-
Steagall Act Revisited'' (2018), at 14, available at http://
stilltoobigtofail.org/wp-content/uploads/2018/09/Glass-Steagall-Act-
White-Paper_R4.pdf.
---------------------------------------------------------------------------
    The same trend is strongly evident in the tech sector. Despite the 
great number and diversity of what we call ``technology'' companies, a 
few giants at the core of the tech industry undoubtedly dominate it. 
Thus, only two companies, Apple and Google, currently provide the 
software for 99 percent of all smartphones, the indispensable devices 
for mobile payments. \48\ Facebook and Google capture between 59 and 73 
cents of every dollar spent on online advertising in the U.S. \49\ 
Amazon takes 49 cents of every e-commerce dollar in the U.S. \50\ This 
dominance is clearly reflected in the stock markets. Earlier this year, 
both Apple and Amazon exceeded $1 trillion in market capitalization. 
And the largest tech companies--including Apple, Amazon, Facebook, and 
Google--lead the longest stock market rally in decades. \51\
---------------------------------------------------------------------------
     \48\ See Matt Phillips, ``Apple's $1 Trillion Milestone Reflects 
Rise of Powerful Megacompanies'', N.Y. Times (Aug. 2, 2018).
     \49\ See id.; Lina M. Khan, ``Sources of Tech Platform Power'', 2 
Geo. L. Tech. Rev. 325, 326 (2018).
     \50\ See David Streitfeld, ``Amazon Hits $1,000,000,000,000 in 
Value, Following Apple'', N.Y. Times (Sept.4, 2018).
     \51\ See Phillips, supra note 48.
---------------------------------------------------------------------------
    It is against this background that the Treasury Report's seemingly 
low-key, technocratic recommendation to ``correct'' or ``clarify'' a 
specific regulatory interpretation of the statutory definition of 
``control'' in the BHC Act should be evaluated.
    The existing body of the Federal Reserve's interpretations of what 
constitutes ``control'' for purposes of the BHC Act is fundamentally 
fact-driven and thus inevitably complex. While that may complicate 
private firms' efforts to structure their investments so as to avoid 
being subject to the BHC Act, it preserves the necessary flexibility 
enabling the Federal Reserve to safeguard the principles underlying the 
Act. This is especially critical in light of the fact that the BHC Act 
was originally designed to operate as an antitrust, antimonopoly law. 
\52\
---------------------------------------------------------------------------
     \52\ See Omarova, ``The Merchants of Wall Street'', supra note 36, 
at 276-277.
---------------------------------------------------------------------------
    By contrast, what the Treasury calls ``a simpler and more 
transparent standard to facilitate innovation-related investments'' 
would effectively enable large U.S. financial holding companies to take 
significant equity stakes in various FinTech ventures, alongside large 
tech companies. It would also enable the tech giants to acquire 
significant equity stakes in U.S. banks and BHCs of varying sizes, 
without becoming subject to BHC regulation. The Treasury Report 
carefully frames its recommendations to create an impression that such 
a regulatory pullback would make financial markets more efficient and 
competitive by enabling a myriad of small investments by a myriad of 
banks in a myriad of competing tech companies--and vice versa. What 
remains unsaid, however, is that the dominant players in both markets--
including JPMorgan Chase, Citigroup, Bank of America, Goldman Sachs, 
Morgan Stanley, Wells Fargo, Facebook, Amazon, Google, Apple, 
Microsoft, and IBM--will also be able to take advantage of such 
explicitly permissive regulatory standards. Given the importance of 
scale and network effects for both tech platforms and financial 
institutions, they will be remiss not to.
    Thus, in practice, ``simplifying'' the Federal Reserve's 
interpretation of the BHC Act's ``control'' requirements for purposes 
of ``facilitating FinTech innovation'' is likely to trigger a wave of 
unprecedented cross-sectoral consolidation. Because of the 25 percent 
threshold built into the BHC Act's definition of ``control,'' this new-
generation consolidation wave will likely take new transactional forms, 
potentially resulting in a Byzantine system of corporate ownership and 
de facto management interlocks. In this web of formal and informal 
corporate control linkages, detecting and punishing collusive behavior 
and other abuses of market power will be even more difficult than it is 
today.
    One additional point bears emphasis here. In both sectors, 
companies' size and market share are key to profitability and success. 
In the financial sector, the quest for scale and scope is also driven 
by the presence of the bank public subsidy. The well-known phenomenon 
of ``too big to fail''--a de facto suspension of market discipline with 
respect to systemically important entities--presents one of the 
greatest public policy challenges in the financial sector. \53\ 
Drastically curtailing the regime of separation of banking from 
commerce would facilitate a potentially massive transfer of banks' 
public subsidy to the tech sector. In that sense, it is virtually 
guaranteed to take the ``too big to fail'' problem to an entirely 
different--perhaps even unimaginable--level. In the next crisis, the 
sheer scale of the Government bailouts required to keep the hypersized 
FinTech conglomerates from failing might make the taxpayer cost of 
saving Wall Street in the last one look like small change.
---------------------------------------------------------------------------
     \53\ See Matt Egan, ``Too-Big-To-Fail Banks Keep Getting Better'', 
CNN Money (Nov. 21, 2017), available at https://money.cnn.com/2017/11/
21/investing/banks-too-big-to-fail-jpmorgan-bank-of-america/index.html.
---------------------------------------------------------------------------
    Of course, money is not the only thing that matters to the American 
public in this scenario. The increasing concentration of economic power 
in a small club of corporate giants is a direct threat to American 
democracy. \54\ It perpetuates and exacerbates deep socio-economic 
inequality, which inevitably undermines political order premised on 
ideals of equal participation and voice. Big corporations' ability to 
``buy'' political influence fundamentally corrupts political process 
and corrodes public confidence in the democratic system as a whole. 
\55\ This is an unacceptably high societal price for the personal 
convenience of accessing one's bank accounts and digital wallets via a 
single iPhone click.
---------------------------------------------------------------------------
     \54\ See Omarova, ``The Merchants of Wall Street'', supra note 36, 
at 349-351; Julie Cohen, ``Technology, Political Economy, and The 
Role(s) of Law'' (June 8, 2018), available at https://lpeblog.org/2018/
06/08/technology-political-economy-and-the-roles-of-law/.
     \55\ See generally Rana Foroohar, ``A Light Shines on the 
Concentration of Power in Silicon Valley'', FT.Com (July 22, 2018); 
Buttonwood, ``Political Power Follows Economic Power'', Economist.com 
(Feb. 3, 2016), available at https://www.economist.com/buttonwoods-
notebook/2016/02/03/political-power-follows-economic-power.
---------------------------------------------------------------------------
    In sum, it is critical to keep in mind that, without proactive and 
appropriately applied public oversight, data digitization, cloud 
computing, and other seemingly value-neutral and science-driven FinTech 
innovations may operate as hidden channels for the formation of 
economywide FinTech platform conglomerates.
Systemic Concern Number Three: Financial Stability and Economic Growth
    The Treasury Report uses a direct reference to the ``bank 
partnership model'' in its discussion of marketplace lending. Among 
other things, the Treasury makes a very specific recommendation for 
Federal legislation overruling the Second Circuit's decision in Madden 
v. Midland Landing LLC, which held that the National Bank Act did not 
preempt State usury rules with respect to the interest charged by a 
third-party nonbank purchaser of loans from a national bank. \56\
---------------------------------------------------------------------------
     \56\ Madden v. Midland Funding, LLC, 786 F. 3d 246 (2d Cir. 2015).
---------------------------------------------------------------------------
    The Madden decision directly affects marketplace lenders operating 
under the so-called rent-a-charter model, in which the online lender 
markets the loans and runs its proprietary algorithms but the actual 
loan is initially extended and funded by a chartered bank. The bank 
typically holds the loan for a few days and then sells it back to the 
online lender. \57\ In effect, the online lender buys the originating 
bank's ability to ``export'' its home-State's favorable (or 
nonexistent) usury rate nationwide. In this sense, the bank is 
``renting out'' its bank charter--or, more accurately, selling a 
special legal privilege the Government grants exclusively to chartered 
banks--to an entity that does not qualify for a bank charter and is not 
entitled to any privileges that come with it. \58\
---------------------------------------------------------------------------
     \57\ See Michael S. Barr, et al., ``Financial Regulation: Law and 
Policy'' 185 (2nd ed., 2018).
     \58\ For a discussion of why bank charters are special and 
different from regular corporate charters, see Robert C. Hockett and 
Saule T. Omarova, `` `Special', Vestigial, or Visionary? What Bank 
Regulation Tells Us About the Corporation--and Vice Versa'', 39 Seattle 
U. L. Rev. 453 (2016).
---------------------------------------------------------------------------
    The ``rent-a-charter'' model is not a recent invention; it was 
widely used by predatory payday lenders and subprime mortgage companies 
in the run-up to 2008. \59\ At the time, Federal bank regulators did 
not interfere with this unseemly charter-arbitrage practice in the name 
of promoting ``financial innovation,'' ``freedom of consumer choice,'' 
and ``access to credit'' for high-risk/low-income borrowers. The OCC's 
aggressive Federal preemption strategy, the Federal Reserve's laxity, 
and the absence of a dedicated Federal financial consumer protection 
agency contributed to the rampant growth of subprime debt that 
ultimately triggered a major financial crisis. \60\
---------------------------------------------------------------------------
     \59\ See Consumer Federation of America and U.S. Public Interest 
Research Group, ``Rent-A-Bank Payday Lending: How Banks Help Payday 
Lenders Evade State Consumer Protections'' (Nov. 2001), available at 
https://consumerfed.org/pdfs/paydayreport.pdf.
     \60\ See, e.g., Kathleen C. Engel and Patricia A. Mccoy, ``The 
Subprime Virus: Reckless Credit, Regulatory Failure and Next Steps'' 
(2011).
---------------------------------------------------------------------------
    In this context, the Treasury's insistence that Congress 
legislatively overrule Madden brings into bold relief the broader 
concerns about systemic financial stability and the threat of recurring 
financial crises. All too often, the familiar rhetoric of 
``facilitating consumer access to cheap credit'' obscures the 
underlying systemwide dynamics that drive the emergence and growth of 
specific ``innovations.'' The Treasury Report's normatively inflected 
rhetoric also diverts attention from the significant potential impact 
of proposed deregulatory measures on the financial markets as a whole. 
To avoid repeating the costly mistakes of the pre-2008 period, 
therefore, policymakers must look behind the Report's technocratic 
gloss and examine FinTech developments from a systemic, public 
interest-driven perspective.
Financial Asset Speculation in the Digitized Marketplace
    Contrary to the Treasury Report's baseline narrative, FinTech is 
not simply a matter of applying computer and information science to 
financial transactions and finding ``win-win'' technical solutions to 
various market ``frictions.'' It is trivially true that new 
technological tools are designed to make financial transactions faster, 
cheaper, and easier to use and adjust to transacting parties' 
individual needs and preferences. But that is only part of the story. 
The rise of FinTech is an integral part, and a logical stage in the 
development, of the broader financial system. Therefore, FinTech's 
overall normative significance cannot be simply postulated on the basis 
of its intended microtransactional efficiencies. It has to be assessed 
in the context of the financial system's stability and ability to 
perform its core social function: effectively and reliably channeling 
capital flows to their most productive uses in the real, i.e., 
nonfinancial, economy. \61\
---------------------------------------------------------------------------
     \61\ For an in-depth analysis of the systemic significance of 
FinTech, see Saule T. Omarova, ``New Tech v. New Deal: FinTech As a 
Systemic Phenomenon'', 36 Yale J. Reg. (forthcoming 2019), available at 
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3224393.
---------------------------------------------------------------------------
    From this systemic perspective, the rapid digitization of data and 
financial services presents a far more complex public policy challenge 
than the Treasury Report is willing to acknowledge. FinTech innovations 
are driven not only--and perhaps not even mainly--by the financial 
institutions' and tech companies' desire to improve retail financial 
services. Despite the consumer-centric rhetoric surrounding FinTech, 
digital technologies are likely to have their greatest systemic impact 
in the highly volatile and speculative secondary financial markets 
dominated by professional traders, dealers, and institutional 
investors. Fixing the focus of policy discussions on the expected 
benefits of FinTech to retail consumers, however, diverts attention 
from potentially crucial developments in wholesale financial markets. 
It accordingly creates a dangerous blind spot for policymakers and 
regulators.
    The pre-2008 subprime mortgage and securitization boom provides a 
vivid illustration of just how dangerous it can be. It is well-known 
that the rapid growth of risky subprime mortgage lending in the early 
2000s--a predominantly retail market phenomenon--was fundamentally 
driven by the insatiable demand on the part of yield-hungry 
institutional investors for tradable asset-backed securities. Subprime 
mortgage loans served as the perfect raw material for the creation of 
high-yielding yet highly (and wrongly) rated mortgage-backed securities 
(MBS), collateralized debt obligations (CDOs), and other complex 
structured products. \62\ As speculative demand for these products 
grew, mortgage lenders used increasingly deceptive and discriminatory 
tactics to generate greater volumes of such raw material, among other 
things, by targeting the most vulnerable borrower populations. \63\
---------------------------------------------------------------------------
     \62\ See generally Engel and McCoy, supra note 60; ``Fin. Crisis 
Inquiry Comm'n, The Financial Crisis Inquiry Report: Final Report of 
the National Commission on the Causes of Financial and Economic Crisis 
in the United States'' (2011), https://www.gpo.gov/fdsys/pkg/GPO-
FCIC.pdf; S. Permanent Subcomm. on Investigations, 112th Cong., ``Wall 
Street and the Financial Crisis: Anatomy of a Financial Collapse'' 
(2011), http://hsgac.senate.gov/public/_files/Financial_Crisis/
FinancialCrisisReport.pdf.
     \63\ Id.
---------------------------------------------------------------------------
    Ironically, in the public arena, these predatory subprime loans 
were often touted as a great benefit for low-income borrowers. This is 
how a senior executive of now infamous Countrywide Financial described 
his company's subprime lending activities to Congress in early 2004, a 
year in which some of the worst subprime mortgages were originated:

        ``[ . . . ] Countrywide entered the nonprime lending market in 
        1996 as part of our effort to make homeownership possible for 
        the largest number of American families and individuals. We 
        believed then, as we believe now, that nonprime lending is a 
        natural extension of our commitment to bring Americans who have 
        traditionally been outside mainstream mortgage markets into 
        their first homes. Our nonprime lending programs also have 
        helped these families and individuals build equity and use this 
        equity to send their children to colleges, start their own 
        businesses, and gain control over their financial destiny.'' 
        \64\
---------------------------------------------------------------------------
     \64\ Testimony of Sandy Samuels, Senior Managing Director and 
Chief Legal Officer of Countrywide Financial Corporation and the 
Housing Policy Council of the Financial Services Roundtable before the 
Subcommittees on Financial Institutions and Housing, U.S. House of 
Representatives (March 30, 2004), available at https://www.gpo.gov/
fdsys/pkg/CHRG-108hhrg94689/pdf/CHRG-108hhrg94689.pdf.

        ``Nonprime products give borrowers more choices and make credit 
        more readily available, because we and other lenders can price 
        according to the level of risk.'' \65\
---------------------------------------------------------------------------
     \65\ Id.

    Millions of Americans who either lost their homes in the crisis or 
are forced to carry the heavy burden of underwater mortgage debt would 
strongly disagree. \66\
---------------------------------------------------------------------------
     \66\ See Robert C. Hockett, ``Accidental Suicide Pacts and 
Creditor Collective Action Problems'', 98 Cornell L. Rev. 55 (2013).
---------------------------------------------------------------------------
    In reality, of course, Countrywide flooded the market with risky 
loans not because it cared for its poor borrowers' economic rights, but 
because it was reaping huge profits in the wholesale securitization 
markets. Its executive's remarkably self-serving statements illustrate 
how the financial industry used--indeed abused--consumers not only as 
the unwitting captive source of fuel for its high-stakes speculation 
game, but also as the ``sympathetic beneficiary'' legitimizing and 
shielding that game from public scrutiny.
    Today, similar consumer-centric rhetoric is being deployed to 
justify various deregulatory moves, among other things, in the context 
of FinTech innovation. It is, of course, too early to draw definitive 
conclusions as to what exactly this rhetoric may be obscuring from 
policymakers' and the broader public's view. The recent history tells 
us, however, that whenever a powerful private industry demands 
deregulation in the name of consumers' ``freedom of choice'' or 
``access to credit,'' something a lot bigger and much less altruistic 
is driving these demands. It is, therefore, both timely and necessary 
to start identifying some of the ways in which FinTech is likely to 
impact the ``big-picture'' issues related to systemic financial 
stability.
    The basic point here is simple: In the current environment of 
global investment capital glut, the rapid digitization of financial 
data and transactions is bound to amplify the underlying structural 
incentives for excessive speculation in secondary markets for financial 
instruments. By making financial transactions infinitely faster, 
cheaper, and easier to use and to customize, FinTech innovations 
potentially empower wholesale market participants to engage in 
financial asset speculation on an unprecedented level. Armed with new 
digital tools, financial and FinTech firms will be able to synthesize 
potentially endless chains of virtual assets, tradable in potentially 
infinitely scalable virtual markets. This FinTech-driven qualitative 
growth in the volume and velocity of speculative trading, in turn, 
potentially amplifies the financial system's vulnerability to sudden 
shocks and cascading loss effects. In short, a fully digitized and 
frictionless financial marketplace is bound to grow not only much 
bigger and faster but also more complex, opaque, and volatile. \67\
---------------------------------------------------------------------------
     \67\ For a detailed discussion, see Omarova, supra note 61.
---------------------------------------------------------------------------
    It is worth emphasizing that advances in technology are 
increasingly enabling private market participants to create tradable 
cryptoassets effectively out of thin air. These cryptoassets--digital 
tokens or bits of data representing some value--can have such an 
attenuated connection to productive activity in the real economy as to 
be practically untethered from it. By potentially rendering the 
financial system entirely self-referential, this type of unchecked 
private sector ``innovation'' can fundamentally undermine--rather than 
promote--the long-term growth on the part of the American economy. On a 
macrolevel, therefore, the key risk posed by FinTech lies in its--still 
not fully known--potential to exacerbate the financial system's 
dysfunctional tendency toward unsustainably self-referential growth. 
\68\ (For a detailed discussion of these and related issues, see 
Appendix to this testimony.)
---------------------------------------------------------------------------
     \68\ Id.
---------------------------------------------------------------------------
Regulatory and Supervisory Capacity
    Understanding some of the potentially destabilizing systemic 
effects of unchecked FinTech innovation brings into a sharp relief the 
crucial importance of strengthening the capacity of the relevant 
regulatory agencies to effectively oversee this process.
    FinTech's ability to bring about massive increases in the volume 
and velocity of speculative trading in financial assets inevitably 
magnifies the systemic role of--and amplifies the pressure on--central 
banks and other public instrumentalities charged with ensuring 
financial and macroconomic stability. Hyperfast, hyperexpansive 
financial markets require a hyperfast and hypercapacious public actor 
of ``last resort''--one of the central bank's core functions. 
Similarly, substantial new risks to consumers, posed by the 
digitization of personal financial data and the rise of the digital 
platform economy, dramatically elevate the role of Government agencies 
in protecting consumers' data privacy and safety. And, of course, the 
growing concern with potentially excessive concentrations of economic 
and political power in the hands of hypersized FinTech conglomerates 
underscores the need for a far more proactive approach to Government 
enforcement of antitrust principles.
    This, however, runs contrary to the Treasury Report's overall 
deregulatory strategy and the emphasis on an inherently passive and 
accommodative regulatory posture. As a general matter, the Report 
supports, and even insists on, proactive--or ``agile''--regulatory 
action only where such action is necessary to ``expedite regulatory 
relief'' under existing laws in order to facilitate private 
experimentation with new digital technology.
    The Treasury's recommendation to form a State and Federal 
``regulatory sandbox'' should be read in this normative context. \69\ 
Several foreign jurisdictions, including Singapore and the United 
Kingdom, have already established such regulatory sandboxes, which 
essentially refer to the practice of allowing certain FinTech companies 
to operate for a period of time without having to comply with various 
otherwise applicable laws and regulations. The purpose of this 
arrangement is to conduct a controlled test of FinTech products, which 
should then help the regulators decide how beneficial and safe these 
products are for the rest of the market.
---------------------------------------------------------------------------
     \69\ Treasury Report, at 168.
---------------------------------------------------------------------------
    The idea of a regulatory sandbox as a way to generate usable 
empirical data for better regulatory decision making is not necessarily 
a bad one. In each particular case, however, the efficacy of this 
effort depends fundamentally on the specific design features of the 
``sandbox.'' Thus, if the specific assessment criteria for FinTech 
products in the ``sandbox'' are insufficiently capturing potentially 
problematic effects of these products on consumer interests or systemic 
financial stability, the resulting data will not be a reliable 
indicator of how that product will fare outside the ``sandbox.'' 
Furthermore, some of the most significant systemic implications of a 
particular product may be inherently impossible or difficult to test in 
a controlled ``sandbox'' environment. \70\
---------------------------------------------------------------------------
     \70\ See, e.g., Hilary Allen, ``A U.S. Regulatory Sandbox?'' (Feb. 
2018), available at file:///C:/Users/sto24/Downloads/SSRN-
id3056993.pdf.
---------------------------------------------------------------------------
    In any event, a ``regulatory sandbox'' is not a substitute for a 
well-coordinated and well-resourced regulatory apparatus, capable of 
devising and dynamically implementing a comprehensive and balanced 
approach to overseeing FinTech activities. In this moment of great 
change in financial markets, the American public needs such an 
apparatus: it needs capable regulators and supervisors who show their 
true ``agility'' by staying in front of, rather than behind or away 
from, the market.
    For all of the foregoing reasons, I urge the Committee to apply the 
healthy dose of skepticism to the Treasury Report's and the interested 
industry actors' consumer-centric rhetoric and deregulatory demands. 
The systemic significance of FinTech innovations must be assessed in 
the broader public policy context, with a special focus on the need to 
protect American consumers from abusive market practices on the part of 
megasized corporate conglomerates, to safeguard the structural 
integrity of the U.S. financial market, and to ensure long-term 
systemic stability and sustainable growth of the Nation's economy. 
Technology is not an end in and of itself, it is merely a tool: it can 
be used to improve our collective future or to destroy it. The 
Committee's task is to ensure that the latter does not happen, while 
everybody is looking the other way.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

        RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN
                        FROM STEVEN BOMS

Q.1. Given that companies like Google and Facebook collect 
enormous amounts of information, and are also in a position to 
influence what information consumers are exposed to. For 
example, Facebook might show payday loan or private student 
loan advertisements to servicemembers or to minorities but not 
its other users.
    Should fair lending laws be updated to cover not just the 
provision of credit, but also targeted advertisement of such 
products on social media platforms?

A.1. CFDR members believe that fair lending laws represent 
important public policy. The content of those laws, however, is 
determined solely by Congress and, when authority is delegated, 
to regulatory agencies. Each company in the CFDR membership--
which does not include Google, Facebook, or any similar ``big 
tech'' company that operates a social media platform--strives 
to abide by all applicable fair lending laws, at both the State 
and Federal levels, and will continue to abide by fair lending 
laws if they should change in response to your concerns 
addressed in the predicate to this question.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SCOTT
                        FROM STEVEN BOMS

Q.1. My ``Making Online Banking Initiation Legal and Easy''--or 
MOBILE--Act allowed banks and credit unions to use a scan of a 
driver's license through a mobile device to verify a customer's 
identity when opening an account.
    Approximately 16 million adults live in households without 
a checking or savings account and an additional 51 million 
adults live in households that rely on nonbank lenders with 
sky-high interest rates.
    Yet about 90 percent of unbanked and underbanked adults own 
a mobile phone, of which 75 percent are smartphones.
    Please answer the following with specificity:
    What impact does linking personal finance with mobile and 
data technologies have on the financial well-being of 
consumers?

A.1. The ability to link personal finance with mobile and data 
technologies could significantly decrease the number of 
unbanked or underbanked households in the United States. The 
first step in analyzing the impact of a more seamless flow of 
data transfer through mobile technology would be to asses why 
these householders are unbanked or underbanked. For some, 
including those who live in rural communities, it may be that 
the nearest branch bank has closed and that the next closest 
bank is tens of miles away. For others, it may be a distrust of 
the traditional banking system, informed perhaps by prior bad 
experiences or lack of knowledge about the services and 
solutions offered. Either way, having access to--and actually 
availing oneself of--financial services products is critical to 
consumer financial wellness as it helps families manage 
budgets, establish credit, pay bills, and save for the future.
    The mobility of technology driven by the near ubiquity of 
modern mobile telephones and digital networking holds great 
promise to reach underserved areas of the country with tailored 
financial services solutions. The MOBILE Act is a great example 
of a forward-thinking legislative approach that embraces new 
ways of using and transmitting data. CFDR supports Congress's 
building on this success to further erode barriers to the free 
flow of consumer-permissioned data across interfaces so that 
all consumers, whether presently underserved or not, can make 
the best use of a 21st century, mobile, data-driven financial 
services marketplace.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN
                       FROM BRIAN KNIGHT

Q.1. Given that companies like Google and Facebook collect 
enormous amounts of information, and are also in a position to 
influence what information consumers are exposed to. For 
example, Facebook might show payday loan or private student 
loan advertisements to servicemembers or to minorities but not 
its other users.
    Should fair lending laws be updated to cover not just the 
provision of credit, but also targeted advertisement of such 
products on social media platforms?

A.1. It is reasonable and appropriate to prohibit social media 
platforms from enabling lenders to use prohibited 
characteristics to target or withhold credit offers, and 
regulators should have the ability to enforce this prohibition. 
An illustrative example in a related area is found in the 
Assistant Secretary for Fair Housing and Equal Opportunity 
filing's of a housing discrimination complaint against Facebook 
for violations of the Fair Housing Act. \1\ In its complaint, 
the assistant secretary alleges that Facebook allowed 
advertisers of housing and housing-related services to directly 
target or withhold ads on the basis of protected classes such 
as race, religion, age, and gender. Such conduct should be 
prohibited. \2\
---------------------------------------------------------------------------
     \1\ Anna Maria Farias, ``Housing Discrimination Complaint: 
Assistant Secretary for Fair Housing and Equal Opportunity v. Facebook, 
Inc.'', August 13, 2018, https://www.hud.gov/sites/dfiles/PIH/
documents/HUD_01-18-0323_Complaint.pdf.
     \2\ Facebook has not been found liable for any such acts, and to 
my knowledge it has not admitted to the allegations in the Assistant 
Secretary's complaint.
---------------------------------------------------------------------------
    The question of whether social media sites should be 
prohibited from using neutral data that may correlate with 
protected classes is more complex. Concerns about disparate 
impact must be balanced with the fact that accurate algorithms 
based on neutral data may also be the most effective way to 
communicate useful information to potential customers. 
Additionally, seeking to prohibit the use of algorithms using 
neutral data for conveying ads to customers could face 
potential constitutional issues. \3\ Beyond identifying these 
potential issues, I have not done sufficient study to come to a 
conclusion on the issue.
---------------------------------------------------------------------------
     \3\ Some courts have found that algorithms like those used by 
Google are speech protected by the First Amendment. See Langdon v. 
Google, Inc., 474 F. Supp. 2d 622, 629-30, (D. Del. 2007). 
Additionally, the Supreme Court in Texas Department of Housing and 
Community Affairs v. Inclusive Communities Project, Inc., acknowledged 
that disparate impact liability must be limited to avoid ``serious 
constitutional questions.'' See Texas Department of Housing and 
Community Affairs v. Inclusive Communities Project, Inc., 135 S. Ct. 
2507, 2512 (2015).
---------------------------------------------------------------------------
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR HELLER
                       FROM BRIAN KNIGHT

Q.1. In Nevada, Industrial Loan Companies (ILCs) play an 
important role in our economy. There is a growing demand for 
ILCs which have proven to meet consumer needs throughout the 
country. The current FDIC Chair has said that she welcomes ILC 
applications. Do you believe that a FinTech company that meets 
FDIC requirements should be allowed to be chartered as an ILC?

A.1. Expanding competition and innovation in banking services 
will benefit consumers. Therefore, we should have a presumption 
that a FinTech firm that meets the statutory and regulatory 
requirements for an ILC charter should be granted a charter. 
Risks created by granting a charter could likely be addressed 
through existing regulation and competition protection 
mechanisms. To the extent that additional protections or 
limitations are needed to handle unique circumstances, Congress 
should pass legislation to create those protections or 
limitations.
                                ------                                


         RESPONSES TO WRITTEN QUESTIONS OF SENATOR REED
                     FROM SAULE T. OMAROVA

Q.1. In your testimony, you state that ``Technology is not an 
end in and of itself, it is merely a tool: it can be used to 
improve our collective future or to destroy it. The Committee's 
task is to ensure that the latter does not happen, while 
everybody is looking the other way.'' You also mention 
elsewhere in your testimony that FinTech could lead to 
``potentially systematic misallocation of credit, and other 
cross-sectoral abuses of market power.''
    Could you please provide us with a couple of concrete 
examples of precisely what we should be trying to avoid? Do you 
have any suggestions for how to avoid these examples?

A.1. Finance is the lifeblood of the economy, and information 
is the lifeblood of the digital economy. By definition, 
``FinTech'' combines both. That means that FinTech firms, 
either individually or as a group, can potentially exercise an 
unprecedented degree of control over the flow of money, 
information, and physical goods in e-commerce--all at the same 
time. This potential for extreme concentrations of power across 
previously separate economic markets raises a spectrum of 
significant public policy concerns, including concerns about 
dominant FinTech conglomerates stifling (instead of promoting) 
competition in affected markets and misallocating financial and 
other economic resources throughout the economy.
    More narrowly, it also implicates the venerable U.S. 
principle of separating banking from commerce. Goldman Sachs' 
recent foray into metals warehousing provides a recent real-
life example of how a large financial institution can combine 
and abuse market power across different, seemingly unrelated, 
markets. Thus, it has been well-documented how Goldman Sachs' 
acquisition of Metro, a metals warehousing company, allowed it 
to control supply--and therefore price--of aluminum in North 
America, by creating artificial bottlenecks in the delivery of 
physical aluminum to purchaser-companies. Goldman Sachs' 
control over the critically important storage facilities gave 
it both the incentive and the ability to drive up the price of 
aluminum to benefit its own physical commodities trading and 
financial derivatives operations. The artificial rise in the 
price of aluminum, however, significantly increased American 
companies' production costs and ultimately resulted in higher 
consumer prices for a wide range of products, from soft drinks 
to automobiles.
    Big FinTech conglomerates are well-positioned to commit 
similar abuses of market power on a far larger scale. This is 
one of the principal reasons why the direct or indirect 
formation of such conglomerates, in any organizational from, 
should not be permitted as a matter of public policy and public 
interest.
    Here is a simple hypothetical example of what can happen 
if, among other things, the Federal Reserve narrows its 
presently flexible interpretation of what constitutes 
``controlling influence'' under the Bank Holding Company Act of 
1956 (the ``BHC Act''). Thus, Amazon Inc. can buy 24.9 percent 
of voting equity in multiple U.S. deposit-taking banks, without 
technically being deemed a ``bank holding company'' (or 
``BHC''). As a result of the Federal Reserve's newly 
``clarified'' interpretive approach, Amazon can easily 
structure these equity acquisitions in a way that leaves it 
free to continue all of its online commerce, logistics, cloud 
warehousing, and other data management businesses. Yet, 
Amazon's size and power in these markets will effectively 
guarantee it a de facto ability to exercise outsized control 
over each individual bank's management and business decisions. 
Amazon's heft as a potential business client, a service 
provider, or a strategic partner will put it in the driver's 
seat with respect to the banks in which it technically holds 
``noncontrolling'' stakes (let us call them ``Amazon-owned 
banks,'' for simplicity's sake).
    Amazon can then use its outsized de facto power over these 
Amazon-owned banks to do the following:

    It can get sensitive financial or other information 
        on its competitors--i.e., various nonfinancial 
        companies that also happen to be Amazon-owned banks' 
        banking clients--and then uses that information either 
        to drive those companies out of business or to force 
        them to do business with Amazon on unfavorable terms.

    Amazon can also pressure Amazon-owned banks to 
        extend credit to businesses affiliated with or favored 
        by Amazon, which will give it additional leverage over 
        those ``favored'' companies and thus increase its 
        market power in the affected sectors.

    Amazon can also make Amazon-owned banks refuse 
        credit to its direct competitors or to any other ``un-
        favored'' local companies.

    In each case, Amazon's self-interested behavior will result 
in significant market distortions and inefficiencies and 
compromise federally insured banks' ability to perform the 
critical task of channeling capital to its more productive uses 
in the real economy. From this perspective, allowing the 
formation of big FinTech (or TechFin) conglomerates will pose a 
grave danger to the country's long-term economic growth--and, 
ultimately, its social and political stability.
    To prevent this and many other similarly dangerous 
outcomes, it is crucial that policymakers always place the 
arguments that, in one way or another, call for ``facilitating 
innovation'' or ``modernizing financial regulation'' in the 
context of how they impact the broader financial and economic 
market structure and integrity. Rhetoric notwithstanding, no 
FinTech-related proposals and arguments that could potentially 
result in the creation of large finance-technology (or tech-
finance) conglomerates should be adopted into actual policy.
              Additional Material Supplied for the Record
  LETTER FROM THE AMERICAN ACADEMY OF ACTUARIES SUBMITTED BY CHAIRMAN 
                               MIKE CRAPO
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                   [all]