[House Hearing, 116 Congress] [From the U.S. Government Publishing Office] BANKING ON YOUR DATA: THE ROLE OF BIG DATA IN FINANCIAL SERVICES ======================================================================= HEARING BEFORE THE TASK FORCE ON FINANCIAL TECHNOLOGY OF THE COMMITTEE ON FINANCIAL SERVICES U.S. HOUSE OF REPRESENTATIVES ONE HUNDRED SIXTEENTH CONGRESS FIRST SESSION __________ NOVEMBER 21, 2019 __________ Printed for the use of the Committee on Financial Services Serial No. 116-69 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] __________ U.S. GOVERNMENT PUBLISHING OFFICE 42-477 PDF WASHINGTON : 2020 -------------------------------------------------------------------------------------- HOUSE COMMITTEE ON FINANCIAL SERVICES MAXINE WATERS, California, Chairwoman CAROLYN B. MALONEY, New York PATRICK McHENRY, North Carolina, NYDIA M. VELAZQUEZ, New York Ranking Member BRAD SHERMAN, California ANN WAGNER, Missouri GREGORY W. MEEKS, New York PETER T. KING, New York WM. LACY CLAY, Missouri FRANK D. LUCAS, Oklahoma DAVID SCOTT, Georgia BILL POSEY, Florida AL GREEN, Texas BLAINE LUETKEMEYER, Missouri EMANUEL CLEAVER, Missouri BILL HUIZENGA, Michigan ED PERLMUTTER, Colorado STEVE STIVERS, Ohio JIM A. HIMES, Connecticut ANDY BARR, Kentucky BILL FOSTER, Illinois SCOTT TIPTON, Colorado JOYCE BEATTY, Ohio ROGER WILLIAMS, Texas DENNY HECK, Washington FRENCH HILL, Arkansas JUAN VARGAS, California TOM EMMER, Minnesota JOSH GOTTHEIMER, New Jersey LEE M. ZELDIN, New York VICENTE GONZALEZ, Texas BARRY LOUDERMILK, Georgia AL LAWSON, Florida ALEXANDER X. MOONEY, West Virginia MICHAEL SAN NICOLAS, Guam WARREN DAVIDSON, Ohio RASHIDA TLAIB, Michigan TED BUDD, North Carolina KATIE PORTER, California DAVID KUSTOFF, Tennessee CINDY AXNE, Iowa TREY HOLLINGSWORTH, Indiana SEAN CASTEN, Illinois ANTHONY GONZALEZ, Ohio AYANNA PRESSLEY, Massachusetts JOHN ROSE, Tennessee BEN McADAMS, Utah BRYAN STEIL, Wisconsin ALEXANDRIA OCASIO-CORTEZ, New York LANCE GOODEN, Texas JENNIFER WEXTON, Virginia DENVER RIGGLEMAN, Virginia STEPHEN F. LYNCH, Massachusetts WILLIAM TIMMONS, South Carolina TULSI GABBARD, Hawaii ALMA ADAMS, North Carolina MADELEINE DEAN, Pennsylvania JESUS ``CHUY'' GARCIA, Illinois SYLVIA GARCIA, Texas DEAN PHILLIPS, Minnesota Charla Ouertatani, Staff Director TASK FORCE ON FINANCIAL TECHNOLOGY STEPHEN F. LYNCH, Massachusetts, Chairman DAVID SCOTT, Georgia TOM EMMER, Minnesota, Ranking JOSH GOTTHEIMER, New Jersey Member AL LAWSON, Florida BLAINE LUETKEMEYER, Missouri CINDY AXNE, Iowa FRENCH HILL, Arkansas BEN McADAMS, Utah WARREN DAVIDSON, Ohio JENNIFER WEXTON, Virginia BRYAN STEIL, Wisconsin C O N T E N T S ---------- Page Hearing held on: November 21, 2019............................................ 1 Appendix: November 21, 2019............................................ 31 WITNESSES Thursday, November 21, 2019 Cardinal, Don, Managing Director, Financial Data Exchange (FDX).. 10 Gilliard, Christopher, Professor of English, Macomb Community College, and Digital Pedagogy Lab Advisor...................... 8 Kamara, Seny, Associate Professor of Computer Science, Brown University, and Chief Scientist, Aroki Systems................. 6 Pozza, Duane, Partner, Wiley Rein................................ 11 Saunders, Lauren, Associate Director, National Consumer Law Center (NCLC).................................................. 4 APPENDIX Prepared statements: Cardinal, Don................................................ 32 Gilliard, Christopher........................................ 42 Kamara, Seny................................................. 48 Pozza, Duane................................................. 54 Saunders, Lauren............................................. 62 Additional Material Submitted for the Record Lynch, Hon. Stephen: Written statement of the American Bankers Association........ 83 Written statement of the Credit Union National Association... 92 Written statement of the Electronic Transactions Association. 94 Written statement of the Financial Data and Technology Association................................................ 96 Written statement of Fidelity Investments.................... 99 Written statement of Finicity................................ 106 Written statement of Plaid................................... 115 Written statement of Public Knowledge........................ 117 Hill, Hon. French: Written responses to questions submitted to Don Cardinal..... 122 McAdams, Hon. Ben: Written responses to questions submitted to Don Cardinal..... 124 Written responses to questions submitted to Duane Pozza...... 128 Written responses to questions submitted to Lauren Saunders.. 130 BANKING ON YOUR DATA: THE ROLE OF BIG DATA IN FINANCIAL SERVICES ---------- Thursday, November 21, 2019 U.S. House of Representatives, Task Force on Financial Technology, Committee on Financial Services, Washington, D.C. The task force met, pursuant to notice, at 9:30 a.m., in room 2128, Rayburn House Office Building, Hon. Stephen F. Lynch [chairman of the task force] presiding. Members present: Representatives Lynch, Scott, Gottheimer, Lawson, Axne, McAdams; Emmer, Luetkemeyer, Hill, Davidson, and Steil. Also present: Representatives Tlaib, Gonzalez of Ohio, and Hollingsworth. Chairman Lynch. Good morning. The Task Force on Financial Technology will now come to order. Without objection, the Chair is authorized to declare a recess of the task force at any time. Also, without objection, members of the full Financial Services Committee who are not members of the task force are authorized to participate in today's hearing. Today's hearing is entitled, ``Banking on Your Data: The Role of Big Data in Financial Services.'' Before we get started, I want to take a moment to recognize our new ranking member, Mr. Tom Emmer, from the great State of Minnesota. Welcome. Mr. Emmer has a keen interest in the fintech space and has been active in this area for some time, and I am looking forward to learning from and working with him going forward. I also want to thank my friend and colleague, Mr. French Hill of Arkansas, who escaped this task force, and is now the ranking member on the National Security Subcommittee, which I Chair. I wish him the best of luck in that endeavor, and I am glad to still have his voice on this task force. I now recognize myself for 4 minutes to give an opening statement. In July, our task force examined the potential benefits and the risks associated with the use of alternative data in credit underwriting. We noted that the use of alternative data can expand access to credit for those who might otherwise be turned away from lenders. And we also discussed the possibility of that data being linked to disparate impacts on the unfair credit decisions that might be made. But in financial services, the use of data goes far beyond consumer or small business lending. The rise of financial and consumer data has enabled an explosion of financial products and services for consumers to use. Because of the volume and transferability of this data, consumers have access to applications to manage their finances, change their savings habits, or pay their friends in a way that wasn't possible a few years ago. However, the prevalence of financial applications has led to more and more personal financial data being transmitted and held outside of the traditional financial system. While most companies want to protect their customers' data, this trend has caused many to question whether our existing statutory protections are indeed adequate for the new circumstances. Consumers rightly expect their financial data to be kept secure by institutions and applications they use, but unfortunately, their expectations don't always match reality. Large-scale breaches of consumer data, like those at Equifax and Capital One, serve as a vivid reminder that even legacy institutions can be vulnerable to security lapses. They also remind us how painful it can be for a consumer to have their personal information stolen through no fault of their own. As consumers use their financial data in more ways and in more places, it becomes increasingly difficult for them to know exactly how their data is being used and, making it worse, many applications come with lengthy terms-of-service agreements which are not conducive to being read on the mobile devices consumers are using to agree to them. So we all tend to just click, ``I agree,'' without realizing the consequences. According to recently released research by the Clearing House, 79 percent of users said they did not read all the terms and conditions, and only 11 percent said they both read and understood them. Most of those people are lying. Further, the technical aspects of data security are opaque and complex. This makes it even more important for Congress and our financial regulators to get this right. The future of connected or open banking, the process of transmitting the data necessary to enable the success of these financial applications, depends on the industry's ability to do so in a safe and secure way. While there is undeniable potential in this space, today we will discuss some of the questions and concerns about how to achieve the benefits, while mitigating consumer risk. We need to know if everybody who handles financial data is adequately protecting the privacy of their users. How do we ensure consumers aren't being misled about the acquisition and use of their data? And how do we empower consumers so they are in control of their data? Today's discussion has never been more relevant, and I look forward to hearing our witnesses' testimony, and input from my colleagues. With that, I recognize my friend, the new ranking member, Mr. Emmer, for 5 minutes for an opening statement. Mr. Emmer. Thank you, Mr. Chairman. Thank you for your warm welcome. As you said, be careful what you wish for, right? You might just get it. I want to thank you for convening this hearing as well. As the new FinTech Task Force ranking member, I look forward to working with you to bring more education and awareness to Congress about the new innovations in financial services. I very much appreciate this opportunity to help lead the task force in an effort to better educate Members of Congress on the emerging developments in technology that already have and certainly will continue to influence the entire financial services industry. Today's hearing is about data, an individual's ability to control their data, and the practices that are utilized with this data. The Majority titled this hearing, ``Banking on Your Data,'' and I expect we will have a lot of discussion today relating to privacy and security concerns, which are very important. But let's keep in mind that data can also benefit consumers and can empower individuals to own their own data and to leverage it when seeking services from companies. The amount of data being generated is astounding. It is estimated that every day, we create 2.5 quintillion bytes of data, and that 90 percent of the data in the world today has been created in just the last 2 years. Not surprisingly, given Congress' inability to keep up with new technology, a TED Talk about how big data can produce insights on the work of Members of Congress and their interactions with each other was already featured more than 3 years ago. As we have seen with the internet, information can be power. And when we are generating this amount of data, the owners and possessors of that data may gain that power. With that power may come increased responsibility and may impose an ethical duty use the data properly. Many companies have already realized these duties on their own and are benefiting from listening to their customers' demands. Standard-setting bodies like Financial Data Exchange are already bringing together fintech companies to create standards and limits to accessing data. I appreciate, again, this opportunity for Members to learn about data practices and to increase the level of knowledge in Congress about the policies that companies use to innovate and to develop better services for their customers. A broad unspecific definition of ``big data'' could also include the work that is already underway to digitize the services that the financial services industry already offers to all of us. This is the future, and there is no going back from here. We have seen this in several industries already, like music and other commerce. The future is in digital services. The question is, how do we empower the individual, as opposed to the government, to make the choices that are best for them? I am hopeful this hearing will educate Members of Congress on the downside of big data but also about the benefits of data. Our job is to make sure that data helps empower the consumer and enables them to know what they are disclosing, when, and where. I hope this is a conversation more than a critique, and at the end of the day, I hope this session is informative for members of this committee. And I thank the chairman again for holding the hearing and looking at this issue objectively. I look forward to working together in a nonpartisan fashion to help Americans realize the benefits of this digital revolution and the help it can provide to each and every one of us. And I yield back. Chairman Lynch. The gentleman yields back, and I thank him for his remarks. And I do believe that this is an area where we can have great bipartisan cooperation and success. Today, we welcome the testimony of our accomplished panel of witnesses. First, Ms. Lauren Saunders is associate director of the National Consumer Law Center (NCLC). NCLC is headquartered in Boston, in part of my district. And this year, it is celebrating 50 years of advocating for consumer justice and economic security. Second, Dr. Seny Kamara is associate professor of computer science at Brown University, and chief scientist at Aroki Systems. His primary research focus has been cryptography and its applications to everyday problems in privacy and security. And at Aroki, he helps design encrypted data management systems. Third, Dr. Christopher Gilliard is professor of English at Macomb Community College, and lab advisor at Digital Pedagogy. His work focuses on privacy and technology policy and the risk of discriminatory practices in algorithmic decision-making. Fourth, Mr. Don Cardinal is managing director of the Financial Data Exchange, FDX, which is a nonprofit working group to set an industry standard for the secure transmission of sensitive financial data. FDX is an independent subsidiary of the Financial Services Information Sharing and Analysis Center. And finally, Mr. Duane Pozza is a partner at Wiley Rein, where he advises on issues of privacy and data governance. Prior to joining Wiley Rein, Mr. Pozza was an Assistant Director in the Division of Financial Practice at the Federal Trade Commission's Bureau of Consumer Protection. I want to thank you all for being here today. Our witnesses are reminded that your oral testimony will be limited to 5 minutes. And without objection, your written statements will be made a part of the record. Ms. Saunders, you are now recognized for 5 minutes for an oral presentation of your testimony. STATEMENT OF LAUREN SAUNDERS, ASSOCIATE DIRECTOR, NATIONAL CONSUMER LAW CENTER (NCLC) Ms. Saunders. Thank you. Chairman Lynch, Ranking Member Emmer, members of the task force, thank you for inviting me to testify today on behalf of the low-income clients of the National Consumer Law Center. I am going to focus my testimony today on the growing use of data aggregators to access consumers' bank account and other types of account transaction data, but my comments will also have applicability to other forms of data. The use of consumers' transaction data has the potential to help consumers in a number of ways: to improve access to affordable forms of credit; to prevent fraud; to encourage savings; and to help consumers better manage their finances. Companies are using transaction data to address problems that banks are not and to encourage banks to improve their own services. I am especially intrigued by the use of cash flow data, which can help assess whether the consumer regularly has sufficient residual income at the end of the month to handle an additional expense. Cash flow data may especially help those with limited credit histories or those who have recovered from a temporary setback that is still reflected on their credit report. Cash flow data is currently only being used with consumers' explicit permission and generally to improve access or pricing, but I am concerned whether transaction data may become more routinely added to already robust credit reports, may be used to increase pricing, or may be monetized by the credit bureaus for other uses. These uses should be prohibited. I appreciate that this data is being used today with consumer permission, but we should not put too much stake on consumer permissioning, which may be no more voluntary than clicking, ``I agree,'' or saying yes to a potential employer who asks to review your credit report. The intensely detailed personal and sensitive data inside consumers' accounts could also be used for less beneficial purposes. It may help predatory lenders refine their ability to make and collect unaffordable loans or it could enable targeting of consumers for harmful products. Transaction data can also be fed into algorithms and machine learning that may have results that lead to discriminatory impacts. The use of data aggregators also poses concerns regarding security, privacy, and compliance with the Fair Credit Reporting Act (FCRA). A number of efforts are underway to address many of these issues, including the work of my fellow panelist, Mr. Cardinal from FDX, which we are in the process of joining. We support these voluntary efforts and dialogue, but ultimately, consumers cannot be confident that their data will be used appropriately unless the law clearly protects them across these different dimensions industrywide. First, security and protection. We need enhanced data security requirements and Federal supervision of entities that store significant amounts of consumer data. Second, we need strong privacy laws that impose substantive limits on the use of information in ways that consumers would not expect, that ensure consumer choice and control are meaningful, and that do not preempt stronger State protections that may address new problems not yet addressed on the Federal level. Third, we need to address misinterpretations of the Fair Credit Reporting Act by courts. New forms of information are essentially a consumer report that--if they are used for credit or other FCRA purposes, and consumers have a right to know what information is being used about them, to demand accuracy, to obtain corrections, and to be told if the information leads to adverse consequences. Fourth, we must actively look for and prevent discriminatory impacts in the forms of new data. As recent news shows, computers can discriminate too. To paraphrase the words of one fintech lending club, the disparate impact regime is an innovation-friendly approach that addresses concerns about discriminatory impact, while flexibly accommodating innovations without onerous compliance. Beyond fair lending, we need laws to prevent discriminatory impact in areas other than credit. Finally, the Consumer Financial Protection Bureau (CFPB) can and should play a bigger role by supervising data aggregators for compliance with all laws within their jurisdiction, which should be expanded to include privacy and data security standards. Thank you for inviting me to testify. I look forward to your questions. [The prepared statement of Ms. Saunders can be found on page 62 of the appendix.] Chairman Lynch. Thank you very much. Dr. Kamara, you are now recognized for 5 minutes. STATEMENT OF SENY KAMARA, ASSOCIATE PROFESSOR OF COMPUTER SCIENCE, BROWN UNIVERSITY, AND CHIEF SCIENTIST, AROKI SYSTEMS Mr. Kamara. Chairman Lynch, Ranking Member Emmer, and distinguished members of the Task Force on Financial Technology, I appreciate the opportunity to testify at today's hearing on the role of big data in financial services. I will speak about how data is transforming the financial industry and how this transformation holds great promise but, unless it is carefully guided, also has the potential to erode consumer privacy and increase discrimination. The financial industry is using new data sources called alternative data. For example, credit reporting agencies are using data about utility bills to create new credit scores. Insurance companies are using internet of things (IoT) data from homes and cars to better predict risks. Insurance companies have used Facebook posts and psychometric tests to assess people's risk profiles. Payday lending apps track location to determine how much time their users spend at work. Microlending apps are using location data, social media contact lists, and the behavior of Facebook friends to estimate people's creditworthiness. An app made in California that operates in Kenya even accesses call history under the belief that people who regularly call their mothers are more likely to repay their loans. In addition to leveraging new sources of data, the financial industry is processing data in new ways using machine-loading models to make automated decisions quickly and at scale. While classical algorithms are designed by domain experts and expresses a series of rules and explicit choices, machine-loading models are produced by algorithms that learn from data. The models produced in this manner can be very effective in certain contexts but suffer from important limitations. The first is a lack of transparency. We often do not know and, therefore, cannot explain why a machine-loading model makes a particular decision. This is a serious concern in the context of credit since the Equal Credit Opportunity Act (ECOA) and the Fair Credit Reporting Act (FCRA) require creditors to explain the reason an application was denied. The second important limitation of machine-loading models is bias in decision-making. While this kind of algorithmic discrimination has been well-publicized, it is important to note that we are only in the very early stages of understanding the behavior of these algorithms. In fact, in that space, there are currently more questions than answers, so it is important to tread carefully. Fintech apps can make use of multiple sources of consumer data, ranging from financial records provided by a bank to location data provided by a mobile device. Traditionally, financial apps have shared data through a practice called screen scraping. It is widely accepted that this practice is substandard from a privacy and security perspective, which has motivated the financial industry to develop Application Programming Interfaces (APIs). Roughly speaking, an API is a standard interface between apps that allows for easier interoperability and improved security. APIs are a considerable improvement over screen scraping, but they are far from enough to guarantee consumer privacy. With an API-based design, apps can still access, lose, exploit, and abuse raw user data, and as long as consumers have to trust data-hungry apps that scour their sensitive data under vague privacy policies, they will never have real privacy. But what if consumers did not have to give up their data in order to benefit from financial and technological innovations? What if financial apps and services never had to see raw data? This might sound impossible but, in fact, it is possible. Over the last 30 years, cryptography researchers in academia and in industry labs have developed a wide array of cryptographic techniques to process encrypted data. This gives us the ability to run algorithms, including machine-loading algorithms, over encrypted data, to search through encrypted files, and to query encrypted databases, all without ever decrypting the data. The set of privacy technologies, which includes secure multiparty computation, private set intersection, homomorphic encryption, and encrypted search algorithms, can enable truly private data processing. I want to stress here that this is not science fiction. These technologies are already in use today. By leveraging these advances in cryptography, financial technologies could deliver on their promise to improve the financial health of their customers without them having to sacrifice their privacy. The financial industry is being transformed by technology, and in the wake of this transformation, it is easy to get carried away on a wave of technological optimism. As a computer scientist, I believe in the power of technology, but I am also acutely aware of its potential harms. As a cryptographer, I worry deeply about the erosion of privacy that these financial apps and services can cause. We are all aware of the constant occurrence of data breaches, of the weaponization of private data to micro-target people and affect their behaviors. Do we want another Equifax? Do we want another Cambridge Analytica? Moving fast and breaking things is not sound engineering practice, and it is not sound policy. It is imperative that we proceed carefully and that we oversee this transformation with strong privacy laws and strong privacy technologies. Thank you, and I look forward to answering your questions. [The prepared statement of Dr. Kamara can be found on page 48 of the appendix.] Chairman Lynch. Thank you, Dr. Kamara. Dr. Gilliard, you are now recognized for 5 minutes. STATEMENT OF CHRISTOPHER GILLIARD, PROFESSOR OF ENGLISH, MACOMB COMMUNITY COLLEGE, AND DIGITAL PEDAGOGY LAB ADVISOR Mr. Gilliard. Chairman Lynch, Ranking Member Emmer, and members of the task force, thank you for inviting me to appear before you and provide testimony. My name is Dr. Chris Gilliard, and I have spent the last 6 years studying, teaching, and writing about digital privacy and surveillance. I focus on the ways that digital technologies perpetuate and amplify historical systems of discrimination. Too often, digital technologies render systems invisible and inscrutable under the guise of proprietary code, black box algorithms, or artificial intelligence. There are now countless documented examples of algorithmic discrimination, data breaches, violation of consumer privacy, and extractive practices on the part of platforms. Moving forward, the onus for addressing these problems should be shifted onto companies so that, before they move their product to market, they provide evidence that they will not bring harm to the consumer, much in the same way food and drug safety operate now. It may not be possible or useful to define the distinction between financial big data and all other data. Financial big data plays a role not only in finance, insurance, and real estate, but also in employment, transportation, education, retail, and medicine. In addition, third-party data brokers accumulate all manner of data to the point that even if there are categories of data that are protected, processing massive amounts of data often creates the existence of proxies that allow for discrimination against protected classes within or among systems that may not appear to be financial. The primary reasons that many remain unbanked are because of historical inequality. While new forms of banking and credit may provide access to systems those people have traditionally not had access to, many of these technologies also offer these benefits in exchange for people's privacy or create opaque systems that offer consumers little opportunity for redress. It is telling that the Apple Goldman Sachs card received so much interest, because opaque algorithms affect marginalized populations all the time. Yet, they do not have the reach and power to trigger massive media attention and an investigation by the State. For rich folks, algorithmic opacity may mean being denied a larger credit limit. For the poor, this may mean paying for medicine, shelter, or food. The notion that companies like Facebook, Google, or Amazon are entering into banking in order to benefit the unbanked or people who do not have access to traditional credit markets is absurd on its face. As one recent report stated, for Google, the bank partnerships will give the tech behemoth a better ability to show advertisers how marketing dollars spent on its system can drive purchases. There are two crucial frameworks for understanding these technologies and their impacts on marginalized communities: digital redlining; and predatory inclusion. Digital redlining is the creation and maintenance of technology practices that further entrench discriminatory practices against already marginalized groups. One example would be that Facebook ad targeting could be used to prevent Black people from seeing ads for housing. ``Predatory inclusion'' is a term used to refer to a phenomenon whereby members of a marginalized group are offered access to a good, service, or opportunity from which they have historically been excluded, but under conditions that jeopardize the benefits of that access. The process of predatory inclusion is often presented as providing marginalized individuals with opportunities for social and economic progress; but in the long term, predatory inclusion reproduces inequality and insecurity for some, while allowing already dominant social actors to derive significant profits. As an example, we might look at the report on the cash advance app Earnin, which offers loans for which users are able to tip the app. As reported in the New York Post, if the service was deemed to be a loan, the $9 tip suggested by Earnin for a $100, 1-week loan, would amount to a 469 percent APR. As Princeton Professor Ruha Benjamin has argued, our starting assumption should be that automated systems will deepen inequality unless proven otherwise. Because of how algorithms are created and trained, historical biases make their way into systems even when computational tools don't use identity markers as metrics for decision-making. Further, the notions of consent, notice consent, or informed consent as they are currently constructed are not sufficient for a number of reasons. Privacy policies mainly serve to protect companies. Credit scoring companies operate without the express consent of the consumers they purportedly serve. Data is extracted, collected, combined, processed, and used in ways that go beyond the stated purpose to provide consumers. There is often limited accountability for when they have been irresponsible with consumer data. Companies rarely disclose and consumers even more rarely understand the full range and uses for their data. We must reject the notion that regulations stifle innovation, as those harmed during innovation phases tend to be the most marginalized, and only later are policies addressed with no repairing of harms. The idea that corporate innovation, rather than the rights of historically marginalized groups, is an interest that Congress must protect turns ideas of citizenship and civil rights upside down. That these systems are proprietary often make the harms more difficult to detect. Thank you. [The prepared statement of Dr. Gilliard can be found on page 42 of the appendix.] Chairman Lynch. Thank you, Dr. Gilliard. Mr. Cardinal, you are now recognized for 5 minutes. STATEMENT OF DON CARDINAL, MANAGING DIRECTOR, FINANCIAL DATA EXCHANGE (FDX) Mr. Cardinal. Chairman Lynch, Ranking Member Emmer, and members of the task force, thank you for the opportunity to offer testimony at this hearing. My name is Don Cardinal. I am the managing director of Financial Data Exchange (FDX). FDX was formed just a little over a year ago as an industry-led collaboration that includes financial institutions, financial data aggregators, fintechs, industry organizations, consumer advocacy groups, and permission users of financial data. The mission of FDX is to unify the financial services industry around a common and interoperable royalty- free standard for the secure sharing and convenient sharing of financial data with financial technology applications, fintech apps. We are guided by five core principles: control; access; transparency; traceability; and, of course, security. Over the last decade, technological innovations in financial services have empowered consumers to better understand where and how they spend their money, increase their credit scores, prepare their taxes, verify accounts and balances, and aggregate disparate financial accounts. While consumers have benefited immensely from these innovations, they primarily come through a mechanism known as screen scraping, and only done through the sharing of consumers' IDs and passwords at their financial institution. Screen scraping is the automated process of collecting the text that appears on a website for the purposes of another application. For example, online banking websites display customers' account balances and transactions, and this data can be retrieved through a permission fintech app or a data aggregator by an automated login on the customers' behalf and present that data in some other application. And while screen scraping has provided a useful avenue for consumers to use and share their own financial data, it is very inefficient and can lead to poor data quality. This technology also places undue stress on financial institutions' tech stack through the sheer volume of automated logins. And, finally, the needed sharing of sensitive login credentials and the lack of consumer control over the amount of data they share with other parties means it is really time to move on from screen scraping. In recognition of these challenges, FDX was formed to promote a better way forward, namely, moving the financial services industry away from screen scraping and to the adoption of the use of APIs for access for consumers' financial data. Now, API simply means ``application programming interface'', and in layman's terms, it is just a way for computers to talk to each other with a common format. They also make consumer- permission data sharing easier, more accurate, and more secure, because they lay out in detail the rules for how to request data and exactly what data will be returned. Our chosen standard is aptly named the FDX API. It allows for users within the financial data ecosystem to be security- authenticated but without sharing or storing of the login credentials with third parties. So instead of a fintech or aggregator logging in on behalf of a customer with their shared credentials, an API allows the consumer to log in themselves, and be authenticated by their own financial institution. It gives the consumer the ability to permission their data for the chosen app. In fact, through the broad adoption of the FDX API, screen scraping will eventually cease, but the flow of user permission data will encounter less friction and be even more secure and reliable than ever. So with that overview out of the way, I want to use my remaining time to highlight a few key points for the task force this morning, and I have attempted to expand upon these in my written testimony. First, the only consumer financial data that will be accessed with the FDX API is that which the consumer has expressly consented to, and permission to share with fintech apps. This eliminates access for so-called data brokers who collect vast amounts of data, often without consumers' knowledge or consent. Second, FDX is working towards specific-use cases for fintech apps to minimize the amount of data that consumers require to share for a given use. While screen scraping currently allows really any data on a consumer's website to be collected, defined-use cases through the FDX API limits the collection of data to only that which is needed to fulfill a specific purpose; and by minimizing data in play, you maximize privacy. And, third, FDX represents the entire consumer financial services ecosystem, which includes small fintechs, local banks, credit unions, all the way up to the largest financial institutions, and consumer advocacy groups. Further, the FDX API provides a framework necessary to provide scaleable technology solutions so that even the smallest financial institutions will be offered the same goods and services as the largest financial institutions, but at a fraction of the cost. The FDX API is, after all, royalty-free in perpetuity for all parties. In sum, FDX represents the financial services ecosystem coming together to put the consumer in the driver's seat regarding the use and sharing of their own data. Demand has been a leading force for this massive innovation that has taken place, and we believe the entire financial system ecosystem is best positioned to ensure that these consumers are empowered but have the tools to share and use their own data in the most secure manner possible. Thank you for the opportunity to speak this morning. [The prepared statement of Mr. Cardinal can be found on page 32 of the appendix.] Chairman Lynch. Thank you, Mr. Cardinal. Mr. Pozza, you are now recognized for 5 minutes. STATEMENT OF DUANE POZZA, PARTNER, WILEY REIN Mr. Pozza. Chairman Lynch, Ranking Member Emmer, and members of the task force, thank you for the opportunity to appear today to discuss the role of big data in financial services. I am a partner at Wiley Rein, where my practice includes advising companies on the legal and regulatory framework for collecting, using, and managing consumer data, including in financial services and counseling on U.S. and global privacy laws. This includes emerging regulatory approaches around machine-learning technologies which depend on large and sophisticated data sets. I previously worked at the Federal Trade Commission on financial technology issues. Data-driven financial services hold enormous potential to improve consumers' financial lives. Companies can use consumer data responsibly to expand access to credit, provide customized financial advice, detect and prevent fraudulent behavior, and provide financial services at a lower cost, among other advantages. Companies are already using large and robust data sets to accomplish these objectives, and the development of machine learning and AI technologies will further advance what these technology innovators can accomplish. Companies using consumer data in innovative ways for financial decisions operate in an area that already has many significant laws and regulations on the books and multiple regulatory authorities. Companies must comply with well- established financial services laws, many of which implicate the use of consumer data, in addition to Federal Trade Commission (FTC) guidance on data privacy and security. Applicable Federal laws include the Fair Credit Reporting Act, the Equal Credit Opportunity Act, the Gramm-Leach-Bliley Act, and the FTC Act Section 5 authority and prohibitions against deceptive or unfair practices, all of which also apply in the context of big data. The companies must also comply, to varying degrees, with consumer privacy laws that reach across sectors, both on the international level--for example, the European Union's General Data Protection Regulation--and on the State level--for example, the California Consumer Privacy Act. State laws, in particular, threaten to create a piecemeal compliance framework and burden businesses that already have substantial compliance obligations, including in the area of big data. The experience with California's law illustrates some of the challenges that companies face. As consumer data is increasingly used to provide better financial services, it is important to carefully consider consumer expectations and preferences around use of their information and weigh the benefits that better financial services can bring and the cost of added regulation. The use of advanced data for credit decision-making is particularly promising. Large data sets can enable lenders to better analyze credit risk and potentially expand access to credit to those who find it difficult to obtain credit when evaluating using traditional credit models. Many consumers are thin-file or no-file consumers who lack an adequate credit history to generate a reliable credit score, and others have relatively low scores that do not accurately reflect their level of creditworthiness. The nonprofit, FinRegLab, recently released the results of a promising study that illustrates the ability of large-scale data analytics to responsibly expand access to credit without raising issues related to bias. FinRegLab analyzed data from six non-bank financial services providers that used cash flow information as part of their credit decision-making. The organization study concluded that participants appeared to be serving substantial numbers of borrowers who may have historically faced constraints on their ability to access credit and, in regard to fair lending, that the degree to which the cash flow data predicted credit risk appeared to be relatively consistent across subpopulations of race, ethnicity, and gender, and appeared to provide independent predictive value across all groups rather than acting as proxies for a demographic group. Top officials at the Consumer Financial Protection Bureau (CFPB) also recently announced the results of the Bureau's data analysis conducted in connection with its no-action letter to Upstart Network. Upstart's underwriting model uses a range of data and machine learning in making credit underwriting and pricing decisions. The agency found that the company's tested model approved 27 percent more applicants than the traditional model, and yielded 16 percent lower average APRs for approved loans. It also showed no disparities that the CFPB found to require further fair lending analysis under the company's compliance plan. These are just some examples of how financial services companies are using consumer data responsibly to provide better financial services for the benefit of consumers. Thank you. I look forward to your questions. [The prepared statement of Mr. Pozza can be found on page 54 of the appendix.] Chairman Lynch. Thank you very much. I now yield myself 5 minutes for questions. One of the most helpful books in this area is a book called, ``The Age of Surveillance Capitalism,'' by Professor Shoshana Zuboff. I think she is at Harvard. She talks about how all of these platforms are soaking up what she calls behavioral surplus, everything we do, what we read, who our friends are, how we drive. Our cars are now hooked up. Some insurance companies are actually monitoring our driving so they know when you are driving like a nut to get your kids to school in the morning, and they jack up your rates subsequent to that. One of the things that she pointed out was the pernicious terms of agreement that a lot of these apps have, that they might be framed as privacy agreements, but they are actually a lack of privacy agreement. In other words, you give away your privacy. In order to get on that site and get access, you click, ``I agree,'' to very long, very complicated terms of agreement, an access contract. And I have a few of them here. Mint, which is a somewhat popular financial management tool, I scrolled down that to see what I had agreed to, to get on that site--37 pages long, 11,312 words. Ridiculous. Venmo, which is really popular, I use that on occasion. I just clicked, ``I agree,'' because I couldn't--13,196 words, 40 pages, and really dense legalese. I am an attorney, and it was tough to get through. Qapital, with a ``Q,'' that is a savings application-- almost 10,000 words, 10 pages, but really, really dense. Dr. Kamara--actually, for any of you, I think you all get a sense of this. How do we instill in consumers the knowledge of what they are agreeing to in terms of clicking, ``I agree?'' I have two young girls. One is in college, and one is just graduating college. And that iPhone in their life is just absolutely necessary. So, they are going to click, ``I agree.'' I just know they are. Like millions of other American kids and kids all around the world, they are just going to--in order to get on that site, you have to click, ``I agree,'' and you have to let them take your data and resell it. How do we convince consumers of the seriousness of what they are doing? And what rules might we put in place to balance the scales here so that you don't have to sign away your firstborn in order to get access to some of these sites? How do we challenge that? Ms. Saunders? Ms. Saunders. I think ultimately, these are not issues that can be disclosed. At the end of the day, I don't really think it is possible for consumers to fully understand how their data is going to be used or, frankly, have the option. I may understand what happens when an employer checks my credit report, but if I want the job, I am going to have to say, yes, you can check it. As use of data becomes more widespread, we are not going to have the choice. I, too, have spent some time looking at privacy policies, and I thought I was a relatively sophisticated consumer, but I can't understand them. And even if you simplify them, even if you use the model form, at the end of the day, what does it mean, well, we only use your data to the extent necessary to provide our service? I don't know what that means. I think at the end of the day, people need to have confidence that the data is going to be used in ways that people would expect, that would be logical for the service at hand, that a minimum amount of data is being used. And that is some of the efforts that FDX is undertaking to try to figure out use cases. They don't have-- Chairman Lynch. All right. Thank you. I only have 45 seconds left. Dr. Kamara, so does that mean we have to basically surrender all our data in order to just--we lose control of all of our data and that is just a fact of life? Mr. Kamara. No, it doesn't--it is not required. We have technology. We have ways of designing apps and services so that consumers don't have to give up their data, so that services can be provided without having to see raw data. This is technology that has existed for about a decade that is practical today, but because companies never really had an incentive to improve their privacy practices, it has been underinvested in, but it is not necessary. Chairman Lynch. Thank you. Dr. Gilliard? Mr. Gilliard. The onus should not be on the consumer to ensure that they are not being exploited. Chairman Lynch. Okay. My time has expired. I am going to yield to the ranking member, Mr. Emmer, for 5 minutes. Mr. Emmer. Thank you, Mr. Chairman. And thanks again to this great panel. Mr. Cardinal, does the average consumer utilizing fintech services know to what extent their financial and personal data is being stored and shared? Mr. Cardinal. Let me take that in a couple of different ways. Our key principles are control, access, and transparency, and I want to talk about transparency. The idea that a consumer should know what data elements they are sharing, for what purpose, and for what duration, is key to what we are doing. And as NCLC pointed out, I think that is a driving principle. Customers should be able to make an informed decision about what data they are sharing, whether they are trying to get a discount at the grocery store or for other purposes. At the end of the day, it is their data. The customer should remain in control, and an informed consumer, I think, makes the whole industry better. Thank you. Mr. Emmer. Yes, but they don't know. At the end of the day, they don't know how much of it is being taken and how much of it is being shared. Mr. Cardinal. I believe if you disclose exactly the purpose--I want to file my taxes and I am going to download my tax forms, I think that is fairly clear. To the extent we can disclose it, we can do that initial piece. Now, where it goes from there after, we really can't be responsible, I think, as Ms. Saunders pointed out. Mr. Emmer. So when consumers--Mr. Cardinal, let's just continue on this. When consumers authorize screen scraping by giving away their user name and password, what risks are they exposing themselves to? Mr. Cardinal. Again, we are moving away from screen scraping. The whole idea is to get away from that, get away from what we call held-away IDs and passwords, because if you don't share it, you can't lose it, the whole idea of reducing the whole risk envelope. So screen scraping, again, also is access, as I mentioned in my testimony. You have access to the entire scope of data, it is visible to the naked eye, whereas the use cases that we are developing minimize data, and the NIST standards that the government follows stress data minimization as a way to reduce risk. So we are trying to go to an API with defined-use cases with minimized data and without held-away credentials to really reduce that entire risk surface for everybody. Mr. Emmer. Thank you. Ms. Saunders, how does the Gramm-Leach-Bliley Act define financial institutions? Do fintech companies, data aggregators, and data brokers clearly fit the definition? Ms. Saunders. I am not an expert on the Gramm-Leach-Bliley Act. I do know that it covers traditional financial institutions such as banks and credit unions and also some other entities that are not banks and credit unions, but it is not nearly broad enough to cover the wide range of companies that do have our data and implicate data security and privacy concerns. Mr. Emmer. Should a consumer be able to make portable all of the data available to them via their native online banking account or is that on their paper statement to a third-party service provider, or do you believe that only a subset of that data may be leveraged by a consumer? Ms. Saunders. I think it really depends on the use case. I think one potential future use of accessing account data would be to make it easier to port over your data to a new account, comparison shop and to--it is very difficult to unenroll in all of your online bill pay. On the other hand, there are uses today where people should be able to use it for cash flow underwriting and other things. Mr. Emmer. Okay. For the panel, I am a huge supporter, as I believe probably everybody up here is, of individual privacy, and I have some concerns about some firms' data hygiene practices. What do you see in the next 5 to 10 years in terms of how big data is going to transform financial services? Any of you may answer. Or was that too broad? Was that the ocean? And if that is too difficult, let's narrow it. Do smaller banks have the resources to comply with the new regulatory regime under data privacy laws like the Gramm-Leach-Bliley Act? And maybe this is for Mr. Pozza? Mr. Pozza. I would say that what experience with the California Consumer Privacy Act is showing is that smaller companies in general are having difficulties with compliance. I think that the law itself has some ambiguities and is not written in a very straightforward manner, and illustrates the problem of regulating around this space in a broad brush, and the smaller companies are incurring compliance costs. Mr. Cardinal. Ranking Member Emmer, I would like to add on, since the FDX API is royalty-free, it levels the playing field. A mom-and-pop credit union can offer the same access to data as a top-four universal bank. And a lot of these credit unions rely on core processors, and one of them is on our board. We are working with the other ones. So once the cores get onboard and offer this API, a lot of the credit unions in your district, and in my district, will be able to offer this same type of royalty-free access that is secure and is much more reliable than screen scraping. Mr. Emmer. Thank you. I see my time has expired. Chairman Lynch. The gentleman yields back. The gentleman from Utah, Mr. McAdams, is now recognized for 5 minutes. Mr. McAdams. Thank you, Mr. Chairman, for holding this hearing. And thank you to the witnesses for your testimony today. I am fascinated by this topic and the myriad of connecting issues related to it--big data, data security, privacy, data ownership--and how all of this interacts with innovations in financial services, as well as potential risks to consumers, because I do see great potential benefits but I also recognize the potential risks in terms of data security, and discrimination in lending, for instance, among other issues. So first question, Mr. Cardinal, I know in the various testimonies or even in many of the conversations that occur in Congress, definitions matter, and being specific with what companies we are referring to, that also matters. Can you explain or maybe even highlight the difference between a data aggregator and the role that they play in the financial services industry and the role a data broker plays? Mr. Cardinal. Thank you for that question, and I appreciate the chance to straighten out or expand upon some ambiguity in the press. A ``data aggregator'' is simply a data service company that allows any third party that is permissioned to reach out and extract, with consumers' consent, data from a variety of sources, whether it be a bank, a brokerage, or an investment company. A ``data broker'' is someone who is gathering data, harvesting quite a bit of data, often without the customers' knowledge or even consent. So, there is a clear difference, and that has to do with customer awareness and permission. Mr. McAdams. How do the regulatory or legal obligations of those two entities differ? Mr. Cardinal. I will leave the technology standards bias. I really couldn't comment on that part. I'm sorry. Mr. McAdams. Do any of the other witnesses have any thoughts on that? Okay. I just want to maybe ask a further question. Does whether the data is consumer-permissioned or even revocable access change how we should view the data and the entities holding or transmitting the data? Because that seems to be fundamental in the distinction between those two, the data aggregator and the data broker. Mr. Cardinal. You are spot on. Consumers should be in control. We are all here to serve the consumers, and the idea that they should have clear knowledge of what data they are sharing, for what purpose, and for what duration--and I will give you an example. I am a CPA by trade, and the idea that, yes, I want to share my tax forms with TurboTax through April 15th is very clear and very conspicuous versus data that I don't even know is being used. Mr. McAdams. I guess that leads to my next question, and it would be for anybody on the panel. I have an iPhone and have numerous apps and websites that I use, some infrequently, and some on a regular basis. And I am positive that I have given access to various bank accounts or financial data, other personal data, to dozens of different companies. That is probably a conservative estimate. But as a consumer, I honestly don't know and probably can't even easily locate who has access to my data and how it is being used right now. I don't even know how long ago I may have given access or how long that access may be for. So how should we as policymakers think about this issue? And are there ways, either through the government or through private sector standards that could better promote consumer awareness and/or consumer control over this information? Ms. Saunders. I can address that. Mr. McAdams. Thank you. Ms. Saunders. Ultimately, I think that we need to have rules that data is used in ways that consumers expect, so that you don't have to decipher how it is going to be used. I think permission should also expire after 1 year. I was surprised when I got an email alerting me to some access for something I signed up for years ago. So often, if you apply for credit, you think that is going to be used at the moment of the credit application, and you don't realize it may be used on an ongoing basis. There may be uses that you just have no idea about. So, minimizing the amount of data, requiring it to be used in ways that are logical for the use, and putting an end point so consumers can have control and decide whether to reauthorize the use or not. Mr. McAdams. And is that a place that we should look at as policymakers, as Members of Congress, to ensure that those standards are equal and fair and apply across the industry? Ms. Saunders. Yes, I think so. There are voluntary efforts to address principles like that, which is great in the current situation, but ultimately, we want this applying across all uses and not just those who choose to comply. Mr. McAdams. Mr. Kamara? Mr. Kamara. I would just like to add, the principles that Ms. Saunders describes can be embedded in the technology. They can be embedded cryptographically so that data is always protected mathematically. So it is possible to design these services and these apps so that your data will never be seen by any of the data aggregators or financial services that need it in order to build their products. Mr. McAdams. Dr. Gilliard? Mr. Gilliard. As Chairman Lynch noted, this is sort of the age of surveillance capitalism, so most companies generally operate from a collect-it-all, keep-it-as-long-as-possible perspective. And, again, I think that there do need to be more regulations, because it is an unfair burden on consumers to take weeks or months to read the dense kind of language that is in these policies. Mr. McAdams. Thank you. I see my time has expired. I yield back. Chairman Lynch. The gentleman yields back. The Chair now recognizes the gentleman from Missouri, Mr. Luetkemeyer, for 5 minutes. Mr. Luetkemeyer. Thank you, Mr. Chairman. And I thank the panel today. It is quite interesting. Mr. Pozza, your testimony states that the California attorney general is currently accepting comments on rules to enforce the California Consumer Privacy Act (CCPA), and those rules are scheduled to go into place in July of 2020. However, the CCPA's date of enactment is January of 2020, so they are getting the rules after the enactment. I am not sure how that works, but hopefully you can explain it to me here in a second. In addition, you highlight how financial institutions are unclear what personal information they possess is covered by this vague law. Lastly, I heard from financial institutions that some provisions of CCPA are in direct conflict with other State laws regarding data security and privacy. All that being said, I have a simple question: How are financial institutions supposed to comply with CCPA? Mr. Pozza. I think it has been difficult for financial institutions to navigate CCPA compliance. As I point out in my testimony, and as you state, the law has an effective date of January 1st, but the regulations are still being finalized. We are in the middle of a comment period for the draft attorney general regulations, which would go into effect, at the latest, on July 1st. This means there is a current set of rules that are themselves a bit unclear. They are in the law, and then those can change or become more detailed or even be expanded, depending on what the attorney general does in the regulations. That makes it very difficult for financial institutions and other companies to figure out how to essentially manage their data practices, because this is really a broader issue of sort of data governance. It is what obligations are you going to have to consumers about their certain data to respond to certain requests and how you deal with it with third parties. So, these are difficult issues to go through and think ahead to how the law could be changing over the next-- obligations could change over the next 6 months. Mr. Luetkemeyer. Thank you for that. I know that all of this data--the world of technology is wonderful. It allows us to do so many wonderful things and speed things up and give people more access to their own information, but it is also scary from the standpoint of what can happen to it. The data aggregators are really something that I am very concerned about. As somebody who comes from the other generation--I still have a rotary phone, by the way. So for those of you, any millennials in the audience, and maybe some of you on the panel, if you can figure out how to do a text message on that, I would sure appreciate it. I'll be glad to see you after this hearing. But I was discussing it the other day with an entity who lost hundreds of millions of dollars because of the data aggregator doing some nefarious things. They had access to individuals' information because they had given it to somebody along the way, whether--Mr. Cardinal, you talked about tax preparers a while ago--and suddenly, they use a third party to be able to access all that. And now, they can go in and they can scrape the screen and get--and nightly, what this entity was telling me, was that 80 percent of the transactions that go on in there overnight are from data aggregators. They have had to up the amount of computer power in their business to be able to accommodate the data aggregators that are coming in every night and scraping all the information off. It is not their own customers; it is the date aggregators. This has gone way beyond access to information. And so, while I am not a big fan of regulation, there is a whole system out there right now that looks to me to be out of control, and we are going to have to figure out how to put the genie back in the bottle so we can protect our consumers and allow them to access their information. I know you have talked at length here about this, but do you want to elaborate a little bit more on that, Mr. Cardinal? Mr. Cardinal. Yes. Thank you for the opportunity to address that. That was part of the reason FDX has stood up. And we have banks, brokerages, investment firms, data aggregators, and fintechs, the whole ecosystem working together on this issue. Nobody likes screen scraping. It is inefficient. It is expensive. It can lead to inaccuracy in data occasionally. The API is much more secure, and my colleagues here have mentioned that several times. You limit and control the amount of data. It is an order of magnitude and more efficient. The hardware costs alone that you referred to come down by an order of 100X, and it makes the front-door defense also a lot easier by ceasing screen scraping. That means anything hitting your front door should only be human. So, that helps your cyber posture. It helps your data risk posture. It helps your hardware cost posture. And again, it limits the data out there in play and, of course, it removes IDs and passwords held away. This is the end state that everyone is working toward, whether you are a bank or a brokerage or you are an aggregator or a fintech. Mr. Luetkemeyer. The chairman asked a while ago the question about, how do we get consumers to understand the seriousness of this. We have had former Director Cordray of the CFPB in this very room, and he indicated that the CFPB was collecting 80 percent of all the credit card transactions in the country. They are collecting that data. That should scare the bejeebers out of every single person here today. My time is up, but I want to thank the panel for being here today. You have been very informative, and I sure appreciate your efforts. Thank you very much. And I yield back. Chairman Lynch. Great questions. Thank you. The gentleman from Florida, Mr. Lawson, is now recognized for 5 minutes. Mr. Lawson. Thank you, Mr. Chairman. And I welcome the witnesses today. Are there any examples in the market today to which consumers and our small businesses might not be permitted to access the financial data which might impact their products or services? This is for anyone who cares to respond. So, there is none? Tell me this, how does big data collection impact consumer profiling? Ms. Saunders. I would say we don't know, and that is the problem. We have all sorts of data that is fed into big black boxes and algorithms, and we don't know how it is being churned and correlated and conclusions are being drawn, and we really don't understand how it is being used. Mr. Lawson. Okay. A little bit of a follow-up, with the increase of big data comes an issue of security. Can you share how consumers will know who has access to their data and how the information will be shared? Ms. Saunders. Again, I don't think it is something that consumers are equipped to know, and we shouldn't put that onus on the consumer. We should have rules about what can be shared and rules about how data is held securely and not put it on consumers to figure out who is holding their data securely or not. Mr. Lawson. Mr. Cardinal? Mr. Cardinal. We are seeing some innovation in the industry around making the data sharing more transparent. If you look at Wells Fargo's control tower, you can see--and I will pick on TurboTax again, because I am an accountant and I like to do that. You can see, yes, I have permission from TurboTax to pull my data down, and you see other firms standing up dashboards where consumers can see very clearly whom they permissioned, and it gives them the ability to kill that connectivity at any time. So, you have firms like USAA or Bank of America or Citibank, and they are also standing up those dashboards because they want to inform consumers well and give the consumer the ability to kill that connectivity at any time. Mr. Lawson. Mr. Gilliard? Mr. Gilliard. As Ms. Saunders has said, there is very little ability--I know a lot of computer scientists, cryptographers, people in privacy and surveillance, and even people with advanced skills, and it is very difficult for them to know the answer to that question. But the other thing that is important--and Dr. Kamara alluded to this--it is very hard, and it is, in fact, impossible for people to know how that data is combined, processed, repurposed, and what kinds of correlations or connections will be made by companies who do this. As Dr. Kamara said, so there is some correlation between calling your mom and paying your bills. So, only the people inside that system, and sometimes not even them, would know that correlation exists. People outside of it have absolutely no ability to know that. Mr. Lawson. Okay. Mr. Kamara? Mr. Kamara. I would also add that a lot of this data that is collected is used in ways which we really don't understand, and that the designers may not understand, because the machine- running algorithms can be inscrutable. But also, this data oftentimes is kept even after the service has been rendered. And the data is kept longer and it is kept to improve the systems of the companies that are providing these services, but we don't necessarily know how long this data is kept and for what purpose. Mr. Lawson. Okay. And whether this is appropriate or not, but recently in this committee, we talked about debt collectors. So, when there is outstanding debt and the data then is transferred over to the debt collector, how long are they able to keep the consumer information? Do you know that, Ms. Saunders? Ms. Saunders. I am not aware of any limits. And that was one of our concerns about the debt collection proposal. If debt collectors are texting people through WhatsApp, and Facebook actually sees those messages, are they going to use that data? Are they going to target people for debt settlement scams and other problems? We don't know what information gets collected and how it gets turned around and used. Mr. Lawson. When consumers sign affidavits, let's say getting a loan or have a substantial debt--and my time is about to run out--is there always something that they sign at the bottom which allows them to transfer all of the information to other collectors? Ms. Saunders. I think that information may be in the fine print. But consumers don't really know what is going to happen. Mr. Lawson. So it is as if the fine print is so small until people just really want to get credit or anything they want, forget about reading it until later on. Ms. Saunders. When consumers take on a loan, they don't expect to be hit by a debt collector. They take out a loan expecting they are going to repay it. And what happens later on is something that people aren't focused on at the moment. Mr. Lawson. Okay. I yield back, Mr. Chairman. Mr. Lynch. I thank the gentleman. The Chair now recognizes the gentleman from Arkansas, Mr. Hill. Welcome back. And you are recognized for 5 minutes. Mr. Hill. Thank you, Mr. Chairman. I appreciate you holding this hearing. This is such a fundamental hearing, I think, for all of us in fintech, because big data is the fundamental building block for financial services now, and the providing of health services now. So, getting this right is very important. And I have said since the beginning of our work in this Congress, that we can't really have a digital future in health or financial services or any other endeavor unless we get the data piece right so that we as individuals own our data, it is our data and we--as our panelists talked about, and we permission that data use individually for a health provider or financial services provider to provide us services, and that we also have an authentication system that values cyber protections and privacy and is not tied to a user name and my pet's name and my birthday year. And all about that, we have heard this year that that is fundamental. So we control our data. It is our personal data. We use that data with our financial services providers. In turn, it is authenticated in a way that protects privacy and cyber risk. And those are just critical. This gets to my friend from Missouri's line of questioning about--I want to talk as well about California and what we see. But we have one company in Arkansas that is called Acxiom, and for 50 years, they have sort of been a data bank for financial services companies. They have worked hard to do that in an ethical, secure, and legal way to protect consumers along the way. They have innovated there. They have used a lot of that data with financial services. They are now working on the California privacy law and how it can be implemented for their clients. And so a question I have about California, probably following up on Mr. Luetkemeyer, Mr. Pozza, what do you think are the biggest shortcomings in that statute? Mr. Pozza. I think one of the biggest issues around it is the sort of lack of clarity around the specific obligations, as I talked about before. A second piece of it is the way it treats financial institutions. It carves out data that is subject to Gramm-Leach-Bliley (GLB), but it does not carve out financial institutions, which means that it is layering another level of unclear regulation on top of data that is treated a certain way under GLB. So what that means for a financial institution is they have to parse through, is this particular piece of data covered under GLB; and, if not, is it then covered under CCPA if it is related to California? That, I think, is confusing both to consumers and to companies to have data treated different ways under this piecemeal approach. I think, in thinking about California, it is also instructive to look at the chance of other State legislation happening over the next year, and certainly there will be lots of bills introduced. So there is also a level of uncertainly there looking not just at what is California going to look like in a year, but what is any other State going to look like and is it going to build on top? Mr. Hill. I support a national standard for privacy, and we have tried that here. I know Mr. Scott and I talk about this on a regular basis. We have to create a consensus to do that, and I think it is an important policy, as I say, not just in financial services, but across the government. Mr. Cardinal, you suggest that APIs are critical to protecting this authentication piece and improving privacy. So in your work, are 100 percent of the consumers in your portfolio all covered by APIs? Mr. Cardinal. We are getting there. We are at-- Mr. Hill. What percent are covered by APIs? Mr. Cardinal. I would say, at this early stage, we just have raw numbers. I am not sure what the actual overall percentage is. I would say probably under a quarter. We surveyed our members and they indicated that 5\1/4\ million had made the switch from old screen scraping tech to the new APIs, and they have estimated we will be at 12 million by April of next year. It is hard to know what the entire population is. Mr. Hill. Do you think the bank regulators, the financial services regulators in the investments and banking should require all financial services data be covered by an API and not permit any form of screen scraping? Mr. Cardinal. We are a tech standards body. We are not going to comment on policy regulation, although we do inform the regulators on our progress and what we are doing on a voluntary basis. We were here just a few weeks ago, talking to the OCC, the CFPB, and Treasury, and they-- Mr. Hill. But it is a best practice, right? An API is a best practice? Mr. Cardinal. The Treasury said last year that APIs represented a big risk reduction over screen scraping, and we agree with them. Mr. Hill. Thank you, Mr. Chairman. I yield back. Chairman Lynch. The gentleman yields back. The Chair now recognizes one of our most active and thoughtful members on this task force, the gentleman from Georgia, Mr. Scott, for 5 minutes. Mr. Scott. Thank you. Thank you very much, Chairman Lynch, and I appreciate those kinds words that you had to say, and I appreciate your leadership on this. Mr. Hill is right, big data and privacy are critical to fintechs. Our technology now is moving at warp speed. Every day, it seems like there is something else we have to adjust, and I will tell you why: It has been 20 years since the enactment of Gramm-Leach-Bliley, which is the law predominantly governing the treatment of big data and privacy protection in all of the financials here. But since that time, we have seen extraordinary technological development that has changed the way consumers interact with financial services. And just in recent days, members of the Senate's Committees on Commerce, Science and Transportation, and Judiciary have released a set of privacy and data protection principles to underpin a broad privacy framework. And I am sure you all are probably aware of what the Senate has done. But among these principles are the minimization of the data collected, limitations on the way data can be shared between service providers and third parties. So thinking about the way that our financial technology has evolved, and understanding how the value of data itself has increased, how can our great financial technology grow in a way that incorporates key privacy protections? Mr. Cardinal, let me start with you. Mr. Cardinal. Thank you for the question. And I go back to our five core principles of control, where you put the customer in control of their data; transparency, so they know and see what is going on; and in a real way, traceability, access, and, of course, security. Earlier, I talked about the National Institute of Standards and Technology (NIST). NIST sets a lot of the government framework for data control and cybersecurity, and one of their core principles is data minimization. And good risk governance mandates data minimization, and we have that in our security principles as well. And the use cases we are defining set out that you should only return the data necessary to achieve a particular purpose, for example, again, a tax return or doing budgeting. Only get the data you need to do that one thing. So those five key principles really guide what we do, and I think they fit hand-in-glove with the points you raise. Mr. Scott. Okay. Mr. Kamara, in recent years, we have seen two major pieces of privacy legislation pass in California and in the European Union. These two pieces of legislation appear to shift towards what we call a bill of rights model in which a consumer can have a certain expectation of what privacy protections exist. Do you agree with this assessment? Mr. Kamara. Yes, I do. I also think that the excitement around financial technologies is great, but what I would like to see is as much excitement around privacy technologies. APIs are definitely an improvement over screen scraping, but I think we can still do better. We can bring minimization. We can minimize the amount of data collected down to zero if we invest in the right technologies. Mr. Scott. In your opinion, in these two areas where this legislation impacted, how would you assess their progress? Mr. Kamara. I am a computer scientist. I am a cryptographer. So, this is not exactly what I work on every day. I think, from my vantage point, one of the benefits is that it is forcing industry to actually have to put in real, practical technological measures to protect consumers' privacy, and I think that is a very positive outcome. Mr. Scott. And do any of you feel, in addition to you, Mr. Kamara, that any challenges have arisen with the implementation of these laws that may be helpful to us and instructive on a national basis? Mr. Kamara. I think there are surely challenges to implementing any policy, but I think these challenges are surmountable. We can use technology to do incredible things. We can use technology to provide privacy as well, so-- Mr. Scott. Do you feel comfortable that we are-- Chairman Lynch. The gentleman's time has expired. Mr. Scott. Thank you. Chairman Lynch. I thank the gentleman. The Chair now recognizes the gentleman from Ohio, Mr. Davidson, for 5 minutes. Mr. Davidson. Thank you, Mr. Chairman. This is an exciting time, because not all the time in this room do you have a near-uniform sense of what ought to be done. I haven't heard anyone say that the status quo with respect to privacy is just great. Everyone has said that it is broken, and everyone has said that there is a need to fix it. I just listened to Mr. Scott and Mr. Hill speak about their common ground that they shared in terms of a Federal approach. We haven't yet seen that bill and, unfortunately, this committee doesn't have full jurisdiction over everything. But what does have full jurisdiction over privacy? We don't need a new bill of rights with respect to privacy. I don't think there is an expiration data on the Fourth Amendment. Let me read it for you: ``The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.'' This was originally a restriction on the Federal Government doing these things but, of course, as we know, the Fourteenth Amendment ruled that out through all of the States. And I believe that Louis Brandeis in Griswold v. Connecticut expounded upon this. Unfortunately, what we have seen is a retrenching on the Fourth Amendment through a long period of time, both with respect to the government, with surveillance powers massively expanded with the Patriot Act, with renewed efforts to do that with ill-conceived ideas like the Corporate Transparency Act. And then we have seen, really over the past 30 years, as technology has gone around, most of the billionaires in Silicon Valley and, frankly, Mr. Bloomberg, have accumulated their wealth by monetizing data. It is quite valuable. In fact, it is more valuable than financial transactions. We do have a small segment carved out by Gramm-Leach-Bliley, but we are seeing even more fragmented. We have different standards that apply to different entities. When a bank collects credit card data, for example, we see different things than, say, Google Pay. One of my colleagues, a Member who gives great advice to me, recently pointed out that he purchased an airline ticket using Google's product Chrome. And Google, being the great customer service entity that it is, decided that they should store that credit card information in Google Pay. It had nothing to do with Google Pay he had no intention of signing up for Google Pay. It is all just part of the great customer experience. And I am sure that is in the fine print somewhere--I don't know how many pages or words are contained in Google's documents or how many times they are updated. I am sure we have all read them, right, printed them out, and checked each phrase before we clicked, ``accept.'' And we can all take solace that when they went public, they promised not to be evil, right? But we see the other thing. They are going to monetize. So when we talk about data minimization, Mr. Cardinal, you spoke of data minimization. You could minimize your data or at least attempt to. I only meant to share this with the airline, my credit card, when I entered it; or I only meant to share my health records with my health provider, yet Google has found a way to sell it. Going down the panel, do people believe consumers should have to give consent for transference of that data to third parties? Just yes or no, please? Ms. Saunders. It should not happen. It should not happen in ways consumers would not expect. If you didn't expect Google to keep your credit card, they just shouldn't do it. Mr. Davidson. Thank you. Mr. Kamara. I think that would be the minimum standard, yes. Mr. Davidson. Thank you. Mr. Gilliard. Absolutely minimum standard. Mr. Davidson. Thank you. Mr. Cardinal. Someone has to consent. Mr. Davidson. Thank you. Mr. Pozza. I think, taking out the aspect of a specific company, that there is--the consumer cannot be deceived under current law about what is going on with the data, and then if you are thinking about approaching it from, are you going to-- Mr. Davidson. So they can't lie, cheat or steal, or deceive them. Right now, the problem is no one really enforces it, right? Google promised they weren't going to track you with their location services; and in theory, since they said they weren't going to do that in their terms of service, there would be a way to do it. The reality is that they are so sophisticated, the average consumer can't know whether they have stopped doing it, and the regulator right now would be the Federal Trade Commission, and they clearly do not have a way to monitor whether the companies are complying with the terms of service. In the financial sector, we have regulators that do that. And at subsequent hearings, I would hope to get to who should actually oversee the regulatory framework in the United States of America, because conformance is not going to happen in the stated nature. It leads towards decay and abuse, unfortunately, and it is way past time for us to update our laws. My time has expired, and I yield back. Chairman Lynch. I thank the gentleman. The gentleman yields back. It is my pleasure to recognize the gentlewoman from Michigan, Ms. Tlaib, for 5 minutes. Ms. Tlaib. Thank you, Mr. Chairman. There are going to be very few times that you will see a lot of us agree, especially on issues that are so critically important to civil liberties, civil rights issues, but in this particular issue, I think you can find a lot of bipartisan support about the great concern in protecting our residents at home, their privacy, and so forth. I want to kind of take this in a little different direction. I don't know how many of you all know, in Detroit, there is over $1 million spending on a facial scanning system called Project Green Light, which enables police to identify and track residents, capturing hundreds of private and public surveillance cameras installed at parks, schools, health centers, gas stations, women's clinics, fast food restaurants, and even addiction treatment centers. It has been expanded to also even include churches and low-income housing. Overall, this aggressive City-wide surveillance system has reached more than 500 of our City's businesses and institutions and community organizations. Ms. Saunders, are citizens even aware that they are being recorded and that their images are being captured? Ms. Saunders. No, I am sure that they are not. Ms. Tlaib. What are some of the implications of this technology being used in low-income housing specifically? Ms. Saunders. This is not an area of our expertise, but I am sure people would be concerned to know that they are being tracked and that their individual identities are in government databases being used in ways that they wouldn't expect. Ms. Tlaib. Dr. Gilliard, do you have anything to comment about this? Mr. Gilliard. I do. I think particularly for marginalized populations, this is especially onerous, because they are already subject to lots of surveillance in their daily lives that they are not able to escape. They don't have the means either to avoid this kind of surveillance, but also, maybe there are questions of if they are on public assistance, have they had run-ins with law enforcement, things like that. And that level of scrutiny on anyone is harmful, but I think the physical, emotional, and psychological effects on people to think that they are constantly being watched or to know that they are constantly being watched, I think is very pernicious. Ms. Tlaib. These are for-profit entities coming to sell to cities like Detroit, and other communities of color, technology that hasn't even been tested properly, and is flawed. Studies over and over again have shown that it is flawed. I think the ACLU even did a sample of Members of Congress, and I believe they misidentified the majority of the folks who are in there, especially the Brown/Black Members within the United States Congress. Given that Black men, and boys especially, are already more than twice as likely to die in an encounter at the hands of police, there are really strong implications of what this would mean, but also the fact that these are low-income families, people who are being surveilled. One of my residents told me the green light that flashes-- they actually put a green light outside of their building. And when I asked the mayor about this, he said, ``What do you mean?'' I said, no, just you are telling this person that they are unsafe. You are letting the world know, as people are passing by, don't come here. It is unsafe. It is very counterproductive to trying to make people feel safe. It is saying, if you are poor, you deserve to feel less safe and to have kind of the stigma to be on you for living in public housing. Currently, my colleagues, Representative Ayanna Pressley and Representative Yvette Clarke, and I introduced the No Biometric Barriers to Housing Act, which would prohibit completely any use of real facial recognition technology in Federal housing. What would you all feel, is this something that you all would be able to support? Mr. Gilliard. Absolutely. I think more surveillance does not equal more safety. I think imperfect surveillance is bad, but perhaps perfect surveillance is even worse. Mr. Kamara. Yes, absolutely. Biometric data is very intrusive. It is very difficult to store and protect. If it gets leaked, if there is a data breach, biometric data is very hard to revocate. So, that is another issue. And a lot of these surveillance databases are connected with DMV data. They are connected with other datasets as well. There are also a lot of problems with, if you end up in one of these databases, it is very difficult to get off of it. That is another issue as well. So, absolutely. Ms. Saunders. That particular bill is a bit outside our organizational expertise, but as a general matter, we certainly are concerned about the collection of personal data about people without their consent, and also especially about data that may be used differently against different populations. And, as you note, there could be mistakes, especially if you don't test it for how it works for people of-- Ms. Tlaib. No, there are actually documented mistakes. I know I am out of time, but thank you, Mr. Chairman. And thank you all so much for being here to testify. Chairman Lynch. Very insightful observations. Thank you. The gentleman from Wisconsin, Mr. Steil, is recognized for 5 minutes. Mr. Steil. Thank you very much, Mr. Chairman. Mr. Pozza, I would like to dive into some of your testimony. The European Union's General Data Protection Regulation gives individuals the right to be forgotten. This is kind of intuitive as to what this might mean as it relates to Facebook, and maybe as it relates to Google. I think where some of the struggle comes in is, in particular, financial services products, loans, and insurance. I can think of a life insurance product where that is very challenging, if somebody comes in and asks for the right to be forgotten, but they are the beneficiary of someone else's life insurance product. It gets a bit complicated. Could you comment and provide some insight as to how the right to be forgotten and other digital deletions impact common financial products? And then, what other implications should policymakers be thinking of in this context? Mr. Pozza. I think that is a great question. I think that the deletion right, as it is sort of known under California, or the right to be forgotten, needs to be assessed in a way that is contextual. The examples that you point out are the kinds of things that maybe under California's law could be business exemptions, right? So, it can't just be a broad brush. You should be able to delete your data in a way that the business can no longer function, or it needs it to use for other sorts of analytical tools to make sure that it is not discriminating or something like that. There are lots of reasons why you would need to cabin something like that to be practical in terms of business. And I think that goes to just the general approach of being sensitive to the business concerns when making and creating these sorts of rights. The second piece of this is, the ABA recently released a report--it is in my testimony--that talks about the way that these deletion rights might impact sort of data models that would then be incomplete if they're used for things like fraud detection. So, again, you could potentially have something in the law that carves out these uses where it makes sense to make sure that companies have robust access to these datasets so they can use things like detecting fraud. Mr. Steil. Let me dig in here for a second. In particular, as it relates to this, where sometimes you have these conflicting regulations, where you are trying to work in multiple jurisdictions, and businesses and consumers, I think, face increasingly complicated sets of overlapping and conflicting rules. As you mentioned in your testimony, GDPR affects us since many of the services we are using are offered in Europe. CCPA, as you noted, is sometimes overlapping on this. Could you comment how the complexity impacts businesses and consumers and how Congress should respond to the costly and complicated overlapping system of regulations? Mr. Pozza. I think it is clearly costly for businesses, as I have talked about, to have multiple different regimes governing different kinds of data. I would also reiterate that I think it is difficult for consumers to have these different regimes because they don't necessarily have clear expectations about how their data will be treated, which is a lot of what we talked about today. When it comes to looking at something possibly on a Federal level, I think the U.S. Chamber has some pretty good principles they have outlined that talk about things like a risk-based approach and being sort of technology-neutral as much as possible and realizing that there are these tradeoffs, that consumer control of their information clearly is an important value, and that there are other sorts of things, as you point out, where it intersects with other kinds of regulations that you just sort of need to balance those. Mr. Steil. I appreciate your time and testimony today. Mr. Chairman, I yield back. Chairman Lynch. The gentleman yields back. First of all, I would like to thank our witnesses for your testimony today and for helping the task force with its work. Without objection, the following documents will be submitted for the record. We have received submissions from the American Bankers Association, the Electronic Transaction Association, Fidelity Investments, Finicity, Public Knowledge, and Plaid, P-l-a-i-d. The Chair notes that some Members may have additional questions for this panel, which they may wish to submit in writing. Without objection, the hearing record will remain open for 5 legislative days for Members to submit written questions to these witnesses and to place their responses in the record. Also, without objection, Members will have 5 legislative days to submit extraneous materials to the Chair for inclusion in the record. I wish you all a very happy and safe Thanksgiving. This hearing is now adjourned. [Whereupon, at 11:00 a.m., the hearing was adjourned.] A P P E N D I X November 21, 2019 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] [all]