[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                   PRESERVING THE RIGHT OF CONSUMERS
                   TO ACCESS PERSONAL FINANCIAL DATA

=======================================================================

                             HYBRID HEARING

                               BEFORE THE

                   TASK FORCE ON FINANCIAL TECHNOLOGY

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 21, 2021

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 117-46
                           

                              __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
45-863 PDF                 WASHINGTON : 2021                     
          
-----------------------------------------------------------------------------------   
   

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                 MAXINE WATERS, California, Chairwoman

CAROLYN B. MALONEY, New York         PATRICK McHENRY, North Carolina, 
NYDIA M. VELAZQUEZ, New York             Ranking Member
BRAD SHERMAN, California             FRANK D. LUCAS, Oklahoma
GREGORY W. MEEKS, New York           BILL POSEY, Florida
DAVID SCOTT, Georgia                 BLAINE LUETKEMEYER, Missouri
AL GREEN, Texas                      BILL HUIZENGA, Michigan
EMANUEL CLEAVER, Missouri            ANN WAGNER, Missouri
ED PERLMUTTER, Colorado              ANDY BARR, Kentucky
JIM A. HIMES, Connecticut            ROGER WILLIAMS, Texas
BILL FOSTER, Illinois                FRENCH HILL, Arkansas
JOYCE BEATTY, Ohio                   TOM EMMER, Minnesota
JUAN VARGAS, California              LEE M. ZELDIN, New York
JOSH GOTTHEIMER, New Jersey          BARRY LOUDERMILK, Georgia
VICENTE GONZALEZ, Texas              ALEXANDER X. MOONEY, West Virginia
AL LAWSON, Florida                   WARREN DAVIDSON, Ohio
MICHAEL SAN NICOLAS, Guam            TED BUDD, North Carolina
CINDY AXNE, Iowa                     DAVID KUSTOFF, Tennessee
SEAN CASTEN, Illinois                TREY HOLLINGSWORTH, Indiana
AYANNA PRESSLEY, Massachusetts       ANTHONY GONZALEZ, Ohio
RITCHIE TORRES, New York             JOHN ROSE, Tennessee
STEPHEN F. LYNCH, Massachusetts      BRYAN STEIL, Wisconsin
ALMA ADAMS, North Carolina           LANCE GOODEN, Texas
RASHIDA TLAIB, Michigan              WILLIAM TIMMONS, South Carolina
MADELEINE DEAN, Pennsylvania         VAN TAYLOR, Texas
ALEXANDRIA OCASIO-CORTEZ, New York   PETE SESSIONS, Texas
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
NIKEMA WILLIAMS, Georgia
JAKE AUCHINCLOSS, Massachusetts

                   Charla Ouertatani, Staff Director

                   TASK FORCE ON FINANCIAL TECHNOLOGY

               STEPHEN F. LYNCH, Massachusetts, Chairman

JIM A. HIMES, Connecticut            WARREN DAVIDSON, Ohio, Ranking 
JOSH GOTTHEIMER, New Jersey              Member
AL LAWSON, Florida                   PETE SESSIONS, Texas
MICHAEL SAN NICOLAS, Guam            BLAINE LUETKEMEYER, Missouri
RITCHIE TORRES, New York             TOM EMMER, Minnesota
NIKEMA WILLIAMS, Georgia             BRYAN STEIL, Wisconsin
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    September 21, 2021...........................................     1
Appendix:
    September 21, 2021...........................................    27

                               WITNESSES
                      Tuesday, September 21, 2021

Carpenter, Tom, Director, Public Affairs, Financial Data Exchange 
  (FDX)..........................................................     4
Carrillo, Raul, Associate Research Scholar, Yale Law School, and 
  Deputy Director, Law and Political Economy Project.............     6
Cochran, Kelly Thompson, Deputy Director, FinRegLab..............     8
Smith, Steve, Co-Founder and CEO, Finicity.......................    12
Wu, Chi Chi, Staff Attorney, National Consumer Law Center (NCLC).    10

                                APPENDIX

Prepared statements:
    Carpenter, Tom...............................................    28
    Carrillo, Raul...............................................    47
    Cochran, Kelly Thompson......................................    67
    Smith, Steve.................................................    83
    Wu, Chi Chi..................................................    85

              Additional Material Submitted for the Record

Lynch, Hon. Stephen F.:
    Written statement of Acorns..................................    99
    Written statement of Akoya...................................   102
    Written statement of the American Bankers Association........   106
    Written statement of the Bank Policy Institute...............   119
    Written statement of Envestnet Yodlee........................   123
    Written statement of the Financial Data and Technology 
      Association of North America...............................   127
    Written statement of the Financial Technology Association....   135
    Written statement of Pinwheel................................   138
    Written statement of Plaid, Inc..............................   145
    Written statement of The Clearing House......................   149
Williams, Hon. Nikema:
    Written responses to questions for the record submitted to 
      Chi Chi Wu.................................................   172

 
                   PRESERVING THE RIGHT OF CONSUMERS
                   TO ACCESS PERSONAL FINANCIAL DATA

                              ----------                              


                      Tuesday, September 21, 2021

             U.S. House of Representatives,
                Task Force on Financial Technology,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The task force met, pursuant to notice, at 10:03 a.m., in 
room 2128, Rayburn House Office Building, Hon. Stephen F. 
Lynch, [chairman of the task force] presiding.
    Members present: Representatives Lynch, Himes, Gottheimer, 
Lawson, San Nicolas, Torres, Williams of Georgia; Davidson, 
Sessions, Luetkemeyer, Emmer, and Steil.
    Ex officio present: Representative Waters.
    Chairman Lynch. Good morning. The Task Force on Financial 
Technology will come to order.
    Without objection, the Chair is authorized to declare a 
recess of the task force at any time. Also, without objection, 
Members of the full Financial Services Committee who are not 
members of this task force are authorized to participate in 
today's hearing.
    As a reminder, I ask all Members to keep themselves muted 
when they are not being recognized by the Chair. The staff has 
been instructed not to mute Members, except when a Member is 
not being recognized by the Chair and there is inadvertent 
background noise.
    Members are also reminded that they may only participate in 
one remote proceeding at a time. If you are participating 
today, please keep your camera on, and if you choose to attend 
a different remote proceeding, please turn your camera off.
    Today's hearing is entitled, ``Preserving the Right of 
Consumers to Access Personal Financial Data.''
    I will now recognize myself for 4 minutes to give an 
opening statement.
    Good morning, and welcome to this hearing of the Financial 
Services Committee's Financial Technology Task Force. Today's 
hearing will discuss various issues surrounding the gathering, 
usage, and protection of consumer financial data.
    I would like to begin by thanking our distinguished panel 
of witnesses who have agreed to testify and offer their diverse 
perspectives as Congress and regulators grapple with the 
rapidly changing landscape in this area.
    The collection and utilization of consumer financial data 
has exploded in the past decade as the usage of smart phones, 
myriad devices, and the Internet of Things, enhanced 
computational power and algorithms, and artificial intelligence 
and robotic process automation have been combined to transform 
the way consumers manage their finances and conduct the most 
basic economic activities, while also changing the way 
financial services providers have responded to consumers' 
desires and preferences.
    Whether using a payment processor to split a dinner bill, 
employing a personal financial management app to track 
spending, or accessing a mobile lending platform for a personal 
loan, consumers and financial services providers rely more 
keenly on the data flow that underpins the delivery of those 
services.
    The consumer financial data ecosystem has also expanded 
beyond traditional banks and insurers to include data 
aggregators, payment processors, neobanks, and mobile lenders 
employing technologies that were not necessarily anticipated in 
earlier legislation and regulation.
    While there is little doubt that recent emerging financial 
services innovations have real potential to improve the 
efficiency and accuracy of those services, while reducing costs 
and fostering greater inclusion, the relentless full spectrum 
cultivation of consumer data and the manipulation of that data 
raises important policy questions about personal data 
protections, user control, and meaningful consent to sharing 
that data, as well as the ultimate contours of personal 
privacy.
    In fairness, many financial services providers, both 
traditional and Fintechs, have requested regulatory guidance 
and greater clarity in this area.
    While some current laws governing financial data--the 
Gramm-Leach-Bliley Act, the Dodd-Frank Act, the Fair Credit 
Reporting Act, and the Equal Credit Opportunity Act--are 
generally instructive, there are serious gaps that leave much 
uncertainty, given the transformational technology and 
advancements as well as changing relationships and customer 
preferences that we face today.
    Again, I want to thank our witnesses for your willingness 
to help the task force with this work. I look forward to our 
discussion.
    And the Chair now recognizes the ranking member of the task 
force, the gentleman from Ohio, Mr. Davidson, for 5 minutes for 
an opening statement.
    Mr. Davidson. Thank you, Chairman Lynch.
    I truly appreciate that you are conducting this hearing 
today on a very important and prevalent issue. Financial 
technology seems to be developing at the speed of light in 
recent years, so it is encouraging to see this task force and 
the committee keep up with the industry, or attempt to do so.
    As I said 2 years ago when this task force held a similar 
hearing on personal financial data, it is great that there is 
common ground across the aisle on this topic. I think we all 
agree on the importance of protecting consumers' control over 
their own financial data.
    But does this mean that we both, regulators and 
policymakers alike, are moving fast enough to address the 
uncertainties in this area? I am not convinced that we are.
    However, it is encouraging to see the Consumer Financial 
Protection Bureau (CFPB) continuing to make progress towards a 
rulemaking under Section 1033 of the Dodd-Frank Act. Section 
1033 provides the opportunity to strengthen consumer control 
over their personal data. When a consumer grants consent for 
any party to access or hold their personal financial data, it 
is vital that this consent is read narrowly. I am optimistic 
that the CFPB can adequately define the proper scope of that 
consent.
    Whether this involves limiting the specific financial 
activity for which the data is needed, or the length of time it 
is authorized, I expect these types of questions to be at the 
forefront of the CFPB's process as they undertake the 
rulemaking.
    Ideally, they will conclude, as I have, that individuals 
have a property right to their own data, much like a songwriter 
would have protection for their lyrics or music as composed. 
Individuals own the data that they create.
    As things currently stand, I believe that consumers do not 
fully appreciate what they are consenting to whenever they 
utilize third-party financial services providers.
    Please note that this is not meant as a swipe at Fintech. 
Applying for personal loans, conducting peer-to-peer payments, 
getting mortgages, receiving financial product recommendations, 
just to name a few examples, has never been easier. Fintech 
companies have made financial services more accommodative than 
ever before.
    Despite this financial revolution, we need better 
transparency regarding the relationships between financial 
institutions, third-party service providers, and the consumers 
who are providing the data.
    It is encouraging to see some progress within the industry 
to shift away from practices such as screen scraping, which 
essentially circumvents any need for consent between a 
financial services provider and a third party, and towards 
application program interfaces.
    However, I believe policymakers and regulators retain the 
authority to properly shape these relationships and protect 
consumers' financial privacy, moving forward.
    I am not going to say that regulators need to impose 
regulations with technical guidance. It is best to leave those 
details to industry. However, regulators can still provide 
consumer-focused principle-based frameworks that will allow for 
innovation and competition.
    I would be remiss if I didn't acknowledge that we have some 
industry-specific standards in place to address consumer 
privacy data. These policies can largely be found within the 
Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the 
Electronic Fund Transfer Act. While Section 1033 of the Dodd-
Frank Act is a step in the right direction, we are left with a 
fragmented regulatory framework when it comes to consumer data 
privacy protection.
    I know this hearing is more narrowly focused on the 1033 
rulemaking and open banking, but I think it is important that 
Congress continues to hold the broader conversation as well.
    We are in the process of developing a bill that will be 
called, ``It's Your Data,'' which we hope will secure that 
property right in law for American citizens.
    While we can all agree on the general outcome, reaching 
that outcome is a complicated endeavor through Congress. I am 
certain many questions here today will be rather specific and 
potentially complex.
    Consumer data has become so leveraged and holds so much 
value that it has, ultimately, become a very large business 
asset. No matter how big the financial industry gets or how 
much financial technology evolves, the monetary value of 
consumer data will never be worth more than the fundamental 
right to privacy.
    Our Constitution is supposed to protect the right to 
privacy for every American citizen, and it is our duty to do 
that.
    I very much look forward to hearing our witnesses' 
testimony today, and I yield back.
    Chairman Lynch. The gentleman yields back.
    Today, we are pleased to welcome the testimony of our 
distinguished witnesses: Mr. Tom Carpenter, the director of 
public affairs with the Financial Data Exchange; Mr. Raul 
Carrillo, an associate research scholar at Yale Law School, and 
the deputy director of the Law and Political Economy Project; 
Ms. Kelly Thompson Cochran, the deputy director of FinRegLab; 
Ms. Chi Chi Wu, a staff attorney with the National Consumer Law 
Center; and Mr. Steve Smith, the CEO and co-founder of 
Finicity.
    Witnesses are reminded that their oral testimony will be 
limited to 5 minutes. You should be able to see a timer on your 
screen that will indicate how much time you have left, and a 
chime will go off at the end of your time. I would ask that you 
be mindful of the timer, and quickly wrap up your testimony if 
you hear the chime, so that we can be respectful of both the 
witnesses' and the committee members' time.
    And without objection, your written statements will be made 
a part of the record.
    Mr. Carpenter, you are now recognized for a 5-minute 
summation of your written testimony.
    Thank you.

    STATEMENT OF TOM CARPENTER, DIRECTOR OF PUBLIC AFFAIRS, 
                 FINANCIAL DATA EXCHANGE (FDX)

    Mr. Carpenter. Thank you.
    Chairman Lynch, Ranking Member Davidson, and members of the 
Task Force on Financial Technology, thank you for the 
opportunity to testify at today's hearing.
    My name is Tom Carpenter, and I serve as director of public 
affairs at the Financial Data Exchange, or FDX. I must begin by 
saying that FDX is currently barred from taking positions on 
most legislative or regulatory policy issues. FDX does advocate 
for market-led API standards for data sharing.
    Please consider the rest of my comments today as 
educational and intended to inform the task force about FDX and 
the way that our work interacts with policy and legislation.
    The best analog to understand FDX is the Bluetooth 
standard. As consumers now know today, Bluetooth brought 
together many different consumer electronics manufacturers to 
create standard specifications so that consumers could use 
differently branded products in an interoperable manner.
    In the same way, FDX brings together diverse financial 
industry players under a common application programming 
interface (API) standard. This allows consumers to share and 
move financial data between financial institutions, Fintechs, 
and intermediaries in a secure and transparent manner, and one 
which is not dependent on where one banks or which Fintech app 
a consumer may choose to use.
    And most importantly, adoption of the FDX API is replacing 
the need for data sharing that relies on shared consumer login 
credentials and screen scraping.
    A few additional details about FDX. FDX is a nonprofit 
body. The FDX API is also royalty-free. FDX currently has 200 
members across the financial sector globally, including 
Fintechs, banks, data aggregators, consumer groups, payment 
networks, financial industry groups, and other stakeholders, 
and I am pleased to be joined in this hearing at the witness 
table by Chi Chi Wu and Steve Smith, who both represent FDX 
member organizations.
    And in case you thought FDX was just an interesting 
concept, I am pleased to tell you that 22 million consumer 
accounts have been transitioned from screen scraping to the FDX 
API so far. That is 22 million consumer accounts.
    As this task force is aware, Fintech innovations are 
allowing consumers to use their own financial data to lower 
costs, for more efficient processes, better rates, and lower 
fees, expanding credit access to thin-file or no-file borrowers 
when a traditional credit score is limited or incomplete, and 
to empower better decision-making via a consumer's own big 
data, just like large companies have done for years, so they 
can actually see all of their accounts in one place.
    With this in mind, here are a few key points I would like 
to make the task force aware of today.
    First, it is critical for the task force and regulators to 
draw a bright-line distinction between user permission 
financial data sharing versus data brokerage or data 
harvesting.
    Consumer permission data sharing, all data sharing using 
the FDX API is fully controlled by the consumer and must 
include explicit consumer consent. Data brokers or harvesters 
instead collect and sell data about consumers, often without 
expressed consumer consent, control, or awareness.
    Second, FDX is committed to and believes that five core 
principles must be present in any system of financial data 
sharing or open banking to ensure the industry serves the needs 
of consumers.
    These principles are control, access, transparency, 
traceability, and security. I expand upon these in my written 
testimony, and I would be happy to answer any questions about 
them.
    Third, FDX believes that technical API standards are best 
left to the financial industry rather than defined by 
regulators.
    For a host of reasons and, again, expanded upon in my 
written testimony, we believe the industry is best suited to 
maintain and continually adapt standards to the needs of the 
market and consumer demand.
    As for the potential CFPB rulemaking, FDX submitted 
comments to the CFPB's Advance Notice of Proposed Rulemaking 
(ANPR) earlier this year, and FDX was actually mentioned or 
referenced in almost half of the comments the CFPB received.
    As above, our comments stressed to the CFPB the importance 
of FDX's five principles, as well as our core belief that 
technical data-sharing standards should be left to the 
industry.
    FDX also believes a potential CFPB rulemaking would need to 
find a good balance. Consumers must be able to access and share 
the full extent of their own financial data with third parties 
via APIs in the same way they can today via screen scraping, 
including some third parties who may have no relationship with 
a consumer's data provider.
    At the same time, data providers like banks must be able to 
maintain sound risk management practices and activities 
consistent with applicable laws and regulations. FDX is hopeful 
that its own certification of FDX API implementations will be 
helpful here.
    Finally, FDX encourages the CFPB to do more to prioritize 
the adoption of market-led API standards, and to reference or 
acknowledge these standards to further amplify the work and 
also to harmonize industry standards and regulation as much as 
possible so the standards are not caught between competing or 
overlapping or disjointed requirements.
    Thank you again for the opportunity to testify today.
    [The prepared statement of Mr. Carpenter can be found on 
page 28 of the appendix.]
    Chairman Lynch. Thank you, Mr. Carpenter.
    Mr. Carrillo, you are now recognized for 5 minutes to give 
an oral presentation of your testimony.

 STATEMENT OF RAUL CARRILLO, ASSOCIATE RESEARCH SCHOLAR, YALE 
  LAW SCHOOL, AND DEPUTY DIRECTOR, LAW AND POLITICAL ECONOMY 
                            PROJECT

    Mr. Carrillo. Thank you.
    Chairman Lynch, Ranking Member Davidson, and distinguished 
members of the task force, thank you for inviting me to testify 
this morning.
    I offer my testimony as an associate research scholar at 
Yale Law School, but I previously worked as an attorney for 
low-end consumers in New York City, and as special counsel to 
the enforcement director of the CFPB.
    This morning, I repeat previous calls for policymakers to 
adopt a bright-line approach to financial data regulation, 
recognizing both the benefits and harms of collecting highly 
personal information.
    Today, a payment made with a mobile money account typically 
includes a merchant, bank, payments processor, mobile device 
maker, internet service provider, and an app provider.
    Additionally, roughly, 50 percent of U.S. consumers and 95 
percent of U.S. deposit accounts are estimated to have signed 
up for financial apps that frequently rely on unregulated or 
underregulated data aggregators. All of these companies can 
share data widely with other corporations and law enforcement 
agencies. I agree with the National Consumer Law Center that 
consumers deserve more control over their data relative to 
banks and other financial institutions.
    That being said, consumer rights to access, review, manage, 
correct, and delete data can only be meaningful with a broader 
policy that minimizes data collection and inappropriate usage 
as a first-order principle.
    Although we should be able to entrust Fintechs and aggregators 
to collect data on our behalf, this collection process itself 
must be subject to greater accountability. Section 1033 
rulemaking should promote consumer control of information but 
in the broader context of data minimization, rather than 
maximization.
    Just as the CFPB offers more control to consumers via their 
agents using technologies like APIs, they must enforce Federal 
consumer protection, including fair credit reporting laws, in 
this space.
    If consumers are harmed, and either banks, Fintechs, or 
aggregators have not provided accurate records of existing 
financial information and, just as importantly, not included an 
explanation of how account data has been shared, the CFPB 
should take appropriate action with the presumption that 
noncompliance with Section 1033 rulemaking has led to 
unfairness to consumers and the broader purpose of Dodd-Frank, 
with which the CFPB was entrusted, has not been upheld.
    Beyond this, we must upgrade Federal consumer data and 
privacy and security laws from the notice and consent paradigm. 
There are limits to the ways in which individual consumers can 
meaningfully make choices about how their personal data is 
used.
    As legal scholar Salome Viljoen argues, the very point of 
data protection in the digital economy is to put people into 
population-based relations with one another and predict broader 
trends in social and collective behavior.
    Corporate and government actors frequently do not even know 
the purpose of collection until after they analyze an 
aggregated data set and identify proxies.
    Meaningful consent cannot exist when people do not know 
what information they are reviewing or to what end. As a matter 
of public policy then, we should not be able to forfeit our 
general rights to data privacy and security simply by clicking, 
``agree,'' as industry would often have us believe.
    Ultimately, Congress must shift the burden of data 
protection from consumers, courts, and litigators to regulators 
and tech companies. The collusion of big tech and Wall Street 
in this space and the continuing blurring of distinctions 
between financial and nonfinancial data demand especially 
careful scrutiny.
    Legislation should limit processing to only the minimum 
amount of data strictly necessary to carry out an explicit 
narrow purpose, such as the provision of a good or service 
requested by individuals, and then intentional interaction. 
This principle itself demands a robust form of transparency 
that Section 1033 rulemaking can help provide.
    I agree with Ranking Member Davidson's earlier comment that 
privacy concerns should trump property concerns in this space. 
Privacy and security are especially important as we consider 
policies of financial inclusion into poor communities and 
communities of color.
    People may volunteer payments and credit data that, when 
aggregated, confers sensitive information about disadvantaged 
groups in unpredictable ways. Public benefits, family, 
criminal, immigration, and national security law already 
provide a channel for policing troubled by civil rights 
concerns that is further exacerbated by surveillance.
    Moreover, mass data collection does not solve our deeper 
issues of financial exclusion. Apps are solutions to certain 
problems, acute problems, but not structural problems.
    The erosion of data security and privacy law and consumer 
finance should encourage us to move away from overreliance on 
credit as a method of social provisioning, growth, and poverty 
reduction, and focus on better jobs, higher incomes, and more 
equitable economic policies.
    Thank you.
    [The prepared statement of Mr. Carrillo can be found on 
page 47 of the appendix.]
    Chairman Lynch. Thank you, Mr. Carrillo.
    Ms. Cochran, you are now recognized for 5 minutes to give 
an oral presentation of your testimony.

STATEMENT OF KELLY THOMPSON COCHRAN, DEPUTY DIRECTOR, FINREGLAB

    Ms. Cochran. Good morning, and thank you again to Chairman 
Lynch, Ranking Member Davidson, and the members of the task 
force.
    My name is Kelly Thompson Cochran. I am the deputy director 
of FinRegLab, an independent research organization that 
evaluates the use of data and technology to create a more 
responsible and inclusive financial marketplace.
    We have published a number of reports on customer data 
access issues, including a groundbreaking evaluation--empirical 
evaluation--of the use of cash flow data for underwriting small 
business and consumer credit.
    Our research finds that the system for consumer-directed 
transfers is benefiting many consumers and small businesses 
today, but it is also creating risks and burdens that reduce 
its ability to create greater customer-friendly innovation and 
competition.
    Efforts to meet the financial services needs of underserved 
populations may be particularly sensitive to these risks and 
burdens, for instance, where providers' margins are already 
thin, or particular populations are particularly sensitive to 
concerns about privacy and data security.
    Thus, improving the market and regulatory infrastructure 
for customer-directed transfers has critical implications for 
competition, customer protection, and financial inclusion, 
going forward.
    We are encouraged to see several Federal regulators 
beginning initiatives to address critical threshold issues. 
While additional work by industry and Congress will be needed 
to improve the broader data ecosystem, the regulatory 
initiatives are critical to help sharpen the focus of these 
complementary efforts.
    The market today is moving towards safer and more 
efficient technologies for data transfers, both through 
bilateral agreements between large players and through broader 
standardization initiatives.
    But progress has been slowed by competitive tensions, 
coordination challenges, and regulatory uncertainty. While 
industry-led standardization efforts can be highly beneficial, 
particularly on technical issues that are hard to enshrine in 
regulation, historical experience suggests that such efforts 
will be far more efficient and effective if regulators set 
certain basic parameters.
    Three such initiatives are currently underway. In addition 
to the CFPB's 1033 rulemaking, which we have already discussed, 
the Federal Trade Commission is modernizing information 
security standards for nonbank financial services providers 
under the Gramm-Leach-Bliley Act, and prudential regulators are 
harmonizing third-party service provider guidance as it applies 
to customer information data transfers.
    We believe that the industry efforts will be substantially 
strengthened if the regulators address five key sets of issues 
in their proceedings.
    First, the deadline for particular groups of financial 
service providers to make data available upon consumer request 
under 1033.
    Second, the scope of the data that is subject to 1033 data 
access rights, the application of exceptions to that statute, 
and whether financial data sources can impose additional 
conditions on data transfers.
    Third, the obligations of companies that are acting on 
behalf of a consumer in connection with a 1033 data transfer 
and the requirements for data recipients to safeguard that 
information.
    Fourth, the CFPB's plans to begin supervision of data 
aggregators and other nonbank financial service providers that 
compile large amounts of customer permission data.
    And fifth, the scope of banks' oversight responsibilities 
concerning aggregators or aggregators' customers in their 
downstream handling of customer data.
    Interagency coordination is critical between these various 
initiatives because they are deeply interconnected. For 
instance, CFPB's supervision of aggregators could reduce third-
party risks to banks, and third-party service provider guidance 
can affect the technical infrastructure and processes for 1033 
data transfers.
    These regulatory initiatives will also help to pinpoint the 
need for specific congressional actions. For instance, 1033 
does not affirmatively define protections for data transferred 
under its provisions, and while other Federal laws potentially 
provide safeguards, they were not crafted specifically for this 
transfer system and may not apply to all of its use cases.
    More broadly, as others have discussed, there are other 
gaps showing up in the financial regulatory ecosystem as 
players and data practices and technologies change.
    Our written testimony discusses this in more depth, things 
like meaningful consumer permission while also dealing with the 
fact that there is evidence of customer overload, information 
overload, in trying to manage all of the permissions with which 
they are faced.
    The CFPB and other Federal agencies will likely grapple 
with many of these cross-cutting issues in the course of these 
proceedings. But Congress has a critical role to play in 
creating consistency across statutes.
    Modernizing customer data protections would help to reduce 
risk to consumers and small businesses, create a more level 
playing field among financial services providers, and encourage 
greater innovation and competition, going forward.
    Thank you again for the opportunity to speak today.
    [The prepared statement of Ms. Cochran can be found on page 
67 of the appendix.]
    Chairman Lynch. Thank you very much.
    Ms. Wu, you are now recognized for 5 minutes to give an 
oral presentation of your testimony.

STATEMENT OF CHI CHI WU, STAFF ATTORNEY, NATIONAL CONSUMER LAW 
                         CENTER (NCLC)

    Ms. Wu. Thank you. Thank you, Mr. Chairman, Ranking Member 
Davidson, and members of the task force for the opportunity to 
testify. I am testifying on behalf of the low-income clients of 
the National Consumer Law Center.
    The topic of this hearing is preserving the right of 
consumers to access personal financial data, and I absolutely 
agree. We support the President's Executive Order on 
competition and its call for the CFPB to continue the Section 
1033 rulemaking.
    Access to personal financial data, in particular bank 
account transaction data, has a lot of potential to benefit 
consumers. In particular, it could benefit the 45 million 
credit-invisible consumers who lack a credit history or have a 
file so skimpy that a credit score can't be generated.
    But any access to personal financial data must be subject 
to what I call, ``the three Cs and one D'': consumer choice and 
control, competition, and consumer protection; and the ``D'' is 
data security.
    Think about the data that is being accessed, how sensitive 
and revealing it is. Think about your own bank statements or 
credit card statements, and remember, a lot of credit-invisible 
consumers won't have a credit card so they will be using their 
debit card a lot.
    Bank account transaction data might show when the consumer 
gets paid, where they shop, what advocacy organizations they 
support, or which health care providers they use.
    So, consumers need control. Consumers are tired of not 
having control over our own personal data. We are tired of tech 
giants silently collecting data about us to show creepy 
personalized ads, and the original privacy-invading tech giants 
are the big three credit bureaus--Experian, Equifax, and 
TransUnion--which started collecting our information and 
monetizing it over 50 years ago without our permission.
    We need a better system with strong provisions for consumer 
control, not just whether it is consented sharing, but for what 
purposes, for how long, and control over exactly what data 
elements get shared.
    And no mice-type, click-wrap, pro-forma consent. It must be 
real, meaningful, informed, and knowing. Dashboards such as the 
ones developed by FDX are a good start. What is not good are 
efforts to access bank account data without consumer control, 
which, unfortunately, we are starting to see, including a 
current pilot for this company called Early Warning Services, 
to supply bank account information without consumer consent.
    Competition. After the Equifax data breach, there was a lot 
of discussion about how consumers have no control over credit 
bureaus because we are not the customers; we are the commodity. 
And it is true. The credit reporting system is an oligopoly, 
really a functional monopoly where we can't choose between the 
big three or walk away.
    Data aggregators and financial account data could serve as 
potential competition to the credit bureaus, and it could be 
more accurate precisely because of consumer control. If an 
aggregator does a terrible job with the accuracy of data, 
consumers should have the ability to revoke consent and delete 
their data from the aggregator's database.
    Of course, one risk we are already beginning to see is that 
the big three have started purchasing alternative data 
providers. For example, all three have bought consumer 
reporting agencies specializing in subprime credit. We would be 
really worried if the big three started buying up data 
aggregators as well.
    Consumer protection. New entrants to a market love to claim 
they are the best thing since sliced bread and existing 
regulation doesn't apply to them because they are so innovative 
or novel. But, not so much.
    Even though they were drafted several decades ago, the 
Federal consumer laws were written pretty broadly. So if it is 
used for credit underwriting, the Fair Credit Reporting Act 
applies and the Equal Credit Opportunity Act is implicated. And 
since deposit accounts are involved, the Electronic Fund 
Transfer Act is implicated.
    I very much appreciate that my fellow witness, Finicity, 
has taken a similar position with respect to the Fair Credit 
Reporting Act.
    In addition, we have urged, as part of the Section 1033 
rulemaking, that the CFPB should establish supervision 
authority over larger participant data aggregators.
    Data security. Speaking of supervision, we need supervision 
for data security. Since the Equifax data breach in 2017, we 
have urged Congress to transfer the data security authority in 
Gramm-Leach-Bliley to the CFPB for credit bureaus, and we would 
urge the same with respect to data aggregators.
    At a minimum, the FTC should complete its rulemaking to 
strengthen the safeguards rule under that Act. Financial 
account information holds great promise, but also great risk. 
It could open doors to credit from millions of underserved 
Americans.
    But the nightmare scenario is a system where every 
consumer, thick or thin file, high FICO score or not, is forced 
to give up their privacy and allow each creditor, employer, 
insurer, landlord, and government agency a direct and permanent 
digital pipeline to their bank account data.
    It is up to the regulators and, ultimately, Congress to 
make sure that this data promotes consumer welfare without 
hurting our interests.
    Thank you for the opportunity to testify. I look forward to 
your questions.
    [The prepared statement of Ms. Wu can be found on page 85 
of the appendix.]
    Chairman Lynch. Thank you, Ms. Wu.
    And Mr. Smith, you are now recognized for 5 minutes for a 
summation of your written testimony. Thank you.

     STATEMENT OF STEVE SMITH, CO-FOUNDER AND CEO, FINICITY

    Mr. Smith. Thank you. I would like to thank Chairwoman 
Waters, Ranking Member McHenry, Chairman Lynch, Ranking Member 
Davidson, and the FinTech Task Force for the opportunity to 
speak with all of you today.
    My name is Steve Smith, and I am the co-founder and CEO of 
Finicity, a MasterCard company. Finicity allows financial 
account holders, typically consumers and small and midsize 
businesses, to easily connect their accounts to a wide range of 
financial apps and services.
    This is often called, ``data aggregation.'' I spent the 
past 30 years working in the technology industry. In that time, 
there has been remarkable technological innovation. From the 
internet to mobility to cloud computing, we have experienced 
massive advancements impacting virtually every industry.
    One notable technology disruption has been the use of data 
and analytics. Large enterprises have leveraged powerful data 
and analytics tools to gain insights on business operations, 
improve efficiency, enhance consumer experiences, and much 
more.
    All of this has enabled significant cost reductions 
combined with enhanced revenue opportunities. For too long, we, 
as individuals, families, and small and midsize businesses have 
not reaped the same benefits of using our data.
    Why? The technology has been too expensive or the ability 
to collect and analyze our data has been exceptionally 
difficult or cumbersome. This is where the advent of open 
banking or open finance powered by data aggregation is flipping 
the data experience to one that empowers consumers and small 
and midsize businesses with access control and the consented 
use of their data.
    Open banking is enabling a wide range of financial products 
and services that are transforming how consumers manage their 
money, prepare their taxes, apply for loans, make real-time 
payments, and better understand and improve their credit.
    All of this is leading to more consumer choices and better 
experiences, along with increased financial literacy, financial 
inclusion, and improved financial fitness.
    Finicity has been at the center of many of these empowering 
experiences. For example, we have enabled consumers to 
contribute more data to their credit scores through Experian 
Boost and through the UltraFICO score. These solutions use cash 
flow data explicitly permissioned by users to help them build 
or improve credit and achieve their financial goals.
    So with all of this positive movement, why am I here? This 
is a technological shift that is still very much in the early 
innings. As it emerges and matures, Federal policymakers will 
play a meaningful role in the direction and pace of this 
transformation by providing clarity on data protection 
expectations, data privacy requirements, and consumer data 
rights.
    Clearly, consumer data protection is a must throughout the 
data access and sharing process. Safeguarding the data is 
foundational to accelerating innovation while protecting the 
consumers from data theft.
    Equally, I believe we all agree that the privacy of 
personally identifiable information is important to further 
consumer empowerment. In many respects, data privacy is about 
consent.
    With clear and explicit consent, consumers will know where, 
how, and for what purpose their data is being used. Putting 
them in control enhances privacy. Data should not be shared 
across or among organizations without direct and transparent 
consent.
    Finally, and I think, most importantly, consumer data 
rights must start and end with an individual's ability to 
access, use, and benefit from their data. This is foundational 
to open banking.
    It is essential that consumers have reasonable access to 
all of their financial data in possession of the data holders 
in a format that they can permission for use in financial 
services and app providers of their choosing.
    It is critical to safeguard data rights. Otherwise, the 
great progress we have made so far will fade. Data rights, 
privacy, and protection are an [inaudible] policy goals, each 
deserving focus and critical thinking.
    Trade-offs may have to be made to balance competing 
objectives. Even adopting newer and better technologies can 
have unintended consequences by curtailing data access. We 
should bear in mind that these three goals are not equal. The 
consumers' right to their data must always be prioritized and 
maintained.
    We need a clear regulatory framework to protect and 
continue open banking in the United States. That is why we are 
encouraged by the CFPB finally moving forward on a rulemaking 
under Section 1033 of the Dodd-Frank Act.
    When we started Finicity, we started with one simple 
thought: Data is the heart of good decision-making. It is 
incumbent upon all involved in this data-sharing ecosystem that 
consumers in small and midsize businesses are empowered with 
the data they need to make the best decisions for themselves, 
their families, and their organizations.
    Thank you again for the opportunity to address the task 
force, and I would be happy to answer any questions you may 
have.
    [The prepared statement of Mr. Smith can be found on page 
83 of the appendix.]
    Chairman Lynch. Thank you, Mr. Smith.
    I now yield 5 minutes to myself for questions.
    Let me ask the entire panel this, although I will select 
individuals at various times. The General Data Protection 
Regulation (GDPR) in the European Union has indicated that they 
have done it from a general policy approach.
    They have recognized the right to be informed, the right to 
access data by individuals, the right to rectification if there 
is a flaw or a mistaken statement there, the right to restrict 
processing, the right to portability so that it encourages 
competition that an individual can move their data, and also 
the right to erasure or the right to be forgotten, so-called.
    From a policy perspective, did they get that right, Ms. Wu? 
Have they gotten it right or are there gaps in what we have 
seen them attempt to accomplish?
    Ms. Wu. Thank you, Congressman Lynch, for the question.
    Many of the principles in the GDPR are reflective of fair 
information principles and, in fact, some of them are reflected 
in the Fair Credit Reporting Act. Some of them were adopted in 
California with their consumer privacy law.
    The devil is always in the details. When you talk about 
principles-based regulation, you want to drill down to the 
details. But, in general, GDPR has put in place a stronger 
framework than exists in the United States and has served as a 
model, as you can see, for some States.
    Chairman Lynch. Thank you.
    Mr. Carpenter, what are your thoughts? You are trying to 
develop this uniform standard on APIs. Would your suggested 
structure embrace those rights that have been articulated in 
the GDPR?
    Mr. Carpenter. Thank you, Chairman Lynch.
    I think a couple of things are at play. Technical API 
standards defined by the industry will always be subservient to 
any regulatory or policy actions that are put in place. So, 
whatever the industry defines, that the CFPB or other 
regulators define as principles or specifics, then standards 
will meet those obligations as needed.
    I think it is important to think a little bit about the 
complexity of the U.S. market as compared to the EU or some of 
the other countries that have gone with a strong regulatory 
model for open banking or data sharing.
    A lot of those countries have a single financial regulator. 
We have a myriad of them, a lot of times with overlapping 
jurisdiction in these areas. A lot of those countries also 
have--the financial services industry is held by just a few 
banks. We have well over 10,000 financial institutions in this 
country.
    I think the U.S. is unique in its complexity and there will 
need to be a balance between what the regulators do as well as 
what the industry does.
    So, I can't comment specifically on exactly what regulators 
should do or where that dividing line is. But we typically look 
at open banking as a, ``how,'' and a, ``what.''
    The, ``what,'' is really up to regulators and policymakers. 
The, ``how,'' is how is this accomplished? How does data move 
from point A to point B? And that is what we think is best left 
to the industry.
    Chairman Lynch. Thank you.
    Ms. Cochran?
    Ms. Cochran. I think that the GDPR framework is extremely 
helpful in the sense of thinking through the elements that need 
to be decided in, really, creating robust consumer and small 
business control over their own data.
    But the exact policy balancing depends on the particular 
use case that you are doing. For instance, we have really 
focused on credit, which I think is one of the hardest cases, 
because while the existing credit information system--
traditional credit bureaus--often don't require consumer 
consent to access data, the new system under 1033 does.
    That creates an opportunity to create a much more robust 
system where consumers have more control over what is 
happening. At the same time, you have to balance that against 
the need of creditors to be able to access representative 
historical data so that they can develop models that are fair 
and predictive and do a good job for both the customer and the 
lender.
    So, balancing both the individual rights and the public 
interests are complicated. GDPR is really helpful because it 
starts to think through those questions, although I think often 
that the balance may be different for particular use cases in 
particular situations.
    Chairman Lynch. Doesn't much depend on consent? Meaningful, 
real consent?
    Ms. Cochran. Yes. That is one of the things that I didn't 
get much time to talk about in my main testimony.
    A lot of our system today in the U.S. does depend on notice 
and consent to data activities, but it is kind of a take-it-or-
leave-it process. And what GDPR does is a much more robust 
thought process about how can consent be revoked, can data be 
deleted, and other questions.
    Thinking about consent is more than a one-time transaction. 
But we also know that there is a great deal of evidence that 
consumers are already overloaded by the decisions they are 
being asked to make, and by the notices they are being asked to 
read.
    One of the things that I think GDPR is struggling with and 
that would come up as the U.S. looks at this is how do you make 
some of those decisions simpler so that consumers can really 
focus on the critical things that they need to decide, and 
strip away some of the surrounding things that may be more 
secondary, could be more consistent, and then make the decision 
more meaningful and more powerful, in addition to those rights.
    Chairman Lynch. Thank you.
    The Chair now yields to the ranking member of the task 
force, the gentleman from Ohio, Mr. Davidson, for 5 minutes for 
his questions.
    Mr. Davidson. I thank the chairman. And I thank our 
witnesses. I appreciate not only your verbal testimony but the 
written testimony as well and the preparation you have done for 
this hearing.
    Mr. Smith, a November 2019 survey by The Clearing House 
found that 80 percent of financial app users were not aware 
that apps may use third parties to access consumer financial 
information.
    From your personal experience, can you speak to the 
progress that has been made within the Fintech industry that 
would improve customers' awareness of how their financial data 
is being used?
    Mr. Smith. Yes. Thank you very much.
    With respect to the issues surrounding consent and 
knowledge of consent, a lot of progress has been made. 
Finicity, for example, makes it very clear that Finicity is a 
services provider in the middle of the consented process 
between the consumer and the financial institution or financial 
services provider that holds their data.
    They see the FDX organization has also put in place a 
working group and has promoted standards, UI standards, that 
make it very clear how to use consent or how to apply consent 
in a best-practices format that also makes very clear the 
players that are involved in that.
    And then I would just say that Finicity, together with 
several others in the industry, both data holders and 
technology providers, has started implementing at-pace 
dashboards that allow consumers to understand who is involved 
in the consent process.
    Mr. Davidson. Yes. Thank you for that, and for just 
highlighting the user-friendliness.
    Ms. Cochran, your testimony in particular highlighted the 
consumer-friendly nature that is really so important. A lot of 
times, people will say in industry, in particular, well, it is 
in our terms and conditions, and if you print it out, it is 400 
pages in a 6-point font, and sure, you just acknowledged it.
    Could you elaborate on that, and how we could do this? I 
will come to you next, Mr. Carpenter, because of some of the 
things you have both dealt with deal with how GDPR is being 
applied versus, really, our inaction in America on privacy.
    Ms. Cochran. Yes. There is some academic research that I 
think suggests that consumers would have to spend 25 days a 
year reading all of the disclosures that they get on digital 
data across all sectors, not just financial services. But it is 
really incredible.
    Clearly, we need to get much crisper about and much more 
customer-friendly about the disclosures that are being done to 
make them really effective just in time, adapted to digital 
formats. A lot of people are reading things over their phones 
and really thinking through those questions.
    At the same time, as I said before, we also need to think 
about how many questions are we asking consumers to answer in 
one shot, and do you divide those into maybe smaller chunks to 
give consumers more control as they think through their process 
and different questions at different times?
    So, there is a real challenge ahead. The CFPB has 
disclosure authority that can be really helpful in this space. 
Consumer testing, obviously, is going to be hugely important. I 
think there are already some industry efforts that are moving 
in that direction.
    But we know that there is this broader question about 
overload that is really one of the biggest challenges in this 
space is to make that meaningful and manageable and quick, in a 
way that is helpful to consumers.
    Mr. Davidson. Yes. Thank you. And I think you also touched 
on the fact that some things just have to be off the table 
because none of us want to use an interface that is just a 
relentless series of pop-up ads.
    It is a tactic. It is not actually a real consent or choice 
for consumers.
    Mr. Carpenter, one concept, I think, that is key to the 
discussion is the idea of data minimization or the idea that 
companies should collect minimal data to provide the product or 
service.
    On the other hand, many businesses collect data that is not 
directly tied to providing the service and, of course, they 
want to use it maybe someday in the future, perhaps even for 
resale. Who knows? There is no end to the amount of data that 
some companies want to collect.
    Mr. Smith, you made that reference that there are trade-
offs. But I was really pleased that you concluded that we are 
never--the Fourth Amendment is not for sale, another bill that 
we are going to try to deal with in a bipartisan way.
    Could you touch on how to strike that balance and where 
regulators can help do that?
    Mr. Smith. Yes, thank you, Congressman Davidson.
    I would say, first of all, on data minimization, it is 
something that FDX is looking at in terms of defining and, 
really, APIs as opposed to screen scraping, provide far more 
consumer control over your data sharing.
    With screen scraping, you are sharing everything you can 
see, and with APIs, you do have the ability to potentially 
limit data that you share for a given purpose.
    We have internal use cases that are used for certification 
on the back end to ensure that the implementation of an FDX API 
is actually certifiable.
    The question is, what can we do on the consumer front end 
to possibly provide that? So, that is an area that we are 
looking into.
    I will say, just to touch on your prior question as well, 
awareness is one of our five principles, consumer awareness, 
and we are defining user experience.
    And per the other witnesses' testimony, we are looking at 
it both on the front end--what does the enrollment look like, 
how many screens does it take before a consumer just drops out, 
because there are too many questions--but then also, through 
these dashboards. So, it is not just a one-time awareness but 
an ongoing awareness.
    Mr. Davidson. Thank you for that. My time has expired. I 
yield back.
    Chairman Lynch. The gentleman yields back.
    The Chair now recognizes the gentleman from New York, Mr. 
Torres, for 5 minutes.
    Mr. Torres. Thank you, Mr. Chairman.
    I have a real concern that the biggest banks, in opposing a 
Section 1033 rulemaking, are stifling competition and choice 
under the guise of consumer protection and cybersecurity.
    There are, to be sure, legitimate cybersecurity concerns 
surrounding the consumer-authorized use of data. But it seems 
to me those concerns are best addressed not by allowing the big 
banks to hoard financial information for themselves but by 
regulating data aggregators and by protecting consumers.
    I disagree with Mr. Carpenter's earlier statement that the 
standard should be left to the industry because the big banks 
are not disinterested arbiters of what is best for consumers.
    The banks do have a vested interest in maintaining their 
oligopoly on consumer information.
    So my first question is to Ms. Wu and Ms. Cochran. Is it 
fair to say that the big banks have a conflict of interest and, 
therefore, cannot be trusted to make disinterested 
determinations about what data to share, when to share it, and 
with whom to share it?
    Ms. Wu. Thank you for the question, Representative.
    Certainly, consumer advocates are very concerned about 
ensuring that consumers do have the ability to share the data 
when they have a meaningful opportunity to consent.
    One of the things that banks early on used as a tactic to 
try to prevent data sharing is to tell consumers, if you share 
this data via screen scraping and there is some sort of 
unauthorized use, you will be on the hook, which we thought was 
just terrible.
    The last person who should suffer a loss if there is some 
sort of data breach or unauthorized access is the consumer 
themselves, and we thought that Regulation E didn't allow for 
that, and, fortunately, the CFPB, in a recent FAQ, took that 
position as well. It is not the consumer who is going to suffer 
the loss.
    So we do think that a 1033 rulemaking needs to go forward, 
and we are encouraged that there has been more cooperation. 
But, ultimately, I think there needs to be some regulatory 
teeth, especially if we are going to get rid of screen scraping 
because we can't get rid of screen scraping, until we have the 
ability for consumers at all banks to share the data, and that 
is not going to happen until you have these agreements with all 
institutions.
    Ms. Cochran. I would just add a couple of thoughts.
    As I said in my main testimony, there are competitive 
tensions all over this market--both banks and nonbanks--and 
they intersect in very complicated ways.
    I think it is one of the reasons why it is so important for 
the regulators to set certain parameters to settle certain 
questions so that industry can focus on then implementing in an 
efficient way that actually benefits everyone once those 
decisions are made.
    The other thing that I think is really important here is 
the interagency coordination that I talked about, because 
concerns about liability are legitimate open questions in this 
marketplace that affect everyone, and getting better answers to 
those questions and getting better answers to third-party 
service obligations, for instance, intersect with competitive 
interests.
    So if we can settle the regulatory questions, that kind of 
decouples these dynamics that can feed on each other in ways 
that tend to slow the process of the overall system and reduce 
the benefits for innovation and competition that Section 1033 
potentially offers.
    Mr. Torres. Thank you.
    And I certainly agree that there should be regulation. As I 
said, there are legitimate concerns about cybersecurity and 
there is a legitimate concern that data regulators are, 
largely, unregulated and unsupervised.
    I guess my question is for Mr. Smith. I am curious to know 
your obligations as a data aggregator. Do you have an 
obligation to provide accurate data and to correct inaccuracies 
and errors in data? Do you have a legal obligation to do so?
    Mr. Smith. As an aggregator, we also maintain a Community 
Reinvestment Act (CRA) status and are regulated under the Fair 
Credit Reporting Act (FCRA). We also have signed a number of 
bilateral agreements with leading financial institutions that 
require us to maintain compliance to certain aspects of the 
Gramm-Leach-Bliley Act (GLBA), and we maintain compliance to 
both State and Federal consumer privacy regulations today and 
also maintain compliance to GLBA.
    So, that is the scope of the regulatory framework that we 
fall under.
    Mr. Torres. And I have a question for Mr. Carpenter. I am 
concerned about screen scraping because it involves the use of 
login credentials. What is the timeline, in your opinion, for a 
full transition to API?
    Mr. Carpenter. That is a great question. I wish I had a 
clear answer to give to you. I think you have to think about 
the fact that, and Ms. Cochran talked about this a little bit 
and Ms. Wu did as well, there is a long tail in the United 
States.
    And so, while the biggest financial institutions who 
usually invest in their own technology stock are quickly able 
to move to APIs, a lot of the community financial institutions 
or minority-owned financial institutions usually use a 
technology core provider, so they are waiting for that core 
provider to give API access or to, essentially, level the 
playing field across all of the financial institutions.
    So, I would just say bringing the core providers in, and we 
have several that are members of FDX, to ensure that there is 
not a gap between the large and the small will help that 
timeline get accomplished.
    But I think with any technology transition--we often talk 
about the chip card--the magnetic stripe, the chip card 
transition. There were a lot of different waypoints along the 
way that had to be accomplished before you could declare 
success.
    Mr. Torres. My time has expired. Thank you.
    Chairman Lynch. The gentleman from New York yields back.
    The Chair now recognizes the gentleman from Missouri, Mr. 
Luetkemeyer, for 5 minutes.
    Mr. Luetkemeyer. Thank you, Mr. Chairman, and thank you to 
all of our witnesses today.
    This is an interesting discussion we are having here. 
Whenever I discuss screen scraping with my constituents and 
explain to them what it is, they are aghast. They are 
absolutely horrified that when they give an okay to a third 
party to--or to their utility company to direct draft off their 
bank account, they wind up with a third party having access to 
their account. They are absolutely horrified that this is 
happening.
    So, why do we allow that? Why do we not have a separate 
agreement which says that if you are going to be able to screen 
scrape and take that information and sell it, then the 
individual has to have a separate agreement with the different 
company, or with a company that is going to have a separate 
agreement with them that allows them to do that and then pay 
them for that information? Why is that not a viable option?
    Mr. Carpenter?
    Mr. Carpenter. Thank you, Congressman Luetkemeyer.
    I think it is helpful to think about the context of screen 
scraping. It is an old technology. It is not a perfect 
technology. It has a lot of issues.
    It is also what has delivered the innovation that we have 
today in the competitive financial services market, and I would 
argue that without the ability for a consumer to access and 
share their own data via screen scraping, again, while not 
perfect, we would not have had the explosion in competition in 
the financial services industry.
    Mr. Luetkemeyer. Yes, but Mr. Carpenter, let's be honest 
here. This is all done without the consumer's knowledge. Most 
of your consumers, I will guarantee you--Mr. Smith, you made a 
comment a while ago that 84 percent of people didn't know what 
was going on or they didn't approve of who had access to their 
information.
    Mr. Smith. Yes, I think that was referring to a TCH survey 
from 2 years ago.
    Mr. Luetkemeyer. But most people don't approve of what you 
are doing. They don't approve of screen scraping. We are 
sitting here making the assumption that everybody thinks it is 
okay. I am telling you that people don't believe it is okay 
and, therefore, we need to take a different perspective on this 
and say, whoa.
    The first way you protect people's privacy and their 
information is to be honest with them up front, and say, this 
is what is happening with your information and how people are 
accessing it, unbeknownst to you.
    We are approaching this from the wrong angle, I think. If 
people want to allow their accounts to be screen scraped, that 
is fine. That is an individual decision. They want to be able 
to have other people, other companies, have access to it so 
they can prevent, and with other options and other services. 
That is fine.
    But most people do not know what is going on and would be 
very reluctant to sign a form that says it is okay to do that. 
So my question is, why can't we do that? Why can't we have the 
company be honest with them up front and sign a separate, 
completely different form--yes, I understand, Ms. Cochran, we 
are going to have another screen you have to go through and 
sign off on something.
    But this should be in bright red letters, a whole new 
screen that says when you sign this agreement you are going to 
give access to the screen scrapers of the world to go with 
this, and this has to be something completely different than 
having a third party be able to have access to your account to 
make payments for you.
    Mr. Carpenter. Congressman, that is exactly what we are 
doing as fast as we possibly can to move to an API realm where 
instead of giving your login credentials, you are actually 
being taken to your financial data provider or financial 
institution, you are logging in, you are permissioning your 
data there at your bank on your mobile app. You are then being 
handed back with a token or a key so that an API does 
completely circumvent the sharing of login credentials.
    So, the industry is rapidly moving in that direction. As I 
mentioned, 22 million consumers have currently been 
transitioned to the FDX API. It is just a matter of, it does 
take time. You can't flip that switch overnight and cut off 
access to the consumer data sharing that they have, and I think 
we are also working--
    Mr. Luetkemeyer. Whoa, whoa, whoa. Mr. Carpenter?
    Mr. Carpenter. Yes, sir?
    Mr. Luetkemeyer. You missed my whole point by your last 
comment. People aren't aware that this is going on. Why are you 
allowing it to continue? Shouldn't we as Congress, or the CFPB 
as a regulator, say, whoa, people are not aware that this is 
going on?
    They should be told. There should be options presented to 
them. Why can't that be done right now? Why is this allowed to 
continue to go on, when we know that people don't know what is 
going on?
    Mr. Carpenter. And I would just say--
    Ms. Wu. Congressman, if I may, this is one area where we 
completely agree. You and I are on the same page. We think that 
this sort of mice-type consent is not acceptable. We need 
meaningful, informed, separate dashboard, separate web page 
consent. And not just a yes or no, but how much information to 
share and for how long.
    I understand the concern about information overload. It is 
something we are worried about, too, and how you design the 
consent is very important and that is something that FDX and 
others are working on, so that it is easy.
    But yes, a yes/no decision would be easy, would prevent 
overload, but it wouldn't maximize the control, and we think 
the consumer should have maximum control over their own data.
    Mr. Luetkemeyer. I see my time is expired, Mr. Chairman. I 
yield back. Thank you.
    Chairman Lynch. The gentleman yields back.
    The Chair is very pleased to welcome the Chair of the full 
Financial Services Committee, the gentlelady from California, 
Chairwoman Waters, for 5 minutes.
    Chairwoman Waters. Thank you so very much, Mr. Lynch. I 
certainly appreciate this hearing. It is very important. And it 
seems as if I am agreeing with Mr. Luetkemeyer for the first 
time since we have served on this committee together.
    Mr. Luetkemeyer. Isn't that an overwhelming feeling, Madam 
Chairwoman?
    Chairwoman Waters. I want to make sure, and this may have 
been discussed before I came in, but I want to know about opt-
out as opposed to opt-in. I get, from the people I do business 
with, something in small writing on page 15 somewhere, that 
says, if you want to opt-out, you have to let us know.
    And people don't pay any attention to that. They don't even 
know what is meant by it. And if you don't opt-out, your 
information is shared with a third party, the third party 
shares the information with somebody else, somebody else shares 
the information, and then you get all these solicitations, 
people who are not only soliciting you for their products, and 
we don't know anything about those firms, and what protections 
we have, et cetera.
    So, this is very simple to me. Mr. Luetkemeyer asked, why 
don't we just change it, why don't we just make sure the 
consumer knows? He talked about it a little bit differently, 
but my question is very simple: Why don't we just change the 
law, or make a law that says you cannot simply offer to opt-out 
on page 31, and if you don't do it, your information is going 
to be shared?
    Mr. Carpenter?
    Mr. Carpenter. Yes, ma'am. Madam Chairwoman, thank you for 
the question. I want to be very clear up front that I am not in 
any way sticking up for screen scraping in its current manner. 
Our entire organization's mission is to move to a new API 
standard.
    In terms of your question, everything that happens through 
consumer permission data sharing is directed. It is that opt-
in, as you say, directed by the consumer. They are the one who 
downloads the app to start with. They are the one who goes to 
their financial institution to permission their data. So, none 
of what we are doing with FDX is taking a consumer's data 
without permission or consent.
    Chairwoman Waters. Ms. Cochran?
    Ms. Cochran. Yes. I think this is an incredibly important 
issue, and it cuts across 1033, Gramm-Leach-Bliley, and the 
Fair Credit Reporting Act. Right now, we have Federal laws that 
don't require consent at all. They just set permissible 
purposes and say companies can use it within those bounds. We 
have laws that rely on opt-out consent, which means the data 
flows unless the consumer says no. And now, with 1033, we have 
a regime where the consumer has to say yes to turn it off.
    So, we have all three in our current system. We know 
consumers are overloaded with the choices they are making. And 
so the balance between both how do we do consent well, where 
consumers really understand and are making the decisions they 
intend to make, and how do we, in some cases, maybe define the 
permissible purposes so they don't have to decide everything on 
a company-by-company or product-by-product basis. That is why 
this is so complicated, and it really requires looking more 
broadly, even beyond the 1033, to get to the answers to some of 
these questions.
    Chairwoman Waters. And what is your recommendation?
    Ms. Cochran. There is a lot of evidence that opt-out 
consent is very sticky, that consumers don't tend to see it, 
they may not be reading those regimes. And so, I think that one 
in the middle is a particularly tricky category. We know, in 
GDPR and some other jurisdictions, that people are starting to 
look harder at purposeful purpose regulations so that consumers 
don't have to decide everything, or that there are gradations 
and tiers to how many things that they are asked to decide 
quickly in one setting. And I think looking closer at both of 
those options is potentially really helpful.
    Chairwoman Waters. I want to be very clear that on the opt-
out opportunity, if you do nothing, that means that you opted 
in, is that correct?
    Ms. Cochran. Right.
    Chairwoman Waters. Something is wrong with that. Thank you. 
I yield back the balance of my time.
    Chairman Lynch. Madam Chairwoman, I am going to yield to 
Mr. Carrillo to ask him to offer his observations on this.
    Mr. Carrillo. Thank you very much. Thank you very much, 
Chairman Lynch, and thank you for the question, Chairwoman 
Waters. I think that permissible purpose regulation is 
necessary at this point and we need to go beyond the notice and 
consent paradigm. It is possible, within notice and consent 
laws, to allow for click-wrap contracts, as the National 
Consumer Law Center has noted, that give companies the ability 
to harvest data based on the agreements, but data that is far 
more than what was intended by the consumer.
    So, the agreement between the consumer and a company is not 
the appropriate site of regulation. We need to establish a 
longer list of how companies can use data, and to what end. 
There are still tricky questions as to intent, but it is a 
better frame to look at this from a broader perspective of 
public policy rather than identifying what consumers understand 
or not at the point of sale or point of agreement. Thank you.
    Chairman Lynch. I thank the gentleman.
    The Chair now recognizes the gentlewoman from Georgia, Ms. 
Williams, who is also the Vice Chair of our Subcommittee on 
Oversight and Investigations, for 5 minutes.
    Ms. Williams of Georgia. Thank you, Mr. Chairman. Thank you 
for holding this hearing today for this important task force.
    Anyone who follows my work in Congress knows that closing 
the racial wealth gap, which in my home of Atlanta, 
unfortunately is the worst in the nation, is the goal that I 
infuse into all of my policy work, especially my work here on 
the Financial Services Committee. In Congress, we have to be 
sure that financial innovation proceeds in a way that doesn't 
just deliver benefits to a few but to all, especially those 
most marginalized.
    Today, I would like to focus on how we ensure personal 
consumer data is not used to reinforce racial and other biases. 
The discussions that we have here and the policy that we pursue 
will determine the level of progress that we make toward 
building an economy that is inclusive and fair for all.
    Ms. Wu, in your testimony you mentioned that we need to be 
looking out for and preventing disparate impact when it comes 
to data used for credit purposes. Could you elaborate on what 
best practices Congress can employ to make sure that we're 
picking up on any broad patterns of disparate impact? How can 
Congress be sure we are addressing any issues through 
legislation as needed, and making sure that the CFPB and other 
agencies are writing appropriate and timely rules of the road?
    Ms. Wu. Thank you for the question, Congresswoman Williams. 
Certainly whenever big datasets are used, whether it's new 
data, like cash flow information, or old-fashioned data, like 
credit reports, one of the things that you really want to look 
for is racial disparities and disparate impact. We know, as a 
baseline, that credit reports and credit scores exhibit huge 
racial disparities.
    Cash flow information and the work by FinRegLab shows that 
it may be more promising as a source of information, but it is 
still going to show racial disparities. Why? For a number of 
reasons. First, it still reflects fundamental underlying racial 
disparities in economics in our society, and second, 
overdrafts. Cash flow information will never truly be able to 
benefit consumers of color until we get rid of overdraft 
abuses, because that is one of the key things that they look 
for in cash flows, and we know overdrafts hit minority 
consumers a lot harder. We have to deal with the overdraft 
abuses.
    With respect to big datasets and artificial intelligence 
and machine learning, one of the things we have seen is that 
they are not free of racial disparities. They reflect back what 
exists. If you take a dataset that inherently has racial 
disparities, and you have the AI or machine-learning model 
learn from it, it is just going to replicate it. And the 
problem is, people think, oh, AI and machine learning, there is 
no bias, but there is. It is all a reflection of the underlying 
data that is a reflection of the inequalities in our society.
    And so, we need to be cognizant of that. We need to be 
aware of that. The unequal position of African Americans and 
Latinx consumers in this society was built from decades and 
centuries of intentional discrimination, and we are not going 
to deal with those disparities until we intentionally try to 
address them consciously. If you just say, let's treat everyone 
equal, that is not equity and that is not going to do it.
    Ms. Williams of Georgia. Ms. Wu, you just mentioned that 
Black consumers are disparately impacted by bank overdraft 
practices, and that we should keep this in mind when related to 
consumer data, to whom consumer data is employed. So, how could 
greater use of no-fee accounts address the underlying disparity 
informing the data, going forward? Can you tell us the 
importance of simultaneously addressing concerns with the data 
used and disparities that inform the data being used?
    Ms. Wu. Certainly, there have been a lot of efforts to 
provide bank accounts for folks who have struggled with 
overdrafts, accounts that don't impose overdrafts and overdraft 
fees, that don't allow people to overdraft with their debit 
cards, which is a huge problem, that don't reorder 
transactions. And efforts by organizations to promote banking 
are very helpful. And you can't get cash flow bank account 
information if you don't even have a bank account, and we know 
there are also disparities on who has a bank account. And we 
know that lots of consumers, low-income and minority consumers 
are driven out of the banking system by overdraft abuses.
    So yes, efforts to get unbanked consumers into bank 
accounts that are low-fee and safe are really important, but 
what is really more important is congressional action to just 
tamp down on those overdraft abuses and make sure that they do 
not hit all consumers, not just the ones who are able to 
benefit from no-fee and safe bank accounts.
    Ms. Williams of Georgia. Thank you, Ms. Wu. I am out of 
time, Mr. Chairman, but I do have another question around 
technology and broadband access that I will submit for the 
record, and hope that one of our esteemed panelists can provide 
some answers on that as we continue to move forward in this 
work.
    Thank you, and I yield back.
    Chairman Lynch. I thank the gentlelady, and we welcome her 
question.
    The Chair now recognizes the gentleman from Wisconsin, Mr. 
Steil, for 5 minutes.
    Mr. Steil. Thank you very much, Mr. Chairman. I would like 
to dive in, Mr. Carpenter, if I can, with you. In your 
testimony, you talked about the, ``what,'' and the, ``how,'' of 
open banking. I thought it was well said, the, ``what,'' being 
the question of which data fields are shared and under what 
agreements or restrictions, and the, ``how,'' more of the 
technological question.
    I think another really appropriate question for us, and I 
would love to have you speak to it, is what is the appropriate 
role of the Federal Government in helping to address those two 
questions that you posed?
    Mr. Carpenter. It is a good question. I wish that I had the 
perfect dividing line for you. I tried to set it up. I think 
what has happened in the U.S. is many will say, oh, the U.S. is 
so behind in open banking. The truth is, we are actually in 
front. If you look at the number of consumers who have access 
to their data, and the ability to use it in innovative Fintech 
services, we are actually leading the world in that regard. And 
so, I would argue that the CFPB and other regulators have 
actually taken an appropriate time to watch the industry mature 
in this area.
    That said, where there are friction points, the Federal 
Government may need to step in to decide some of these issues. 
Industry standards can do a lot, but we are not a silver 
bullet. We cannot answer every single sticky policy question. I 
think where the government might see friction between the 
industry or the inability to come to a decision on, say, the 
scope of data or the like, it may be a role for the Federal 
Government to step in.
    Mr. Steil. Thank you. Mr. Smith, I would like to hear your 
thoughts on the same thing. Hearing kind of his take, could you 
give us any thoughts as to what the appropriate role is for the 
Federal Government?
    Mr. Smith. Yes. I think when you take a look at some of the 
conflicting aspects of this, as I spoke to in my oral 
testimony, you often run into situations where underregulation 
of financial institutions are, and rightly so, very concerned 
and very focused on safety and soundness. Safety and soundness 
gives way to data security, data privacy, gives way to 
limitations on the types of data that might be accessible.
    So, when you look at rights to access, regulation would be 
helpful, clarity would be helpful to determine the types of 
data and scope of data that can be accessed for particular use 
cases, for example.
    These are the kinds of things that, as a data aggregator--
and I would just say, we've been leading the industry and 
signing bilateral agreements with financial institutions. By 
the end of this year, we will have greater than 60 percent of 
our data, 60 percent of the data flowing through our access 
pipes, integrations, through API integrations, that use a lot--
there is an authentication methodology and do not collect 
credentials. And we further will have, in the pipeline, another 
20 percent of the market coverage in integration development.
    And so, these are some of the key issues with which we 
deal.
    Mr. Steil. Let me build on that a little bit, because I 
think in your written testimony you comment on some other 
countries and their open banking policies, and I want to get 
back to Mr. Carpenter as well on the same question. Looking at 
what other governments have done as far as government 
intervention in the private market in this space, what lessons 
have been learned about the appropriate role of government 
regulation in this space?
    Mr. Smith. Yes, I think Mr. Carpenter's comment was that 
the U.S. has certainly been leading from an innovation 
perspective and has more of a wait-and-see attitude from a 
regulatory perspective, where other countries have been a bit 
more aggressive or proactive, from a regulatory perspective.
    Mr. Steil. And knowing that they have been more aggressive 
or more proactive, your term, what do you think the lesson 
learned is from that?
    Mr. Smith. Yes, I think there is a benefit to understanding 
what the use case and the value proposition is to consumers and 
forming regulation around ensuring that consumers are not 
harmed in any way and that the value proposition associated 
with open access to data is maintained.
    Mr. Steil. Okay. Let me jump back to you, Mr. Carpenter, on 
the same topic. What lessons learned do you see from government 
intervention, in particular in foreign countries?
    Mr. Carpenter. I would argue that the lesson learned is 
that you can't really go with all one approach or the other. 
There really does probably need to be a hybrid approach. When 
you have an entirely regulatory-dictated system, you end up 
with compliance versus actually meeting the needs of the 
market.
    What standards are able to do is actually follow the 
consumer: Where is the demand? Where does the market actually 
need definition and standardization? It doesn't mean that there 
may not be room for principles-based regulation or regulation 
or government action that solves some tough questions. So, I 
would argue that what we have seen is that you probably do need 
a little bit of a mix of everything.
    Mr. Steil. Thank you very much. I apologize that with the 
time, we couldn't get to all of the witnesses. I yield back.
    Chairman Lynch. The gentleman yields back.
    Well, together with the ranking member, the gentleman from 
Ohio, Mr. Davidson, I would like to thank our witnesses for 
their testimony today.
    The Chair notes that some Members may have additional 
questions for these witnesses, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    This hearing is now adjourned. Thank you.
    [Whereupon, at 11:21 a.m., the hearing was adjourned.]

                            A P P E N D I X


                           September 21, 2021
                           