[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
PRESERVING THE RIGHT OF CONSUMERS
TO ACCESS PERSONAL FINANCIAL DATA
=======================================================================
HYBRID HEARING
BEFORE THE
TASK FORCE ON FINANCIAL TECHNOLOGY
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 21, 2021
__________
Printed for the use of the Committee on Financial Services
Serial No. 117-46
__________
U.S. GOVERNMENT PUBLISHING OFFICE
45-863 PDF WASHINGTON : 2021
-----------------------------------------------------------------------------------
HOUSE COMMITTEE ON FINANCIAL SERVICES
MAXINE WATERS, California, Chairwoman
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
ED PERLMUTTER, Colorado
JIM A. HIMES, Connecticut
BILL FOSTER, Illinois
JOYCE BEATTY, Ohio
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
AL LAWSON, Florida
MICHAEL SAN NICOLAS, Guam
CINDY AXNE, Iowa
SEAN CASTEN, Illinois
AYANNA PRESSLEY, Massachusetts
RITCHIE TORRES, New York
STEPHEN F. LYNCH, Massachusetts
ALMA ADAMS, North Carolina
RASHIDA TLAIB, Michigan
MADELEINE DEAN, Pennsylvania
ALEXANDRIA OCASIO-CORTEZ, New York
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
NIKEMA WILLIAMS, Georgia
JAKE AUCHINCLOSS, Massachusetts

PATRICK McHENRY, North Carolina, Ranking Member
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
ANN WAGNER, Missouri
ANDY BARR, Kentucky
ROGER WILLIAMS, Texas
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
TREY HOLLINGSWORTH, Indiana
ANTHONY GONZALEZ, Ohio
JOHN ROSE, Tennessee
BRYAN STEIL, Wisconsin
LANCE GOODEN, Texas
WILLIAM TIMMONS, South Carolina
VAN TAYLOR, Texas
PETE SESSIONS, Texas

Charla Ouertatani, Staff Director
TASK FORCE ON FINANCIAL TECHNOLOGY
STEPHEN F. LYNCH, Massachusetts, Chairman
JIM A. HIMES, Connecticut
JOSH GOTTHEIMER, New Jersey
AL LAWSON, Florida
MICHAEL SAN NICOLAS, Guam
RITCHIE TORRES, New York
NIKEMA WILLIAMS, Georgia

WARREN DAVIDSON, Ohio, Ranking Member
PETE SESSIONS, Texas
BLAINE LUETKEMEYER, Missouri
TOM EMMER, Minnesota
BRYAN STEIL, Wisconsin

CONTENTS
----------
Hearing held on:
  September 21, 2021
Appendix:
  September 21, 2021
WITNESSES
Tuesday, September 21, 2021
  Carpenter, Tom, Director, Public Affairs, Financial Data Exchange (FDX)
  Carrillo, Raul, Associate Research Scholar, Yale Law School, and Deputy Director, Law and Political Economy Project
  Cochran, Kelly Thompson, Deputy Director, FinRegLab
  Smith, Steve, Co-Founder and CEO, Finicity
  Wu, Chi Chi, Staff Attorney, National Consumer Law Center (NCLC)
APPENDIX
Prepared statements:
  Carpenter, Tom
  Carrillo, Raul
  Cochran, Kelly Thompson
  Smith, Steve
  Wu, Chi Chi
Additional Material Submitted for the Record
Lynch, Hon. Stephen F.:
  Written statement of Acorns
  Written statement of Akoya
  Written statement of the American Bankers Association
  Written statement of the Bank Policy Institute
  Written statement of Envestnet Yodlee
  Written statement of the Financial Data and Technology Association of North America
  Written statement of the Financial Technology Association
  Written statement of Pinwheel
  Written statement of Plaid, Inc.
  Written statement of The Clearing House
Williams, Hon. Nikema:
  Written responses to questions for the record submitted to Chi Chi Wu
PRESERVING THE RIGHT OF CONSUMERS
TO ACCESS PERSONAL FINANCIAL DATA
----------
Tuesday, September 21, 2021
U.S. House of Representatives,
Task Force on Financial Technology,
Committee on Financial Services,
Washington, D.C.
The task force met, pursuant to notice, at 10:03 a.m., in
room 2128, Rayburn House Office Building, Hon. Stephen F.
Lynch, [chairman of the task force] presiding.
Members present: Representatives Lynch, Himes, Gottheimer,
Lawson, San Nicolas, Torres, Williams of Georgia; Davidson,
Sessions, Luetkemeyer, Emmer, and Steil.
Ex officio present: Representative Waters.
Chairman Lynch. Good morning. The Task Force on Financial
Technology will come to order.
Without objection, the Chair is authorized to declare a
recess of the task force at any time. Also, without objection,
Members of the full Financial Services Committee who are not
members of this task force are authorized to participate in
today's hearing.
As a reminder, I ask all Members to keep themselves muted
when they are not being recognized by the Chair. The staff has
been instructed not to mute Members, except when a Member is
not being recognized by the Chair and there is inadvertent
background noise.
Members are also reminded that they may only participate in
one remote proceeding at a time. If you are participating
today, please keep your camera on, and if you choose to attend
a different remote proceeding, please turn your camera off.
Today's hearing is entitled, ``Preserving the Right of
Consumers to Access Personal Financial Data.''
I will now recognize myself for 4 minutes to give an
opening statement.
Good morning, and welcome to this hearing of the Financial
Services Committee's Financial Technology Task Force. Today's
hearing will discuss various issues surrounding the gathering,
usage, and protection of consumer financial data.
I would like to begin by thanking our distinguished panel
of witnesses who have agreed to testify and offer their diverse
perspectives as Congress and regulators grapple with the
rapidly changing landscape in this area.
The collection and utilization of consumer financial data
has exploded in the past decade as the usage of smart phones,
myriad devices, and the Internet of Things, enhanced
computational power and algorithms, and artificial intelligence
and robotic process automation have been combined to transform
the way consumers manage their finances and conduct the most
basic economic activities, while also changing the way
financial services providers have responded to consumers'
desires and preferences.
Whether using a payment processor to split a dinner bill,
employing a personal financial management app to track
spending, or accessing a mobile lending platform for a personal
loan, consumers and financial services providers rely more
keenly on the data flow that underpins the delivery of those
services.
The consumer financial data ecosystem has also expanded
beyond traditional banks and insurers to include data
aggregators, payment processors, neobanks, and mobile lenders
employing technologies that were not necessarily anticipated in
earlier legislation and regulation.
While there is little doubt that recent emerging financial
services innovations have real potential to improve the
efficiency and accuracy of those services, while reducing costs
and fostering greater inclusion, the relentless full spectrum
cultivation of consumer data and the manipulation of that data
raises important policy questions about personal data
protections, user control, and meaningful consent to sharing
that data, as well as the ultimate contours of personal
privacy.
In fairness, many financial services providers, both
traditional and Fintechs, have requested regulatory guidance
and greater clarity in this area.
While some current laws governing financial data--the
Gramm-Leach-Bliley Act, the Dodd-Frank Act, the Fair Credit
Reporting Act, and the Equal Credit Opportunity Act--are
generally instructive, there are serious gaps that leave much
uncertainty, given the transformational technology and
advancements as well as changing relationships and customer
preferences that we face today.
Again, I want to thank our witnesses for your willingness
to help the task force with this work. I look forward to our
discussion.
And the Chair now recognizes the ranking member of the task
force, the gentleman from Ohio, Mr. Davidson, for 5 minutes for
an opening statement.
Mr. Davidson. Thank you, Chairman Lynch.
I truly appreciate that you are conducting this hearing
today on a very important and prevalent issue. Financial
technology seems to be developing at the speed of light in
recent years, so it is encouraging to see this task force and
the committee keep up with the industry, or attempt to do so.
As I said 2 years ago when this task force held a similar
hearing on personal financial data, it is great that there is
common ground across the aisle on this topic. I think we all
agree on the importance of protecting consumers' control over
their own financial data.
But does this mean that we both, regulators and
policymakers alike, are moving fast enough to address the
uncertainties in this area? I am not convinced that we are.
However, it is encouraging to see the Consumer Financial
Protection Bureau (CFPB) continuing to make progress towards a
rulemaking under Section 1033 of the Dodd-Frank Act. Section
1033 provides the opportunity to strengthen consumer control
over their personal data. When a consumer grants consent for
any party to access or hold their personal financial data, it
is vital that this consent is read narrowly. I am optimistic
that the CFPB can adequately define the proper scope of that
consent.
Whether this involves limiting the specific financial
activity for which the data is needed, or the length of time it
is authorized, I expect these types of questions to be at the
forefront of the CFPB's process as they undertake the
rulemaking.
Ideally, they will conclude, as I have, that individuals
have a property right to their own data, much like a songwriter
would have protection for their lyrics or music as composed.
Individuals own the data that they create.
As things currently stand, I believe that consumers do not
fully appreciate what they are consenting to whenever they
utilize third-party financial services providers.
Please note that this is not meant as a swipe at Fintech.
Applying for personal loans, conducting peer-to-peer payments,
getting mortgages, receiving financial product recommendations,
just to name a few examples, has never been easier. Fintech
companies have made financial services more accommodative than
ever before.
Despite this financial revolution, we need better
transparency regarding the relationships between financial
institutions, third-party service providers, and the consumers
who are providing the data.
It is encouraging to see some progress within the industry
to shift away from practices such as screen scraping, which
essentially circumvents any need for consent between a
financial services provider and a third party, and towards
application program interfaces.
However, I believe policymakers and regulators retain the
authority to properly shape these relationships and protect
consumers' financial privacy, moving forward.
I am not going to say that regulators need to impose
regulations with technical guidance. It is best to leave those
details to industry. However, regulators can still provide
consumer-focused principle-based frameworks that will allow for
innovation and competition.
I would be remiss if I didn't acknowledge that we have some
industry-specific standards in place to address consumer
privacy data. These policies can largely be found within the
Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the
Electronic Fund Transfer Act. While Section 1033 of the
Dodd-Frank Act is a step in the right direction, we are left with a
fragmented regulatory framework when it comes to consumer data
privacy protection.
I know this hearing is more narrowly focused on the 1033
rulemaking and open banking, but I think it is important that
Congress continues to hold the broader conversation as well.
We are in the process of developing a bill that will be
called, ``It's Your Data,'' which we hope will secure that
property right in law for American citizens.
While we can all agree on the general outcome, reaching
that outcome is a complicated endeavor through Congress. I am
certain many questions here today will be rather specific and
potentially complex.
Consumer data has become so leveraged and holds so much
value that it has, ultimately, become a very large business
asset. No matter how big the financial industry gets or how
much financial technology evolves, the monetary value of
consumer data will never be worth more than the fundamental
right to privacy.
Our Constitution is supposed to protect the right to
privacy for every American citizen, and it is our duty to do
that.
I very much look forward to hearing our witnesses'
testimony today, and I yield back.
Chairman Lynch. The gentleman yields back.
Today, we are pleased to welcome the testimony of our
distinguished witnesses: Mr. Tom Carpenter, the director of
public affairs with the Financial Data Exchange; Mr. Raul
Carrillo, an associate research scholar at Yale Law School, and
the deputy director of the Law and Political Economy Project;
Ms. Kelly Thompson Cochran, the deputy director of FinRegLab;
Ms. Chi Chi Wu, a staff attorney with the National Consumer Law
Center; and Mr. Steve Smith, the CEO and co-founder of
Finicity.
Witnesses are reminded that their oral testimony will be
limited to 5 minutes. You should be able to see a timer on your
screen that will indicate how much time you have left, and a
chime will go off at the end of your time. I would ask that you
be mindful of the timer, and quickly wrap up your testimony if
you hear the chime, so that we can be respectful of both the
witnesses' and the committee members' time.
And without objection, your written statements will be made
a part of the record.
Mr. Carpenter, you are now recognized for a 5-minute
summation of your written testimony.
Thank you.
STATEMENT OF TOM CARPENTER, DIRECTOR OF PUBLIC AFFAIRS,
FINANCIAL DATA EXCHANGE (FDX)
Mr. Carpenter. Thank you.
Chairman Lynch, Ranking Member Davidson, and members of the
Task Force on Financial Technology, thank you for the
opportunity to testify at today's hearing.
My name is Tom Carpenter, and I serve as director of public
affairs at the Financial Data Exchange, or FDX. I must begin by
saying that FDX is currently barred from taking positions on
most legislative or regulatory policy issues. FDX does advocate
for market-led API standards for data sharing.
Please consider the rest of my comments today as
educational and intended to inform the task force about FDX and
the way that our work interacts with policy and legislation.
The best analog to understand FDX is the Bluetooth
standard. As consumers now know today, Bluetooth brought
together many different consumer electronics manufacturers to
create standard specifications so that consumers could use
differently branded products in an interoperable manner.
In the same way, FDX brings together diverse financial
industry players under a common application programming
interface (API) standard. This allows consumers to share and
move financial data between financial institutions, Fintechs,
and intermediaries in a secure and transparent manner, and one
which is not dependent on where one banks or which Fintech app
a consumer may choose to use.
And most importantly, adoption of the FDX API is replacing
the need for data sharing that relies on shared consumer login
credentials and screen scraping.
A few additional details about FDX. FDX is a nonprofit
body. The FDX API is also royalty-free. FDX currently has 200
members across the financial sector globally, including
Fintechs, banks, data aggregators, consumer groups, payment
networks, financial industry groups, and other stakeholders,
and I am pleased to be joined in this hearing at the witness
table by Chi Chi Wu and Steve Smith, who both represent FDX
member organizations.
And in case you thought FDX was just an interesting
concept, I am pleased to tell you that 22 million consumer
accounts have been transitioned from screen scraping to the FDX
API so far. That is 22 million consumer accounts.
As this task force is aware, Fintech innovations are
allowing consumers to use their own financial data to lower
costs, for more efficient processes, better rates, and lower
fees, expanding credit access to thin-file or no-file borrowers
when a traditional credit score is limited or incomplete, and
to empower better decision-making via a consumer's own big
data, just like large companies have done for years, so they
can actually see all of their accounts in one place.
With this in mind, here are a few key points I would like
to make the task force aware of today.
First, it is critical for the task force and regulators to
draw a bright-line distinction between user permission
financial data sharing versus data brokerage or data
harvesting.
Consumer permission data sharing, all data sharing using
the FDX API is fully controlled by the consumer and must
include explicit consumer consent. Data brokers or harvesters
instead collect and sell data about consumers, often without
expressed consumer consent, control, or awareness.
Second, FDX is committed to and believes that five core
principles must be present in any system of financial data
sharing or open banking to ensure the industry serves the needs
of consumers.
These principles are control, access, transparency,
traceability, and security. I expand upon these in my written
testimony, and I would be happy to answer any questions about
them.
Third, FDX believes that technical API standards are best
left to the financial industry rather than defined by
regulators.
For a host of reasons and, again, expanded upon in my
written testimony, we believe the industry is best suited to
maintain and continually adapt standards to the needs of the
market and consumer demand.
As for the potential CFPB rulemaking, FDX submitted
comments to the CFPB's Advance Notice of Proposed Rulemaking
(ANPR) earlier this year, and FDX was actually mentioned or
referenced in almost half of the comments the CFPB received.
As above, our comments stressed to the CFPB the importance
of FDX's five principles, as well as our core belief that
technical data-sharing standards should be left to the
industry.
FDX also believes a potential CFPB rulemaking would need to
find a good balance. Consumers must be able to access and share
the full extent of their own financial data with third parties
via APIs in the same way they can today via screen scraping,
including some third parties who may have no relationship with
a consumer's data provider.
At the same time, data providers like banks must be able to
maintain sound risk management practices and activities
consistent with applicable laws and regulations. FDX is hopeful
that its own certification of FDX API implementations will be
helpful here.
Finally, FDX encourages the CFPB to do more to prioritize
the adoption of market-led API standards, and to reference or
acknowledge these standards to further amplify the work and
also to harmonize industry standards and regulation as much as
possible so the standards are not caught between competing or
overlapping or disjointed requirements.
Thank you again for the opportunity to testify today.
[The prepared statement of Mr. Carpenter can be found on
page 28 of the appendix.]
Chairman Lynch. Thank you, Mr. Carpenter.
Mr. Carrillo, you are now recognized for 5 minutes to give
an oral presentation of your testimony.
STATEMENT OF RAUL CARRILLO, ASSOCIATE RESEARCH SCHOLAR, YALE
LAW SCHOOL, AND DEPUTY DIRECTOR, LAW AND POLITICAL ECONOMY
PROJECT
Mr. Carrillo. Thank you.
Chairman Lynch, Ranking Member Davidson, and distinguished
members of the task force, thank you for inviting me to testify
this morning.
I offer my testimony as an associate research scholar at
Yale Law School, but I previously worked as an attorney for
low-end consumers in New York City, and as special counsel to
the enforcement director of the CFPB.
This morning, I repeat previous calls for policymakers to
adopt a bright-line approach to financial data regulation,
recognizing both the benefits and harms of collecting highly
personal information.
Today, a payment made with a mobile money account typically
includes a merchant, bank, payments processor, mobile device
maker, internet service provider, and an app provider.
Additionally, roughly, 50 percent of U.S. consumers and 95
percent of U.S. deposit accounts are estimated to have signed
up for financial apps that frequently rely on unregulated or
underregulated data aggregators. All of these companies can
share data widely with other corporations and law enforcement
agencies. I agree with the National Consumer Law Center that
consumers deserve more control over their data relative to
banks and other financial institutions.
That being said, consumer rights to access, review, manage,
correct, and delete data can only be meaningful with a broader
policy that minimizes data collection and inappropriate usage
as a first-order principle.
Although we should be able to entrust Fintechs and aggregators
to collect data on our behalf, this collection process itself
must be subject to greater accountability. Section 1033
rulemaking should promote consumer control of information but
in the broader context of data minimization, rather than
maximization.
Just as the CFPB offers more control to consumers via their
agents using technologies like APIs, they must enforce Federal
consumer protection, including fair credit reporting laws, in
this space.
If consumers are harmed, and either banks, Fintechs, or
aggregators have not provided accurate records of existing
financial information and, just as importantly, not included an
explanation of how account data has been shared, the CFPB
should take appropriate action with the presumption that
noncompliance with Section 1033 rulemaking has led to
unfairness to consumers and the broader purpose of Dodd-Frank,
with which the CFPB was entrusted, has not been upheld.
Beyond this, we must upgrade Federal consumer data and
privacy and security laws from the notice and consent paradigm.
There are limits to the ways in which individual consumers can
meaningfully make choices about how their personal data is
used.
As legal scholar Salome Viljoen argues, the very point of
data protection in the digital economy is to put people into
population-based relations with one another and predict broader
trends in social and collective behavior.
Corporate and government actors frequently do not even know
the purpose of collection until after they analyze an
aggregated data set and identify proxies.
Meaningful consent cannot exist when people do not know
what information they are reviewing or to what end. As a matter
of public policy then, we should not be able to forfeit our
general rights to data privacy and security simply by clicking,
``agree,'' as industry would often have us believe.
Ultimately, Congress must shift the burden of data
protection from consumers, courts, and litigators to regulators
and tech companies. The collusion of big tech and Wall Street
in this space and the continuing blurring of distinctions
between financial and nonfinancial data demand especially
careful scrutiny.
Legislation should limit processing to only the minimum
amount of data strictly necessary to carry out an explicit
narrow purpose, such as the provision of a good or service
requested by individuals, and then intentional interaction.
This principle itself demands a robust form of transparency
that Section 1033 rulemaking can help provide.
I agree with Ranking Member Davidson's earlier comment that
privacy concerns should trump property concerns in this space.
Privacy and security are especially important as we consider
policies of financial inclusion into poor communities and
communities of color.
People may volunteer payments and credit data that, when
aggregated, confers sensitive information about disadvantaged
groups in unpredictable ways. Public benefits, family,
criminal, immigration, and national security law already
provide a channel for policing troubled by civil rights
concerns that is further exacerbated by surveillance.
Moreover, mass data collection does not solve our deeper
issues of financial exclusion. Apps are solutions to certain
problems, acute problems, but not structural problems.
The erosion of data security and privacy law and consumer
finance should encourage us to move away from overreliance on
credit as a method of social provisioning, growth, and poverty
reduction, and focus on better jobs, higher incomes, and more
equitable economic policies.
Thank you.
[The prepared statement of Mr. Carrillo can be found on
page 47 of the appendix.]
Chairman Lynch. Thank you, Mr. Carrillo.
Ms. Cochran, you are now recognized for 5 minutes to give
an oral presentation of your testimony.
STATEMENT OF KELLY THOMPSON COCHRAN, DEPUTY DIRECTOR, FINREGLAB
Ms. Cochran. Good morning, and thank you again to Chairman
Lynch, Ranking Member Davidson, and the members of the task
force.
My name is Kelly Thompson Cochran. I am the deputy director
of FinRegLab, an independent research organization that
evaluates the use of data and technology to create a more
responsible and inclusive financial marketplace.
We have published a number of reports on customer data
access issues, including a groundbreaking evaluation--empirical
evaluation--of the use of cash flow data for underwriting small
business and consumer credit.
Our research finds that the system for consumer-directed
transfers is benefiting many consumers and small businesses
today, but it is also creating risks and burdens that reduce
its ability to create greater customer-friendly innovation and
competition.
Efforts to meet the financial services needs of underserved
populations may be particularly sensitive to these risks and
burdens, for instance, where providers' margins are already
thin, or particular populations are particularly sensitive to
concerns about privacy and data security.
Thus, improving the market and regulatory infrastructure
for customer-directed transfers has critical implications for
competition, customer protection, and financial inclusion,
going forward.
We are encouraged to see several Federal regulators
beginning initiatives to address critical threshold issues.
While additional work by industry and Congress will be needed
to improve the broader data ecosystem, the regulatory
initiatives are critical to help sharpen the focus of these
complementary efforts.
The market today is moving towards safer and more
efficient technologies for data transfers, both through
bilateral agreements between large players and through broader
standardization initiatives.
But progress has been slowed by competitive tensions,
coordination challenges, and regulatory uncertainty. While
industry-led standardization efforts can be highly beneficial,
particularly on technical issues that are hard to enshrine in
regulation, historical experience suggests that such efforts
will be far more efficient and effective if regulators set
certain basic parameters.
Three such initiatives are currently underway. In addition
to the CFPB's 1033 rulemaking, which we have already discussed,
the Federal Trade Commission is modernizing information
security standards for nonbank financial services providers
under the Gramm-Leach-Bliley Act, and prudential regulators are
harmonizing third-party service provider guidance as it applies
to customer information data transfers.
We believe that the industry efforts will be substantially
strengthened if the regulators address five key sets of issues
in their proceedings.
First, the deadline for particular groups of financial
service providers to make data available upon consumer request
under 1033.
Second, the scope of the data that is subject to 1033 data
access rights, the application of exceptions to that statute,
and whether financial data sources can impose additional
conditions on data transfers.
Third, the obligations of companies that are acting on
behalf of a consumer in connection with a 1033 data transfer
and the requirements for data recipients to safeguard that
information.
Fourth, the CFPB's plans to begin supervision of data
aggregators and other nonbank financial service providers that
compile large amounts of customer permission data.
And fifth, the scope of banks' oversight responsibilities
concerning aggregators or aggregators' customers in their
downstream handling of customer data.
Interagency coordination is critical between these various
initiatives because they are deeply interconnected. For
instance, CFPB's supervision of aggregators could reduce
third-party risks to banks, and third-party service provider guidance
can affect the technical infrastructure and processes for 1033
data transfers.
These regulatory initiatives will also help to pinpoint the
need for specific congressional actions. For instance, 1033
does not affirmatively define protections for data transferred
under its provisions, and while other Federal laws potentially
provide safeguards, they were not crafted specifically for this
transfer system and may not apply to all of its use cases.
More broadly, as others have discussed, there are other
gaps showing up in the financial regulatory ecosystem as
players and data practices and technologies change.
Our written testimony discusses this in more depth, things
like meaningful consumer permission while also dealing with the
fact that there is evidence of customer overload, information
overload, in trying to manage all of the permissions with which
they are faced.
The CFPB and other Federal agencies will likely grapple
with many of these cross-cutting issues in the course of these
proceedings. But Congress has a critical role to play in
creating consistency across statutes.
Modernizing customer data protections would help to reduce
risk to consumers and small businesses, create a more level
playing field among financial services providers, and encourage
greater innovation and competition, going forward.
Thank you again for the opportunity to speak today.
[The prepared statement of Ms. Cochran can be found on page
67 of the appendix.]
Chairman Lynch. Thank you very much.
Ms. Wu, you are now recognized for 5 minutes to give an
oral presentation of your testimony.
STATEMENT OF CHI CHI WU, STAFF ATTORNEY, NATIONAL CONSUMER LAW
CENTER (NCLC)
Ms. Wu. Thank you. Thank you, Mr. Chairman, Ranking Member
Davidson, and members of the task force for the opportunity to
testify. I am testifying on behalf of the low-income clients of
the National Consumer Law Center.
The topic of this hearing is preserving the right of
consumers to access personal financial data, and I absolutely
agree. We support the President's Executive Order on
competition and its call for the CFPB to continue the Section
1033 rulemaking.
Access to personal financial data, in particular bank
account transaction data, has a lot of potential to benefit
consumers. In particular, it could benefit the 45 million
credit-invisible consumers who lack a credit history or have a
file so skimpy that a credit score can't be generated.
But any access to personal financial data must be subject
to what I call, ``the three Cs and one D'': consumer choice and
control, competition, and consumer protection; and the ``D'' is
data security.
Think about the data that is being accessed, how sensitive
and revealing it is. Think about your own bank statements or
credit card statements, and remember, a lot of credit-invisible
consumers won't have a credit card so they will be using their
debit card a lot.
Bank account transaction data might show when the consumer
gets paid, where they shop, what advocacy organizations they
support, or which health care providers they use.
So, consumers need control. Consumers are tired of not
having control over our own personal data. We are tired of tech
giants silently collecting data about us to show creepy
personalized ads, and the original privacy-invading tech giants
are the big three credit bureaus--Experian, Equifax, and
TransUnion--which started collecting our information and
monetizing it over 50 years ago without our permission.
We need a better system with strong provisions for consumer
control, not just whether it is consented sharing, but for what
purposes, for how long, and control over exactly what data
elements get shared.
And no mice-type, click-wrap, pro-forma consent. It must be
real, meaningful, informed, and knowing. Dashboards such as the
ones developed by FDX are a good start. What is not good are
efforts to access bank account data without consumer control,
which, unfortunately, we are starting to see, including a
current pilot for this company called Early Warning Services,
to supply bank account information without consumer consent.
Competition. After the Equifax data breach, there was a lot
of discussion about how consumers have no control over credit
bureaus because we are not the customers; we are the commodity.
And it is true. The credit reporting system is an oligopoly,
really a functional monopoly where we can't choose between the
big three or walk away.
Data aggregators and financial account data could serve as
potential competition to the credit bureaus, and it could be
more accurate precisely because of consumer control. If an
aggregator does a terrible job with the accuracy of data,
consumers should have the ability to revoke consent and delete
their data from the aggregator's database.
Of course, one risk we are already beginning to see is that
the big three have started purchasing alternative data
providers. For example, all three have bought consumer
reporting agencies specializing in subprime credit. We would be
really worried if the big three started buying up data
aggregators as well.
Consumer protection. New entrants to a market love to claim
they are the best thing since sliced bread and existing
regulation doesn't apply to them because they are so innovative
or novel. But, not so much.
Even though they were drafted several decades ago, the
Federal consumer laws were written pretty broadly. So if it is
used for credit underwriting, the Fair Credit Reporting Act
applies and the Equal Credit Opportunity Act is implicated. And
since deposit accounts are involved, the Electronic Fund
Transfer Act is implicated.
I very much appreciate that my fellow witness, Finicity,
has taken a similar position with respect to the Fair Credit
Reporting Act.
In addition, we have urged, as part of the Section 1033
rulemaking, that the CFPB should establish supervision
authority over larger participant data aggregators.
Data security. Speaking of supervision, we need supervision
for data security. Since the Equifax data breach in 2017, we
have urged Congress to transfer the data security authority in
Gramm-Leach-Bliley to the CFPB for credit bureaus, and we would
urge the same with respect to data aggregators.
At a minimum, the FTC should complete its rulemaking to
strengthen the safeguards rule under that Act. Financial
account information holds great promise, but also great risk.
It could open doors to credit from millions of underserved
Americans.
But the nightmare scenario is a system where every
consumer, thick or thin file, high FICO score or not, is forced
to give up their privacy and allow each creditor, employer,
insurer, landlord, and government agency a direct and permanent
digital pipeline to their bank account data.
It is up to the regulators and, ultimately, Congress to
make sure that this data promotes consumer welfare without
hurting our interests.
Thank you for the opportunity to testify. I look forward to
your questions.
[The prepared statement of Ms. Wu can be found on page 85
of the appendix.]
Chairman Lynch. Thank you, Ms. Wu.
And Mr. Smith, you are now recognized for 5 minutes for a
summation of your written testimony. Thank you.
STATEMENT OF STEVE SMITH, CO-FOUNDER AND CEO, FINICITY
Mr. Smith. Thank you. I would like to thank Chairwoman
Waters, Ranking Member McHenry, Chairman Lynch, Ranking Member
Davidson, and the FinTech Task Force for the opportunity to
speak with all of you today.
My name is Steve Smith, and I am the co-founder and CEO of
Finicity, a MasterCard company. Finicity allows financial
account holders, typically consumers and small and midsize
businesses, to easily connect their accounts to a wide range of
financial apps and services.
This is often called, ``data aggregation.'' I spent the
past 30 years working in the technology industry. In that time,
there has been remarkable technological innovation. From the
internet to mobility to cloud computing, we have experienced
massive advancements impacting virtually every industry.
One notable technology disruption has been the use of data
and analytics. Large enterprises have leveraged powerful data
and analytics tools to gain insights on business operations,
improve efficiency, enhance consumer experiences, and much
more.
All of this has enabled significant cost reductions
combined with enhanced revenue opportunities. For too long, we,
as individuals, families, and small and midsize businesses have
not reaped the same benefits of using our data.
Why? The technology has been too expensive or the ability
to collect and analyze our data has been exceptionally
difficult or cumbersome. This is where the advent of open
banking or open finance powered by data aggregation is flipping
the data experience to one that empowers consumers and small
and midsize businesses with access control and the consented
use of their data.
Open banking is enabling a wide range of financial products
and services that are transforming how consumers manage their
money, prepare their taxes, apply for loans, make real-time
payments, and better understand and improve their credit.
All of this is leading to more consumer choices and better
experiences, along with increased financial literacy, financial
inclusion, and improved financial fitness.
Finicity has been at the center of many of these empowering
experiences. For example, we have enabled consumers to
contribute more data to their credit scores through Experian
Boost and through the UltraFICO score. These solutions use cash
flow data explicitly permissioned by users to help them build
or improve credit and achieve their financial goals.
So with all of this positive movement, why am I here? This
is a technological shift that is still very much in the early
innings. As it emerges and matures, Federal policymakers will
play a meaningful role in the direction and pace of this
transformation by providing clarity on data protection
expectations, data privacy requirements, and consumer data
rights.
Clearly, consumer data protection is a must throughout the
data access and sharing process. Safeguarding the data is
foundational to accelerating innovation while protecting the
consumers from data theft.
Equally, I believe we all agree that the privacy of
personally identifiable information is important to further
consumer empowerment. In many respects, data privacy is about
consent.
With clear and explicit consent, consumers will know where,
how, and for what purpose their data is being used. Putting
them in control enhances privacy. Data should not be shared
across or among organizations without direct and transparent
consent.
Finally, and I think, most importantly, consumer data
rights must start and end with an individual's ability to
access, use, and benefit from their data. This is foundational
to open banking.
It is essential that consumers have reasonable access to
all of their financial data in possession of the data holders
in a format that they can permission for use in financial
services and app providers of their choosing.
It is critical to safeguard data rights. Otherwise, the
great progress we have made so far will fade. Data rights,
privacy, and protection are an [inaudible] policy goals, each
deserving focus and critical thinking.
Trade-offs may have to be made to balance competing
objectives. Even adopting newer and better technologies can
have unintended consequences by curtailing data access. We
should bear in mind that these three goals are not equal. The
consumers' right to their data must always be prioritized and
maintained.
We need a clear regulatory framework to protect and
continue open banking in the United States. That is why we are
encouraged by the CFPB finally moving forward on a rulemaking
under Section 1033 of the Dodd-Frank Act.
When we started Finicity, we started with one simple
thought: Data is the heart of good decision-making. It is
incumbent upon all involved in this data-sharing ecosystem that
consumers in small and midsize businesses are empowered with
the data they need to make the best decisions for themselves,
their families, and their organizations.
Thank you again for the opportunity to address the task
force, and I would be happy to answer any questions you may
have.
[The prepared statement of Mr. Smith can be found on page
83 of the appendix.]
Chairman Lynch. Thank you, Mr. Smith.
I now yield 5 minutes to myself for questions.
Let me ask the entire panel this, although I will select
individuals at various times. The General Data Protection
Regulation (GDPR) in the European Union has indicated that they
have done it from a general policy approach.
They have recognized the right to be informed, the right to
access data by individuals, the right to rectification if there
is a flaw or a mistaken statement there, the right to restrict
processing, the right to portability so that it encourages
competition that an individual can move their data, and also
the right to erasure or the right to be forgotten, so-called.
From a policy perspective, did they get that right, Ms. Wu?
Have they gotten it right or are there gaps in what we have
seen them attempt to accomplish?
Ms. Wu. Thank you, Congressman Lynch, for the question.
Many of the principles in the GDPR are reflective of fair
information principles and, in fact, some of them are reflected
in the Fair Credit Reporting Act. Some of them were adopted in
California with their consumer privacy law.
The devil is always in the details. When you talk about
principles-based regulation, you want to drill down to the
details. But, in general, GDPR has put in place a stronger
framework than exists in the United States and has served as a
model, as you can see, for some States.
Chairman Lynch. Thank you.
Mr. Carpenter, what are your thoughts? You are trying to
develop this uniform standard on APIs. Would your suggested
structure embrace those rights that have been articulated in
the GDPR?
Mr. Carpenter. Thank you, Chairman Lynch.
I think a couple of things are at play. Technical API
standards defined by the industry will always be subservient to
any regulatory or policy actions that are put in place. So,
whatever the industry defines, that the CFPB or other
regulators define as principles or specifics, then standards
will meet those obligations as needed.
I think it is important to think a little bit about the
complexity of the U.S. market as compared to the EU or some of
the other countries that have gone with a strong regulatory
model for open banking or data sharing.
A lot of those countries have a single financial regulator.
We have a myriad of them, a lot of times with overlapping
jurisdiction in these areas. A lot of those countries also
have--the financial services industry is held by just a few
banks. We have well over 10,000 financial institutions in this
country.
I think the U.S. is unique in its complexity and there will
need to be a balance between what the regulators do as well as
what the industry does.
So, I can't comment specifically on exactly what regulators
should do or where that dividing line is. But we typically look
at open banking as a, ``how,'' and a, ``what.''
The, ``what,'' is really up to regulators and policymakers.
The, ``how,'' is how is this accomplished? How does data move
from point A to point B? And that is what we think is best left
to the industry.
Chairman Lynch. Thank you.
Ms. Cochran?
Ms. Cochran. I think that the GDPR framework is extremely
helpful in the sense of thinking through the elements that need
to be decided in, really, creating robust consumer and small
business control over their own data.
But the exact policy balancing depends on the particular
use case that you are doing. For instance, we have really
focused on credit, which I think is one of the hardest cases,
because while the existing credit information system--
traditional credit bureaus--often don't require consumer
consent to access data, the new system under 1033 does.
That creates an opportunity to create a much more robust
system where consumers have more control over what is
happening. At the same time, you have to balance that against
the need of creditors to be able to access representative
historical data so that they can develop models that are fair
and predictive and do a good job for both the customer and the
lender.
So, balancing both the individual rights and the public
interests are complicated. GDPR is really helpful because it
starts to think through those questions, although I think often
that the balance may be different for particular use cases in
particular situations.
Chairman Lynch. Doesn't much depend on consent? Meaningful,
real consent?
Ms. Cochran. Yes. That is one of the things that I didn't
get much time to talk about in my main testimony.
A lot of our system today in the U.S. does depend on notice
and consent to data activities, but it is kind of a take-it-or-
leave-it process. And what GDPR does is a much more robust
thought process about how can consent be revoked, can data be
deleted, and other questions.
Thinking about consent is more than a one-time transaction.
But we also know that there is a great deal of evidence that
consumers are already overloaded by the decisions they are
being asked to make, and by the notices they are being asked to
read.
One of the things that I think GDPR is struggling with and
that would come up as the U.S. looks at this is how do you make
some of those decisions simpler so that consumers can really
focus on the critical things that they need to decide, and
strip away some of the surrounding things that may be more
secondary, could be more consistent, and then make the decision
more meaningful and more powerful, in addition to those rights.
Chairman Lynch. Thank you.
The Chair now yields to the ranking member of the task
force, the gentleman from Ohio, Mr. Davidson, for 5 minutes for
his questions.
Mr. Davidson. I thank the chairman. And I thank our
witnesses. I appreciate not only your verbal testimony but the
written testimony as well and the preparation you have done for
this hearing.
Mr. Smith, a November 2019 survey by The Clearing House
found that 80 percent of financial app users were not aware
that apps may use third parties to access consumer financial
information.
From your personal experience, can you speak to the
progress that has been made within the Fintech industry that
would improve customers' awareness of how their financial data
is being used?
Mr. Smith. Yes. Thank you very much.
With respect to the issues surrounding consent and
knowledge of consent, a lot of progress has been made.
Finicity, for example, makes it very clear that Finicity is a
services provider in the middle of the consented process
between the consumer and the financial institution or financial
services provider that holds their data.
They see the FDX organization has also put in place a
working group and has promoted standards, UI standards, that
make it very clear how to use consent or how to apply consent
in a best-practices format that also makes very clear the
players that are involved in that.
And then I would just say that Finicity, together with
several others in the industry, both data holders and
technology providers, has started implementing at-pace
dashboards that allow consumers to understand who is involved
in the consent process.
Mr. Davidson. Yes. Thank you for that, and for just
highlighting the user-friendliness.
Ms. Cochran, your testimony in particular highlighted the
consumer-friendly nature that is really so important. A lot of
times, people will say in industry, in particular, well, it is
in our terms and conditions, and if you print it out, it is 400
pages in a 6-point font, and sure, you just acknowledged it.
Could you elaborate on that, and how we could do this? I
will come to you next, Mr. Carpenter, because of some of the
things you have both dealt with deal with how GDPR is being
applied versus, really, our inaction in America on privacy.
Ms. Cochran. Yes. There is some academic research that I
think suggests that consumers would have to spend 25 days a
year reading all of the disclosures that they get on digital
data across all sectors, not just financial services. But it is
really incredible.
Clearly, we need to get much crisper about and much more
customer-friendly about the disclosures that are being done to
make them really effective just in time, adapted to digital
formats. A lot of people are reading things over their phones
and really thinking through those questions.
At the same time, as I said before, we also need to think
about how many questions are we asking consumers to answer in
one shot, and do you divide those into maybe smaller chunks to
give consumers more control as they think through their process
and different questions at different times?
So, there is a real challenge ahead. The CFPB has
disclosure authority that can be really helpful in this space.
Consumer testing, obviously, is going to be hugely important. I
think there are already some industry efforts that are moving
in that direction.
But we know that there is this broader question about
overload that is really one of the biggest challenges in this
space is to make that meaningful and manageable and quick, in a
way that is helpful to consumers.
Mr. Davidson. Yes. Thank you. And I think you also touched
on the fact that some things just have to be off the table
because none of us want to use an interface that is just a
relentless series of pop-up ads.
It is a tactic. It is not actually a real consent or choice
for consumers.
Mr. Carpenter, one concept, I think, that is key to the
discussion is the idea of data minimization or the idea that
companies should collect minimal data to provide the product or
service.
On the other hand, many businesses collect data that is not
directly tied to providing the service and, of course, they
want to use it maybe someday in the future, perhaps even for
resale. Who knows? There is no end to the amount of data that
some companies want to collect.
Mr. Smith, you made that reference that there are trade-
offs. But I was really pleased that you concluded that we are
never--the Fourth Amendment is not for sale, another bill that
we are going to try to deal with in a bipartisan way.
Could you touch on how to strike that balance and where
regulators can help do that?
Mr. Smith. Yes, thank you, Congressman Davidson.
I would say, first of all, on data minimization, it is
something that FDX is looking at in terms of defining and,
really, APIs as opposed to screen scraping, provide far more
consumer control over your data sharing.
With screen scraping, you are sharing everything you can
see, and with APIs, you do have the ability to potentially
limit data that you share for a given purpose.
We have internal use cases that are used for certification
on the back end to ensure that the implementation of an FDX API
is actually certifiable.
The question is, what can we do on the consumer front end
to possibly provide that? So, that is an area that we are
looking into.
I will say, just to touch on your prior question as well,
awareness is one of our five principles, consumer awareness,
and we are defining user experience.
And per the other witnesses' testimony, we are looking at
it both on the front end--what does the enrollment look like,
how many screens does it take before a consumer just drops out,
because there are too many questions--but then also, through
these dashboards. So, it is not just a one-time awareness but
an ongoing awareness.
Mr. Davidson. Thank you for that. My time has expired. I
yield back.
Chairman Lynch. The gentleman yields back.
The Chair now recognizes the gentleman from New York, Mr.
Torres, for 5 minutes.
Mr. Torres. Thank you, Mr. Chairman.
I have a real concern that the biggest banks, in opposing a
Section 1033 rulemaking, are stifling competition and choice
under the guise of consumer protection and cybersecurity.
There are, to be sure, legitimate cybersecurity concerns
surrounding the consumer-authorized use of data. But it seems
to me those concerns are best addressed not by allowing the big
banks to hoard financial information for themselves but by
regulating data aggregators and by protecting consumers.
I disagree with Mr. Carpenter's earlier statement that the
standard should be left to the industry because the big banks
are not disinterested arbiters of what is best for consumers.
The banks do have a vested interest in maintaining their
oligopoly on consumer information.
So my first question is to Ms. Wu and Ms. Cochran. Is it
fair to say that the big banks have a conflict of interest and,
therefore, cannot be trusted to make disinterested
determinations about what data to share, when to share it, and
with whom to share it?
Ms. Wu. Thank you for the question, Representative.
Certainly, consumer advocates are very concerned about
ensuring that consumers do have the ability to share the data
when they have a meaningful opportunity to consent.
One of the things that banks early on used as a tactic to
try to prevent data sharing is to tell consumers, if you share
this data via screen scraping and there is some sort of
unauthorized use, you will be on the hook, which we thought was
just terrible.
The last person who should suffer a loss if there is some
sort of data breach or unauthorized access is the consumer
themselves, and we thought that Regulation E didn't allow for
that, and, fortunately, the CFPB, in a recent FAQ, took that
position as well. It is not the consumer who is going to suffer
the loss.
So we do think that a 1033 rulemaking needs to go forward,
and we are encouraged that there has been more cooperation.
But, ultimately, I think there needs to be some regulatory
teeth, especially if we are going to get rid of screen scraping
because we can't get rid of screen scraping, until we have the
ability for consumers at all banks to share the data, and that
is not going to happen until you have these agreements with all
institutions.
Ms. Cochran. I would just add a couple of thoughts.
As I said in my main testimony, there are competitive
tensions all over this market--both banks and nonbanks--and
they intersect in very complicated ways.
I think it is one of the reasons why it is so important for
the regulators to set certain parameters to settle certain
questions so that industry can focus on then implementing in an
efficient way that actually benefits everyone once those
decisions are made.
The other thing that I think is really important here is
the interagency coordination that I talked about, because
concerns about liability are legitimate open questions in this
marketplace that affect everyone, and getting better answers to
those questions and getting better answers to third-party
service obligations, for instance, intersect with competitive
interests.
So if we can settle the regulatory questions, that kind of
decouples these dynamics that can feed on each other in ways
that tend to slow the process of the overall system and reduce
the benefits for innovation and competition that Section 1033
potentially offers.
Mr. Torres. Thank you.
And I certainly agree that there should be regulation. As I
said, there are legitimate concerns about cybersecurity and
there is a legitimate concern that data regulators are,
largely, unregulated and unsupervised.
I guess my question is for Mr. Smith. I am curious to know
your obligations as a data aggregator. Do you have an
obligation to provide accurate data and to correct inaccuracies
and errors in data? Do you have a legal obligation to do so?
Mr. Smith. As an aggregator, we also maintain a Community
Reinvestment Act (CRA) status and are regulated under the Fair
Credit Reporting Act (FCRA). We also have signed a number of
bilateral agreements with leading financial institutions that
require us to maintain compliance to certain aspects of the
Gramm-Leach-Bliley Act (GLBA), and we maintain compliance to
both State and Federal consumer privacy regulations today and
also maintain compliance to GLBA.
So, that is the scope of the regulatory framework that we
fall under.
Mr. Torres. And I have a question for Mr. Carpenter. I am
concerned about screen scraping because it involves the use of
login credentials. What is the timeline, in your opinion, for a
full transition to API?
Mr. Carpenter. That is a great question. I wish I had a
clear answer to give to you. I think you have to think about
the fact that, and Ms. Cochran talked about this a little bit
and Ms. Wu did as well, there is a long tail in the United
States.
And so, while the biggest financial institutions who
usually invest in their own technology stock are quickly able
to move to APIs, a lot of the community financial institutions
or minority-owned financial institutions usually use a
technology core provider, so they are waiting for that core
provider to give API access or to, essentially, level the
playing field across all of the financial institutions.
So, I would just say bringing the core providers in, and we
have several that are members of FDX, to ensure that there is
not a gap between the large and the small will help that
timeline get accomplished.
But I think with any technology transition--we often talk
about the chip card--the magnetic stripe, the chip card
transition. There were a lot of different waypoints along the
way that had to be accomplished before you could declare
success.
Mr. Torres. My time has expired. Thank you.
Chairman Lynch. The gentleman from New York yields back.
The Chair now recognizes the gentleman from Missouri, Mr.
Luetkemeyer, for 5 minutes.
Mr. Luetkemeyer. Thank you, Mr. Chairman, and thank you to
all of our witnesses today.
This is an interesting discussion we are having here.
Whenever I discuss screen scraping with my constituents and
explain to them what it is, they are aghast. They are
absolutely horrified that when they give an okay to a third
party to--or to their utility company to direct draft off their
bank account, they wind up with a third party having access to
their account. They are absolutely horrified that this is
happening.
So, why do we allow that? Why do we not have a separate
agreement which says that if you are going to be able to screen
scrape and take that information and sell it, then the
individual has to have a separate agreement with the different
company, or with a company that is going to have a separate
agreement with them that allows them to do that and then pay
them for that information? Why is that not a viable option?
Mr. Carpenter?
Mr. Carpenter. Thank you, Congressman Luetkemeyer.
I think it is helpful to think about the context of screen
scraping. It is an old technology. It is not a perfect
technology. It has a lot of issues.
It is also what has delivered the innovation that we have
today in the competitive financial services market, and I would
argue that without the ability for a consumer to access and
share their own data via screen scraping, again, while not
perfect, we would not have had the explosion in competition in
the financial services industry.
Mr. Luetkemeyer. Yes, but Mr. Carpenter, let's be honest
here. This is all done without the consumer's knowledge. Most
of your consumers, I will guarantee you--Mr. Smith, you made a
comment a while ago that 84 percent of people didn't know what
was going on or they didn't approve of who had access to their
information.
Mr. Smith. Yes, I think that was referring to a TCH survey
from 2 years ago.
Mr. Luetkemeyer. But most people don't approve of what you
are doing. They don't approve of screen scraping. We are
sitting here making the assumption that everybody thinks it is
okay. I am telling you that people don't believe it is okay
and, therefore, we need to take a different perspective on this
and say, whoa.
The first way you protect people's privacy and their
information is to be honest with them up front, and say, this
is what is happening with your information and how people are
accessing it, unbeknownst to you.
We are approaching this from the wrong angle, I think. If
people want to allow their accounts to be screen scraped, that
is fine. That is an individual decision. They want to be able
to have other people, other companies, have access to it so
they can prevent, and with other options and other services.
That is fine.
But most people do not know what is going on and would be
very reluctant to sign a form that says it is okay to do that.
So my question is, why can't we do that? Why can't we have the
company be honest with them up front and sign a separate,
completely different form--yes, I understand, Ms. Cochran, we
are going to have another screen you have to go through and
sign off on something.
But this should be in bright red letters, a whole new
screen that says when you sign this agreement you are going to
give access to the screen scrapers of the world to go with
this, and this has to be something completely different than
having a third party be able to have access to your account to
make payments for you.
Mr. Carpenter. Congressman, that is exactly what we are
doing as fast as we possibly can to move to an API realm where
instead of giving your login credentials, you are actually
being taken to your financial data provider or financial
institution, you are logging in, you are permissioning your
data there at your bank on your mobile app. You are then being
handed back with a token or a key so that an API does
completely circumvent the sharing of login credentials.
So, the industry is rapidly moving in that direction. As I
mentioned, 22 million consumers have currently been
transitioned to the FDX API. It is just a matter of, it does
take time. You can't flip that switch overnight and cut off
access to the consumer data sharing that they have, and I think
we are also working--
Mr. Luetkemeyer. Whoa, whoa, whoa. Mr. Carpenter?
Mr. Carpenter. Yes, sir?
Mr. Luetkemeyer. You missed my whole point by your last
comment. People aren't aware that this is going on. Why are you
allowing it to continue? Shouldn't we as Congress, or the CFPB
as a regulator, say, whoa, people are not aware that this is
going on?
They should be told. There should be options presented to
them. Why can't that be done right now? Why is this allowed to
continue to go on, when we know that people don't know what is
going on?
Mr. Carpenter. And I would just say--
Ms. Wu. Congressman, if I may, this is one area where we
completely agree. You and I are on the same page. We think that
this sort of mice-type consent is not acceptable. We need
meaningful, informed, separate dashboard, separate web page
consent. And not just a yes or no, but how much information to
share and for how long.
I understand the concern about information overload. It is
something we are worried about, too, and how you design the
consent is very important and that is something that FDX and
others are working on, so that it is easy.
But yes, a yes/no decision would be easy, would prevent
overload, but it wouldn't maximize the control, and we think
the consumer should have maximum control over their own data.
Mr. Luetkemeyer. I see my time is expired, Mr. Chairman. I
yield back. Thank you.
Chairman Lynch. The gentleman yields back.
The Chair is very pleased to welcome the Chair of the full
Financial Services Committee, the gentlelady from California,
Chairwoman Waters, for 5 minutes.
Chairwoman Waters. Thank you so very much, Mr. Lynch. I
certainly appreciate this hearing. It is very important. And it
seems as if I am agreeing with Mr. Luetkemeyer for the first
time since we have served on this committee together.
Mr. Luetkemeyer. Isn't that an overwhelming feeling, Madam
Chairwoman?
Chairwoman Waters. I want to make sure, and this may have
been discussed before I came in, but I want to know about opt-
out as opposed to opt-in. I get, from the people I do business
with, something in small writing on page 15 somewhere, that
says, if you want to opt-out, you have to let us know.
And people don't pay any attention to that. They don't even
know what is meant by it. And if you don't opt-out, your
information is shared with a third party, the third party
shares the information with somebody else, somebody else shares
the information, and then you get all these solicitations,
people who are not only soliciting you for their products, and
we don't know anything about those firms, and what protections
we have, et cetera.
So, this is very simple to me. Mr. Luetkemeyer asked, why
don't we just change it, why don't we just make sure the
consumer knows? He talked about it a little bit differently,
but my question is very simple: Why don't we just change the
law, or make a law that says you cannot simply offer to opt-out
on page 31, and if you don't do it, your information is going
to be shared?
Mr. Carpenter?
Mr. Carpenter. Yes, ma'am. Madam Chairwoman, thank you for
the question. I want to be very clear up front that I am not in
any way sticking up for screen scraping in its current manner.
Our entire organization's mission is to move to a new API
standard.
In terms of your question, everything that happens through
consumer permission data sharing is directed. It is that opt-
in, as you say, directed by the consumer. They are the one who
downloads the app to start with. They are the one who goes to
their financial institution to permission their data. So, none
of what we are doing with FDX is taking a consumer's data
without permission or consent.
Chairwoman Waters. Ms. Cochran?
Ms. Cochran. Yes. I think this is an incredibly important
issue, and it cuts across 1033, Gramm-Leach-Bliley, and the
Fair Credit Reporting Act. Right now, we have Federal laws that
don't require consent at all. They just set permissible
purposes and say companies can use it within those bounds. We
have laws that rely on opt-out consent, which means the data
flows unless the consumer says no. And now, with 1033, we have
a regime where the consumer has to say yes to turn it off.
So, we have all three in our current system. We know
consumers are overloaded with the choices they are making. And
so the balance between both how do we do consent well, where
consumers really understand and are making the decisions they
intend to make, and how do we, in some cases, maybe define the
permissible purposes so they don't have to decide everything on
a company-by-company or product-by-product basis. That is why
this is so complicated, and it really requires looking more
broadly, even beyond the 1033, to get to the answers to some of
these questions.
Chairwoman Waters. And what is your recommendation?
Ms. Cochran. There is a lot of evidence that opt-out
consent is very sticky, that consumers don't tend to see it,
they may not be reading those regimes. And so, I think that one
in the middle is a particularly tricky category. We know, in
GDPR and some other jurisdictions, that people are starting to
look harder at purposeful purpose regulations so that consumers
don't have to decide everything, or that there are gradations
and tiers to how many things that they are asked to decide
quickly in one setting. And I think looking closer at both of
those options is potentially really helpful.
Chairwoman Waters. I want to be very clear that on the opt-
out opportunity, if you do nothing, that means that you opted
in, is that correct?
Ms. Cochran. Right.
Chairwoman Waters. Something is wrong with that. Thank you.
I yield back the balance of my time.
Chairman Lynch. Madam Chairwoman, I am going to yield to
Mr. Carrillo to ask him to offer his observations on this.
Mr. Carrillo. Thank you very much. Thank you very much,
Chairman Lynch, and thank you for the question, Chairwoman
Waters. I think that permissible purpose regulation is
necessary at this point and we need to go beyond the notice and
consent paradigm. It is possible, within notice and consent
laws, to allow for click-wrap contracts, as the National
Consumer Law Center has noted, that give companies the ability
to harvest data based on the agreements, but data that is far
more than what was intended by the consumer.
So, the agreement between the consumer and a company is not
the appropriate site of regulation. We need to establish a
longer list of how companies can use data, and to what end.
There are still tricky questions as to intent, but it is a
better frame to look at this from a broader perspective of
public policy rather than identifying what consumers understand
or not at the point of sale or point of agreement. Thank you.
Chairman Lynch. I thank the gentleman.
The Chair now recognizes the gentlewoman from Georgia, Ms.
Williams, who is also the Vice Chair of our Subcommittee on
Oversight and Investigations, for 5 minutes.
Ms. Williams of Georgia. Thank you, Mr. Chairman. Thank you
for holding this hearing today for this important task force.
Anyone who follows my work in Congress knows that closing
the racial wealth gap, which in my home of Atlanta,
unfortunately is the worst in the nation, is the goal that I
infuse into all of my policy work, especially my work here on
the Financial Services Committee. In Congress, we have to be
sure that financial innovation proceeds in a way that doesn't
just deliver benefits to a few but to all, especially those
most marginalized.
Today, I would like to focus on how we ensure personal
consumer data is not used to reinforce racial and other biases.
The discussions that we have here and the policy that we pursue
will determine the level of progress that we make toward
building an economy that is inclusive and fair for all.
Ms. Wu, in your testimony you mentioned that we need to be
looking out for and preventing disparate impact when it comes
to data used for credit purposes. Could you elaborate on what
best practices Congress can employ to make sure that we're
picking up on any broad patterns of disparate impact? How can
Congress be sure we are addressing any issues through
legislation as needed, and making sure that the CFPB and other
agencies are writing appropriate and timely rules of the road?
Ms. Wu. Thank you for the question, Congresswoman Williams.
Certainly whenever big datasets are used, whether it's new
data, like cash flow information, or old-fashioned data, like
credit reports, one of the things that you really want to look
for is racial disparities and disparate impact. We know, as a
baseline, that credit reports and credit scores exhibit huge
racial disparities.
Cash flow information and the work by FinRegLab shows that
it may be more promising as a source of information, but it is
still going to show racial disparities. Why? For a number of
reasons. First, it still reflects fundamental underlying racial
disparities in economics in our society, and second,
overdrafts. Cash flow information will never truly be able to
benefit consumers of color until we get rid of overdraft
abuses, because that is one of the key things that they look
for in cash flows, and we know overdrafts hit minority
consumers a lot harder. We have to deal with the overdraft
abuses.
With respect to big datasets and artificial intelligence
and machine learning, one of the things we have seen is that
they are not free of racial disparities. They reflect back what
exists. If you take a dataset that inherently has racial
disparities, and you have the AI or machine-learning model
learn from it, it is just going to replicate it. And the
problem is, people think, oh, AI and machine learning, there is
no bias, but there is. It is all a reflection of the underlying
data that is a reflection of the inequalities in our society.
And so, we need to be cognizant of that. We need to be
aware of that. The unequal position of African Americans and
Latinx consumers in this society was built from decades and
centuries of intentional discrimination, and we are not going
to deal with those disparities until we intentionally try to
address them consciously. If you just say, let's treat everyone
equal, that is not equity and that is not going to do it.
Ms. Williams of Georgia. Ms. Wu, you just mentioned that
Black consumers are desperately impacted by bank overdraft
practices, and that we should keep this in mind when related to
consumer data, to whom consumer data is employed. So, how could
greater use of no-fee accounts address the underlying disparity
informing the data, going forward? Can you tell us the
importance of simultaneously addressing concerns with the data
used and disparities that inform the data being used?
Ms. Wu. Certainly, there have been a lot of efforts to
provide bank accounts for folks who have struggled with
overdrafts, accounts that don't impose overdrafts and overdraft
fees, that don't allow people to overdraft with their debit
cards, which is a huge problem, that don't reorder
transactions. And efforts by organizations to promote banking
are very helpful. And you can't get cash flow bank account
information if you don't even have a bank account, and we know
there are also disparities on who has a bank account. And we
know that lots of consumers, low-income and minority consumers
are driven out of the banking system by overdraft abuses.
So yes, efforts to get unbanked consumers into bank
accounts that are low-fee and safe are really important, but
what is really more important is congressional action to just
tamp down on those overdraft abuses and make sure that they do
not hit all consumers, not just the ones who are able to
benefit from no-fee and safe bank accounts.
Ms. Williams of Georgia. Thank you, Ms. Wu. I am out of
time, Mr. Chairman, but I do have another question around
technology and broadband access that I will submit for the
record, and hope that one of our esteemed panelists can provide
some answers on that as we continue to move forward in this
work.
Thank you, and I yield back.
Chairman Lynch. I thank the gentlelady, and we welcome her
question.
The Chair now recognizes the gentleman from Wisconsin, Mr.
Steil, for 5 minutes.
Mr. Steil. Thank you very much, Mr. Chairman. I would like
to dive in, Mr. Carpenter, if I can, with you. In your
testimony, you talked about the, ``what,'' and the, ``how,'' of
open banking. I thought it was well said, the, ``what,'' being
the question of which data fields are shared and under what
agreements or restrictions, and the, ``how,'' more of the
technological question.
I think another really appropriate question for us, and I
would love to have you speak to it, is what is the appropriate
role of the Federal Government in helping to address those two
questions that you posed?
Mr. Carpenter. It is a good question. I wish that I had the
perfect dividing line for you. I tried to set it up. I think
what has happened in the U.S. is many will say, oh, the U.S. is
so behind in open banking. The truth is, we are actually in
front. If you look at the number of consumers who have access
to their data, and the ability to use it in innovative Fintech
services, we are actually leading the world in that regard. And
so, I would argue that the CFPB and other regulators have
actually taken an appropriate time to watch the industry mature
in this area.
That said, where there are friction points, the Federal
Government may need to step in to decide some of these issues.
Industry standards can do a lot, but we are not a silver
bullet. We cannot answer every single sticky policy question. I
think where the government might see friction between the
industry or the inability to come to a decision on, say, the
scope of data or the like, it may be a role for the Federal
Government to step in.
Mr. Steil. Thank you. Mr. Smith, I would like to hear your
thoughts on the same thing. Hearing kind of his take, could you
give us any thoughts as to what the appropriate role is for the
Federal Government?
Mr. Smith. Yes. I think when you take a look at some of the
conflicting aspects of this, as I spoke to in my oral
testimony, you often run into situations where underregulation
of financial institutions are, and rightly so, very concerned
and very focused on safety and soundness. Safety and soundness
gives way to data security, data privacy, gives way to
limitations on the types of data that might be accessible.
So, when you look at rights to access, regulation would be
helpful, clarity would be helpful to determine the types of
data and scope of data that can be accessed for particular use
cases, for example.
These are the kinds of things that, as a data aggregator--
and I would just say, we've been leading the industry and
signing bilateral agreements with financial institutions. By
the end of this year, we will have greater than 60 percent of
our data, 60 percent of the data flowing through our access
pipes, integrations, through API integrations, that use a lot--
there is an authentication methodology and do not collect
credentials. And we further will have, in the pipeline, another
20 percent of the market coverage in integration development.
And so, these are some of the key issues with which we
deal.
Mr. Steil. Let me build on that a little bit, because I
think in your written testimony you comment on some other
countries and their open banking policies, and I want to get
back to Mr. Carpenter as well on the same question. Looking at
what other governments have done as far as government
intervention in the private market in this space, what lessons
have been learned about the appropriate role of government
regulation in this space?
Mr. Smith. Yes, I think Mr. Carpenter's comment was that
the U.S. has certainly been leading from an innovation
perspective and has more of a wait-and-see attitude from a
regulatory perspective, where other countries have been a bit
more aggressive or proactive, from a regulatory perspective.
Mr. Steil. And knowing that they have been more aggressive
or more proactive, your term, what do you think the lesson
learned is from that?
Mr. Smith. Yes, I think there is a benefit to understanding
what the use case and the value proposition is to consumers and
forming regulation around ensuring that consumers are not
harmed in any way and that the value proposition associated
with open access to data is maintained.
Mr. Steil. Okay. Let me jump back to you, Mr. Carpenter, on
the same topic. What lessons learned do you see from government
intervention, in particular in foreign countries?
Mr. Carpenter. I would argue that the lesson learned is
that you can't really go with all one approach or the other.
There really does probably need to be a hybrid approach. When
you have an entirely regulatory-dictated system, you end up
with compliance versus actually meeting the needs of the
market.
What standards are able to do is actually follow the
consumer: Where is the demand? Where does the market actually
need definition and standardization? It doesn't mean that there
may not be room for principles-based regulation or regulation
or government action that solves some tough questions. So, I
would argue that what we have seen is that you probably do need
a little bit of a mix of everything.
Mr. Steil. Thank you very much. I apologize that with the
time, we couldn't get to all of the witnesses. I yield back.
Chairman Lynch. The gentleman yields back.
Well, together with the ranking member, the gentleman from
Ohio, Mr. Davidson, I would like to thank our witnesses for
their testimony today.
The Chair notes that some Members may have additional
questions for these witnesses, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
This hearing is now adjourned. Thank you.
[Whereupon, at 11:21 a.m., the hearing was adjourned.]
A P P E N D I X
September 21, 2021