Why Fintech Companies Want to be Regulated by the CFPB

It’s unusual to see an industry making a formal request to be regulated, but that’s exactly what fintech data aggregators are asking of the Consumer Financial Protection Bureau (CFPB).

Companies like Plaid and Robinhood have reasoned that more oversight by the CFPB comes with access to more consumer data, which in turn would allow fintech companies to fulfill transactions with their customers more smoothly.

The CFPB’s efforts to regulate consumer data privacy in the finance industry date back a decade to 2010’s Dodd-Frank Act, which mandated that the CFPB develop regulations regarding consumers’ financial data rights.

However, it wasn’t until October 2020 that the CFPB began this rulemaking process, opening its ears to comments and feedback from the industry’s biggest stakeholders: banks, aggregators, fintech companies and other financial institutions.

Much of the discussion centered around Section 1033 of the Dodd-Frank Act, which includes a mandate requiring institutions to grant consumers access to their personal information. This seems relatively straightforward and not drastically different from what financial institutions already do: most of a consumer’s financial data is readily accessible through their online banking portal.

However, Section 1033 is less straightforward when it comes to third parties like data aggregators and fintech companies. When a consumer authorizes these third parties to access their data, it’s unclear how the third parties are regulated. Without direct regulatory supervision from the CFPB, aggregators and fintech companies’ data activity is treated like that of third-party vendors. This means their data activity is overseen by the financial institutions themselves.

This is problematic in two ways. First, it gives traditional financial institutions, like big banks, regulatory authority over third parties. Second, it puts the burden on banks to supervise the third parties, resulting in more billing and credit report disputes.

Overall, the lack of regulatory oversight complicates activity involving the ecosystem of consumer financial data. When a consumer authorizes a third party to complete a transaction with their data (tracking their spending, improving their credit score, decreasing their debt), the aggregators and fintech companies must enter an auditing agreement with the consumer’s bank. However, without regulation, there is no consistent standard for this type of data activity, and banks have the ability to restrict third-party access to consumer data. If they deny access for any reason, it makes it harder for certain fintech companies to operate.

On the surface, this might seem like a power struggle between banks and aggregators, but that would be an oversimplification. Many of the comments show that banks support direct government supervision of data aggregators, seeing as the obligation to conduct oversight often swamps banks with paperwork and holds them liable for the third party’s actions.

That being said, aggregators claim that a symptom of the issue is an unequal playing field that renders the banks too powerful. According to some, this stifles innovation in the financial industry and gives consumers less control over their data (because the role of aggregators and fintech companies is often to take action on the consumer’s behalf). Of course, when banks have control over smaller companies in the industry, it gives them the power to limit third-party access to consumer data. In short, this makes it harder for smaller fintech companies to conduct business, as banks can, in theory, freeze them out of data access, even if the consumer consented to it.

According to many of the public comments, the solution is simple: data aggregators should be considered “consumer reporting agencies” under the Fair Credit Reporting Act (FCRA). This means they would be regulated directly by the government, taking the onus off of banks. This arguably makes sense for aggregators that assemble consumer data from creditors and insurers to assess consumers’ credit-worthiness, but additional clarity is needed for other types of aggregators.

Most pushback against this movement has come from banks and credit unions. For example, the Credit Union National Association (CUNA) wrote that they are concerned about the market costs associated with giving third parties free access to consumer data. Citing the “time, money and continued upkeep” financial services invest in their databases, CUNA maintains that “if third parties can access and use this data without paying their fair share, these third parties are free-riders.”

CUNA’s comment also points to the security and privacy discrepancies between non-regulated fintech companies and regulated financial institutions. If third parties are given free access to financial data with less strict regulations than banks, it could lead to cybersecurity risk and ultimately hurt consumers.

In short, it’s a question of who the data belongs to. Does it belong to banks who have the resources and regulatory obligations to protect it? Or does it belong to consumers who can authorize fintech companies to access it?

Whatever stance the CFPB takes will have major implications for the fintech industry. If third parties become directly regulated, it would give banks less control over how consumer financial data gets moved between banks, fintech companies, and aggregators. In turn, there would be less of a barrier for new financial startups, as they could operate without entering a tedious contractual process with banks. That being said, some argue that it will pose a whole new cybersecurity risk if fintech companies aren’t held to the same regulatory standards.
