Show Me the (Data About the) Money!

Abstract

Information about consumers, their money, and what they do with it is the lifeblood of the flourishing financial technology (“FinTech”) sector. Historically, this data was jealously protected by highly regulated banks. However, online shopping and smartphones have made consumers share their information more than ever before. Understanding the importance of such data, which can be monetized and used for countless business prospects, many believe that consumers’ ability to control their data has become a modern imperative. This ability is tightly linked to the concept of open banking—an initiative that lets customers control and share their financial banking data with service providers, as they see fit. In recent years, some U.S. banks have threatened to block the servers of tech companies and data aggregators from accessing their customers’ data, even when customers agree to it. With no regulation or accepted standards for the ethical gathering and use of data, banks argue that limiting access helps them protect their clients’ privacy, improve their accounts’ safety, and promote consumer protection principles. They argue that FinTech apps collect more data than needed, store it insecurely, and sell it to others. But the motivation of the big banks in advocating for such limitations may not be so pure. Banks do not want to be held liable for data or fund losses. Neither do they want to relinquish competitive advantages nor lose customers. Witnessing resistance, tech companies have not been sitting idly, waiting for banks to limit their access to data. Instead, they have been working on ways to outsmart banks’ blocking technology and use data aggregation services as a middleman. They have also extended the fight into Washington, where regulators such as the FTC and CFPB have noticed how technology impacts flows of consumer data and financial issues such as credit reporting. Advocating for consumers’ rights to control data, tech companies lobby for a top-down approach to open banking. The legal status of third parties’ right to access consumers’ financial data is anchored in the EU’s recently adopted Payment Services Directive II. In the U.S., however, the approach to open banking has been a market-based one, in which data aggregators have become a significant player without consumers noticing. Realizing this, FINRA issued a warning in 2018 about the dangers of consumers sharing their account data with data aggregators in order to access apps, and in 2019, the FDIC inspector general released a report expressing concerns about data aggregators. But the status-quo could change. Section 1033 of the Dodd-Frank Act “provides for consumer rights to access financial account and account-related data in usable electronic forms.” Yet, its applicability to consumer-authorized data access by third parties, as opposed to direct access by consumers, is at question, although the Department of the Treasury currently appears to support the earlier approach. This Article is the first to direct attention to an overlooked category within the financial services industry: data aggregators. By analyzing financial regulation and privacy law, this Article examines data aggregators’ relationships with banks, tech companies, and consumers. It provides a comparative lens between top-down and bottom-up regulatory approaches to open banking, and suggests regulating data aggregators as gatekeepers under the CFPB’s supervision in ways analogous to credit rating agencies, and tasking data aggregators with managing people’s digital identities.