Sen. Warren Warns of Fintech Privacy Risks
Warren and other senators are worried about data privacy as Treasury recommends a rule rollback for third-party aggregators.
The Senate Banking Committee continued to examine Tuesday how to handle the regulation of fintech, as concerns persist about data aggregation and consumers’ privacy.
“I think it’s critical that the government move methodically on a regulatory approach to fintech so we encourage productive innovation but we don’t expose consumers to a lot of unnecessary risks,” Sen. Elizabeth Warren, D-Mass., said during the hearing entitled “Fintech: Examining Digitization, Data, and Technology.”
“As this marketplace rapidly develops, so must we constantly evaluate our regulatory and oversight framework, much of which was designed prior to the digital era,” added Sen. Mike Crapo, chairman of the committee, during his opening remarks.
“To the extent that there are improvements that can be made to better foster and not stifle innovation, we should examine those.”
The hearing also focused on the Treasury Department’s release in early August of its fintech report. Warren stated her unease with the report.
“In almost every instance, [Treasury’s report] advocates for deregulation in an effort to stimulate the fintech industry,” Warren said. “I’m concerned about a lot of those recommendations. One set of recommendations is rolling back rules about how banks can share personal and financial information with third-party data aggregators.”
Crapo agreed that consumers must know “when their data is being collected and how it is being used.”
Many products and services in the fintech sector, Crapo said, “revolve around big data analytics, data aggregation and other technologies that make use of consumer data. Oftentimes these processes operate in the background, and are not always completely transparent to consumers.”
Warren queried Saule Omarova, professor of law at Cornell University, as to her concerns about banks’ ability to share personal and financial information with third-party data aggregators.
“My main concern is that the Treasury recommendation will open the floodgates for the banks … to open up this treasure trove of sensitive financial data on the customer that they have for much more uses by various types of companies,” Omarova responded.
“My concern is about Facebook, it is about Google, it is about Amazon — we don’t know what they do with the data they touch.”
Stuart Rubinstein, president of Fidelity Wealth Technologies and head of data aggregation, stated at the hearing that Fidelity also provides third-party aggregation-based services to its customers, and that “customers have been able to use their Fidelity data in third-party applications for many years.”
However, he continued, “the cybersecurity environment has significantly changed over that time and we have a responsibility to protect the very sensitive personal financial data and assets of our more than 30 million customers from misuse, theft and fraud.”
To address these issues, Rubinstein said, Fidelity has developed the following five principles that “should guide industry in creating better data sharing solutions”:
1. Fidelity strongly supports consumers’ right to access their own financial data and provide that data to third parties. As a provider of aggregation services, [Fidelity] knows that customers value these products, and the demand for aggregation is likely to increase.
2. Data access and sharing must be done in a safe, secure and transparent manner. Credential sharing makes the system less safe for consumers, aggregators and financial institutions alike.
3. Consumers should provide affirmative consent and instruction to financial institutions to share their data with third parties. Rather than trust that third parties who use customer login credentials to access a financial institution’s website are authorized, customers should tell financial institutions which third parties have permission to access their financial data.
4. Third parties should access the minimum amount of financial data they need to provide the service for which the customer provided access. There should be a tight nexus between the service provided and the information collected by third-party aggregators.
5. Consumers should be able to monitor who has access to their data, and access should be easily revocable by the consumer. Data sharing and “permissioning” should be an iterative process, with customers engaged continuously.