A new proposal from regulators would standardize data-sharing rules and better secure online transactions. It’s overdue.
For years, Americans have been giving their banking data to financial apps such as Venmo, YNAB and Rocket Mortgage. And for years, banks have been trying to figure out how to deal with the security risks. A new proposal from the Consumer Financial Protection Bureau suggests a better way.
For customers, the ability to seamlessly share financial information with other companies has obvious benefits. So-called open banking can spur competition, both by making it easier to change providers and by encouraging innovation. Furnishing potential lenders with up-to-date information on an individual’s spending and savings can also result in better lending decisions. All told, the practice has proved broadly popular: About 100 million consumers have authorized a third party to access their account data.
Some banks resisted this trend, concerned that sensitive data like user names and passwords — and ultimately money — could be stolen. Others accepted the risks to keep their customers happy. The result was a patchwork of varying permissions and security standards. The biggest banks developed application programming interfaces, or APIs, to transfer data more securely and negotiated detailed agreements with the third parties that connect apps to the banking system. But for about half of third-party data access transactions, customers still need to share their online banking credentials, a risky practice that should be phased out. Meanwhile, banks still control the terms of data sharing — not consumers.
So the CFPB’s Oct. 19 proposal — which would mandate that banks develop APIs so that customers can share their data with other companies securely and free of charge — is mostly a welcome step. As the regulator takes feedback over the next few weeks, however, it should be open to some improvements.
First, the rule’s scope seems unnecessarily limited. Information on mortgages and auto and student loans isn’t included, for instance, even though some banks have already developed systems to share such information. Although the CFPB plans to expand the rule over time, why not encourage banks to develop APIs now to cover as many data types as they would eventually need to share?
Next, deciding what data is “reasonably necessary” for an application shouldn’t be up to fintech companies alone, as in the current rule, because of the temptation to exaggerate what they really need. Nor should it be left to the banks, which might try to thwart competition by being overly restrictive. Instead, the CFPB should assign that responsibility to an industry body such as Financial Data Exchange, a nonprofit that represents both banks and third parties and has already worked out data-sharing standards.
Finally, the bureau should establish clear liability for third parties that fail to keep data secure, especially if customers lose money. If the third party is another bank or regulated financial company, then such rules are already established. But in other cases, banks would have to deal with the costs up front — reimbursing customers, for instance — and then seek redress through the legal system, which can take years.
As banking grows increasingly digital, making data-sharing more secure is an essential goal. This proposal would be a step in the right direction.
This article was published in Bloomberg Opinion by its Editorial Board.