Data Portability And Liability: A Game Of ‘Three Dimensional Chess’
Open banking will usher in a new age of data portability but gives rise to a burning question: Who is ultimately responsible for that data?
MX Chief Advocacy Officer Jane Barratt told Karen Webster the answer would be crafted by frameworks that involve discussions and input from all parties — FinTechs, financial institutions (FIs) and consumers.
The conversation came against the backdrop of an executive order from the Biden administration encouraging the Consumer Financial Protection Bureau (CFPB) to craft rules that would allow customers to download their banking data and take it with them.
“People have been sharing their financial data for decades,” she said — through paper forms, moving to emails and passwords and screen scraping.
With a nod to the Biden directive, as Barratt told Webster, there are already precedents and roadmaps to guide the CFPB in making it easier for consumers to access and control — and, crucially, protect — their data.
That comes through Dodd-Frank’s Section 1033, which states that financial services providers must make available to a consumer the very information about that individual that the FI possesses. The road is paved, then, as Barratt said, for firms to assign data ownership to the consumer, and for regulatory oversight of FIs, intermediaries and aggregators. Along the way, she said, more transparency on data sharing and ownership will give consumers more confidence in permitting that data to be used as the financial services ecosystem creates new offerings that generate new revenue streams.
But as she noted, responsibility for that data does not “flip” with a new policy approach. The knotty problem of who is liable still has to be figured out. Does the responsibility lie with the source of the data breach? With the bank? Ultimately, shared between bank and FinTech?
In the digital age, she said, with credentials leaving people’s hands and being spread throughout the ecosystem, there needs to be a multi-agency approach to Dodd-Frank 1033 that decides the parameters of access.
Though it’s unlikely that liability for data would shift from resting 100 percent with the banks (where liability currently is) to resting 100 percent with customers, it’s important to note that technology has the benefit of making data collection and use more transparent than ever before.
Not all that long ago, she said, screen scraping was the norm, where anything on a user’s screen might be visible to someone who wanted to do something nefarious. She pointed to application programming interfaces (APIs) and token sharing as ways to limit data access and to encrypt that data while it’s in transit. In one illustration, she said, responsibility resides at the “front door” of access — but the criminals are coming in through the proverbial back door.
“It’s a three-dimensional chess game,” she said.
Those points of access and data safety are paramount in an age where real-time payments are becoming more prevalent. The fund flows are irrevocable, and the question arises as to just what happens if a payment is authorized to someone who — on the receiving end — proves to be an impostor.
We’re still in the early stages of determining who is liable in that situation because we’re still in the early stages of porting our data and consent in the payments realm. In Barratt’s telling, we’re still in kindergarten or the “101 stage” of educating consumers that they can see and obtain their data in the first place, let alone share it with a third party to get a mortgage or set up a budgeting app (which she said are value-adds as banking becomes increasingly commodified in checking or savings).
PYMNTS data show that a significant percentage of consumers are concerned about data and privacy. At the same time, 75 percent of consumers, we found in one recent Connected Economy report, have gone online to make a retail purchase across the past 12 months.
The inclination to embrace open banking is there. Separate PYMNTS research finds that 65 percent of consumers would likely sign up for open banking with companies like Apple and Google.
Thus far, the industry has been putting frameworks around what data fields should be available and the use cases for those data fields. “We haven’t been super focused on payments, but I can see that as the next logical progression, especially as alternate rails stand out,” she said. Banks will be able to leverage the trust that has been built up over the years into new use cases. That will require an embrace of interoperable standards.
The more inclusive those standards are, and the more FIs and FinTechs sign on to them, the less need there will be for huge compliance mandates from the government that might stymie innovation and the rise of FinTechs, she said.
But with interoperability and collaboration, if two entrepreneurs at a startup “are attaching to your platform and you’re vetting them, they have the ability to enable whatever experience they’re creating, because your rails are solid and secure — and consumers have that through their bank,” said Barratt, “and that’s an opportunity for those banks to remain competitive and keep their customers.”