tv Hearing on Protecting Personal Banking Data CSPAN October 7, 2021 8:21pm-9:43pm EDT
>> good morning, this task force will come to order. the chair is authorized to declare a recess at any time. members of t without objection, members not on this committee, authorized to participate in this hearing. as a reminder, i ask all members to keep themselves muted when not being recognized. staff have been instructed to not talk to members, especially members are not being recognized, and there is inadvertent background noise. members, also, are reminded that they may only participate in only one remote proceeding per time, participating today, please keep your camera on, and, if you choose to attend a different remote proceeding, turn your camera off. the hearing is entitled, preserving the
right of consumers to access personal financial data. now, i will recognize myself for four minutes to give an opening statement. good morning. welcome to this hearing of the financial services committee, and the task force. today's hearing, discussing various issues surrounding the gathering, usage and protection of consumer financial data. i would like to begin by thanking our distinguished panel of witnesses who testified, and with those perspectives for congress, and regulators, grappling with this rapidly changing landscape, in this area. the collection, and utilization, of internal financial data has exploded in the past decade, as the usage of smartphones, a myriad of devices, in the internet of things, and enhanced computational power, and algorithms, with artificial intelligence, and robotic operations, has been combined to perform in transform the way consumers manage their finances, and conduct the most basic
economic activities, while, also, changing the ways that financial service providers have responded to consumers' desires, and preferences. whether using payment processes for the dinner bill, or employing personal financial management apps to track spending. accessing a mobile lending platform, for a personal loan, consumers, and financial service providers, rely, routinely, on the data flow that depends the delivery of those services. the consumer financial data ecosystem, also, extending beyond traditional banks to ensure data aggregators, pin and processes, banks, and mobile lenders employ technologies that were not, necessarily, anticipated in earlier legislation, and regulation. while there is little doubt that the financial services innovations capital has a real potential, improving the efficiency, and accuracy, of the services, while reducing
costs, and fostering greater inclusion. the relentless, the full spectrum cultivation of consumer data, and the manipulation of that data, is important policy questions of all personal data protections. user control, and meaningful consent, to sharing that data. as well, the ultimate contours with personal privacy. many financial service providers, and traditionalist in texas, requested regulatory guidance, and clarity, in this area. some current laws governing financial data, dodd-frank, the fair credit reporting act, and the equal credit opportunity act, is generally, inspected. it allows serious gaps that leave much uncertainty, given the transformational technology, and advancements, as well as changing relationships, and customer preferences, that we face today. again, let's thank witnesses for the willingness to have this task force, and i look
forward to our discussions. the chairman now recognizes our ranking member, the chairman from ohio, mr. davidson, for five minutes in the opening statement. >> thank you chairman lynch. i appreciate your conducting this hearing today on a, very important, and prevalent issue. the financial technology seems to be developing at light speed in recent years, so it is encouraging to see this task force, and committee, keep up with the industry like i said two years ago and it was great with being on both sides of the aisle to protect this topic. consumer control needs to be over their own financial data. both regulators, and policy makers, alike, are moving fast, enough to address the uncertainties in this area. i'm not convinced that we are. it was encouraging to see them continuing to make progress, towards rulemaking, under section 1033 of the dodd-frank act. section 1033 provides the
opportunity to strengthen consumer control over their personal data. when they grant consent for any party to access, or hold their personal financial data, it is vital that this consent is right, narrowly. i am optimistic, they can, adequately, define the proper scope of that consent. whether this involves limiting the specific financial activity would with all the data is needed, the length of time with which it is authorized, and i expect these types of questions to be at the forefront of this process, as they undertake the rulemaking. ideally, they will conclude, as i have, the individuals have a property right in their own data. much like a songwriter, would have protections for their lyrics, or music, as composed individuals know the data that they create. and they cannot fully
appreciate what they are consenting to, whenever we utilize third-party financial service providers. please note, it's with this fintech, and it is applying for personal loans, conducting peer to peer payments, getting mortgages and receiving and they have never been easier. fintech companies and they've been more accommodated than ever before. despite this financial revolution, we need better transparency regarding the relationships between financial institutions, third-party service providers, and the consumers who are providing the data. it is encouraging to see some progress, within the industry, to shift away from practices, which essentially circumvents any need for consent, between financial service providers, and third parties. and then, towards application program interface. however, i believe policy makers, and regulators, retain
the authority to shape our relationships, and protect consumers, financial privacy, moving forward. i won't say that regulators need to impose regulations with technical guidance. it is best to leave those to the industry. how regulators can still provide consumer focused, principle-based frameworks, that allow for innovation, and competition. i would be remiss that if i did acknowledge some industry specific standards, employed to address consumer privacy data. these policies can, largely, be found within the riley act, the fair credit reporting act, the electronic fund transfer act, and while section 1033 of the dodd-frank is the step in the right direction, we're left with a fragmented, regulatory framework, and consumer devices protection. i know this hearing is more narrowly focused on the 1033 rulemaking of open banking. but congress continues to hold a broader conversation.
we are in the process of developing a bill on issuer data, which looks to secure that property right in law for american citizens. while we can all agree on the general outcome, reaching that outcome is a complicated endeavor through congress. i'm sure many questions here today will be rather specific or potentially complex. consumer data has become so leveraged and holds so much value, it has become a large business asset. no matter how big the financial industry gets or how much technology evolves, the monetary value of the data will never be worth more than the right to privacy. our constitution is supposed to protect the right to privacy for every american citizen. it is our duty to do that. i look forward to hearing our witness testimony today and i yield back. >> the gentleman yields back. >> today we are pleased to
welcome the testimony of our witnesses. first we have mr. tom carpenter, director of affairs with the financial data exchange. next we have mr. raul carillo, an associate research scholar at yale law school. and the deputy director of the law and political economy project. next we have, the director of finreglab. next we have chi chi wu, a staff attorney with the national consumer law center. and now we have mr. smith, the ceo and cofounder of. witnesses are reminded their testimony will be limited to five minutes. a timer will indicate how much time you have left and a chime will go off at the end of your time. be mindful of your timer and wrap up your testimony if you hear the chime.
without objection, your written statements will be made part of the record. mr. carpenter now you are now recognized for five minutes summation of your written testimony. >> thank you. chairman lynch, ranking member davidson and members of the task force on financial technology. thank you for the opportunity to testify. my name is tom carpenter and i serve as the director of fdx one. fdx is currently barred from taking positions on financial regulatory policy issues. we do advocate for market-led api. but please regard my comments today as educational and regarding the way our work interact with education. the best way to understand fdx is the bluetooth standard.
bluetooth brought together many different consumer electronic manufacturers to create a standard specifications so users could use differently branded products in an interoperable manner. in the same way, fdx brings together different players under a common api standard. it allows users to share data between different financial institutions in a secure manner. one which is not dependent on one bank or one fintech app a consumer may choose to use. adoption of api is replacing the need for shared consumer login credentials and screen scraping. a few details of fdx, we are nonprofit. it is also royalty free. fdx currently has 200 members across the financial sector globally, including banks
aggregators, financial industry groups and other stakeholders. i'm pleased to be joined by chi chi wu and steve smith, who both represent fdx member organizations. and in case you thought fdx was just an interesting concept, i'm pleased to tell you that 22 million consumer accounts have been transitioned to screen scraping from api. that's 22 million consumer accounts. as this task force is aware, fintech innovations are allowing consumers to use their own financial data, to enable more efficient processes, no file bore workers when a traditional credit score is limited or incomplete. interim power decision-making via i consumers own data, just like companies have done for years, so they can see all their accounts in one place. with this in mind, here are some key points i would like to
make the task force aware of today. first, it's critical for the task force and regulators to draw a bright line distinction between use your permission financial data sharing versus data brokerage or data harvesting. consumer permission data sharing using the fdx api, it's fully controlled by the consumer. unless it includes explicit consumer consent. data brokers are harvesters, selling data about consumers often without express consumer consent, control awareness. secondly, fdx is committed to the five core principles that must be present in any system of open banking to ensure that the industry serves the need of consumers. these are control, access, traceability, security and access. i am happy to take questions on them. fdx believes that technical api standards are best left to
the financial industry rather than defined by regulators. for a host of reasons, expanded upon in my testimony, we believe the industry is best suited to maintain and continually adapt standards to the need of the market and consumer demand. as for potential cfpb rulemaking, fdx submitted comments to the cfpb war anpr and fdx was mentioned in half of comments that the cfpb received. the fdx five principles and our core belief that technical data sharing standard should be left to the industry. we at fdx also believe that potential cfpb rulemaking would need to find a good balance. consumers must be able to access and share their financial data with third parties via apis in the same way they can today through screen scraping. including three third parties
who may have no relationship with the data provider. at the same time, data providers like banks must be able to maintain sound practices and activities consistent with applicable laws of regulation. fdx is hopeful that its own certification of api implementation will be helpful here. finally, fdx encourages cfpb to do more to encourage the adoption of market-led apis defenders and to have friends or knowledge the standards to further the work and also to harmonize industry standards and regulations as much as possible, so the standards are not caught between competing or disjointed requirements. thank you again for the opportunity to testify. >> thank you, mr. carpenter. >> mr. carillo, you are now recognized to give your oral presentation of testimony. >> thank you. thank you ranking member davidson, members of the task force, thank you for inviting me to testify.
i am an associate research scholar at yale law school. i am also special counsel for the enforcement director of the cfpb. this morning i took previous calls to adopt a approach to previous regulation. collecting highly personal information. today, opinion makers in mobile money accounts physically includes merchants, payment processors, internet service providers. additionally, roughly 50% of u.s. consumers and 95% of u.s. deposit accounts are estimated to use financial apps that frequently rely on under regulated aggregators. our company can share data widely without the corporations and law enforcement agencies. the national consumer law
center, more control over their data and financial institutions. with that being said, consumer rights to access to review, manage correct and delete data can only be maintained with a broader policy that minimizes collection as a first order principle. i look forward to discussing fintechs and their collection. this collection process must be subject to greater scrutiny. this occurs in the broader context of data minimization. just as the cfpb offers more control to consumers, and technology of api, they must use federal consumer protection, including fair credit reporting. if consumers are harmed, fintechs have not provided records, it does not include an
explanation of how accounts have been shared. they must take appropriate action on noncompliance, leading to [inaudible] with which the cbp [inaudible] . we must upgrade federal security law. there are limits to the ways in which individual consumers can meaningfully make choices about how their data is used. as a legal scholar argues, an important factor for the digital economy is to predict broader trends on social and collective behavior. corporate and government actors frequently do not even know about collection until after they analyze the data and identify processes. consent does not exist when
people cannot know the information they are revealing. as a matter of public policy, we should not be able to forfeit our right to privacy and security simply by clicking agree, as industry would have us believe. ultimately, congress must shift the burden to data protection from consumers and litigators to regulators and tech companies. that collusion of big tech and wall street in the state and [inaudible] demand careful scrutiny. regulation in processing [inaudible] strictly necessary to carry out such as [inaudible] and their intentional interactions. this principle itself demands transparency that rulemaking can help provide. i agree with banking data
providers that [inaudible] privacy and security are especially important when we consider policies a financial inclusion and communities of color. credit data can for sensitive information and proper benefits family, criminal and immigration and security law already provided channel for policing civil rights concerns. moreover, medical action does not solve financial exclusion. the key problems are not structural problems. the erosion of aid security and privacy law and consumer finance to encourage over lines on credit and social provisioning and focus on better jobs, higher incomes and
more equitable economic policy. thank you. >> thank you mr. carillo. ms. thompson cochran, you are now recognized. >> thank you chairman lynch and ranking member. my name is kelly thompson cochran, deputy director of finreglab, an independent research organization that evaluates the use of data and technologies in creating a more responsible and inclusive financial marketplace. we have published a number of reports -- >> mrs. cochran, i'm not sure if your microphone is on. >> can you hear me? >> yes, much better. >> so sorry. >> you were very clear in this room but i think that online it wasn't audible. >> should i start over? okay. good morning again to ranking member davidson and chairman lynch and members of the committee. my name is kelly thompson cochran, i'm the director of
finreglab, an independent research organization that evaluates the use of data and technology to create a more responsible and inclusive financial marketplace. we published a number of reports on customer data access issues including a groundbreaking evaluation on the use of cash flow data for underwriting small business and consumer credit. our research finds that the system for consumer directed transfers is benefiting many consumers and small businesses today. but it is also creating risks and burdens that reduce its ability to create greater customer friendly innovations and competition. efforts to meet the financial services needs of underserved population may be particularly sensitive to these risks and burdens. for instance, we are providing margins are already thin, or particular populations are particularly sensitive to concerns about privacy. improving the market and
regulatory effort structure for customer direct transfers has critical implications for competition, customer protection and financial inclusion going forward. we are encouraged to see several federal regulators beginning initiatives to address critical issues. congress action will be needed to improve the broader data ecosystem. the regulatory initiatives are critical to help sharpen the focus of this complementary effort. the market today is moving toward more safe and more efficient technologies for data transfer. this is both through bilateral agreements through large players and three standardization initiatives. while congress has been slow by regulatory uncertainty, initially led standardization efforts can be highly beneficial, particularly on technical issues hard to enshrine in legislation. experienced justice are such
efforts will be far more effective if regulators stick to some basic parameters. three such initiatives are under way. in addition to the ruling we have discussed, the federal trade commission is modernizing trade security standards for non financial service providers, and financial regulators are harmonizing third-party guidance as it relates to customer transfers. we believe that the industry effort will be substantially strengthened if the regulators address five key separate issues in the proceedings. the first is the deadline for particular groups of financial service providers to make data available applying consumer requests under 1033. the second is the scope of the data that is subject to 1033 data access rights, the exceptions that's that a data, and whether there are additional provisions on data transfer. third, the obligations of companies that are acting on behalf of the consumer in
connection with the 1033 transfer, and the requirements for data to be safeguarded with that information. fourth, plans to begin supervision of data aggregators and other non banks financial service providers, with a large amount of customer service data. and thank oversight responsibilities conservers concerning aggregators in the downstream handling of data. agency coordination is critical between these various initiatives because they are very deeply connected. the cfpb supervision of aggregators could reduce third-party risk the banks. and these can affect the technical infrastructure and processes for 1033 transfers. these regulatory initiatives will also help specific congressional actions. for instance, 1033 does not permanently define protections for data transfers, while other federal laws potentially
provide safeguards crafted specifically for this system which may not apply to all. more broadly, as others have discussed, there are other gaps showing up in the financial regulatory ecosystem, including data practices and technology exchanges. our written testimony discusses things like meaningful consumer permission, while also dealing with the fact that there is evidence of customer overload, information overload in trying to manage all decisions they are faced with. the cfpb and other agencies will likely grapple with many of these cross cutting issues in these proceedings that congress has a role to play in looking across statutes. modernization will help reduce areas to consumers and small businesses, create a more level playing field and encourage greater innovation going forward. thank you again for the opportunity. >> thank you very much.
>> ms. wu, you are now recognized for five minutes for an oral presentation of your testimony. welcome. >> thank you, thank you mister chairman. thanks to ranking member davidson, members of the subcommittee for the opportunity to testify. i'm testifying on behalf of the loan compliance of the national consumer law center. at the heart of this hearing is preserving the right of consumers to access personal financial data. i absolutely agree. we support the president's call to have the cfpb continue 1033 rulemaking. this has a lot of potential to benefit consumers. it could benefit the 45 million credit invisible consumers, or have found out that that credit score cannot be generated for them. but access must be subject to what i call the three c's and one d. consumer choice and control.
competition. consumer protection and the d, data security. think about what is being accessed. how sensitive and revealing it is. think about your own credit card statement. and remember, a lot of credit invisible consumers won't be having a credit card, so they will use their debit card a lot. this shows what places they shop, which health care providers they use, what causes they support. so consumers the control. consumers are tired of not having control over our own personal data. we are tired of tech giants silently collecting data to show us creepy personalized ads. and the original privacy invading tech giants are the three tech credit bureaus, experian, equifax and transunion. they started collecting our data without our permission. we need a better system.
not just whether to consent to sharing for what purposes, for how long, and control over exactly what data elements get shared. and no pro forma consent. it must be meaningful informed and knowing. dashboards, like the ones developed by fdx are a good start. what are not good are efforts to access data without consumer control. unfortunately, we are starting to see this, including from a firm called early warning services. competition. after the equifax breach, there was a lot of discussion about how consumers had no control over consumer -- where we can't choose between the three big three or walk
away. data aggregators could serve as potential competition to the credit bureaus. and it could be more accurately precisely because of consumer control. when an aggregator does a terrible job with the data, consumers should have the ability to revoke consent and delete their data from the aggregator's database. one risk we are beginning to see is that the big three has started purchasing alternative data providers. for example, all three have bought consumer reporting agencies specializing in subprime credit. we would be really worried if the big three started buying up data aggregators as well. consumer protections. new entrants to market love to complain that they can slice bread and that existing regulation does not apply to them because they are so novel. but not so much. even though they were drafted decades ago, the laws were written broadly. so the credit act applies and
equal credit actors implicated. i am very much appreciating that my fellow witnesses have taken his position with respect to the fair credit reporting act. in addition, we would ask that the 1033 that the cfpb should establish authority over larger aggregators. we need supervision from data security. the equifax data breach caused congress to be urged to and we wouldn't urge the same for data aggregators. at a minimum, the cfpb should complete its rulemaking to safeguard that rule under that act. financial account information holds great promise but also great risk. it open doors to credit for millions of underserved
americans. but echo thin -- forced to give up their privacy and allow each credit employer, landlord and government agency a direct impermanent it'll pipeline to their bank account data. it's up to the regulators to ultimately congress to make sure that the data promotes consumer welfare without. thank you for the opportunity to testify. i look forward to your questions. >> thank you ms. wu. mr. smith you are now welcome to give oral explanation of your testimony. >> i'd like to thank chairwoman waters, chairman lynch, ranking member davidson and the fintech task force to speak with all of you today. my name is steve smith, cofounder of a master card company. we allow financial account holders, typically small and mid size businesses to easily connect their services to a
wide range of services. this is often called data aggregation. i spent the last 35 years working in the data naji industry. in that time there have been remarkable changes. we have experienced massive advances in virtually every industry. one notable technology disruption has been the use of data and analytics. large enterprises have leverage large data and. to improve experiences in much more. all of this has enabled significant cost reductions combined with enhanced revenue opportunities. for too long, we as individuals, families and businesses have not reached the same benefits of using our data. why? the technology has been too expensive or the ability to collect and analyze our data has been exceptionally difficult or cumbersome. this is where the advent of
open banking or open finance, powered by data aggregation, is forcing the data experienced one that empowers data with access control and the extensive use of their data. open banking is enabling a wide range of financial products and services that are transforming how consumers manage their money, prepare their taxes, apply for loans, make realtime payments and better understand and improve their credit. all of this is leading to more consumer choice and better experiences. along with increased financial literacy, financial inclusion and improved financial fitness. finicity has been at the center of many of these empowering experiences, for example finicity has enabled consumers to attribute more data to their credit scores through experian boost and through the ultrafico scores. the solutions use cash flow data, explicitly permissioned by users to help them improve credit and achieve financial
goals. so with all of this positive movement, why am i here? this is a technological shift that is still very much in the early innings. as it emerges and matures, federal policy makers will play a meaningful role and pace in the pace of this transformation by providing clarity on data protection expectations, data privacy requirements and presume or consumer data rights. clearly, consumer data protection is a must throughout the data access and sharing process. safeguarding the data is foundational to accelerating innovation. while protecting the consumers from financial data theft. equally, i believe we all agree that the privacy of personally identifiable information is important to for the consumer empowerment. in many respects, data privacy is about consent. with clear and explicit consent, consumers will know where, how and for what purpose their data
is being used. putting them in control, enhances privacy. data should not be shared among or cross organizations without direct and transparent consent. finally, i think most importantly, consumer data rights must start in and with an individual's availability to access, use and benefit from their data. this is foundational to open banking. it is essential that consumers have reasonable access to all of their data in possession of the data holders in a format that they can permission for use, to financial services and have providers of their choosing. it is critical to safeguard data rights. otherwise the great progress we have made so far will fade. data rights, privacy and protection are inextricably connected to privacy and policy goals. each deserve focus and critical thinking. trade-offs may have to be made to balance competing objectives.
even adopting newer and better technologies can have unintended consequences by curtailing data access. we should bear in mind that these three goals are not equal. the consumers' rights to their data must always be prioritized and maintained. we need a clear regulatory framework to protect and continue open banking in the u.s. that is why we are encouraged by the cfpb moving forward under section 1033 of the dodd-frank act. we started this with one simple thought. data is the heart of good decision-making. it is incumbent upon all involved in this data sharing ecosystem that small and mid size businesses and consumers are empowered with the data they need to make the best decisions for themselves and their organizations. thank you again for the opportunity to address the task force and answer any questions you have. >> thank you mr. smith. i now will yield five minutes
to myself for questions. let me ask the entire panel this. although i will select individuals at various times. the gdpr in the european union has gone from a policy approach, they recognize the right to be informed, the right to access data by individuals. the right to rectification of a flaw or mistake in a statement. the right shoe processing. the right to portability. so it encourages competition that an individual can move their data. and also the right to erasure with the right to be forgotten, so called.
from a policy perspective, did they get that right, ms. wu? have they gotten it right? are there gaps in what we've seen them attempt to accomplish? >> thank you, congressman lynch. many of the principles in the gdpr are, respective of their information principles and in fact, some of them are reflective in the fair credit reporting act. some were doctored in california, where there is a privacy law. the devil is always in the details when you talk about principle based regulation. you want to drill down to the details. but in general, the gdpr has put in place a stronger framework than exists in the united states. and it serves as a model for some states.
>> thank you. mr. carillo. what are your thoughts? you are trying to develop the standard on apis? would you are subjective structure embrace those rights that have been articulated in the gdpr? >> thank you, chairman lynch. i think a couple of things are at play. one, technically api standards defined by the industry will always be subservient to any regulatory or policy actions put in place. whatever the industry defines, the cfpb or other regulators, those standards will meet those obligations as needed. i think it's important to think a little bit about the complexity of the u.s. market as compared to the eu or some of the other countries that have gone with a strong regulatory model for open banking or data sharing. one, a lot of those countries have a single financial regulator. we have a myriad, a lot of
times with overlapping jurisdiction. a lot of those countries have also the financial services industries is held by just a few banks. we have well over 10,000 financial institutions in this country. so i think the u.s. is unique in its complexity. so there will need to be a balance between what the regulators do as well as what the industry does. so i can't comment specifically on exactly what regulators to do or where that dividing line is. but we took quickly look at open banking as a how and what. what is really up to regulators and policy makers. the how is, how is this accomplished? how is data moved from a to point b. >> thank you, ms. cochran. >> i think the gdpr is helpful in terms of thinking through the elements that need to be guided. and really creating a robust consumer and small business control over their own data. but the exact policy balancing
really depends on the particular use case that you are doing. for instance, we focused on credit. one of the hardest cases. because traditional credit bureaus often don't require consumer consent to access data. the new system under 1033 does. that creates an opportunity to create a more robust system where consumers have more control. at the same time we have to balance that against the needs of creditors, to be able to access representative historical data so they can develop models that are fair and predictive and do a good job for both the customer and the lender. so balancing both the individual and public interest are complicated. that is very helpful because it starts to think through those questions, although it's possible the balance may be different for particular use cases in particular situations. >> doesn't much depend on consent?
meaningful, we'll consent? >> yes. one of the things i didn't get much time to talk about in my main testimony, but a lot of systems do depend on notice and consent. but it is a particular process. and what gdpr is a more robust fraud process about how consent can be revoked. and so thinking about consent is more than a one to one transaction. there is also a great deal of evidence. consumers are also overloaded by the decisions they are being asked to make, by the notices they are being asked to read. so one thing that gdpr is struggling with, that may come up, is how do you make some of those decisions simpler so that consumers can really focus on the critical things that they need to decide on? and strip away from the surrounding things that may be more secondary, could be more consistent and make the decision more meaningful and
more powerful? in addition to those rights. >> thank you. chair, i yield to the ranking member, the gentleman from ohio, mr. davidson, for five minutes. >> i thank the chairman, i thank our witnesses, i appreciate not only your verbal but also your written testimony. and the preparation you've done. mr. smith, a november 2019 survey by the clearinghouse found that 80% of financial app users were not aware that apps may use third parties to access consumer financial information. from your experience, can you speak to the progress made in the fintech that would improve consumer awareness of how data is being used? >> yes. thank you very much. with respect to the issue surrounding consent and knowledge of consent, a lot of progress has been made. specifically, for example, finicity makes it very clear
that finicity is a service provider in the middle of the consented process between the consumer and the financial services provider that holds their data. the fdx organization is also putting in place a working group and has promoted standards, ui standards that make it very clear that how to use consent or how to apply consent in a best practice format. it also makes very clear, the players that are involved. and i would just say that finicity together with several others, including data holders and providers, have started implementing at pace dashboards that allow consumers to understand who is involved in the consent process. >> thank you for that, and just highlighting the consumer
friendliness, ms. cochran, your testimony highlighted the consumer friendly nature that is so important. a lot of times people say in industry, well, it's in our terms and conditions. and if you pointed out, it's 400 pages. and sure, yes, he acknowledged it. but could you elaborate on that and how we can do this -- i will come to you next mr. carpenter. because some of the things you both dealt with, are how gdpr is being applied versus really our inaction in america on privacy. >> so yes. there is some academic research that i think shows how consumers would have to spend 25 days a year reading all of the disclosures that they get on digital data, across all sectors, not just financial, but it's really incredible. so clearly we need to get much crisper and more customer friendly about the disclosures being done, to make them really effective, just in time adapted
to digital formats. a lot of people will read things over the phone, without thinking through those questions. as i said before, we also need to think about what we are asking to do more consumer control and give more questions at different times. so there's a real challenge, disclosure 30 can be helpful in this space. and there are already some industry efforts. but we know that there are broader questions about overload and that's one of the biggest challenges that we face to make that meaningful and manageable and quick. >> thank you. i think you also touched on the fact that some things have to be off the table. it's a tactic, but not actually
real consent or choice for consumers. mr. carpenter, one concept is data minimization, or the idea that companies should collect minimal data to provide proper service. on the other hand, many businesses collect data that's not tied to the volume of service. perhaps they want to use that for resale. there is no end to the amount of data some companies want to collect. mr. smith, you've made that reference that there are trade-offs. i was pleased that you concluded that the fourth amendment is not for sale. can you touch on how to strike that balance and where regulators can help do that? >> thank you, congressman davidson. data minimization is something we are looking at in terms of defining and screen scraping
provides consumer control over data sharing. you are sharing everything you can see, and you do have the ability to limit the data that you share for a given purpose. we have internal cases that are used for certification on the back end to assure the implementation as certifiable. the question is what do we do on the consumer front end. that is the area we are looking into. awareness is one of our five principles, consumer learned. we are defining the user experience. we are looking at it both on the front end. how many screens does it take before a consumer drops out because there's too many questions? also, it's through the dashboards, not just a one-time awareness, but ongoing. thank you for that. >> the chair now recognizes the
counselor from new york for five minutes. >> thank you, mister chair. i have a real concern that the biggest thing -- stifling competition and choice under the guise of consumer protection and cybersecurity. there are legitimate cybersecurity concerns surrounding issues of data, but those concerns are best addressed not by allowing big banks to hoard financial information for themselves, but by regulating data aggregators and protecting consumers. i disagree with the earlier statement that standards should be left to the industry, because the big banks are not interested arbiters in what is best for consumers. banks have a vested interest in maintaining their oligopoly on information. is it fair to say big banks have a conflict of interest, and therefore, cannot be trusted to make disinterested
determinations? >> thank you for the question, representative. certainly, consumer advocates are very concerned about ensuring consumers do have the ability to share the data when they have meaningful opportunities to consent. one of the things used early on as a tactic is to tell consumers, if you share this data there's screen scraping and unauthorized use and you will be on the hook, which we thought was terrible. the last person that should suffer a loss if there is some sort of data breach or unauthorized access is the consumer themselves. we've got regulations for that. it's not the consumer that
should suffer the loss. there's been more cooperation, but ultimately, there needs to be regulation. if we can't get rid of screen scraping, that's not going to happen until you have agreements on all these positions. >> nor would you just add a couple of thoughts? there are competitive tensions all over this market, banks, non banks. they intersect in very complicated ways. it's so important for regulators to set parameters, so that industry can focus on implementing an efficient way that benefits everyone. the other thing i think is really important here is
interagency coordination, because concerns about liability are legitimate, open questions in this marketplace that affect everyone, and getting better answers to those questions and getting better answers for a third-party service obligations intersect with competitive interests. so if we can settle the regulatory question, that could be coupled and these dynamics can feed each other in ways that tend to slow the process of the overall system and reduced benefits for competition. >> thank you. i certainly agree there should be regulation. as i've said, there are legitimate concerns about cybersecurity, and concerns that data regulators are largely unregulated and unsupervised. my question for mr. smith, i'm curious to know your obligation as a data aggregator. do you have an obligation to provide accurate data and correct inaccuracies?
do you have a legal obligation to do so? >> we maintain a cra status. we are regulated under that. we also signed a number of bilateral agreements with leading financial institutions that require us to maintain certain aspects. and we maintain compliance to state and federal consumer privacy, and also maintain compliance. that is the scope of the regulatory framework. >> i have a question for mr. carpenter. i'm concerned about screen scraping, because it involves the use of login credentials. what's the timeline for a full transition? >> that's a great question. i wish i had a clear answer to give. you have to think about, there is a long tail in the u.s. while the biggest financial
institutions usually invest in technologies that are quickly able to move to api, a lot of community financial institutions are usually using a technology core provider. they are waiting for the core provider to give api access, or essentially level the playing field across all institutions. bringing the core providers in, we have several brought in to ensure there is not a gap between the large and the small. but with any technology transition, we often talk about that chip card transition. there were a lot of different things that had to be accomplished along the way before you could declare success. my time has expired. thank you. >> the gentleman from new york yields back. the chair record -- five minutes. >> thank you, mister chairman. thank you to all of our
witnesses today. an interesting discussion we are having here. whenever i discuss screen scraping with my constituents, i explain to them what it is and they are aghast. they are absolutely horrified. when they give an okay to a third party, to their utility company to direct draft off their bank account, they wind up with a third party having access to their account. they are horrified this has happened. to me, why do we allow that? why do we not have a separate agreement that says, if you are going to be able to screen scrape and saw that information, that the individual has to have a separate agreement with a separate company, or with a company that will have a separate agreement that allows them to do that, and then pay them for the information? why is that not a viable option, mr. carpenter?
>> thank you, congressman luetkemeyer. we have to think about the context of screen scraping. it's not a perfect technology. it has a lot of issues. it's also what's delivered the innovation we have today in the competitive financial services market. without the ability to access and share your own data via screen scraping, while not perfect, we would not have had the explosion of competition in the financial services industry. but mr. carpenter, let's be honest. this is all without the consumers' knowledge. most consumers, i guarantee you, mr. smith made a comment about 84% of people not knowing what was going on, or didn't approve. >> i think that was it. referring to pch. a survey from two years ago. >> but most people don't approve of what you are doing. they don't approve of screen scraping. so we are sitting here, making assumptions that everyone thinks it's okay. i'm telling you, people don't
believe it's okay. therefore we need to take a different perspective on this and say, whoa, okay, firstly you protect people's privacy and information, at least be honest with them and up front and say this is what is happening with your information. and how people are accessing it, and don't's to you. we are approaching this from the wrong angle. if people want to allow for screen scraping, that's fine. it's an individual decision. they cannot allow other companies to have access. that's fine. but most people do not know it is going on. and would be very reluctant to sign a form saying it's okay to do that. my question is, why can't we do that? why can't we have the company be honest and say, a separate, completely different form, and i understand ms. cochran, we will have another screen.
but they should be in bright red ladders, over your screen, that says, when you signed this agreement, you will give access to screen scrapers of the world. and this is different from having a third party give access to your account. >> that's exactly what we are doing, to move to an api around where instead of giving logging credentials, actually being taken to financial data provider or financial institution, you are logging in, you are permission-ing your data there, and then being handed back with a token-ing or a key. so api does completely circumvent the sharing of logging credentials. the industry is moving in that direction. 22 million consumers have been transition to the fdx api. it does take time. you can't flip that switch overnight and cut off access to consumer data sharing that they
have. and i think -- >> whoa, time out. you missed my whole point by last comment. people are unaware that this is going on. why are you allowing it to continue? shouldn't we, as congress, or cfpb as regulator say, whoa, people are not going on. they should be told. there should be options presented. why can't that be done right now? why are you allowing it to continue when we know that people don't know? >> i would just say -- >> if i may, this is one where we completely agree. you and i are on the same page. we think that this standard is not acceptable. we need meaningful, informed, separate dashboard web page consent. and not just a yes or no. how much information to share and how long. i understand information
overload, it's something we are worried about too. and how you design the consent is very important. that's something that fdx and others are working on so that it's easy. but a yes no decision would be easy, would prevent overload, but it wouldn't maximize control. and we think consumers should have maximum control over their own data. >> i see my time has expired. i yield back. >> the gentleman yields back. the chair is pleased to welcome the chairwoman of the full committee, the gentlelady of the full committee, miss waters, for five minutes. >> thank you so much, mr. lynch. i certainly appreciate this hearing. it's very important. and it seems as if i am agreeing with luetkemeyer for the first time since we have served on this committee together. >> isn't that overwhelming feeling? >> [laughs] well, i want to make sure. this may have been discussed before i came in. but i want to know about opt
out as opposed to opt in. i get, you know, from people i do business with, whatever. something in small writing on page 15, somewhere. that says, you know, if you want to opt out you've got to let us know. and so most people don't pay attention to that. they don't even know what is meant by it. and so if you don't opt out the information is shared with the third party. third-party shares the information, somebody else shares the information, then you get all the solicitations. and people who are not only soliciting you for their products, we don't know anything about those firms. and what protections we have. so this is very simple to me. mr. luetkemeyer asked, why don't we just change it? make sure the consumer knows?
you talked about it a little differently. but my question is simple. why don't we just change the law or make a law that says, you can't simply offer to opt out on page 31. and if you don't do it, the information is going to be shared. mr. carpenter? >> yes ma'am. madam chairwoman, thank you for the question. i want to be clear, up front. i am not sticking up for screen scraping in its current manner. our entire organization's mission is to move to a new api standard. in terms of your question, everything that happens with consumer permission data sharing is directed. it is that opt in, directed by the consumer. they are the ones that download the app to start with. they are the ones that go to their financial institution to permission their data. so none of what we are doing with fdx is taking a consumer data without permission or
consent. >> mrs. cochran. >> i think this is an incredibly important issue. i think it cuts across the fair credit reporting act. right now we have several laws that don't require consent at all. they address those purposes and say companies can use the most [inaudible] . we have laws which line opt out consent. and with 1033 we have a regime where the consumer has said yes to turn it on. so all three uses in our consumer system, we know that consumers are overloaded. we know that the balance between how we do consent well, whether consumers really understand it are making the decisions they intend to make. and how do we, in some cases maybe define it as permissible so that they don't have to define everything on a company by company or product by product basis. that's why this is so complicated.
and it requires pushing more broadly even beyond 1033 to get to the answers. >> and what is your recommendation? >> there's a lot of evidence that opt out consent is very sticky. that consumers don't tend to see it, they may not be reading those regimes. so i think that one in the middle is particularly tricky category. we know that in gdpr and some other jurisdictions, people are starting to look more at purpose regulations so that consumers don't have to decide everything, whether gradations through how many things they are being asked deciding one quickly in one setting. and we are looking at both of those options, it's helpful. >> i want to be very clear that on the opt-out opportunity, if you do nothing, that means that you opted in. is that right? >> yes. >> something is wrong with that. >> thank you, i yield back the balance of my time. >> i'm going to yield to mr.
carillo to ask him to offer his observations on this. >> mr. carillo you are recognized. >> thank you very much. and thank you for the question. i think that regulation is necessary at this point. we need to go beyond the opt-out consent. it is possible without with these laws, to allow for quick contracts and the national consumer law center has noted, that company's ability to harvest data, based on the agreement, the data is far more than what was intended by the consumer. so the agreement between the consumer and the company is not sufficient. we need to establish a longer list of how companies can use data and to white and. it's still a tricky question. but it's a better frame to look at this from a broader perspective of public policy,
rather than identifying what consumers understand and not in one agreement. >> i thank the gentleman. the chair now recognizes the chair from georgia, who is also the vice chair of oversight and investigations. she is now recognized for five minutes. >> thank you mister chairman. thank you for holding this hearing today for this important task force. anyone who has followed my work in congress knows that the racial wealth gap in my home of atlanta is unfortunately the worst in the nation. it's a focus for all of my policy work, especially my work in the financial services committee. in congress we have to be sure that financial integration proceeds in a way that does not have benefits flow to the few but to all. today i'd like to focus on how we ensure personal data is not used to reinforce disparities. and the policies that we pursue
will make progress to a policy that is inclusive for all. ms. wu, in your testimony, you mentioned that we need to be preventing disparate impact when it comes to data use for credit purposes. could you elaborate on what could be put in place to make sure we are picking up on any patterns of disparate impact? how can congress be sure we are addressing any issues that are needed and make sure cfpb and other agencies are writing appropriate rules of the road? >> thank you for the question, congresswoman. certainly, whatever big data sets are used, whether it's new data, like cash flow information, or old-fashioned credit reports, one of the things you want to look for is racial disparities and disparate impacts. we know credit reports and
credit scores exhibit huge racial disparities. cash flow information shows it may be more promising, but it's still going to show racial disparities. why? a number of reasons. it still reflects racial disparities in our society. second of all, overdraft. it will never be able to benefit consumers of color until we get rid of overdraft abuses. with respect to big data sets, one of the things we've seen is they are not free of racial disparities. they reflect back what exists.
if you take a data set that has racial disparities and you have the model learn from it it will replicate the same bias. but it's all a reflection of underlying data that's a reflection of the inequalities in our society. we need to be aware of that. the unequal position of african americans and latinx consumers is perpetuated intentionally. we will not deal with that until we intentionally try to trust them consciously. if we say let's treat everyone equally, that's not equity. that won't do it. >> you just mentioned black consumers are impacted by overdraft practices and that we should keep this related to consumer data.
how could greater use of no fee accounts underline the disparity? can you tell us the importance that informs the data of being used? >> certainly, there have been a lot of efforts to provide bank accounts for folks who struggle with overdraft debt. and there's been efforts by organizations to promote banking that are very helpful, and yet you can't get cash flow if you don't even have a bank account. we know lots of low income and minority consumers are driven out of the banking system by overdraft abuses. efforts to get consumers into
bank accounts that are low fee and safe are very important. more important is congressional action to tamp down on overdraft abuses and make sure they don't hit all sectors, not just the ones able to benefit from no fee. >> thank you, and i am out of time. i do have another question around technology and broadband access. i hope one of our esteemed panelists can get some answers on that. thank you and i yield back. >> we welcome her questions and the chair now recognizes the gentleman from wisconsin for five minutes. >> thank you, mister chairman. mr. carpenter, i'd like to dive into your testimony. you talked about the what's and the how of open banking, the what being the question of what data is shared and under which agreements, and the how is a
technological question. i'd love to have you speak to, what is the appropriate role of the federal government in helping to address those two questions you posed. >> i wish i had the perfect dividing line for you. i think what has happened in the u.s. is many will say the u.s. is so behind on open banking. the truth is, we are in front. if you look at the number of consumers who have access to data, the ability to use it, we are leading the world in that regard. i would argue the cfpb and other regulators have taken an appropriate time to watch the industry mature. that said, where there are friction points, the federal government may need to step in to decide some of these issues. industry standards couldn't do a lot, but we are not a silver bullet. i think where the government
might see friction between the industry and the inability to come to a decision on the scope of data, it may be a role for the federal government to step in. >> can you give us a thought as to what the appropriate role of the federal government is? >> when you take a look at some of the conflicting aspects of this, as i spoke to in my testimony, you often run into situations where, financial institutions, and rightly so, are very concerned and very focused on making settlements. that gives way to data security. it's a way to put limitations on the types of data that might be accessible. when you look at access, regulation would be helpful. clarity would be helpful to
determine types of data and scope of data that can be accessed for particular use cases, for example. these are the kinds of things that i would just say, we've signed bilateral agreements with financial institutions. by the end of this year, we'll have greater than 60% of our data flowing through our access pipes, through api integrations. it is an authentication methodology. and further, in the pipeline, we will have another 20% focused on integration development. these are the key issues we are dealing with. >> let me build on that a little bit. you comment on some other countries and their open banking policies.
looking at what other governments have done as far as government intervention in the private market, what lessons learned can we have about the appropriate role of government regulation? >> mr. carpenter's comments, the u.s. has been leading from an innovation perspective, and has had more of a wait and see attitude from a regulatory perspective, -- >> in knowing that, they have been more proactive, your term. what is the lesson learned from that? >> i think there is benefit in understanding what the value proposition is, and informing regulation around ensuring consumers are not harmed in any way. >> let me jump back to you, mr. carpenter.
what lessons do you see from government intervention in foreign countries? >> the lesson learned is you can't go with all one approach. there needs to be a hybrid approach. you have an entirely regulatory dictated system, and you end up with compliance versus meeting the needs of the market. standards are able to follow consumer demand to where the market needs standardization. it doesn't mean there may not be room for principles based regulation. i would argue that what we've seen is you probably need a mix of everything. >> thank you. my apologies for the time. i yield back. >> the gentleman yields back. together with the ranking members, i'd like to thank our witnesses for the testimony today. without objection, all members will have five legislative days to submit additional questions,
which will be added to the record. i ask witnesses to respond as promptly as you are able. we expect questions. all members will have five legislative days within which to submit material for inclusion in the record. questions should be submitted to the email address provided to your offices. this hearing is now adjourned. thank you.