[Senate Hearing 115-380]
[From the U.S. Government Publishing Office]

S. Hrg. 115-380

FINTECH: EXAMINING DIGITIZATION, DATA, AND TECHNOLOGY

=======================================================================

HEARING
BEFORE THE
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
ON
EXAMINING FURTHER THE DIGITIZATION, DATA, AND TECHNOLOGY ASPECTS OF FINTECH

__________

SEPTEMBER 18, 2018

__________

Printed for the use of the Committee on Banking, Housing, and Urban Affairs

Available at: http://www.govinfo.gov/

__________

U.S. GOVERNMENT PUBLISHING OFFICE
32-753 PDF WASHINGTON : 2018

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama         SHERROD BROWN, Ohio
BOB CORKER, Tennessee              JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania    ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                JON TESTER, Montana
TIM SCOTT, South Carolina          MARK R. WARNER, Virginia
BEN SASSE, Nebraska                ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas               HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota          JOE DONNELLY, Indiana
DAVID PERDUE, Georgia              BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina        CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana            CATHERINE CORTEZ MASTO, Nevada
JERRY MORAN, Kansas                DOUG JONES, Alabama

Gregg Richard, Staff Director
Mark Powden, Democratic Staff Director
Joe Carapiet, Chief Counsel
Kristine Johnson, Economist
Laura Swanson, Democratic Deputy Staff Director
Elisha Tuku, Democratic Chief Counsel
Dawn Ratliff, Chief Clerk
Cameron Ricker, Deputy Clerk
James Guiliano, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor

C O N T E N T S

----------

TUESDAY, SEPTEMBER 18, 2018

Opening statement of Chairman Crapo
    Prepared statement
Opening statements, comments, or prepared statements of:
    Senator Brown
        Prepared statement

WITNESSES

Steven Boms, President, Allon Advocacy, LLC, on behalf of Consumer Financial Data Rights
    Prepared statement
    Responses to written questions of:
        Senator Brown
        Senator Scott
Stuart Rubinstein, President, Fidelity Wealth Technologies, and Head of Data Aggregation
    Prepared statement
Brian Knight, Director, Innovation and Governance Program, Mercatus Center at George Mason University
    Prepared statement
    Responses to written questions of:
        Senator Brown
        Senator Heller
Saule T. Omarova, Professor of Law, and Director, Jack Clarke Program on Law and Regulations of Financial Institutions and Markets, Cornell University
    Prepared statement
    Responses to written questions of:
        Senator Reed

Additional Material Supplied for the Record

Letter From The American Academy of Actuaries Submitted by Chairman Mike Crapo
Statement From Financial Innovation Now Submitted by Chairman Mike Crapo
Letter From Electronic Privacy Information Center Submitted by Senator Sherrod Brown
Statement Submitted by Independent Community Bankers of America

FINTECH: EXAMINING DIGITIZATION, DATA, AND TECHNOLOGY

----------

TUESDAY, SEPTEMBER 18, 2018

U.S. Senate,
Committee on Banking, Housing, and Urban Affairs,
Washington, DC.

The Committee met at 10:01 a.m., in room SD-538, Dirksen Senate Office Building, Hon. Mike Crapo, Chairman of the Committee, presiding.

OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

Chairman Crapo. This hearing will come to order. Today we will hear four very unique perspectives on a segment of financial technology, or ``FinTech.'' Almost exactly 1 year ago, the Committee held a hearing to explore the various sectors and applications of FinTech. In the short time period between that hearing and this one, many developments and innovations have occurred, both in the private sector and on the regulatory front. Digitization and data, in particular, are constantly evolving, challenging the way we have traditionally approached and conducted oversight of the financial services sector. As technology has developed and the ability to readily and cheaply interact with and use data has flourished, we have experienced a sort of revolution in the digital era.
This digital revolution brings with it the promise of increasing consumer choice, inclusion, and economic prosperity, among other things. Less than a decade ago, the concept of mobile banking, a simple transaction, was relatively new. Now consumers have countless options by which to interact with and access their financial information and conduct transactions. As this marketplace rapidly develops, so must we constantly evaluate our regulatory and oversight framework, much of which was designed prior to the digital era. To the extent that there are improvements that can be made to better foster and not stifle innovation, we should examine those. Although these technological developments are incredibly positive, the increased digitization and ease of collecting, storing, and using data presents a new set of challenges and requires our vigilance. Many products and services in the FinTech sector revolve around big data analytics, data aggregation, and other technologies that make use of consumer data. Oftentimes these processes operate in the background, and are not always completely transparent to consumers. It is important for consumers to know when their data is being collected and how it is being used. It is equally important for the companies and the Government alike to act responsibly with this data and ensure that it is protected. As we have seen in recent years, this can be a challenging task. In order to fully embrace the immense benefits that can result from technological innovation, we must ensure that proper safeguards are in place and consumers are fully informed. Today I hope to hear from our witnesses about the ways in which FinTech is changing the financial sector and the improvements that can be made to ensure the regulatory landscape welcomes that innovation; what kind of data is being collected and used and how such data is secured and protected; and what the opportunities and challenges are going forward. Senator Brown. 
OPENING STATEMENT OF SENATOR SHERROD BROWN

Senator Brown. Thank you, Mr. Chairman. In the run-up to the financial crisis, Wall Street banks bragged about innovations that they claimed made the financial system less risky and credit more affordable. Some of these innovations were in consumer products, like interest-only subprime mortgages. Other innovations were happening behind the scenes, like the growth in risky collateralized debt obligations and credit default swaps. According to the banks, technological advances like increased computing power and information sharing through the Internet allowed financial institutions to calculate and mitigate the risks of these complex financial innovations. In Washington, banks told lawmakers that regulation would hold back progress--they say that often on many issues--and make credit more expensive for consumers. Rather than look at financial technology with an eye to the risks, Federal banking supervisors repealed safety and soundness protections, and they used their authority to override consumer protection laws in several States. Eventually, so-called financial innovations led to the biggest economic disaster in almost a century, costing millions of Americans their homes, their jobs, and much of their savings. Criticizing the bankers and regulators who lost sight of the enormous risks that came with these new innovations, former Fed Chair Paul Volcker declared, ``The ATM has been the only useful innovation in banking for the past 20 years.'' I am more optimistic about some new technologies benefiting consumers rather than just lining Wall Street's pockets, but I think we should look at this Treasury report with the same level of skepticism. Rather than learn from past mistakes, the Treasury report embraces the shortsightedness of precrisis regulators.
It exalts the benefits of ``financial innovation,'' describes Federal and State regulation as ``cumbersome'' or as ``barriers to innovation,'' and recommends gutting important consumer protections, like the CFPB's payday lending rule. It even suggests stripping away what little control we as consumers now have over our own personal financial data, just a year after Equifax put 148 million Americans' identities at risk, 5 million in my State alone. Just like a dozen years ago, Wall Street banks and big companies are making record profits, but working families are struggling just to get by. Student loan debt is at record levels; credit card defaults are rising. Worker pay is not keeping up with inflation--comments from the Administration notwithstanding--but we have managed to cut taxes for the richest Americans while CEOs and shareholders have reaped huge windfalls through over half a trillion dollars in stock buybacks. Plenty of financial institutions are adopting new technologies without running afoul of the law. Rather than focusing on how we can weaken the rules for a handful of companies who prefer to be called ``FinTechs'' rather than ``payday lenders,'' or ``data aggregators'' rather than ``consumer reporting bureaus,'' Treasury should be focused on policies that help working families. This is not a partisan issue for me. I raised concerns about relaxing the rules for FinTech firms when Comptroller Curry, appointed by President Obama, suggested a special ``FinTech'' charter almost 2 years ago. The new leaders at the Federal Reserve, the OCC, the FDIC, and the CFPB have already made it clear that they are ready to give Wall Street whatever it asks for. And they never have enough. And the recommendations in this report call for more handouts for financial firms, FinTech or otherwise. 
I am interested, however, to hear from our witnesses about how new financial technologies could increase our control over our own information, better protect against cyberattacks, or make it easier for lenders to ensure they are following the law. And as traditional banks partner with technology firms, I think it is important for the Committee to consider where gaps in regulation might lead to future systemic risks. Thank you, Mr. Chairman, for holding the hearing.

Chairman Crapo. Thank you, Senator Brown. And I agree with you this is not a partisan issue. We all want to get the benefits of what can be developed with this kind of increase in technological capacity. But there is significant concern about privacy and protection of data of our consumers that is agreed to on both sides of the aisle here, I believe. We welcome our witnesses here with us today. We have Mr. Steven Boms, the president of Allon Advocacy, on behalf of the Consumer Financial Data Rights association; Mr. Stuart Rubinstein, president of Fidelity Wealth Technologies; Mr. Brian Knight, director of the Innovation and Governance Program at Mercatus Center at George Mason University; and Ms. Saule Omarova, who is a professor of law and director of the Jack Clarke Program on the Law and Regulation of Financial Institutions and Markets at Cornell University. We again welcome all of you. We appreciate your being here to share your expertise with us. Your written statements will be made a part of the record. We ask you to please be very careful to pay attention to the 5-minute clock for your oral comments and as you are engaged in questioning. The Senators have a 5-minute clock, too, and sometimes they run right up to the last second for their last question, and when that happens, I ask you to be prompt in your responses to those questions. With that, Mr. Boms, you may begin.

STATEMENT OF STEVEN BOMS, PRESIDENT, ALLON ADVOCACY, LLC, ON BEHALF OF CONSUMER FINANCIAL DATA RIGHTS

Mr. Boms. Thank you, Mr.
Chairman. Chairman Crapo, Ranking Member Brown, and Members of the Committee, thank you for this opportunity to testify today on behalf of the Consumer Financial Data Rights, or CFDR, Group, a consortium of approximately 50 aggregators and FinTech firms united behind consumers' rights to access their financial data. My testimony this morning also represents the views of the Financial Data and Technology Association, or FDATA, of North America, which is the trade association urging the adoption of an open banking-like regime in the U.S., Canada, and Mexico. The CFDR Group and its members consulted frequently with the Treasury Department as it considered the current state of the FinTech market. Our engagement was principally focused on the crucial issue of consumer-permissioned financial data, which was an area of emphasis in the Department's report and which I would like to focus on today. A recent White House study concluded that 20 percent of adult Americans are underbanked by the traditional financial services system and almost 9 million households are entirely unbanked. For these consumers, third-party, technology-based tools can provide vital, affordable access to a financial system that has left them behind. These tools also help other Americans address the growing complexity of the financial system. Most consumers have multiple accounts across a variety of products providers. The most basic, fundamental first step toward financial health--understanding what one has and what one owes--can be needlessly difficult. Technology-powered tools can provide intuitive, accessible platforms that enable even the least financially savvy among us to manage their finances and improve their economic outcomes. The lifeblood of these tools is user-permissioned data access: the right of the consumer or the small business to affirmatively grant access to the application of their choice to connect to or see the financial data. 
Unlike in other jurisdictions globally, there is no legal requirement in the United States stipulating that a financial institution must make the consumer's or small business' financial data it holds available to a third party when the customer provides consent or whether restrictions on the consumer's access to that data are permissible. Consumers are dependent on the financial services providers with which they do business, with disparate outcomes for Americans who bank with different financial institutions. The lack of a cohesive framework also threatens American competitiveness and financial innovation internationally. The Treasury Department identified the key outstanding issues with regard to user-permissioned data access. I briefly highlight five Treasury recommendations for the Committee's consideration here, noting that I provide significantly more reaction in my written testimony.

Number one, the Bureau of Consumer Financial Protection should affirm that third parties properly authorized by consumers fall within the definition of ``consumer'' for the purpose of obtaining access to financial account and transaction data. Though it may seem self-evident, Section 1033 of Dodd-Frank provides that the Bureau has the authority to promulgate a rule to ensure end users have electronic access to their online data. But the Bureau has thus far declined to do so. Treasury's affirmation that Dodd-Frank provides this right to consumers and small businesses, even in the absence of a Bureau rulemaking, represents a significant victory for innovation and for consumer and small business financial empowerment.

Number two, all regulators should recognize the benefits of consumer access to financial account and transaction data in electronic form. One of the systemic disadvantages facing the FinTech ecosystem in the United States is the immense relative regulatory fragmentation that exists.
There are at least eight Federal regulatory agencies with jurisdiction over some portion of financial data access. There are, of course, also State regulatory authorities. Treasury has called for all agencies to align behind its interpretation of Dodd-Frank Section 1033 as an important step toward a level playing field and one that could be hastened by congressional engagement.

Number three, the Bureau should work with the private sector to develop best practices on disclosures and terms and conditions regarding consumers' use of products and services. The United Kingdom's Open Banking architecture includes prescriptive consent flows that ensure that a consumer's or a small business' experience granting or revoking consent to access their data to any third party is uniform. These open banking consent standards are an excellent starting point for creating best practices in the U.S. market.

Number four, a solution must address resolution of liability for data access. The CFDR earlier this year released a set of principles, Secure Open Data Access, or SODA, which called for traceability, minimum cyberliability insurance standards, and other standards designed to ensure that the entity responsible for consumer financial loss as a result of a breach--be it a bank, an aggregator, or a FinTech firm--is the entity charged with making the end user whole for direct losses resulting from that breach. While CFDR members are implementing these principles, regulatory agencies and Treasury could augment and assist this work by undertaking efforts to create a more vibrant and affordable cyberliability insurance market.

Number five, address the standardization of data elements as part of improving consumers' access to their data. While the CFDR Group and FDATA North America wholeheartedly agree with the Department's recommendation, I would respectfully submit an addendum.
The standardization of data elements should be made available to the consumer to permit access to third parties of their choosing so that all data elements available to the end user in their native online banking environment is also available to the third party if the consumer consents. This approach would fully enable end users to leverage their own financial data to their economic benefit, and it would allow for the realization of a competitive, free marketplace in which consumers have full transparency into financial products and services offered by FinTech providers and financial services firms alike. Thank you again for this opportunity to testify. Though tens of millions of American consumers and small businesses are already utilizing third-party tools to improve their financial well-being, more can be done to harness the power of innovation safely and securely. We stand ready to work with this Committee to identify and implement Treasury's recommendations. Thank you.

Chairman Crapo. Thank you, Mr. Boms. Mr. Rubinstein.

STATEMENT OF STUART RUBINSTEIN, PRESIDENT, FIDELITY WEALTH TECHNOLOGIES, AND HEAD OF DATA AGGREGATION

Mr. Rubinstein. Thank you, Chairman Crapo, Ranking Member Brown, and Members of the Committee. My name is Stuart Rubinstein. I am president of Fidelity Wealth Technologies and head of Data Aggregation at Fidelity Investments. Fidelity is a leading provider of investment management, retirement planning, brokerage, and other financial services to more than 30 million individuals, institutions, and intermediaries with more than $7 trillion in assets under administration. We are strong supporters of FinTechs and are a major FinTech investor. I am appearing today to represent Fidelity with a specific focus on the topic of financial data aggregation. At Fidelity, we have a unique perspective. We are an aggregator ourselves, and we are also a source of data to aggregators who act on behalf of our customers.
Fidelity is a strong believer in the benefits our customers receive when they can see a consolidated picture of their finances through aggregated data. We have offered aggregation services to our customers for well over a decade, and our customers have been able to access their Fidelity data through various third parties since the 1990s. But the cybersecurity environment has changed over time, and risks have become far more pronounced and must be addressed. First, most financial data aggregation that occurs today requires consumers to disclose their financial institution's user name and password to the third-party aggregator or FinTech. While this process may have worked in the past, it is now antiquated as there are new technologies that eliminate any such requirement. Because cybersecurity is of paramount importance, we believe that customers should not have to disclose their user name and password in order to access any third-party service. Second, aggregators using credentials may have access to an entire website or mobile app, which means they can access more data than may be necessary to provide their services. For example, a simple app that tracks your spending does not need to know your investment holdings, but it will have access to that under the current methods. Because of the advancement of cyberthreats, Fidelity and others in the industry have worked hard on developing a different approach to data aggregation that helps to protect consumers. At Fidelity, we have developed what we believe are five principles for empowering consumers to share their data safely with third parties. First, consumers should be able to access their financial account data where they want it and when they want it and through third parties if they so desire. The question becomes not if they can do it, but how. Two, access must be provided in a safe, secure, and transparent manner. 
Three, consumers should provide affirmative consent and directly instruct their financial institution to share data with specific third parties. Four, third parties should access only the financial data that they need to provide their product or service. This should not be a Trojan horse for the gathering, accumulating, and reselling of consumer data. And, five, consumers should be able to monitor those account access rights and direct their financial institution to revoke that if they so desire. In an effort to back up these words with actions, Fidelity announced in November of 2017 a new service based on these principles called ``Fidelity Access.'' Fidelity Access will allow Fidelity customers to provide third-party access to customer data through a secure connection without providing log-in credentials to any third party. We have also been working with policymakers and industry groups to advance these principles and are pleased that many have taken thoughtful approaches to this problem. Finally, I would be remiss if I did not mention the most difficult issue standing in the way of wider adoption of safer data-sharing technologies: the issue of responsibility. We believe companies that collect and handle financial data should be responsible for protecting that data and making customers whole if misuse, fraud, or theft occurs. As we have been discussing Fidelity Access, we have seen aggregators try to limit their liability, some to very small dollar amounts. Fidelity believes firms that obtain and handle consumer aggregated data should be held responsible to protect that data from unauthorized use just as we are. Any other standard creates moral hazard and does not incentivize aggregators to take their data stewardship responsibilities seriously. Thank you again for the opportunity to testify before you today. I look forward to answering your questions.

Chairman Crapo. Thank you, Mr. Rubinstein. Mr. Knight.
STATEMENT OF BRIAN KNIGHT, DIRECTOR, INNOVATION AND GOVERNANCE PROGRAM, MERCATUS CENTER AT GEORGE MASON UNIVERSITY

Mr. Knight. Thank you, Chairman Crapo, Ranking Member Brown, and Members of the Committee. My name is Brian Knight, and I am the director of the Innovation and Governance Program at the Mercatus Center. Whether it is a loan to deal with an emergency, moving money to a loved one in need, or capital to build a business, access to high-quality financial services is essential. Technological innovation in financial services, or FinTech, has the potential to significantly improve this access. As the Treasury Department notes, one area where technology may dramatically change financial services is in the collection and use of data. Technology advances allow financial services firms to obtain more data from consumers and process the data in new ways, with the goal of providing more accessible, inclusive, and cost-effective options. While it is early, there are encouraging signs that innovation is, in fact, helping consumers. These include innovative products giving consumers more transparency as to their finances and allowing lenders to offer potential borrowers better-quality credit through innovative underwriting. There is also indication that technology is making credit markets less discriminatory. This is promising. But there have also been concerns raised about potential risks to consumers, including risks of privacy and discrimination. These concerns should be taken seriously, and we should react appropriately. But we should be loath to rush into regulation without being certain that new regulation is necessary. As we assess what the Government response to technological innovation should be, we should keep a few things in mind. First, we should judge an innovation compared to the status quo, not perfection. Innovative financial service products will not be perfect, but they may be better than the alternative.
Imposing unduly burdensome regulation that hampers innovation and competition may ultimately be more harmful to the very consumers that regulation seeks to protect. Second, we should acknowledge that existing regulations may address new risks. For example, the requirement that a lender be able to explain why it took an adverse action could mitigate against a concern that algorithmic underwriting will be unduly opaque. There are existing regulatory incentives as well as market incentives for companies to ensure their products are fair and appropriately transparent. Third, we should be open to the possibility that in some cases the current regulatory system is, in fact, overly burdensome. There may be cases where the costs of regulation now exceed the potential benefits or where a regulatory structure that made sense in the past has been overtaken by market developments. This does not mean that new regulation may not sometimes be needed, but as technology changes what is possible with financial services, the optimal level or type of regulation may change. FinTech offers exciting possibilities for better, cheaper, and more inclusive financial services. We should be mindful of the risks posed, but we should not overreact. Instead, we should work to ensure that the legal and regulatory system facilitates innovation and competition while preserving consumer protection so that Americans can obtain the best financial services possible. I look forward to our discussion, and thank you for your time.

Chairman Crapo. Thank you, Mr. Knight. Ms. Omarova.

STATEMENT OF SAULE T. OMAROVA, PROFESSOR OF LAW, AND DIRECTOR, JACK CLARKE PROGRAM ON LAW AND REGULATIONS OF FINANCIAL INSTITUTIONS AND MARKETS, CORNELL UNIVERSITY

Ms. Omarova. Senators, thank you for inviting me to testify here today. My written testimony lays out the details of what I have to say, so let me focus on a few big-picture points. FinTech is by far the hottest topic in today's finance.
Cryptography, cloud computing, big data analytics are changing financial markets by making transacting faster and easier to automate and scale up. We have just heard arguments emphasizing the immense societal benefits of these changes as long as FinTech innovations are not stifled by outdated regulations. Let us put these arguments in context. It is quite symbolic that we are convened here today almost exactly on the tenth anniversary of Lehman Brothers' failure that triggered the global financial crisis. I do not have to tell you, Senators, what a calamity that crisis was. You lived through that crisis. And for years before the crisis, you and your colleagues probably sat through many hearings just like this one listening to many confident and articulate gentlemen with impeccable industry credentials tell you that you should not let outdated regulations stifle financial innovation. They told you and the American public that innovative products like derivatives and subprime mortgage loans were making the financial system more efficient, resilient, and democratic by enabling better risk management, expanding consumer choices, and making credit available to low-income Americans. And so risky derivatives and predatory subprime loans were allowed to grow unregulated until they crashed the financial system 10 years ago. Today the same rhetoric of financial innovation and consumer choice that brought us the crisis of 2008 returns to the center stage in the policy debate on FinTech. Of course, this time it is different. It is not about derivatives, but about crypto assets. It is not about predatory subprime lending, but about marketplace lending--once again new technologies promising to make the system more efficient, resilient, and democratic: to expand consumer choices and to give low-income Americans access to financial services. The Treasury report adopts this rhetoric and translates it into a strategy of significant deregulation in the U.S. 
banking sector, meant to enable banks to form large-scale business partnerships and even outright corporate affiliations with technology companies. For example, the report advocates for a significant rollback of existing regulations in order to make it easier for the banks to give unaffiliated tech companies, data aggregators, cloud service providers, and various FinTech firms much more direct access to their customers' account and transactional data. Currently banks are reluctant to allow data-mining businesses to get the direct feed of their depositors' account data because regulations make banks ultimately responsible for the handling of sensitive customer information. For the same reasons of regulatory compliance and liability, banks are currently cautious about moving all of their data to the cloud operated by a third party. The Treasury characterizes this as a bottleneck in the flow of financial information and calls for a concerted regulatory effort to push banks to share their customer data and to outsource its management to third parties much more freely. The claim here is that allowing unaffiliated tech companies to access, host, and manage bank data will make financial services faster and cheaper for all consumers and give consumers control over their financial affairs. Of course, banks will benefit from being able to reduce their operational and compliance costs and potentially increasing their revenues by charging aggregators for direct feeds of customer data. And consumers will get the convenience of living in a seamless virtual space where all FinTech apps can just magically connect to all of their bank accounts. But this will also expose consumers to tremendous risks. Imagine that your personal bank account data, transaction history, and other sensitive information previously managed by your local bank is now stored in the cloud and shared directly and in real time with multiple data-collecting companies. 
These companies are not regulated under a bank-like regime with dedicated supervisors making sure that the data is safe and secure, that these companies maintain strong operational controls and do not misuse sensitive consumer information. In this environment, it is easy to imagine not just one but many Equifax-style catastrophes occurring far more frequently and with far more devastating consequences. This is, in fact, a particular kind of a broader problem that our system of bank regulation has jealously guarded against since the 19th century: the potential for excessive concentration of financial and market power, if banks are allowed to engage too intimately with nonbank commercial businesses. This separation of bank and commerce remains a core principle of U.S. banking law to this day. The Treasury report, however, calls for measures that will directly undermine this longstanding and sensible regime. What it frames as low-key technical fixes to how regulators apply banking laws is, in fact, opening the door to de facto FinTech conglomeration. If allowed, this new platform trust will be able to monopolize the flow of both money and information and effectively take control of our lives not only as economic actors but also as citizens. The American Republic of George Washington and Teddy Roosevelt was never meant to become a dystopic company town of this kind. As you are deliberating on FinTech as a public policy matter, I urge you to stand on guard and not let this become even a remote possibility. Thank you.

Chairman Crapo. Thank you, Ms. Omarova. I will start my questions with you, Mr. Knight.
While innovations in data have brought many benefits, it has also become known that firms may be, in fact I think are, using this data to drive social policy and to restrict access to entirely legal, in fact sometimes constitutionally protected conduct and do this for reasons of trying to influence social policy unrelated to safety and soundness or other concerns that would make these targeted groups unfit to do business with. Do you think this presents a problem?

Mr. Knight. Thank you, Senator. I do, and I think it presents a couple of problems. The first one, to key in on the data point, is to the extent that a financial institution is collecting data that relates to a sensitive or private matter, and particularly the more granular the data collection is, the potentially more harmful a breach would be. Information that is relatively innocuous at one level of detail can become extremely damaging at another level of detail. And, of course, depending on how much microtargeting, if you will, the bank is doing and the level of detail that the bank has stored, if that data is breached, that data is now available and people can be harmed more than had the data been recorded at a less granular level. The second and, I think, bigger issue that we are dealing with here is I think our starting point should be that a business can choose to do or not do business with anyone they want for whatever reason they want in a free market, and then we are going to narrow that for some compelling societal issues like antidiscrimination. The problem is banks are not a free market. For banks, because of public policy, there are barriers to entry; there are barriers to exit; there is significant subsidy. And so banks derive part of their market power from public power.
And so when they choose to use their market power in an effort not to do what they have been charged to do, which is effectively intermediate credit or provide savings, but instead try to insist or de facto regulate the American people in a social policy setting, they are not using their market power. They are using public power. And the people who are on the receiving end of that do not have the same market protections that they would in a freer market. You know, let us take an example of YouTube, which will periodically say, "We will not cover certain types of videos for social policy reasons." Well, you can stand up a YouTube competitor tomorrow. You do not need a Government-granted discretionary charter. And if you were to stand up a competitor to YouTube, YouTube does not get special access to Government Internet. It does not get insurance. It does not get loans from the Government. There is not a presumption that if YouTube is about ready to fail, the Government will bail it out, which is something that banks enjoy versus their nonbank competition, and that increases the ability of banks to throw market power around that is not derived from anything other than Government power.

Chairman Crapo. Well, thank you, and I share those concerns. I want to shift a little bit here, and to you, Ms. Omarova. I appreciated your testimony on some of the positive aspects that FinTech offers consumers. But some of the concerns that you raise are also concerns that I share. There is an article in today's Wall Street Journal that highlights this intersection, and this is the title of it: "Facebook and Financial Firms Tussled for Years Over Access to User Data". This follows an August article in the Wall Street Journal entitled, "Facebook to Banks: Give Us Your Data, We Will Give You Our Users". The article suggests that data privacy is a sticking point in these conversations.
Can you discuss the data privacy concerns and the need to better understand what kind of data is being collected and used and how such data is secured and protected? And I only have about a minute left in my time, so I----

Ms. Omarova. I think this article actually highlights precisely what is at stake here. This is not what the Treasury report is suggesting: it is not so much about what current data aggregators do with data today. It is about companies like Facebook, and it just shows that those big tech companies, platform companies that use information as currency in their businesses, once they get their hands on the data, on the sensitive bank customers' data, in any way for any reason, they will try to use that data to increase their revenues in a variety of spheres. And it will be extremely difficult to actually check how they use the data. They use proprietary algorithms to basically hide that from us. And who is going to oversee it? Who regulates Facebook for these kinds of issues? Nobody does. I am glad that Bank of America and Wells Fargo refused Facebook access to their bank customers' data, but I do not kid myself for a minute that they have done it out of some kind of moral respect for customer privacy. They have done it because of the regulations that apply to them today. If we remove those regulations, then all of our sensitive financial data will be open to companies like Facebook and we will not know how it will be used.

Chairman Crapo. Well, thank you, and I share those concerns as well. Mr. Rubinstein and Mr. Boms, I am out of time, but I am not out of questions for you. I might have to submit them if we do not get another opportunity. Senator Brown.

Senator Brown. Thank you, Mr. Chairman. Ms. Omarova, thank you for mentioning the tenth anniversary. There is, as I remind many of my colleagues here, a bit of collective amnesia on this dais and in this Senate, and thank you for always reminding me of that.
I have three questions I would like to get through, and I am going to start with you, Ms. Omarova, and if you would give answers as close to yes or no as you can, I will start with her on each of the questions and move from my right to my left. The Treasury Department and much of the financial industry argue that consumers should have the right to share their financial data with any third party of their choosing. Do you think this should include the right for consumers to require that a FinTech or a data aggregator erase all information at that consumer's request?

Ms. Omarova. Yes, absolutely. And, you know, we have to keep in mind, though, that this rhetoric of consumer choice and consumer's right to share the information also implies the firm's right to share their information, and that is what we need to guard against.

Senator Brown. Mr. Knight.

Mr. Knight. Yes, subject to reasonable considerations like law enforcement.

Senator Brown. OK. Mr. Rubinstein.

Mr. Rubinstein. Yes, absolutely. Consumers should understand why they are sharing their data, and share it for a specific purpose. When they no longer have that purpose, they should be able to stop sharing it and have it deleted.

Senator Brown. Mr. Boms.

Mr. Boms. Agreed, subject to applicable regulations and laws.

Senator Brown. Thanks. Ms. Omarova, it is hard for consumers to understand all the ways that financial data might be used by a company they share it with. Should there be legal limits on how aggregators use the consumer's financial information in addition to consumer identified limits?

Ms. Omarova. Yes, absolutely. Basically, data aggregators and other data platform companies like Facebook should not be allowed to engage in a form of "insider trading" once they get access to customer data in one context so they could use it in another context.

Senator Brown. Mr. Knight, legal limitations?

Mr. Knight.
I believe the limitations should revolve around disclosure and the fact that any consent is knowingly given and the consumer has rights to terminate that consent at any time.

Senator Brown. Mr. Rubinstein.

Mr. Rubinstein. Yes, I would agree with that. I think really under a disclosure with explicit consent so the consumer knows what they are getting into, really understands it, and can control it. I do not know that we need a specific legal limitation, though.

Senator Brown. Mr. Boms.

Mr. Boms. I would echo what the past gentleman said with the additional addendum, which is we as an industry, not just FinTech but the financial industry, can and should do a lot better on conspicuous disclosures.

Senator Brown. OK. So you are saying legal limits. You are saying disclosure should be the emphasis. Last question. Companies like Google and Facebook collect enormous amounts of personal information. They also influence what information consumers are exposed to. For example, Facebook might show payday loan advertisements to servicemembers or to minorities, but not its other users. Should fair lending laws be updated to cover not just providing credit products but also their targeted advertisements on social media platforms? Ms. Omarova.

Ms. Omarova. Yes, absolutely. Algorithmic opacity raises a new spectrum of discrimination concerns, and we have to guard against that.

Senator Brown. Mr. Knight.

Mr. Knight. Senator, that is a great question, and I do not know if I can give you an answer in the time limit you would want. If you would like to submit a QFR, I am happy to answer it.

Senator Brown. I will do that. Thank you. Mr. Rubinstein.

Mr. Rubinstein. Senator, I am sorry. I am not an expert in fair lending, and I probably cannot respond to that question.

Senator Brown. Could I still send a letter to you and have people at Fidelity answer it?

Mr. Rubinstein. You can send the letter. We can try.
We are not lenders, so I do not know that we would have a good answer on that one for you.

Senator Brown. OK. Mr. Boms.

Mr. Boms. Senator, I would echo, I would be happy to respond in writing. It is not something that we have discussed with our members.

Senator Brown. OK. Fourth question. Thanks for your promptness, all of you. The biggest four banks control about 45 percent of bank assets. According to your testimony, Facebook and Google together capture between 59 and 73 percent of the online advertising revenue in the U.S. Do you think the Treasury report's recommendation, which many of you have cited favorably, would benefit the large incumbents or would increase competition? Ms. Omarova.

Ms. Omarova. Well, the increase in competition is another good rhetorical choice to, you know, promote deregulation. But, in reality, both the financial sector and the tech sector are the businesses where economies of scale and economies of scope are extremely important. So in reality, what the Treasury report wants us to have is the maximum scale and maximum scope of these conglomerates.

Senator Brown. So it would benefit the larger----

Ms. Omarova. It would benefit the large incumbents.

Senator Brown. Mr. Knight.

Mr. Knight. Senator, I believe that it would actually be potentially a mixed benefit. In some cases the largest companies would benefit; in some cases the ability of smaller financial institutions to plug into large data providers may allow them to compete with larger financial services companies.

Senator Brown. Mr. Rubinstein.

Mr. Rubinstein. Yes, Senator, the Treasury report refers to APIs, which is tech speak for more secure data-sharing methods. I do believe that they actually increase competition. With respect to standards, small companies only need to build to one API standard to plug into many interfaces, so, yes, I do think it helps competition.

Senator Brown. It would certainly be working against trends, but, Mr. Boms.

Mr. Boms.
And, Senator, I would just say on behalf of many smaller financial technology firms, not the Facebooks or Googles of the world, there is a very strong view that this would promote competition.

Senator Brown. So the smaller guys think it would promote competition?

Mr. Boms. Yes, that is correct.

Senator Brown. Thank you.

Chairman Crapo. Senator Rounds.

Senator Rounds. Thank you, Mr. Chairman. First of all, thank you all for being here today. One of the common threads that I have noted throughout each of your testimonies was the importance of data breach or data security in FinTech. I am really curious about the issue of the importance of or the challenges of a national data breach standard. A number of businesses and trade associations have called for Congress and the Federal Government to step in and to establish one unified data breach standard so businesses could operate across State lines; they would not be forced to comply with a patchwork of different regulations. In addition, my colleague in the House, Congressman Blaine Luetkemeyer, recently released the Consumer Information Notification Requirement Act. This legislation, which has passed the House Financial Services Committee, would require Federal regulators to establish a national unified data breach standard. On the other hand, 31 State Attorneys General have released a letter opposing a prior version of a data breach bill in the House because it would preempt State laws. I would like your thoughts, first of all, on what we are discussing right now coming out of the House. And, second of all, is a national standard necessary? And if so, how do we balance that with State interests? Who would like to begin?

Ms. Omarova. Let me take this on. I think, as a general matter, just because a particular standard is unified, universally applied, and easier to understand does not necessarily make it the better standard. It depends on what the standard is, qualitatively.
We have the Federal system of regulation in this country because we believe in the checks and balances. Sometimes State consumer protection laws have to step in more effectively to protect us consumers from abuse by large companies. And sometimes the Federal laws do a better job by basically, you know, creating an even playing field for everybody else. So, my response to that would be it is not necessarily a bad idea to have a unified standard, but the key to that would be that that standard creates the maximum protection for the customer's financial data from various abuses that would likely ensue if we take State authorities completely out of the game.

Senator Rounds. Thank you. Other thoughts?

Mr. Rubinstein. I am happy to respond, Senator.

Senator Rounds. Please.

Mr. Rubinstein. Thank you for the question. We do support a Federal breach notification. While a large firm like ours can stay on top of the various State laws, speed is often very necessary in a breach notification. Being able to understand one law and being able to respond quickly to that I think enhances consumer protection, and gets customers and regulators just notified faster.

Senator Rounds. Other thoughts?

Mr. Boms. Senator, if I may, I would just add I think certainly you would find broad support within the FinTech ecosystem for a national standard, provided that it was strong enough and provided the right consumer protections. Just to juxtapose that with the ecosystem that we have today, it is very inconsistent from a regulatory perspective. We have CFDR members who are, for example, FFIEC supervised and examined as third-party vendors to large financial institutions. We have other FinTechs who are State regulated, and so who are not subject to the prudential bank regulatory oversight. And so one standard that encapsulates best practices I think would be welcomed.

Mr. Knight.
Senator, I cannot speak to Representative Luetkemeyer's bill specifically, but I would also say that when assessing whether or not a Federal standard makes sense, some other things to think about are whether or not the patchwork of regulations is generating inefficiency that ends up costing consumers money; whether or not there is a disparate treatment among competitors, so some people get to leverage one standard, some people get to leverage a different standard; and third, whether or not we are seeing citizens being de facto regulated by other States to a significant degree because, of course, you know, if you are a national player, you are going to comply with California even if someone in Wisconsin maybe would not support that standard. One of the potential advantages of a Federal standard is that there is broader political representation in setting it and everyone gets a seat at the table, even if you do not end up winning.

Senator Rounds. Is there a process today where a lot of these States that have individual offices, in particular Attorneys General offices and consumer offices, to where they have--do they have an association, so to speak, where they can speak with a unified voice in terms of what should be part of a core of a national standard that you have worked with?

Mr. Knight. Well, I have not worked with them on this topic, but the National Association of Attorneys General may be a place to go. They do work together both on advocacy and on enforcement through multi-State enforcement actions.

Senator Rounds. Any of you worked with any one of your associations? No? OK. Thank you. Thank you, Mr. Chairman.

Chairman Crapo. Thank you, Senator Rounds. Senator Reed.

Senator Reed. Well, thank you, Mr. Chairman. And thank you for your excellent testimony. Mr. Rubinstein, thank you. Very thoughtful comments. We appreciate it.
You point out in your written testimony that there are significant benefits, but there are also, as you say, very real cybersecurity and privacy risks. Can you project or let us know what your fears are about sort of the big problems that are out there lurking?

Mr. Rubinstein. Senator, thank you for the question. Number one is the issue of credential sharing, people giving away their IDs and passwords. Today when FinTechs or aggregators show up at our front door, they log in typically with robotic activity. It is robots that impersonate the customer, basically, same as you sitting at your keyboard typing in your ID and password. That only gives access to data, and some of that data may be private which you did not intend to share. But it also can give access to transactions. If you think about that, what does that mean? It means that potentially a robot can come in and move your money to somewhere else. That is a risk from having just open access to the website, which the current methods have. It is difficult for a financial institution to know that that is a robot coming in because it looks just like a customer. It is also difficult for the customer then to come back later and say, "I did not authorize that activity," when, in fact, they actually gave their ID and password to a third party. Those are real risks that we think about each and every day.

Senator Reed. Thank you very much. The other aspect of this is that we are at the beginning of a huge wave. Eventually the aggregation of data will go way beyond just sharing financial information from an institution with customers of a place like Facebook. It will go to all the information they collect: what websites you are looking at, maybe what potential pharmaceuticals you are ordering, et cetera. The financial decisions that are being made may not be being made by even individual human beings, and they might not be made in the financial institutions. It will be a machine that is sharing all this data.
Is that something that you are concerned about?

Mr. Rubinstein. I think there are great concerns with data that flows without the customer's knowledge and affirmative consent. So I think, you know, all that comes in. However, we do firmly believe in the customer's right to share their data. It is their data. If they understand that it is being shared, understand how it is being used, frankly, if they want to participate in selling that data, let them participate. Hopefully they will get rewarded for that. But they should be able to turn it off at any time, too.

Senator Reed. So in one concept there is the notion that--and I think we have said it before--there has to be an opt-in and opt-out, not just a generic one when you sign up, but constantly as the situation changes; that if there is value in your data, then somehow the customer should be able to realize that value, or at least make the decision based upon, you know, I am giving something up or I am getting something. And then the notion of erasing data is critical. Do you agree?

Mr. Rubinstein. Yes, Senator. Take Fidelity Access, as I mentioned earlier in my comments, as an example. When we use that, a customer can actually have a dashboard that they can see which third parties they have granted access to their data, so they can monitor that on an ongoing basis and with a single click be able to revoke that consent. Now, that only works--and many financial institutions are building similar things. That only works on the financial institution side. Once a consumer shares their data with a third party, we do believe that they should be able to get that erased. But that is actually between the third party and the consumer.

Senator Reed. That is where we have to step in and provide some type of sensible rule so they can do that. Correct?

Mr. Rubinstein. I think so, yes.

Senator Reed. Ms.
Omarova, in this deregulatory climate, which more and more is going to be left to the market, isn't that an argument for giving people the right to go to court if they feel aggrieved, even more so than today, giving people a private right of action if they feel aggrieved?

Ms. Omarova. I suppose so. I think in general, because of the complexity of the environment with which we are dealing today and because of the complexity of understanding exactly what kind of personal data is available to whom and how it could be used and the difficulty of monitoring all of that use, I think absolutely every lever of control over the use of that data by the big tech companies, especially, should be utilized.

Senator Reed. Thank you very much. Thank you, Mr. Chairman.

Chairman Crapo. Senator Perdue.

Senator Perdue. Thank you, Mr. Chairman. One of the unintended consequences of the Dodd-Frank law was I think it spawned probably--and it is arguable--the greatest period of bank consolidation in U.S. history. We have lost 1,700 banks in the last decade, and virtually no new banks have been started. So I have got a question. In that environment, Dr. Omarova, you mentioned earlier--I have a question for Mr. Knight first, but I want to come back to you on a second question. But Dr. Omarova talked about aggregation, the bigger the banks get, the more important this aggregation of data becomes. I am concerned that today in that environment of consolidation we have six examining agencies charged with consumer financial protection. One of those is the CFPB. We had the Acting Director before this Committee a couple months ago tell us there have been at least 240 breaches of data that they are investigating and possibly as many as 800. Any one of those could be worse than the Equifax breach. So the question I have, as we talk about--Mr. Knight, you talk about accessing this data can help banks actually improve services, particularly for people who are underserved today, and I agree with that.
But this unified national data security standard, as we are talking about, breach notification that I think we all agree on, how would that apply in your mind to these Federal examining agencies that have access to this same data?

Mr. Knight. I apologize. If I understand your question, is the concern that there is going to be a breach at the agency level?

Senator Perdue. Yeah, we have already been told--there are 240 CFPB known breaches today, 800 they are investigating, any one of which could be worse than the Equifax breach.

Mr. Knight. I absolutely share that concern, and I think that the challenge is if you allow any entity to access data, be it the bank or be it a Federal agency, there is that risk. And I think that while there are concerns and tools available to punish banks in the case of a breach or Equifax in the case of a breach--and we can debate whether or not those tools are adequate--it is harder in many respects to go after an agency due to issues like sovereign immunity.

Senator Perdue. But should they be held to the same standard of data protection that commercial interests are?

Mr. Knight. At least the same standard, Senator.

Senator Perdue. Thank you. Dr. Omarova, I have a question about where the United States sits with our regulatory environment relative to other countries. In Kenya, for example, 93 percent of Kenyans have access to a bank account through M-PESA, a mobile phone-based money transfer and microfinancing service in China. Alibaba--I was on a visit with Alibaba and Tencent a couple months ago in China. They help facilitate $12.8 trillion in mobile payments in China. They have leapfrogged us and our technology here. No matter what we think of our FinTech, a lot of these innovations were developed here, but we are slow adopters somehow in the United States. Are we falling behind places like the U.K., Kenya, and China in terms of the adoption of this technology and FinTech?

Ms. Omarova.
Well, Kenya is very different, has a very different financial services market than we do here. They do not have an actual banking system.

Senator Perdue. But the U.K. is very similar.

Ms. Omarova. I will get to that in a second. And in Kenya, by the way, the success of their mobile banking was built on the central bank and the major telephonic provider banding together. So the State was critical to providing the service to everybody else. China, yes, China has Alibaba, which is competing with our, you know, PayPals and Facebooks and what have you. Again, in China, the State apparatus is so strong that China can control whatever those companies do, and that is a critical factor. The U.K., we always hold up the U.K., especially the industry does, as this sort of principles-based, much more market friendly, much smarter kind of regulator type environment. But, remember, before the crisis, I worked in the Treasury, and we were doing reports about how the Financial Services Authority was so much better than our regulators were in terms of allowing financial innovation to go forward. And then the crisis hit. Where is the Financial Services Authority now? I am not so sure that the Open Banking Initiative in the U.K. is actually achieving the benefits that it was promising. So I think what we should look for is not so much how, you know, industry-friendly or deregulatory a particular country's environment is. I think we should look at our market structure and the concentrations of power in the tech industry and the financial sector in our country.

Senator Perdue. And that is my question. I have to gauge this against other standards and other performances, and so are we falling behind the adoption of these technologies relative to consumer protection and consumer access to banking services? And I would welcome anybody's response to that.

Ms. Omarova. I do not think we are falling behind.
I think we are taking a more cautious approach simply because we have probably much more to lose.

Senator Perdue. Very good. Anybody else?

Mr. Boms. Senator, I would just add we should not discount the vibrancy and resilience of the U.S. market, which obviously stands way above other markets. That said, the lack of consistency and clarity in the regulatory and legal framework in the U.S. with regard to data access presents a potential future competitive risk for the U.S. market.

Senator Perdue. Thank you very much. Thank you, Mr. Chairman.

Chairman Crapo. Thank you. Senator Warner.

Senator Warner. Thank you, Mr. Chairman. I want to follow up where Senator Perdue was at, Mr. Boms, with what the Europeans are doing, with what the Brits are doing. How does this affect, again, our market's ability to stay competitive in what is obviously a global field?

Mr. Boms. Sure, Senator. It is very early days. PSD2 and Open Banking in Europe and the U.K. just went live on the 13th of January this year. There was a conformance period that will last until September of next year. So we are in this transition period. But we are seeing adoption of Open Banking APIs by consumers in the U.K., for example, increase 50 percent month over month. So, clearly, there is interest in adoption of these tools. We are seeing significant investment into the FinTech market in London. It is not because the cost of living or taxes are low. It is because there is a clear regulatory framework and a legal framework for how these tools can be deployed, proscriptive consent and disclosure flows that consumers have come to expect and are aware of. So I do not think it is an imminent threat, but I do think if we do not get our house in order in the relative near term, it could become a threat.

Senator Warner.
One of the things I--and related to this, while not the direct topic today, you know, there is a group of us, bipartisan, that have been working for now 3 1/2, 4 years to try to at least standardize data breach legislation. The fact that we have got 49 or 47 different data breach legislative laws--this is different than data portability, but I would hope you would think that some level of Federal leadership on data breach would be important as well.

Mr. Boms. Absolutely, Senator, so long as the floor that it establishes provides sufficient consumer protection.

Senator Warner. Right, and that is, I think, what we have done. Frankly, it has been some of--I was from the telecom business before. It is my old industry that has been some--everybody is for data breach legislation, but then they all want a carveout for their specific industry, and that is not going to end up being, I think, the way we get there. Unfortunately, those efforts have lagged a little bit in the last 8 or 9 months, and I think as we think about this, we have got to think holistically. And, Ms. Omarova, that is where I want to go to my question with you. I am a big advocate around data portability, and I think Senator Brown may have indirectly raised this question already. In my efforts on the Intelligence Committee, where we are looking at the social media firms who have these platforms, who have enormous, enormous power and growing power, if we deal with data portability in the FinTech space alone but do not deal with data portability in terms of our individual personal data, if we are not able to move from Facebook to another enterprise and make it easy and allow our cat videos to move easily as well, we are really not going to be able to have the type of competitive market, I think, in that field. I would just like you to comment on the need to not only get this right in the FinTech, in the financial arena, but more broadly based.

Ms. Omarova. You are absolutely correct.
Information is the currency in the digital economy, and, you know, it takes many forms and it flows through many, many markets for many, many goods and services, not just financial markets but markets for other types of data. And it is a structural problem. I understand the concerns with competitiveness, and I am completely in favor of allowing consumers to move freely between different apps and utilize various information in ways that serve their interests. But the problem here is that you have to understand that, structurally speaking, financial institutions are sitting on the type of information that presents, you know, a much heightened danger of misuse, and this is where we should be particularly careful with respect to FinTech and how the financial information is moving structurally in these markets and probably deal with the broader issues of data protection outside the financial sector and perhaps antitrust issues as well, because those are serious structural issues that exist everywhere in the big tech sector separately.

Senator Warner. My concern is that what--and this Committee has looked in terms of Russia sanctions, what happened in 2016, where Russia intervened, but what I see as the next iteration is that someone will come in and break into nonprotected personal financial data, as they did with Equifax, and Senator Warren and I have a bill, and it is, I think, a travesty that we are a year later and there still has been no penalty paid by that company. But they will break in, get personal information, contact any of us as an individual, and then what will pop up will be what is called a ``fake video,'' and it will be somebody that looks like Senator Brown, but it is not actually Senator Brown live stream video. And the combination to wreak havoc there not only on the political side but on the market side is really huge, so we have to solve this issue not just for financial data portability but across the board.

Ms. Omarova.
Oh, that is absolutely correct. That is absolutely correct.

Senator Warner. Thank you.

Chairman Crapo. Thank you. Senator Cortez Masto.

Senator Cortez Masto. Thank you, and thank you, Mr. Chair and Ranking Member. Obviously, this is an important discussion, and thank you all for being here today. It is a great conversation. I echo my colleague Senator Warner. I think we have to look at this in a holistic approach. I think what I have heard today, we all agree we have got to address the data privacy, security, and consumer protection piece of this, but this is emerging technology. It is not going away, and we are going to have to figure out at a Federal level how we address this, but also, I believe, incorporating State laws in the States as well. They have to be a part of this discussion. So let me ask you this, because we received a letter from the National Association of Federally Insured Credit Unions, the Committee did. One statement the association makes is that, ``As new companies emerge and compete in this area, it is important that they compete on a level playing field of regulation, from data security to consumer protection.'' Would each of you agree with that statement?

Mr. Boms. Senator, yes.

Mr. Rubinstein. Yes, absolutely. Whoever holds consumer data should be held to the same standards.

Mr. Knight. Yes.

Senator Cortez Masto. Thank you.

Ms. Omarova. Well, yes, it is generally a good principle.

Senator Cortez Masto. And that level playing field of regulation does not mean that we roll back regulation, does it?

Mr. Boms. Senator, from my perspective, no, it does not. It means that we make the regulation consistent across the various regulators who have some stake in this.

Senator Cortez Masto. Thank you.

Mr. Rubinstein. Yes, I would agree.

Senator Cortez Masto. Right. And I think you would all agree.

Mr. Knight.
Senator, I would say that when we talk about level playing field, we should be thinking about what is the risk that is generated that we are trying to regulate against, and so if that risk exists, comparable regulation should exist. If a new player comes along and offers a comparable service but does not generate a certain risk, then they should not be regulated in the same way vis-a-vis that risk. For example, a lender that does not fund their loans from federally insured deposits should not be regulated as a depository because they are just not generating the risks that go along with the deposit holding. They should be regulated vis-a-vis consumer protection in lending, for example.

Senator Cortez Masto. OK.

Ms. Omarova. Well, sometimes it is very difficult to figure out exactly what types of risks a particular lender or a particular institution really poses. Sometimes we do not see how exactly they fund their loans and their services. We have learned that from this last crisis. And I think that in that sense, it is important that, if we are looking for leveling the playing field, we have to make sure that that common level is not the minimum regulatory level of oversight but the maximum one. And when we are looking at the maximum level of regulatory oversight in the interest of the American public, we should keep in mind the biggest players in those markets, not the smallest ones.

Senator Cortez Masto. Thank you. And can I ask you, each one of you, when we are talking about banks and credit unions that allow data aggregators access to bank customers' accounts, if there is a violation of those customers' privacy information and that privacy information for those customers, who should be legally liable? Should the banks and credit unions be legally liable if they are working with those third-party aggregators and there is a breach?

Mr. Boms. Senator, you have identified, I think, perhaps the largest, most significant obstacle in this ecosystem, which Mr.
Rubinstein referenced in his opening statement. The members that I represent would say that he who breaches the data should be responsible for making the consumer whole. The catch to that and the issue with that is we have decades of regulation and consumer expectations that say that it is the financial institution that either should or must make the consumer whole. So on some level, even though our members have taken it upon themselves, are adopting this notion of he who breaches must make the consumer responsible, at some point we need to holistically take a look at the regulations that we have on the books and modernize them for the 21st century economy.

Senator Cortez Masto. OK. Anyone else?

Mr. Rubinstein. Senator, as Mr. Boms said, it is a very difficult topic, and we firmly believe that whoever causes harm to the consumer should make the consumer whole. Unfortunately, this is a chain. Consumer data starts at the financial institution. It moves to a financial data aggregator. Then it moves to a FinTech. It may continue to move beyond that. The financial institution only has a direct relationship in that first step of the chain with the financial aggregator. They need to look to that financial aggregator to make the financial institution whole if the financial institution has reimbursed the consumer and then they can deal with their own customer. Similar to getting into a car accident, right? You have auto insurance. You turn to your insurance company, and then your insurance company goes and subrogates with the others down the chain. It has been very difficult. The industry is not adopting that yet, and we can use a nudge in that direction.

Senator Cortez Masto. Thank you. Please, whoever would like to go next.

Ms. Omarova. I think that everybody in that chain should bear a responsibility and be exposed to the liability for data breaches of bank customer data.
And what concerns me about the Treasury report in particular is that it never really addresses that issue directly, and it talks about, yes, we need to kind of have an appropriate liability regime, but it is not clear to me what that regime will be like. What I know, though, is as a practical matter, in order to incentivize banks to share their information, their bank customer information, with various technology companies, you are going to have to relax the actual liability constraints existing today on them, because, otherwise, they simply would not share it. So that is what concerns me a lot.

Senator Cortez Masto. Thank you. And I know I am out of time, Mr. Chair. I do not know, Mr. Knight, if you wanted to say a few words--I do not want to take up any more time.

Chairman Crapo. Briefly.

Senator Cortez Masto. Thank you.

Mr. Knight. So in addition to all that has been said, I would say that one threshold question we need to talk about is that Treasury takes the position in the report that Dodd-Frank Section 1033 compels the bank to make the information available to the consumer's chosen aggregator. I do not know if that is the position the Bureau will take, and if we are compelling the bank, then the normative argument for holding the bank liable if some accident happens down the chain with an aggregator they did not choose to partner with but were compelled to partner with weakens; whereas, if it is a matter of choice all the way down, then the principles discussed make more sense.

Chairman Crapo. Senator Scott.

Senator Scott. Thank you, Mr. Chairman. Thank you to the panel for investing the time to be here this morning. Things get complicated when a company is headquartered in Tennessee, does business in South Carolina, and is breached in Arkansas. Those States all have different laws on the books governing when and how companies must notify the public of a data breach.
The reality is that a patchwork quilt of 50 different breach notification standards creates a race to the bottom in which breached parties will often comply with the lowest possible standard. Consumers are ultimately the ones that pay the price. They are the ones that lose out. I know that Senator Rounds touched on this question earlier, but let me ask you, Mr. Boms, is a State-by-State framework for breach notification effective? Who stands to benefit from a more uniformed approach?

Mr. Boms. Senator, we think that there is certainly room for improvement. A Federal approach that lifts up what the ceiling is across the board would benefit consumers, it would benefit the industry. We think it would be a win-win for everybody involved. It is not simply an issue of regulatory complexity at the State level. Several of the FinTech firms that I work with have Federal supervision through third-party vendor risk management, and so there is a piece of prudential bank regulatory authority here as well on this score. This is another area where consistency among regulation, not deregulation, would be immensely helpful.

Senator Scott. Thank you, sir. The Gramm-Leach-Bliley Act from 1999, we did business very differently then. I think we were all still using paper for most of our transactions. We probably had dial-up for our Internet connection, and we certainly did not have cell phones that could do anything other than call, and that was a pretty expensive venture as well. The bottom line is that the world has changed so significantly since GLBA was enforced, became law, but it is still the foundation of how we govern data aggregators for financial institutions. I am encouraged by the fact that we are moving to APIs from screen scraping, but it is happening fairly slowly. Mr. Boms, you mentioned Europe, Mexico, and Japan in your testimony. How are U.S. policymakers falling behind in crafting laws that foster FinTech innovation and protecting consumer data?

Mr. Boms.
Senator, I would answer in two parts. I think the first thing I would say is APIs in and of themselves are not a panacea. They will not solve everything. The API, in addition to being secure, as we have heard, also must be robust. So the API must include data fields like fees, for example, so that a consumer who is using a third-party tool that compares fees at one, for example, financial institution can compare what its fees would be for the same products or services at another financial institution. So making sure that the APIs with the direct feeds are robust is the first step. The second is there are no standards in the U.S. market. The Treasury report talks about data standardization, which we think is a very important area that other markets have addressed. In the U.K. open banking environment, the data elements are standardized. The Mexican central bank and securities regulator are currently working on an API that would standardize the data sets. This would be, we think, one place to start, but there are quite a few that regulators here could begin with.

Senator Scott. Thank you. Almost 30 percent of Americans living in economically distressed communities are credit-invisible, meaning they have no credit score. An additional 15 percent are unscorable due to having an insufficient or old credit history. In South Carolina, that combined number is about 23 percent, or one out of every four adults. Senator Cortez Masto and I have worked diligently to find ways to bring that credit-invisible person to a place where their consistent habits of paying their bills, whether it is their electric bill or their cell phone or the rent from a place that they are renting, if they are paying those on time, they should get some credit for that. Mr. Knight, you testified that innovative underwriting can provide consumers with benefits such as lower interest rates.
Can you speak to the benefits of using rent and utility payments in credit scoring and to other developments in underwriting that will benefit consumers?

Mr. Knight. Thank you, Senator. Yes, I think that expanding access to the types of data that bear on the creditworthiness of a borrower, even if they have not traditionally been captured in traditional underwriting like a FICO score, has the potential to be valuable in allowing lenders to make an accurate assessment of the risk that they would take on by lending to a borrower. In some cases, that will make someone who is credit-invisible visible and, therefore, the lender has enough data they feel like they could make an offer. In other cases, it will indicate that people who are, in fact, good credit risks or better credit risks than they otherwise get credit for, because you are looking at data that has not otherwise been picked up. So I think that there is potential value there.

Senator Scott. Thank you. I have another question on my legislation, the MOBILE Act, that I will submit for the record. Thank you, Mr. Chairman.

Chairman Crapo. Thank you. Senator Warren.

Senator Warren. Thank you, Mr. Chairman. So FinTech holds out a lot of promise for consumers and also raises a number of concerns. I think it is critical that the Government move methodically on a regulatory approach to FinTech, so we encourage productive innovation but we do not expose consumers to a lot of unnecessary risks. So the Treasury Department issued a report on FinTech earlier this year, and in almost every instance, it advocates for deregulation in an effort to stimulate the FinTech industry. And I am concerned about a lot of those recommendations. One set of recommendations is about rolling back the rules that govern how banks can share personal financial information with third-party data aggregators.
So, Professor Omarova, I know you addressed this issue in your written testimony, and I just would like you, if you could very briefly, to explain what your concerns are with the Treasury Department's recommendations on this front.

Ms. Omarova. So my main concern is that the Treasury's approach will essentially open the floodgate for the banks that are currently regulated to open up this treasure trove of sensitive financial data on the customers that they have for much broader types of uses by various tech companies. So my concern is about Facebook, it is about Google, it is about Amazon. And we do not know what they do with the data they touch, so they could use it, they could get access to that data in one capacity, let us say as a cloud service provider and the code writer, but then misuse it in order to sell something to the customer, and that is what I worry about. And the customer consent here could be obtained by the bank at the point when the customer is actually opening a deposit account with the bank, and that is what concerns me. This notion of consent and choice could be actually diminished.

Senator Warren. All right. That is very important. Thank you. You know, given what just happened with the Equifax breach, I think a lot of my constituents and constituents for pretty much everybody here would be uncomfortable with the idea of even more companies getting access to our financial data without our effective consent and without strict rules on how they have to protect that data. Another set of Treasury recommendations would further weaken the wall between banking and commerce. They would allow our biggest banks and our huge technology platforms to join their corporate empires--you were just talking about this--and giant technology companies like Facebook and Google to build up equity stakes in multiple smaller banks across the country.
Again, could you go back to this, Professor, and describe some of the potential harms in allowing this kind of consolidation across different industries?

Ms. Omarova. Right. So the Treasury basically seeks to weaken how control is defined in the Bank Holding Company Act. The Bank Holding Company Act currently subjects any company that controls a U.S. bank or is affiliated with a U.S. bank to various regulations and supervision, and it is essentially an antitrust law that seeks to prevent banks from abusing their control of immense power over public money and credit. And what the Treasury says is essentially we should make it much easier for the banks to acquire equity stakes in tech companies and vice versa. And I worry about the fact that it will not create greater competition; it will actually lead to extreme concentrations of power over money and information across the sectors. And it will take the ``too big to fail'' problem to an unprecedented level because in the next crisis we may have to save Facebook and Amazon because they would be so intertwined in the financial sector.

Senator Warren. So, actually, this is powerfully important, and I appreciate your comments on this. You know, a lot of discussion in FinTech centers on the consumer to corporate part of this, but there is also the part about the effect it would have on wholesale banking. Can you just say a word more about that? You have talked about blowing up ``too big to fail.'' Just a bit more.

Ms. Omarova. So remember with subprime mortgages, for example, it was also--the rhetoric was all about the right of the consumer to choose to take a very expensive loan, for example, but in reality, those mortgages were the fuel for the wholesale market speculation.
And so I worry that allowing digitization of data and all of this sort of new FinTech innovation without proper controls will actually increase the potential for wholesale market speculation in the secondary markets that would make the system more volatile and more unstable, and we have to be aware of that danger.

Senator Warren. Good. Thank you very much. You know, I know there is a lot that improving technology can do to reduce costs and improve service for customers. But I am concerned that this Treasury report consistently ignores real concerns that could arise both for consumers and for the industry and change the--have an impact on protecting data, on reducing consumer choices, on maintaining safety in the financial system. So thank you very much, Mr. Chairman, for holding this hearing. I hope we will continue to dig into this issue. Thank you.

Chairman Crapo. We definitely will. And I think there is a lot of bipartisan agreement on a lot of these issues. I need to wrap up the hearing. However, Senator Brown has asked for one more round of 5 minutes.

Senator Brown. I have a couple questions. Thanks.

Chairman Crapo. Senator Brown, I will grant that to you, and I am sorry, then I am going to have to wrap the hearing up.

Senator Brown. Mr. Chairman, thank you. We have had sort of private discussions about overlap and the common interests we see in some of this on privacy, and I am hopeful that we can come together on some things. I have a couple questions left. Professor Omarova and Mr. Knight, if I could direct the first one to you, starting with you, Professor Omarova. Should a nonfinancial company be allowed access to consumers' detailed financial data such as transactions or account balances? Or should the traditional separation of banking and commerce extend to data sharing as well?

Ms. Omarova. I absolutely think that the traditional separation of banking and commerce should extend to everything that relates to data.
I do not think that pure disclosure really cures the problem because the problem is structural. The problem is about the market power crossing over different sectors and essentially hurting all of us and the long-term competitiveness of our economy.

Senator Brown. Thank you. Mr. Knight, any comments on that?

Mr. Knight. So I am somewhat more optimistic. I think that there may be circumstances where allowing that sort of exchange can actually be beneficial to the consumer. I do think that meaningful disclosure, meaningful acceptance is critical to this, because we are talking about very sensitive information, and if the consumer is allowing that information to be shared, it should be used only for the purposes that the consumer has granted access to, and that consent should be periodically reacquired. It should not be something that you click ``yes'' on a splash screen when you first sign up and then never hear about it again. But I do think that there may be scenarios where that exchange actually is worth it.

Senator Brown. Thank you. And the last question to Mr. Boms, and thank you, Mr. Chairman. What would be the impact of a successful hack of one of your members?

Mr. Boms. Senator, it would depend on which of the members we are talking about. So if I could, I will separate them from the aggregator members and the end FinTech clients. For the aggregator members, there is a wide variety. They are mostly read-only platforms. You cannot execute transactions across them. While many do hold credentials as a way to get into the ecosystem, they employ best in class security systems, hardware encryption, elements of data security that I am not qualified to get into. That is not to say that more cannot be done, but, of course, they are not encumbered by----

Senator Brown. And there have been successful hacks in the past, of course.

Mr. Boms.
Well, I would argue, respectfully, that the vast majority of the hacks that we see in the financial ecosystem are at the incumbent financial institutions, not the FinTech players, or at least the ones that I represent. That is not to say that one will not happen the second this hearing ends. For the end user--and I should also add, for the aggregators, many have adopted policies where they do not collect PII. So they are the pipeline; they connect one entity to the data that they acquire for the use case, but do not themselves retain the identifying information that the end user provides to their third party. But I think underlying the question, Senator, is there need to be standards for data security in this ecosystem, and that is why my members at least have come out and said, whether it is regulatorily prescribed or whether it is private sector driven, we are ready to have that conversation. And we have already started to deploy some of those standards across the 50 companies that I work with.

Senator Brown. Thank you.

Chairman Crapo. All right. Thank you, Senator Brown, and I again want to thank the witnesses. I have a lot more questions I want to ask, and I do not know if I will pummel you with all of those, but over time we are going to dig much more deeply into this as a Committee. It is an incredibly important issue. And it is complex. It needs to be understood, and we appreciate your helping us to get a deeper understanding today. That concludes the Committee questioning. For Senators wishing to submit questions for the record, those questions will be due in 1 week, on Tuesday, September 25. Witnesses, we ask you, when you receive questions, if you would promptly respond to them. And, again, we thank you for your willingness to come and share your expertise with us today. With that, this hearing is adjourned.

[Whereupon, at 11:21 a.m., the hearing was adjourned.]
[Prepared statements, responses to written questions, and additional material supplied for the record follow:]

PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO

Today, we will hear four very unique perspectives on a segment of financial technology, or ``FinTech.'' Almost exactly one year ago, the Committee held a hearing to explore the various sectors and applications of FinTech. In the short time period between that hearing and this one, many developments and innovations have occurred, both in the private sector and on the regulatory front. Digitization and data, in particular, are constantly evolving, challenging the way we have traditionally approached and conducted oversight of the financial services sector. As technology has developed and the ability to readily and cheaply interact with and use data has flourished, we have experienced a sort of revolution into the digital era. This digital revolution brings with it the promise of increasing consumer choice, inclusion and economic prosperity, among other things. Less than a decade ago, the concept of mobile banking, a simple transaction, was relatively new. Now, consumers have countless options by which to interact with and access their financial information and conduct transactions. As this marketplace rapidly develops, so must we constantly evaluate our regulatory and oversight framework, much of which was designed prior to the digital era. To the extent that there are improvements that can be made to better foster and not stifle innovation, we should examine those. Although these technological developments are incredibly positive, the increased digitization and ease of collecting, storing and using data presents a new set of challenges and requires our vigilance. Many products and services in the FinTech sector revolve around big data analytics, data aggregation and other technologies that make use of consumer data.
Oftentimes these processes operate in the background, and are not always completely transparent to consumers. It is important for consumers to know when their data is being collected and how it is being used. It is equally important for the companies and the Government alike to act responsibly with this data and ensure it is protected. As we have seen in recent years, this can be a challenging task. In order to fully embrace the immense benefits that can result from technological innovation, we must ensure that proper safeguards are in place and consumers are fully informed. Today, I hope to hear from our witnesses about: the ways in which FinTech is changing the financial sector and the improvements that can be made to ensure the regulatory landscape welcomes that innovation; what kind of data is being collected and used, and how such data is secured and protected; and what are the opportunities and challenges going forward?

______

PREPARED STATEMENT OF SENATOR SHERROD BROWN

In the run-up to the financial crisis, Wall Street banks bragged about innovations that they claimed made the financial system less risky and credit more affordable. Some of these innovations were in consumer products--like interest-only subprime mortgages. Other innovations were happening behind the scenes, like the growth in risky collateralized debt obligations and credit default swaps. According to the banks, technological advances like increased computing power and information sharing through the internet allowed financial institutions to calculate and mitigate the risks of these complex financial innovations. Here in Washington, banks told lawmakers that regulation would hold back progress and make credit more expensive for consumers. Rather than look at financial technology with an eye to the risks, Federal banking supervisors repealed safety and soundness protections and used their authority to override consumer protection laws in several States.
Eventually, so-called financial innovations led to the biggest economic disaster in almost a century, costing millions of Americans their homes and their jobs. Criticizing the bankers and regulators who lost sight of the enormous risks that came with these new innovations, former Fed Chair Paul Volcker declared that ``the ATM has been the only useful innovation in banking for the past 20 years.'' I am more optimistic about some new technologies benefiting consumers rather than just lining Wall Street's pockets, but I think we should look at this Treasury report with the same level of skepticism. Rather than learn from past mistakes, the Treasury report embraces the shortsightedness of precrisis regulators. It exalts the benefits of ``financial innovation,'' describes Federal and State regulation as ``cumbersome'' or as ``barriers to innovation,'' and recommends gutting important consumer protections, like the CFPB's payday lending rule. It even suggests stripping away what little control we have over our personal financial data, just a year after Equifax put 148 million Americans' identities at risk. Just like a dozen years ago, Wall Street banks and big companies are making record profits, but working families are struggling just to get by. Student loan debt is at record levels, and credit card defaults are rising. Worker pay isn't keeping up with inflation, but we've managed to cut taxes for the richest Americans while CEOs and shareholders have reaped huge windfalls through over half a trillion dollars in stock buybacks. Plenty of financial institutions are adopting new technologies without running afoul of the law. Rather than focusing on how we can weaken the rules for a handful of companies who prefer to be called ``FinTechs'' rather than ``payday lenders'', or ``data aggregators'' rather than ``consumer reporting bureaus'', Treasury should be focused on policies that help working families. This isn't a partisan issue for me. 
I raised concerns about relaxing the rules for FinTech firms when Comptroller Curry, appointed by President Obama, suggested a special ``FinTech'' charter almost two years ago. The new leaders at the Federal Reserve, the OCC, the FDIC, and the CFPB have already made it clear that they're ready to give Wall Street whatever it asks for. And the recommendations in this report call for more handouts for financial firms, FinTech or otherwise. I am, however, interested to hear from our witnesses about how new financial technologies could increase our control over our own information, better protect against cyberattacks, or make it easier for lenders to ensure they're following the law. And as traditional banks partner with technology firms, I think it's important for the Committee to consider where gaps in regulation might lead to future systemic risks. Thank you to the Chairman for holding this hearing, and to the witnesses for their testimony today.

______

PREPARED STATEMENT OF STEVEN BOMS

President, Allon Advocacy, LLC, on behalf of Consumer Financial Data Rights

September 18, 2018

Introduction

Chairman Crapo, Ranking Member Brown, and Members of the Committee, thank you for the opportunity to testify today on behalf of the Consumer Financial Data Rights, or CFDR, Group. The CFDR Group is a consortium of nearly 50 financial technology (FinTech) companies, including financial data aggregation companies and end user-facing technology tools, on whose services more than 100 million consumers and small businesses collectively depend for access to vital financial services and wellness applications that serve them at every stage of their financial lifecycles. CFDR Group member-companies provide, for example, automated savings services, no-fee credit cards, investment advisory services, retirement savings advice and critical small business capital.
In the complex and often opaque financial services ecosystem, the CFDR Group strives to be the voice of consumers and small businesses before policymakers and market stakeholders alike. My testimony today also provides the perspective of the Financial Data and Technology Association (FDATA) of North America, a trade association for which I serve as Executive Director. FDATA North America is comprised of several financial services providers, some newer entrant FinTech firms and some incumbent, traditional providers, united behind the notion that standardization of consumer data access is both a fundamental consumer right and a market-driven imperative. FDATA North America is a regional chapter of FDATA Global, which was the driving force for Open Banking in the United Kingdom and which continues to provide technical expertise to regulators and policymakers in London, to the European Commission, and to regulatory bodies internationally contemplating many of the same issues identified in the Department of the Treasury's (``the Department'' or ``Treasury'') report released on July 31, A Financial System That Creates Opportunities: Nonbank Financials, FinTech, and Innovation. The CFDR Group and its members consulted frequently with the Department as it considered the current state of the FinTech market, the consumer and small business benefits it provides to Americans today, and how best to harness innovation in the FinTech ecosystem moving forward while ensuring that consumers, small businesses and the financial system itself are well protected. The CFDR Group's engagement with Treasury was principally focused on the crucial issue of consumer-permissioned financial data, which ultimately was an area of emphasis in the Department's report.
Ultimately, any provider of a technology-based financial tool, whether that provider is a FinTech firm or a longstanding market incumbent, depends on the ability to access and utilize, with the consumer's or small business' express permission, elements of that customer's financial data to offer its products or services. Financial data, including, for example, balances, fees, transactions, and interest charges, are essential to facilitating the technology tools on which millions of Americans depend. These data elements are typically held at the financial institution with which that customer holds a checking, savings, and/or lending account. Before providing an overview of how this data exchange works today in the United States, I would first like to underscore the immense need that the technology-based tools offered by CFDR Group and FDATA North America member firms are fulfilling.

The State of U.S. Consumer Finances

Although the U.S. economy is performing well from a macroeconomic standpoint, there are unquestionably significant numbers of Americans who are being left behind and are financially invisible. The level of credit card debt in the United States is historically high and, earlier this year, exceeded $1 trillion for the first time ever, with the average American household holding approximately $8,200 in credit card debt. \1\ About half of American consumers have no retirement savings at all, and of those that do, the average retirement account balance is about $60,000. \2\ Approximately one-third of American adults have sufficient savings to last comfortably for more than a few months during their golden years. \3\
---------------------------------------------------------------------------
\1\ Comoreanu, A. (2018, June 11). ``Credit Card Debt Study: Trends and Insights''. Retrieved from https://wallethub.com/edu/credit-card-debt-study/24400/.
\2\ Morrissey, M. (2016, March 3).
``The State of American Retirement: How 401(k)s Have Failed Most American Workers''. Retrieved from https://www.epi.org/publication/retirement-in-america/.
\3\ ``1 in 3 Americans Have Less Than $5,000 in Retirement Savings''. (2018, May 8). Retrieved from https://news.northwesternmutual.com/2018-05-08-1-In-3-Americans-Have-Less-Than-5-000-In-Retirement-Savings.
---------------------------------------------------------------------------
The crisis, of course, is not limited only to an accumulation of debt or a lack of retirement savings. The Federal Reserve Board of Governors determined earlier this year that 40 percent of American consumers could not afford a surprise $400 expense without either selling an asset or taking on additional debt. \4\ And, unsurprisingly, many of us do encounter these surprise expenses. According to a recent study by CIT Bank, while half of Americans experience a financial emergency, such as a major health event or an unforeseen home repair, every year, more than one in four do not save for these unexpected events. \5\
---------------------------------------------------------------------------
\4\ ``Report on the Economic Well-Being of U.S. Households in 2017''. (2018, May 22). Retrieved from https://www.federalreserve.gov/publications/files/2017-report-economic-well-being-us-households-201805.pdf.
\5\ ``Summer Survey: Trends on Saving for Life's Planned and Unplanned Events''. (2018, August 1). Retrieved from https://bankoncit.com/blog/2018-summer-savings-survey/.
---------------------------------------------------------------------------
It is no wonder, then, that 85 percent of Americans report feeling anxious about their financial state, with more than two-thirds believing that their financial anxiety is negatively impacting their overall health. \6\
---------------------------------------------------------------------------
\6\ ``Planning and Progress Study 2016''. (2016, June 8).
Retrieved from https://news.northwesternmutual.com/planning-and-progress-study-2016.
---------------------------------------------------------------------------
Compounding this economic predicament is the growing complexity of most consumers' and small business' relationships with the American financial system. The vast majority of Americans have multiple different accounts across a variety of products providers. The most basic, fundamental first step towards financial health--simply understanding what one has and what one owes--is often intimidating and logistically difficult for all but the most financially savvy. The technology-powered tools on which millions of Americans have come to depend, provide intuitive, accessible platforms that enable even the least financially savvy among us to manage their finances and improve their economic outcomes. In addition to allowing Americans to see the totality of their financial accounts in one place, these applications empower consumers and small businesses to find lower loan rates or better loan terms, to avoid predatory products and services, to compare fees across different product offerings, to receive personalized investment and wealth management advice, to find and secure capital that otherwise may not be extended, or to take advantage of budgeting and savings tips to secure their financial future. This of course presumes that one has access to the system in the first place. Twenty percent of adult Americans are underbanked by the traditional financial services system and almost nine million American households are entirely unbanked. \7\ For these consumers, third-party, technology-based tools can provide vital, affordable access to a financial system that has left them behind.
---------------------------------------------------------------------------
\7\ ``Financial Inclusion in the United States''. (2016, June 10).
Retrieved from https://obamawhitehouse.archives.gov/blog/2016/06/10/financial-inclusion-united-states.
---------------------------------------------------------------------------
Regardless of the use case a consumer or a small business wishes to leverage, and irrespective of whether that technology-powered tool is offered by a FinTech firm or a traditional financial services provider, the lifeblood of these tools is user-permissioned data access: the right of the consumer or small business to affirmatively grant access to the third party of their choice to connect to or see the financial data required to provide them the product or service for which they have provided their consent.

The State of Consumer-Permissioned Financial Data

Usage of third-party, FinTech tools in the U.S. is widespread: by 2017, 87 percent of consumers preferred to adopt a FinTech application rather than use a product or service offered by a traditional financial services provider. \8\ To gain access, with the consumer's or small business' consent, to their customer's financial data in order to provide their products or services, the vast majority of technology-based tools retain contractual relationships with financial data aggregators, such as Envestnet Yodlee, Quovo, or Morningstar ByAllAccounts, all of which are members of the CFDR Group. These aggregators, which have built data connectivity to thousands of U.S. financial institutions over many years, function as technology service providers for the consumer or small business-facing applications. Once the consumer or small business has affirmatively provided their consent to the application that they wish to utilize, that consent is transmitted to their financial institution and they are authenticated.
Upon authentication, the aggregator utilizes one or more methods of data consumption to capture the financial data permissioned by the end user that is required to deliver the use case requested and delivers it to the application provider. The application provider then uses this data to provide its service or product to the consumer or small business.
---------------------------------------------------------------------------
\8\ ``EY FinTech Adoption Index 2017''. (2017, June 28). Retrieved from https://www.ey.com/Publication/vwLUAssets/ey-fintech-adoption-index-2017/$FILE/ey-fintech-adoption-index-2017.pdf.
---------------------------------------------------------------------------
Because there are no overarching statutory, regulatory or market standards in the United States with regard to consumer or small business authentication, or with regard to the data consumption protocol used by aggregators to transmit the end user's data, with their permission, to their application of choice, there are several different methods used in the ecosystem today. To authenticate, end users typically provide their online banking credentials, either to the third-party application provider delivering them the service or product they have selected, or, through redirection, to their financial institution, which in turn issues an access token to the third party and the aggregator with which it partners. Once the consumer or small business is authenticated, the aggregator may use any of several data consumption methods to retrieve the financial data required for the use case. Some financial institutions have created direct feeds, such as Application Programming Interfaces (APIs), specifically for aggregators and third parties to utilize for the purpose of providing products or services to their customers; however, the vast majority of U.S. financial institutions have not.
The significant capital investment required to build and maintain these feeds typically results in only the largest U.S. financial institutions deploying them. In the case where no direct data feed is available, aggregators employ proprietary software to retrieve the data required for the use case from the end user's native online banking environment. This data consumption method is colloquially referred to as ``screen scraping.'' I note here a critical issue that underlies the entire FinTech ecosystem's ability to continue to deliver the products and services on which many consumers and small businesses now rely: There is no legal requirement in the United States stipulating that a financial institution must make the consumer's or small business' financial data it holds available to a third party in the event their customer provides affirmative consent for the institution to do so. Accordingly, a consumer's or small business' ability to take advantage of the benefits offered by third-party, technology-based tools rests almost entirely with the inclination of their financial institutions to allow them to do so. Not all financial institutions are disposed to allow third-party tools, some of which compete directly with their own products and services, complete access to their customers' data. The Treasury's report notes, for example, that ``access [to financial data] through APIs was frequently and unilaterally restricted, interrupted, or terminated by financial services companies.'' \9\ In many cases, these APIs also may not provide the full suite of data required by technology-powered tools to deliver their products or services. The market is therefore fundamentally dislocated; the ability of U.S. consumers and small businesses to utilize third-party technology tools is dependent on the financial services provider(s) with which they do business, with disparate outcomes for Americans who bank with different financial institutions. 
The unevenness of this playing field could materially worsen as many large U.S. financial institutions seek to impose on consumers and small businesses their view of how the ecosystem should function in the form of bilateral agreements with aggregation firms.
---------------------------------------------------------------------------
\9\ ``A Financial System That Creates Economic Opportunities: Nonbank Financials, FinTech, and Innovation''. (2018, July 31). Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation_0.pdf.
---------------------------------------------------------------------------
The Bureau of Consumer Financial Protection (``BCFP'' or ``the Bureau'') engaged in a year-long process to address this issue, which ultimately culminated in the release in October 2017 of nonbinding principles for consumer-authorized financial data sharing and aggregation. \10\ Though the BCFP's engagement was earnest and well-intentioned, the principles it ultimately released did not meaningfully shape or change market behavior, both because they were not legally binding and because the Bureau declined to forcefully stake out a position regarding consumer-permissioned data access. The BCFP asserted, for example, that consumers ``generally'' should be able to use ``trusted'' third parties to obtain information from account providers \11\ but provided no further detail regarding these qualifiers. As a result of this ambiguity, and despite the BCFP's much-needed engagement in the market, the state of consumer-permissioned financial data access in the United States is not meaningfully different today than it was when the Bureau's nonbinding principles were released almost 1 year ago.
---------------------------------------------------------------------------
\10\ ``Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation''.
(2017, October 18). Retrieved from https://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf.
\11\ Ibid.
---------------------------------------------------------------------------
While policymakers in the United States have not issued any regulation specific to consumer-permissioned financial data access, regulators and legislators abroad have sought to harness innovation. As these other jurisdictions implement frameworks that harness innovation, the U.S. market is at risk of losing pace internationally with the development and delivery of new, innovative financial tools for consumers. There is, accordingly, ``a huge risk the U.S. will fall behind, and with that a risk that jobs will go elsewhere.'' \12\
---------------------------------------------------------------------------
\12\ Phillips, C. (2018, September 12). Remarks to the Exchequer Club of Washington. Speech, Washington, DC.
---------------------------------------------------------------------------
The United Kingdom's Open Banking regime, under which consumers can utilize authorized third-party tools without restriction, began its implementation phase earlier this year, as did Europe's Second Payments Services Directive, or PSD2. In Mexico, following a recently passed new FinTech law, the Bank of Mexico and the National Banking and Securities Commission (CNBV) are in the midst of developing API standards that national financial institutions will be required to adopt in order to facilitate the use of third-party FinTech tools. The Australian Government has made public its intention to begin its implementation of an Open Banking regime in July 2019, and New Zealand, Canada, and Mexico are not far behind.
In the preamble to its report, Treasury rightly notes that policymakers' engagement with the FinTech ecosystem--and the decisions that are made by the financial regulatory agencies in response to the Department's recommendations, particularly with regard to consumer-permissioned data access--will have implications for U.S. global competitiveness. \13\ Developments such as the announcement earlier this month of a pact between the Monetary Authority of Singapore and the Dubai Financial Services Authority to work collaboratively on digital payments and blockchain projects are becoming increasingly common. While the U.S. market continues to consider the most fundamental policy issues regarding innovation in financial services, policymakers in other jurisdictions are assertively creating well-regulated, innovative regulatory frameworks designed to attract and encourage large-scale innovation. The stakes are high: Globally, the FinTech market attracted more than $31 billion in 2017, with the United States attracting more than half the investment in the market. \14\
---------------------------------------------------------------------------
\13\ ``A Financial System That Creates Economic Opportunities: Nonbank Financials, FinTech, and Innovation''. (2018, July 31). Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation_0.pdf.
\14\ ``The Pulse of FinTech--Q4 2017''. (2018, February 13). Retrieved from https://home.kpmg.com/xx/en/home/insights/2018/02/pulse-of-fintech-q4-2017.html.
---------------------------------------------------------------------------

Treasury Report Recommendations

Both the CFDR Group and FDATA North America strongly believe that the Department in its July report identified the key outstanding issues with regard to consumer and small business financial data access.
I would respectfully highlight five of the Treasury recommendations for the Committee's consideration, as formalizing standards around these areas would significantly bolster the ability of Americans to utilize third-party technology tools to improve their financial well-being: 1. The Bureau should affirm that for purposes of Section 1033 [of the Dodd-Frank Wall Street Reform and Consumer Protection Act], third parties properly authorized by consumers . . . fall within the definition of ``consumer'' under Section 1002(4) of Dodd-Frank for the purpose of obtaining access to financial account and transaction data. Treasury's assertion that the Dodd-Frank Act's inclusion of language in Section 1033 mandating that financial institutions provide their customers with electronic access to their data should be interpreted to ``cover circumstances in which consumers affirmatively authorize, with adequate disclosure, third parties such as data aggregators and consumer FinTech application providers to access their financial account and transaction data from financial services companies'' \15\ marks a significant step forward for consumers' and small businesses' financial rights. Though it may seem self-evident, because Section 1033 of Dodd-Frank provides that the BCFP has the authority to promulgate a rule to ensure end users have electronic access to their online data, and the Bureau has thus far declined to do so, Treasury's affirmation that the Dodd-Frank Act provides this right to consumers and small businesses, even in the absence of a Bureau rulemaking, represents a significant victory for innovation and for consumer and small business financial empowerment. The CFDR and FDATA North America both respectfully echo the Department's call for further action on this score by the BCFP. --------------------------------------------------------------------------- \15\ ``A Financial System That Creates Economic Opportunities: Nonbank Financials, FinTech, and Innovation''. 
(2018, July 31). Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation_0.pdf.
---------------------------------------------------------------------------
2. All regulators . . . should recognize the benefits of consumer access to financial account and transaction data in electronic form and consider what measures, if any, may be needed to facilitate such access for entities under their jurisdiction.
One of the systemic disadvantages facing the FinTech ecosystem in the United States as compared with many other countries that have imposed standards with regard to consumer-permissioned data access is the immense relative regulatory fragmentation that exists in the U.S. financial system. In the United Kingdom, for example, two agencies, the Financial Conduct Authority and the Competition and Markets Authority, represent the totality of regulatory authorities that were required to implement an entirely new, innovative approach to harnessing FinTech under Open Banking. Mexico's CNBV and the Bank of Mexico are themselves responsible for developing and imposing financial API standards. The Australian Treasury and the Competition and Consumer Commission alone will deliver Open Banking in 2019. There are at least eight Federal regulatory agencies with jurisdiction over at least some portion of financial data access in the United States: the BCFP, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Federal Reserve Board of Governors, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and the Federal Trade Commission. (Other Federal agencies, including the Financial Crimes and Enforcement Network and the Financial Industry Regulatory Authority, have also been involved in the issue of consumer-permissioned data recently.
\16\) One commonly discussed regulatory constraint to the open transmission of permissioned consumer and small business financial data has been the prudential bank regulatory agencies' third-party vendor risk management guidance. \17\
---------------------------------------------------------------------------
\16\ ``Know Before You Share: Be Mindful of Data Aggregation Risks''. (2018, March 29). Retrieved from http://www.finra.org/investors/alerts/know-you-share-be-mindful-data-aggregation-risks.
\17\ ``Third-Party Relationships''. (2017, June 7). Retrieved from https://www.occ.gov/news-issuances/bulletins/2017/bulletin-2017-21.html.
---------------------------------------------------------------------------
There are also, of course, regulatory authorities in each State that have jurisdiction over entities that play a role in the FinTech market, financial services providers and FinTech firms alike. While Treasury cannot address the intrinsic, structural disadvantages in the United States' regulatory regime as compared with other countries', its call for all of the agencies in this space to align behind the Department's interpretation of Section 1033 of the Dodd-Frank Act is an important step towards a level playing field, and one that could be hastened by Congressional engagement. While, interestingly, some U.S. regulatory agencies have begun to collaborate with their peers internationally, \18\ greater domestic coordination that provides harmonization, rather than divergence, would spur innovation and improved consumer and small business financial outcomes.
---------------------------------------------------------------------------
\18\ ``BCFPB Collaborates With Regulators Around the World To Create Global Financial Innovation Network''. (2018, August 7). Retrieved from https://www.consumerfinance.gov/about-us/newsroom/bcfp-collaborates-regulators-around-world-create-global-financial-innovation-network.
---------------------------------------------------------------------------
3. The Bureau [should] work with the private sector to develop best practices on disclosures and terms and conditions regarding consumers' use of products and services powered by consumer financial account and transaction data provided by data aggregators and financial services companies.
The CFDR Group and FDATA North America strongly believe that consumers and small businesses should be empowered to use their financial data for their own financial benefit. To fully realize this empowerment, however, end users must be able to clearly and easily understand to what data elements they are granting third parties access to and for what purpose, as well as how they can revoke their consent to access and use the data. Though several industry groups have previously sought to establish guidelines in this space--and others continue to seek to formulate best practices--given the vast scope of the financial services market, very little standardization has taken place. Fortunately, to the extent that the private sector, the BCFP and other regulatory agencies come together to develop best practices that could be adopted broadly across the industry, a market-tested framework already exists. The United Kingdom's Open Banking architecture includes prescriptive consent flows that ensure that a consumer's or small business' experience granting or revoking consent to access their data to any third party in the Open Banking environment is uniform. Accordingly, consumers in the Open Banking ecosystem experience the same consent-granting process across every third-party application they use, regardless of the financial institution with which they have their primary banking relationship. Offboarding is similarly uniform.
The evidence suggests that end users of the Open Banking ecosystem are quickly becoming comfortable and familiar with these standards; three million Open Banking API calls were made this July, a month-over-month increase of 50 percent. \19\ Public and private sector participants would do well to use these Open Banking consent standards as a starting point for creating best practices in the U.S. market.
---------------------------------------------------------------------------
\19\ ``Open Banking Progress Update 13 July-31 August''. (2018, September 3). Retrieved from https://www.openbanking.org.uk/about-us/news/open-banking-progress-update-july-august-2018/.
---------------------------------------------------------------------------
4. Any potential solution [to move to more secure and efficient methods of data access should] address resolution of liability for data access. If necessary, Congress and financial regulators should evaluate whether Federal standards are appropriate to address these issues.
The CFDR and FDATA North America believe that the issue of liability is the fundamental obstacle preventing the U.S. market from offering a more even, consumer-centric delivery of third-party tools powered by permissioned data connectivity. Decades-old regulations, such as Regulation E, create either the regulatory expectation or the consumer perception that financial institutions will largely make their customers whole in the event of any financial loss, including as a result of a data breach at a third party. \20\ Further, prudential bank regulators have told the FinTech community that the potential liability exposure to customers that nationally regulated banks face in the event of a data breach for which customers experience a financial loss represents a safety and soundness concern.
---------------------------------------------------------------------------
\20\ 12 CFR 205.
--------------------------------------------------------------------------- Largely as a result, some of the financial institutions seeking bilateral agreements with data aggregators are seeking to place the aggregator in the position of holding full, unlimited liability for the FinTech ecosystem. These financial institutions hold that, because the aggregator is the only party with which they will have a bilateral agreement, the aggregator is the only entity from which they can recoup customer losses; however, this position is both impractical and untenable. Aggregators typically have no direct relationship with consumers or small businesses. Practically, they do not have the scale necessary to be in a position to provide their financial institution counterparties with boundless liability protection for the entire FinTech market, nor would that fairly apportion responsibility throughout the ecosystem. As responsible stewards of consumer data, however, aggregators are prepared to be liable for any direct consumer harm that arises as a result of a breach for which they are at fault. More broadly, the question of liability must also address the responsibility of the third party with which the consumer or small business has a relationship, whether it is a FinTech application or a technology tool delivered by a traditional financial institution. The CFDR earlier this year released a set of principles, Secure Open Data Access (SODA), which called for the implementation of traceability, minimum cyberliability insurance standards and other standards designed to ensure that the entity responsible for consumer financial loss as a result of a data breach--be it a bank, an aggregator, or a FinTech firm--is the entity charged with making the end user whole. 
While CFDR members are starting to implement the SODA principles with regard to liability, the financial regulatory agencies and Treasury could augment and assist this work by undertaking efforts to create a more vibrant and affordable cyberliability insurance market, similar to the steps taken by Her Majesty's Treasury in the United Kingdom last year.
5. Any potential solution [to move to more secure and efficient methods of data access should] also address the standardization of data elements as part of improving consumers' access to their data.
Treasury notes in its report that ``a standardized set of data elements and formats would help to foster innovation in services and products that use financial account and transaction data . . . '' \21\ While the CFDR Group and FDATA North America wholeheartedly agree with the Department's recommendation, I would respectfully submit an addendum to this recommendation. Standardization of data elements will only be impactful to American consumers and small businesses if they are able to grant access to all of the data required to power the use case they have selected. A standardized data set that, for example, does not allow end users to grant access to any data fields related to the fees or interest rates a financial institution assesses inherently restricts the ability of that customer to utilize fee comparison tools or to use a third-party tool to select an alternative, lower-cost provider.
---------------------------------------------------------------------------
\21\ ``A Financial System That Creates Economic Opportunities: Nonbank Financials, FinTech, and Innovation''. (2018, July 31). Retrieved from https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation_0.pdf.
--------------------------------------------------------------------------- Therefore, with the appropriate consent, authentication, and liability safeguards in place, the standardized data elements made available to the consumer or small business to permit access to third parties of their choosing should include all of the data elements available to the end user in their native online banking environment. This approach would fully enable end users to leverage their own financial data to their economic benefit and it would allow for the realization of a competitive, free marketplace in which consumers have full transparency into financial products and services offered by FinTech providers and financial services firms alike. Conclusion Though tens of millions of American consumers and small businesses are already utilizing third-party tools to improve their financial well-being, more can and should be done to harness the power of innovation and to give Americans full control of their own financial data and future. The Treasury's report provides an insightful overview of the outstanding issues facing the U.S. market that should be collaboratively addressed in order to better serve consumers and to ensure that the United States remains globally competitive as multiple countries implement comprehensive, consumer-centric financial data access frameworks. The CFDR Group and FDATA North America stand ready to work with the Department, the regulatory agencies, market stakeholders, and, of course, Congress, to implement the Treasury's recommendations. ______ PREPARED STATEMENT OF STUART RUBINSTEIN President, Fidelity Wealth Technologies, and Head of Data Aggregation September 18, 2018 Chairman Crapo, Ranking Member Brown, and Members of the Committee: thank you for holding this important hearing. Fidelity is very interested in FinTech and data policy and has a unique perspective to share on financial data account access and aggregation used by many FinTech firms. 
My name is Stuart Rubinstein and I am President of Fidelity Wealth Technologies and Head of Data Aggregation. In this role, I oversee the team focused on helping Fidelity and other institutions enable consumers to securely share account data and documents with third parties. Fidelity is a leading provider of investment management, retirement planning, portfolio guidance, brokerage, benefits outsourcing, and other financial products and services to more than 30 million individuals, institutions, and financial intermediaries with more than $7 trillion in assets under Administration. Our goal is to make financial expertise broadly accessible and effective in helping people live the lives they want. I will focus my testimony for this hearing on an issue I first worked on over 20 years ago: financial data aggregation services and ways we can make data sharing safer and more secure. Fidelity's Perspective on Data Aggregation Fidelity has a unique perspective on financial data aggregation practices and necessary protections for customers. We are on all sides of this issue: we are an aggregator of data for third parties, \1\ we are a significant source of data for aggregators acting on behalf of our mutual customers, and we offer a data aggregation service for our retail customers and retirement plan participants. \2\ This perspective gives us a thorough understanding of the benefits of financial data aggregation, but also of the very real cybersecurity and privacy risks that current data aggregation industry practices create. --------------------------------------------------------------------------- \1\ Financial advisors can use eMoney Advisor, a Fidelity-owned business that provides account aggregation services along with software that helps them provide financial advice to their clients. 
\2\ Fidelity offers its FullView services to retail customers through Fidelity.com and to retirement plan participants through NetBenefits.com, and developed its first account aggregation service over 15 years ago. Fidelity FullView provides a snapshot of customers' net worth in a simple format with an ability to do budgeting and financial planning.
---------------------------------------------------------------------------
Financial data aggregation in this context refers to services that, with customers' consent, collect financial information from their various bank, brokerage, and retirement accounts, along with other sources, to be displayed and processed in an aggregated view. An example of this kind of service might be a budgeting and planning smartphone app. Consumers use third party applications that leverage data aggregation because they value tools to help manage financial planning, budgeting, tax preparation, and other services. As part of our focus on helping our customers, Fidelity works to make it possible for customers to access the services they want to use--including third party aggregation-based services. To that end, customers have been able to use their Fidelity data in third party applications for many years. However, the cybersecurity environment has significantly changed over that time and we have a responsibility to protect the very sensitive personal financial data and assets of our more than 30 million customers from misuse, theft, and fraud. Current data aggregation practices make this challenging, because they rely on consumers providing their financial institution log-in credentials (i.e., username and password) to third parties. Those third parties, typically data aggregators, then almost always employ a practice known as ``screen scraping.'' At its most basic, screen scraping involves the use of computerized ``bots'' to log-in to financial institution websites, mobile apps, or other applications as if they were the consumer.
Once the bots have access to the site or app, they ``scrape'' customer data from the various screens to be presented on a consolidated basis, along with information scraped and collected from other sources. There are two consumer data security problems with this practice. First, as a matter of basic security consumers should not be asked or required to share their private log-in credentials in order to access a third party service. Doing so creates cybersecurity, identity theft, and data security risks for the consumer and financial institutions. Unfortunately, we know that due to years of this practice, financial institution log-in credentials are now held by a myriad of companies. Some are likely very secure, while others may not be secure at all. Given this, allowing third parties to log-in using these credentials as if they are the customer creates significant risk of cyberfraud. Because consumers go directly to data aggregators or their commercial clients and not their financial institution, the financial institutions never really know if the activity has in fact been authorized by the customers or if the customer credential has been compromised and a criminal is using the data aggregation service to test the credential's validity and illicitly gather data. Second, screen scraping may result in access to data fields far beyond the scope of the service a third party offers the consumer-- including personally identifiable information (PII) about consumers and in some cases their dependents. This means third parties have access to fields of information often used by financial institution call centers to identify customers. For example, if a consumer provides his or her log-in credentials to a budgeting app, that app potentially has access to sensitive personal information like customer dates of birth and dependent names and dates of birth, all of which might be data financial institutions use to verify customer identities online or over the phone. 
Collection of information beyond what is needed for the service the consumer has elected creates unnecessary risk. And all of this adds up to an array of risks financial institutions must navigate to protect the integrity of their systems and the assets of their customers.

In considering the challenges described above, Fidelity developed the following five principles that we believe should guide industry in creating better data sharing solutions:

1. We strongly support consumers' right to access their own financial data and provide that data to third parties. As a provider of aggregation services ourselves, we know that customers value these products, and the demand for aggregation is likely to increase. We also believe that the concept of access is broad enough to encompass security, transparency, and cybersecurity protections for consumers.

2. Data access and sharing must be done in a safe, secure, and transparent manner. We firmly believe credential sharing makes the system less safe for consumers, aggregators, and financial institutions alike. While we strongly support customer access, the security of customer data, customer assets, and financial institution systems must be our primary concern.

3. Consumers should provide affirmative consent and instruction to financial institutions to share their data with third parties. Rather than trust that third parties who use customer log-in credentials to access a financial institution's website are authorized, customers should tell financial institutions which third parties have permission to access their financial data. This eliminates the potential that unauthorized access using credentials is mistaken for authorized access.

4. Third parties should access the minimum amount of financial data they need to provide the service for which the customer provided access. There should be a tight nexus between the service provided and the information collected by third party aggregators. For example, if a customer signs up for a tax planning service that leverages aggregation, that service should only access the information needed for tax planning.

5. Consumers should be able to monitor who has access to their data, and access should be easily revocable by the consumer. We believe data sharing and permissioning should be an iterative process, with customers engaged continuously. Moreover, many customers believe revoking access is as easy as deleting an app from their phone--this is not the case. Customers should be able to easily instruct their financial institution to revoke access when they no longer want or need the aggregation-based service.

We believe that embracing these principles will better protect consumers, aggregators, and financial institutions, and facilitate more efficient data sharing practices.

How Do We Solve This for Consumers?

Fortunately, although the risks and challenges of the current system are serious, there are steps financial institutions and aggregators can take together to improve the data sharing ecosystem. The financial services industry is employing technological solutions for the secure exchange and access of financial information. These technologies involve the implementation and use of application programming interfaces (APIs), which are provided by the financial institution to aggregators and other third parties. An API works in conjunction with an authentication process that is handled by the financial institution. There are authentication processes, for example ``open authorization'' (OAuth), that do not involve sharing of account access credentials with third parties. Consumers who want their data aggregated sign into their accounts at the financial institution's website and provide authorization for third party aggregators to access their financial data.
The financial institution and the data aggregator then manage that connection through secure, encrypted tokens that are provisioned for the specific connection. There are several compelling consumer and data security benefits for moving to APIs. First, it keeps log-in credentials private and secure by eliminating the need for consumers to share log-in credentials with third parties. This reduces the cyber, identity, and personal data security risks that exist when a consumer shares private log-in details with a third-party. Second, it puts the consumer in the driver's seat by giving consumers greater transparency and control of their data by allowing consumers to provide unequivocal consent and instruction to share their data with third parties. Third, it allows financial institutions and aggregators to agree on what data should be shared and avoid over-scraping. Fourth, it eliminates the need to reconfigure aggregators' systems every time a consumer changes his or her username or password or the financial institution updates its webpage. Fifth, it removes the traffic-intensive screen scraping activity from financial institutions' web sites and other digital properties, returning that capacity to the individual consumers for whom those sites were created. Finally, it enables the consumer to monitor the ongoing access and instruct their financial institution to revoke the consent if desired. Fidelity Access In November 2017, Fidelity announced its own API solution for data sharing called Fidelity Access. Fidelity Access will allow Fidelity customers to provide third parties access to customer data through a secure connection without providing log-in credentials. Fidelity Access will include a control center, where customers can grant, monitor, and revoke account access at any time. We have been working closely with aggregators and other third parties on adoption of this solution. 
Of particular note, eMoney Advisor, Fidelity's affiliate that offers its own aggregation service, is committed to working with other financial institutions that offer APIs. By championing the exclusive use of APIs to facilitate customers providing third parties access to their financial data, we hope to show leadership by taking action to better secure our customers' data.

Industry Standards and Policymaker Guidance

In addition to our own efforts to address the problems with data aggregation, we have been working with a wide array of industry and public sector stakeholders. We support many of the data sharing and aggregation principles that have been put forth:

In October 2017, after a year-long inquiry into the topic, the Bureau of Consumer Financial Protection (BCFP) released nonbinding financial data sharing and aggregation principles, which helpfully emphasized the importance of access, security, transparency, and consent. \3\
---------------------------------------------------------------------------
\3\ Available at https://files.consumerfinance.gov/f/documents/cfpb--consumer-protection-principles--data-aggregation.pdf. Fidelity commented on the Request for Information that culminated in these principles (https://www.regulations.gov/document?D=CFPB-2016-0048-0053).
---------------------------------------------------------------------------
In February 2018, the Financial Services Information Sharing and Analysis Center (FS-ISAC), a cybersecurity information sharing group focused on the financial services industry, published a standard durable data API free of charge to help facilitate safer transfer of financial data. \4\ The Fidelity Access API is based on this standard.
---------------------------------------------------------------------------
\4\ See https://www.fsisac.com/article/fs-isac-enables-safer-financial-data-sharing-api. Fidelity is a member of FS-ISAC and contributed to the development of the durable data API.
---------------------------------------------------------------------------
In March 2018, the Financial Industry Regulatory Authority (FINRA) published an investor alert that explained the risks associated with aggregation-based services and noted that many firms are moving toward APIs. \5\
---------------------------------------------------------------------------
\5\ Available at http://www.finra.org/investors/alerts/know-you-share-be-mindful-data-aggregation-risks.
---------------------------------------------------------------------------
In April 2018, the Securities Industry and Financial Markets Association (SIFMA) released data aggregation principles that focused on similar themes. \6\
---------------------------------------------------------------------------
\6\ Available at https://www.sifma.org/resources/general/data-aggregation-principles/. Fidelity is a member of SIFMA and worked closely with other member firms in developing these principles.
---------------------------------------------------------------------------
In July 2018, the U.S. Department of the Treasury released a report on Nonbank Financials, FinTech, and Innovation that includes a lengthy discussion of financial data aggregation and helpful recommendations, including simplified disclosures, moving away from screen scraping, and eliminating log-in credential sharing. \7\
---------------------------------------------------------------------------
\7\ Available at https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation_0.pdf.
---------------------------------------------------------------------------
These efforts to provide guidance have brought many of the challenges and risks associated with data aggregation to the fore and encouraged healthy debate on how to solve them.

Continuing Challenges

Despite the general consensus that the status quo is untenable and the industry should move to safer data sharing technologies, there are roadblocks that prevent wider adoption of APIs and other solutions.
Here are what we see as the most challenging: Inertia: One force working against adoption of safer data sharing technologies is simple inertia. Existing practices have been the norm for close to two decades. Getting firms to adopt new technologies can be challenging no matter what the benefits. However, given the stakes, with headlines replete with examples of cybersecurity events and data breaches, this is not an adequate reason to resist better data sharing technology. Cost: Another countervailing force is cost. One of the unfortunate truths about screen scraping is that it is cheap and effective. While safer technologies like APIs have become less costly as technology advances, building one does incur costs. We believe the incremental increase in cost is well worth the substantial security and transparency improvements for consumers. Still, financial institutions should be sensitive to this reality, which is why we are providing Fidelity Access to third parties free of charge. Liability: Liability is the most stubborn blocker to wider adoption of safer data sharing technologies. Third party aggregators want to limit their potential liability in the event that financial data is illicitly obtained. We have seen firms try to limit their liability to low dollar amounts. These kinds of limits are untenable for financial firms like Fidelity that have a duty to protect client assets. Fidelity believes firms that obtain and handle consumer data should be held responsible to protect that data from unauthorized use, just as we are. Any other standard creates moral hazard and does not incentivize aggregators to take their data stewardship responsibilities seriously. Until all industry participants--aggregators, FinTech firms, and financial institutions--are prepared to overcome these challenges in a responsible manner, we will not move as swiftly as we otherwise could to adopt safer data sharing technologies. 
Thank you again for the opportunity to testify and I look forward to answering your questions. ______ PREPARED STATEMENT OF BRIAN KNIGHT Director, Innovation and Governance Program, Mercatus Center at George Mason University September 18, 2018 Good morning, Chairman Crapo, Ranking Member Brown, and Members of the Committee. I thank you for inviting me to testify. My name is Brian Knight, and I am the director of the Innovation and Governance Program and a senior research fellow at the Mercatus Center at George Mason University. My research focuses primarily on the role technological innovation plays in financial services. Any statements I make reflect only my opinion and do not necessarily reflect the opinions of the Mercatus Center or my colleagues. I would like to begin by thanking Chairman Crapo and Ranking Member Brown for their leadership in holding this hearing. The role of financial technology (or FinTech) in changing the market for financial services is continuing to grow, with innovations permeating all financial markets. The importance of these technological changes is reflected by the fact that the Treasury Department chose to devote almost an entire report to the topic in its series of reports on core principles in financial regulation. \1\ I also appreciate your collecting speakers from a broad array of experiences and viewpoints for what I expect will be a productive discussion. I am honored to be part of it. --------------------------------------------------------------------------- \1\ Steven T. Mnuchin and Craig S. Phillips, U.S. Dep't of the Treasury, ``A Financial System That Creates Economic Opportunities: Nonbank Financials, FinTech, and Innovation'' (2018) [hereinafter Treasury Report]. --------------------------------------------------------------------------- Given the limited amount of time, I have focused my testimony on a handful of areas centered on the collection, aggregation, and use of data. 
I am happy, however, to answer any other questions you may have to the best of my ability. I want to leave you with three main points: 1. FinTech innovation has significant potential to improve the quality of, and access to, financial services. 2. While there are potential risks, these risks should be judged against the status quo, not an unobtainable perfection. 3. Existing law can mitigate risk to some degree, and changes to the law should be considered only if existing law is proven to be inadequate and the benefits of changing the law will outweigh the costs. The Potential for a Better Financial Services Market Changes in technology have the potential to improve the financial services markets. Specifically, the collection, use, and aggregation of consumer data may allow consumers to enjoy more choice, more competition, and higher-quality services. Likewise, the use of artificial intelligence, machine learning, and other advanced algorithmic techniques to process data present the possibility of more accurate, fair, and inclusive underwriting and risk management. While there are reasons to be excited, there are also potential risks. More granular data collection and broader access might increase the risk and harm of data breaches to consumers. There are concerns that the enhanced use of algorithms may lead to more discrimination, a lack of transparency, or diminished access to essential services like credit. \2\ There are also fears that the existing legal and regulatory environment is unable to address the risks introduced by technology. --------------------------------------------------------------------------- \2\ See, e.g., U.S. Fed. Trade Comm'n, ``Big Data: A Tool for Inclusion or Exclusion'' 8-11 (2016) (summarizing findings of public workshop on big data regarding potential risks). 
--------------------------------------------------------------------------- While these concerns merit consideration and the risks they describe should be monitored, it is premature to panic. First, the early data are promising, in many cases finding that financial technology and the competition and innovation it fosters are improving financial services. Second, existing law and regulation might mitigate some of the major risks already. Although this area is often presented as a lawless Wild West, it is incorrect to think that these areas are unregulated. As discussed below, existing regulations apply, and in general, we should see how well the existing laws and regulations work with new technology before we impose new restrictions. Indeed, we should consider the possibility that, in fact, we already have too much regulation that affects these new technologies. Otherwise we risk forestalling innovations that can lead to more competitive, efficient, and inclusive financial markets--to the detriment of the American consumer. Data Collection As the Treasury Report notes, the ability of financial service providers to collect and utilize a broader and more diverse selection of consumer data has the potential to improve the provision of financial services, especially to consumers who are poorly served by the status quo. \3\ Not only could cost-effective access to more data help established firms improve their offerings, it could also encourage competition and innovation from new entrants. --------------------------------------------------------------------------- \3\ Treasury Report, supra note 1, at 17. --------------------------------------------------------------------------- While the ability to access and utilize more data has a significant upside, it also presents risks. For example, it is possible that the more granular a dataset a financial institution collects on a consumer, the more harm a security breach could cause. 
Data that might be relatively harmless at one level of detail could become highly sensitive at another. What could be labeled ``professional or medical services'' at one level of detail could be labeled ``marriage counseling'' at another. While obtaining more information could allow financial services providers to offer better products, we should also be alert to the risks that could develop. Additionally, as the Treasury Department notes, there are divergent regulations at the State level regarding data security and breach notification. \4\ These different requirements can increase compliance costs for firms and result in citizens being regulated by sets of rules put in place without consultation with them, the consumers. \5\ Given the predominantly interstate nature of cybersecurity, there is little question that Congress could constitutionally preempt State law to create consistent national standards, and given the costs of the status quo, it may want to consider doing so.
---------------------------------------------------------------------------
\4\ Treasury Report, supra note 1, at 39-41.
\5\ For further discussion of the potential costs of State-by-State regulation on FinTech, including the costs of inefficiency and political inequity among citizens of different States, please see Brian Knight, ``Federalism and Federalization on the FinTech Frontier'', 20 Vand. J. Ent. and Tech. L. 129, 185-99 (2017).
---------------------------------------------------------------------------
Data Aggregation

Third-party aggregators, acting on a consumer's behalf, can now allow consumers to see all of their accounts from different financial services providers at a glance. This convenient display of information can help consumers more effectively assess and manage their finances.
Third-party aggregation can also be used by applications, again acting at the request of the consumer, to collect the consumer's financial data in order to allow the consumer to use the application's service. Such applications are gaining in popularity; a recent survey conducted by the Clearing House found that about a third of banking customers use financial technology applications. \6\ --------------------------------------------------------------------------- \6\ The Clearing House, ``FinTech Apps and Data Privacy: New Insights From Consumer Research'' 4 (2018). --------------------------------------------------------------------------- While there are real potential benefits to data aggregation, the practice is not without controversy. Banks and other financial institutions have expressed concern that data aggregators, particularly those using ``screen scraping,'' \7\ place consumers' data at risk and potentially expose consumers to fraud and the bank to liability. \8\ As the Treasury Department's FinTech report notes, the banks' fears are not outlandish, as there is an open question as to the scope of the banks' liability under existing law, even if the customer willingly granted access to a third party that was responsible for the data breach. \9\ --------------------------------------------------------------------------- \7\ Screen scraping generally refers to an aggregator using a customer's login credentials to log into a financial institution's webpage on behalf of the customer and extracting data from the webpage. \8\ See, e.g., The Clearing House, ``Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers'' (2015). \9\ Treasury Report, supra note 1, at 35-36. --------------------------------------------------------------------------- This concern is part of why section 1033 of the Dodd-Frank Act is so controversial. 
As the Treasury Department report notes, there is a plausible reading of the act (one that the Treasury endorses) that requires financial institutions covered by Dodd-Frank to, subject to rules promulgated by the Bureau of Consumer Financial Protection (Bureau), make account records available in an electronic form not only to consumers themselves but also to a consumer's agent, including a FinTech application. \10\ Paired with potential legal liability, this provides banks with few options to protect themselves. --------------------------------------------------------------------------- \10\ Treasury Report, supra note 1, at 31. --------------------------------------------------------------------------- Understandably, this presents some significant issues that the Bureau, and potentially Congress, should consider. Among them are the following: The extent of the burden placed on covered financial institutions. Must a covered financial institution make data available to all comers, or may it place limits on the basis of safety or data security? The standards for data transmission. As mentioned in the Treasury Report, there has been a shift from screen scraping to the use of application programming interfaces (APIs) that may provide a more secure method of communicating data. However, there is not a mandatory standard that would allow interoperability. While there are ongoing industry efforts to bring standardization, \11\ questions remain as to whether covered financial institutions must accommodate all requests and who will set standards for data transmission methods. --------------------------------------------------------------------------- \11\ See, e.g., ``NACHA, API Standardization--Shaping the Financial Services Industry'' (2018) (discussing efforts by NACHA to develop standards for financial services APIs to allow interoperability). The scope of data transmission. 
One of the major concerns expressed by covered financial institutions is that data aggregators can obtain data in excess of what is needed to perform the service the consumer has authorized them to do. Conversely, data aggregators express frustration that financial service providers prevent them from accessing needed data via financial-service-provider-approved APIs. \12\ While the availability of more data may allow applications to offer better services, it could also increase consumer harm if there were a breach. The scope of data that aggregators will be able to obtain from financial institutions, and what factors control that scope, will need to be determined. --------------------------------------------------------------------------- \12\ Treasury Report, supra note 1, at 34. Consumer control of data transmission. The amount of control consumers will have over the amount of data that is obtained by aggregators, and how that control must be exercised, will need to be determined. According to the same survey by the Clearing House, a majority of consumers would like to be required to provide explicit consent to any third party seeking data. \13\ However, what that might look like in practice (e.g., when that consent must be provided or how granular the consent must be), and whether that standard is even practical, remain to be determined. --------------------------------------------------------------------------- \13\ The Clearing House, supra note 8, at 7. --------------------------------------------------------------------------- Liability for data breaches. As the Treasury Report discusses, there is a question regarding the scope of liability for a financial institution in the event consumer data is lost owing to a failure on the part of a data aggregator or a downstream application. 
Financial institutions feel at risk that they will ultimately be forced to compensate customers, even if the financial institution was not at fault, because the aggregator or application lacks sufficient resources to make aggrieved customers whole. This concern is heightened if financial institutions are forced to make data available to aggregators, rather than choosing to enter into contracts that allow the financial institutions to perform due diligence and make demands of the aggregator.

If the Bureau adopts the Treasury Department's view regarding section 1033, it will need to craft a rule that provides meaningful access while addressing the legitimate concerns of covered financial institutions. However, the Bureau should also leave as many of the details as possible to market participants so as to not impede innovation or risk enshrining requirements that will become outdated or suboptimal far faster than the regulatory process can adapt. Congress should monitor these developments to determine whether any subsequent adjustment is necessary.

Innovative Underwriting

As the Treasury Department notes, credit underwriting is one area where data, in conjunction with artificial intelligence, are being used to potentially great effect. There is optimism that algorithmic underwriting may increase inclusion and improve the quality of underwriting, making it more accurate and efficient. However, there are also concerns that it could exacerbate discrimination and exclusion, because the algorithms may exacerbate existing discrimination or be so opaque that humans lose the ability to discern what is driving the algorithm's results, preventing humans from excluding improper variables. \14\ These concerns are particularly acute with regard to unintentional discrimination through the use of facially neutral variables that nonetheless have a ``disparate impact'' on protected classes of persons.
---------------------------------------------------------------------------
\14\ Treasury Report, supra note 1, at 57-8.
---------------------------------------------------------------------------

While these concerns should be taken seriously, there are also reasons to believe they are at least somewhat overstated. First, it must be remembered that the appropriate standard to judge innovative underwriting is not perfection. Rather, we should judge whether it is an improvement over the status quo. In this regard, there is evidence that innovative underwriting may prove to be less discriminatory than current practices. Second, there are reasons to believe that the current legal and regulatory environment for financial services may be well situated to mitigate these risks.

As Professor Anupam Chander points out, there are several reasons why algorithms may prove to be less prone to discrimination than human decision making. To the extent that discrimination is driven by subconscious or unconscious bias, those biases are less likely to survive the process of being written down in an intentional underwriting algorithm compared to a ``gut decision'' by a lending officer. \15\ Additionally, to the extent there is concern that algorithms may present a ``black box'' that cannot be audited, they nonetheless present less of a black box than the human mind. \16\ Further, to the extent human decision making incorporates inaccurate stereotypes when making decisions, algorithms, with access to more and better data, and without the baggage of inaccurate stereotypes, may be able to do a better job. \17\
---------------------------------------------------------------------------
\15\ Anupam Chander, ``The Racist Algorithm?'', 115 Mich. L. Rev. 1023, 1028 (2017).
\16\ Id. at 1030.
\17\ Id.
---------------------------------------------------------------------------

Early evidence of the use of innovative underwriting is promising.
For example, researchers at the Federal Reserve Banks of Chicago and Philadelphia looked at a leading marketplace lender's use of innovative underwriting and found that the lender was able to offer many borrowers better rates than they would have received from a traditional lender. These loans also seemed to age reasonably well, indicating that the underwriting did not present an undue risk of default. \18\ Likewise, scholars at the University of California, Berkeley, found evidence indicating that FinTech lenders using innovative underwriting for mortgages were significantly less likely to discriminate on the basis of race than traditional lenders. \19\ While we are still in the early days and more research is necessary, there are good indications that innovative underwriting, as applied, may have significant benefits.
---------------------------------------------------------------------------
\18\ See Julapa Jagtiani and Catharine Lemieux, ``FinTech Lending: Financial Inclusion, Risk Pricing, and Alternative Information'' (Fed. Res. Bank of Phila., Working Paper No. 17-17, 2017); Julapa Jagtiani and Catharine Lemieux, ``The Roles of Alternative Data and Machine Learning in FinTech Lending: Evidence From the Lending Club Consumer Platform'' (Fed. Res. Bank of Phila., Working Paper No. 18-15, 2018).
\19\ See Robert P. Bartlett, Adair Morse, Richard Stanton, and Nancy Wallace, ``Consumer Lending Discrimination in the FinTech Era'' (2018).
---------------------------------------------------------------------------

Additionally, certain existing regulatory requirements may encourage firms developing innovative underwriting tools to avoid some of the concerns expressed by pessimists.
For example, while there are concerns about the opacity of algorithms, the Equal Credit Opportunity Act and Fair Credit Reporting Act require lenders to be able to provide prospective borrowers with adverse action notifications explaining why the borrower was denied or charged a higher rate and detail the information the lender used to make that determination. \20\ Complying with this requirement will be difficult if the lender's algorithm is truly opaque, giving lenders an incentive to maintain auditability and explainability. \21\
---------------------------------------------------------------------------
\20\ Matthew Bruckner, ``The Promise and Perils of Algorithmic Lenders' Use of Big Data'', 93 Chicago-Kent L. R. 1, 38-39, 51 (2018).
\21\ Id. at 40.
---------------------------------------------------------------------------

Further, while lenders have an economic incentive to ensure that their algorithms are accurate and not irrational, there are also existing regulatory reasons to do so. To the extent that underwriting algorithms generate lending decisions that create the ``artificial, arbitrary, and unnecessary barriers'' that disparate impact theory is meant to address, \22\ the lender may, depending on the unique circumstances and the relevant applicable statutes, also find itself subject to liability for lending decisions that, while relying on facially neutral criteria, have a disparate impact on protected classes of borrowers, unless those decisions are driven by a legitimate business purpose and cannot be accomplished with less discriminatory means. While lenders have a strong profit motive to make certain their underwriting is as accurate as possible, potential liability should also encourage lenders to actively monitor and improve their algorithms.
---------------------------------------------------------------------------
\22\ Tex. Dep't of Hous. and Cmty. Affairs v. Inclusive Cmtys. Project, Inc., 135 S. Ct. 2507, 2522 (2015).
---------------------------------------------------------------------------

Conclusion

The advance of technology has shown significant promise for improving the market for financial services. Specifically, the collection, aggregation, and use of consumer data has significant potential to allow consumers to enjoy the benefits of a more competitive and innovative market. Of course, there is no such thing as a free lunch, and increased risks may accompany the benefits. However, at present there is no reason to panic, and rash regulatory intervention may frustrate proconsumer innovation, leaving consumers worse off. Congress should carefully monitor and evaluate developments in the FinTech arena and intervene only when existing law and regulation--including market regulation--prove inadequate to address a problem and where the costs of intervening would not be worse than the problem the intervention seeks to solve. When Congress does intervene, it should do so in a technologically agnostic manner and refrain from imposing specific technical requirements on market participants because such solutions are likely to become obsolete in short order.

A specific area Congress may want to monitor is whether concerns about potential liability are chilling innovations in underwriting that might otherwise benefit society. Congress should consider tools such as ``regulatory sandboxes,'' which can allow firms to experiment in a way that encourages innovation while maintaining appropriate consumer protection. While some regulators have announced their intention to undertake such activities under their existing authority, given the fragmented nature of financial regulation, it may require Congress to provide sufficient authority to allow for meaningful experiments.

Another area Congress should consider is the question of whether the current allocation of regulatory authority regarding data security and breach notification is appropriate.
As mentioned earlier, the laws governing data security and data breach notification, especially those at the State level, may be unduly burdening market participants and forcing consumers to pay for rules they had no say in. Therefore, Congress should consider whether establishing consistent, preemptive Federal standards would be appropriate.

Technology presents the opportunity for market actors to more effectively gather, aggregate, and use data to provide customers with better, cheaper, and more effective financial services. While there are potential risks that should be monitored, there is also the potential for significant benefits. Intelligent regulatory choices, including the possibility of exercising forbearance, can help create an environment where consumers are able to enjoy the maximum benefits of innovation and competition while enjoying adequate protection.

Thank you again for the invitation to testify. I look forward to your questions.
______

PREPARED STATEMENT OF SAULE T. OMAROVA
Professor of Law, and Director, Jack Clarke Program on Law and Regulations of Financial Institutions and Markets, Cornell University
September 18, 2018

Dear Chairman Crapo, Ranking Member Brown, Members of the Committee:

Thank you for inviting me to testify at this hearing. My name is Saule Omarova. I am Professor of Law at Cornell University, where I teach subjects related to U.S. and international banking law and financial sector regulation. Since entering the legal academy in 2007, I have written numerous articles examining various aspects of U.S. financial sector regulation, with a special focus on systemic risk containment and structural aspects of U.S. bank regulation. Prior to becoming a law professor, I practiced law in the Financial Institutions Group of Davis Polk and Wardwell. I also served in the George W. Bush administration as a Special Advisor on Regulatory Policy to the U.S. Treasury's Under Secretary for Domestic Finance.
I am here today solely in my academic capacity and am not testifying on behalf of any entity. I have not received any Federal grants or any compensation in connection with my testimony, and the views expressed here are entirely my own.

FinTech--an umbrella term that refers to a variety of digital technologies applied to the provision of financial services--is by far the hottest topic in finance today. Recent advances in computing power, data analytics, cryptography, and machine learning are visibly changing the way financial transactions are conducted and financial products are used. New financial technologies promise to make transacting in financial markets infinitely faster, cheaper, easier to use, and more widely accessible. Reaching across generational and political lines, technology is bringing tech-savvy millennials, utopian anarchists, and computer scientists into the mainstream debate on the future of finance, infusing it with a new sense of excitement about the game-changing potential of the unfolding FinTech ``revolution.'' As usual, financial markets translate these expectations into massive and rapidly growing flows of capital into FinTech-related ventures. This is, of course, not the first time in modern history that these market dynamics are being played out. \1\ As history keeps teaching us, in such periods of rising investor optimism, it is especially critical that policymakers and regulators remain cautious, cool-headed and even-handed in their assessment of FinTech. On the one hand, there is no doubt that technological progress creates previously unimaginable opportunities for improving the functioning of financial markets and, more broadly, the quality of our financial lives. On the other hand, there is no guarantee that any of these expected benefits will, in fact, materialize--or whether they will generate any real long-term benefits for the Nation's economy and society as a whole.
---------------------------------------------------------------------------
\1\ See Charles P. Kindleberger and Robert Aliber, ``Manias, Panics, and Crashes: A History of Financial Crises'' (2005).
---------------------------------------------------------------------------

In this context, it is especially commendable that the Committee is taking a closer look at the current state of FinTech and the current Administration's strategic priorities in this area laid out in the U.S. Treasury Department's recent report to President Trump, ``A Financial System That Creates Economic Opportunities: Nonbank Financials, FinTech, and Innovation'' (hereinafter, the ``Treasury Report'' or ``Report''). \2\
---------------------------------------------------------------------------
\2\ U.S. Department of the Treasury, ``Report to President Trump: A Financial System That Creates Economic Opportunities: Nonbank Financials, FinTech, and Innovation'' (July 2018), [hereinafter, Treasury Report] available at https://home.treasury.gov/sites/default/files/2018-07/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financi....pdf.
---------------------------------------------------------------------------

At this early stage in the development and adoption of many FinTech applications, it is difficult to come up with an exhaustive list of specific policy concerns associated with each specific technology use. It is also difficult to identify the full spectrum of changes in the existing legal and regulatory regimes needed to accommodate specific uses of new technologies in financial transactions. It is both possible and necessary, however, to start taking a broader systemic view of FinTech and identifying key public policy issues arising in connection with the continuing growth of FinTech. A comprehensive analysis of the macrolevel, systemic implications of FinTech is provided in my new working paper, ``New Tech v. New Deal: FinTech as a Systemic Phenomenon'', attached separately as an Appendix hereto.

In this testimony, I will take a broader look at a few overarching themes that arise directly out of the Treasury Report and, in my view, deserve the Committee's special attention. The key point here is that the Treasury Report understates or even ignores a number of critically important public policy issues and concerns raised by the unfolding digital ``revolution'' in finance. My testimony identifies a few such high-level public policy concerns that both (1) merit full consideration by the Committee, and (2) are not adequately discussed or acknowledged in the Treasury Report. It is not intended as a detailed critique of the Treasury's conclusions and recommendations, nor does it claim to analyze the full risks and benefits of any particular FinTech application discussed in the Report. The purpose of my testimony is to widen the lens beyond the seemingly value-neutral and narrowly technocratic ``solutions''--and to introduce the necessary note of caution with respect to potentially crucial systemic implications of the Treasury's approach to FinTech innovation.

The Treasury Report: The FinTech Strategy Outlined

The Treasury Report addresses a wide range of important trends in today's FinTech sector and discusses a long list of legal and regulatory challenges such trends present. The Treasury's numerous conclusions and recommendations span across multiple issues and vary greatly in the level of specificity. The Report's primary public policy significance, however, is that it outlines the current Administration's strategic approach to FinTech--and, more generally, financial sector--regulation. Thus, understanding the Report's programmatic content is the key first step in the process of examining FinTech as a public policy challenge.
Underlying Narrative: FinTech as a Technical Phenomenon

From the outset, the Treasury clearly states its view of data digitization and the corresponding growth in the use of digital technologies in financial and commercial transactions as the fundamental drivers of innovation and economic growth in the modern economy. \3\ The Report asserts that recent advances in core computing and data storage capacity dramatically reduced the cost of transmitting, keeping, and managing financial information--thus greatly increasing operational efficiencies and reducing the overall cost of delivering financial services. \4\ It claims further that digitization allows financial institutions to satisfy consumers' and companies' demand for increased convenience and speed of transacting and to scale up their services to reach a greater number of customers. \5\
---------------------------------------------------------------------------
\3\ Treasury Report, at 6-8.
\4\ Id. at 7.
\5\ Id.
---------------------------------------------------------------------------

On the basis of this optimistic narrative, the Treasury concludes that ``[t]he availability of capital, the large scale of the financial services market, and continued advancements in technology make accelerating innovation nearly inevitable.'' \6\ Accordingly, the Report defines the Administration's overarching strategic policy priority in terms of actively facilitating the ``inevitable'' march of FinTech innovation.
---------------------------------------------------------------------------
\6\ Id. at 8.
---------------------------------------------------------------------------

To the extent this approach conveys a basic recognition of the need to accept and facilitate socially beneficial technological change, the Report's contribution is both timely and important.
Technological progress and financial innovation, however, are not ``natural'' and value-neutral ``win-win'' phenomena: they have significant long-term distributional and systemic stability-related--and thus political--consequences. Technology is a tool that can be used in socially harmful ways that advance the interests of the few rather than those of the many. This basic fact makes it especially important to keep in mind that the Treasury's conclusions and recommendations directly reflect, and are shaped by, certain fundamentally normative preferences and assumptions. These underlying normative choices are often hidden behind the technical idiom and deliberately technocratic discussions filling the Report's 223 pages. An unbiased evaluation of the Treasury's proposed FinTech strategy, therefore, requires a clear understanding of what that strategy actually calls for--and whose economic and political interests it prioritizes.

Normative Baseline: Regulatory Accommodation of Private Sector Innovation

Two principal themes run through the long list of Treasury's recommendations: (1) an explicit and strong commitment to promoting private sector-led financial innovation; and (2) an implicit but equally strong commitment to minimizing regulatory interference with private firms' efforts to scale up FinTech operations. These fundamentally normative choices form the basis of the Treasury's overall FinTech strategy.

The Treasury Report envisions financial innovation as both (1) presumptively socially beneficial; and (2) a fundamentally and inherently private sector-led initiative. The Report consistently emphasizes private firms' leading role in digitization of financial data and services. Even where the Report advocates establishing ``public-private partnerships'' (PPP), its envisioned PPP model clearly places control over the nature and pace of technological change in private firms' hands.
Throughout the Report, the principal role of the Federal and State lawmakers and regulators is effectively confined to providing the necessary logistical and infrastructural support for private firms' FinTech activities, while otherwise ``staying out'' of their way. Accordingly, the Treasury's strategic emphasis is on ``modernizing'' the existing legal and regulatory regimes in order to accommodate, rather than control, the process of privately led financial innovation. In that sense, the Treasury's normative stance is fundamentally deregulatory.

Rhetorical Focus: ``All About Consumers''

As a rhetorical matter, the Report justifies this inherently reactive and accommodating regulatory posture by stressing that new FinTech products are (1) created in response to consumer demand for better financial services, and (2) offer important benefits to consumers. \7\
---------------------------------------------------------------------------
\7\ See, e.g., Id. at 17-19.
---------------------------------------------------------------------------

These consumer benefits include greater speed and convenience of transacting; easier access to financial markets and services; and greater freedom of consumer choice with respect to financial products and service providers. \8\ By offering these benefits, the Treasury's argument goes, FinTech serves equally the interests of all segments of America's population, from digitally savvy millennials to the under-served poor, from pragmatic bargain-hunters to ideological libertarians. Put simply, the Treasury's argument is that all of us, ordinary consumers of retail financial services, are the principal beneficiaries of the proposed regulatory unshackling and unfettered FinTech innovation.
---------------------------------------------------------------------------
\8\ Id. at 17.
---------------------------------------------------------------------------

This is, of course, a well-known mode of arguing consistently employed by the proponents of deregulation in the financial sector. The financial industry and its representatives have a long historical record of justifying their demands for regulatory easing by reference to consumer benefits. As discussed below, in the years before the 2008 crisis, the same rhetoric was widely used to avoid legislative or regulatory ``interference'' with predatory subprime lending practices that were at the core of the unsustainable speculative asset boom and the resulting economic devastation. It is therefore important to contextualize the Treasury's claims.

Practical Focus: Relaxing Bank Regulation To Enable Certain Structural Changes

To operationalize its programmatic goals--promoting private sector-led financial innovation and minimizing regulatory ``interference'' with that process--the Treasury adopts what may be viewed as a structural approach. Many of the Treasury's various recommendations target, directly or indirectly, the organizational and operational ``walls'' that currently prevent or slow down FinTech companies' full-scale entry into the banking sector. Thus, the Treasury Report strongly calls for financial regulators to ``modernize''--or, more precisely, to relax or remove--some of the key rules and regulations governing banking institutions' relationships with unaffiliated technology companies. The unstated goal of the Treasury's ``modernization'' strategy is to enable regulated banks to form large-scale de facto partnerships with technology companies, without subjecting the latter to bank-like oversight.

Three examples of this deregulatory approach are particularly noteworthy. Thus, the Treasury Report lists a variety of specific recommendations that seek to:

1. enable banking institutions to enter into open-ended, large-scale data-sharing and information-management partnerships with technology companies;
2. enable mutual equity investments and direct affiliations between banks and nonbank technology companies; and
3. facilitate ``rent-a-charter'' arrangements allowing online marketplace lenders to take advantage of national banks' exemptions from State usury laws.

These recommendations raise a number of potentially significant public policy concerns that do not receive attention in the Report. In broad terms, these policy concerns arise in three interconnected but conceptually separate areas:

1. consumer financial data privacy and safety;
2. market structure and potential concentration of economic power; and
3. systemic financial stability and economic growth.

Below, I will examine each of these high-level public policy issues--or systemic concerns--in the context of the three groups of Treasury recommendations outlined above.

Systemic Concern Number One: Consumer Protection

The Treasury Report advocates for a significant relaxation, if not elimination, of the existing rules governing banking institutions' relationships with third-party vendors, in order to make it easier for regulated banks to form large-scale data-sharing and data-management partnerships with data aggregators and cloud service providers. \9\
---------------------------------------------------------------------------
\9\ Id. at 73-77.
---------------------------------------------------------------------------

Data aggregators--or data miners--are technology companies that collect and ``share'' (i.e., sell to interested businesses) vast amounts of online business and personal user data. So far, banking institutions have been reluctant to share their customers' financial information--including personal bank account types and balances, history of late fees and charges, detailed transaction records, and so forth--with unaffiliated data aggregators.
Bound by their legal and regulatory obligations to safeguard customer information handled by third-party vendors, banks typically insist on controlling their bilateral relationships with individual data aggregators and often impose unilateral restrictions on their access to banks' customer data.

The Treasury Report views this situation as an example of undesirable regulatory obstacles to financial innovation and, accordingly, calls for a concerted regulatory effort to allow data aggregators a greater direct access to banking customers' financial data. The Report maintains that it is critical to ease legal and regulatory requirements that currently ``hold back'' financial institutions from entering in unrestricted data-sharing agreements with data aggregators. In particular, the Report calls for a universal adoption of Application Programming Interfaces (APIs) that would give data aggregators direct access to customer account and transaction data in possession of either any particular bank or all participating financial institutions. \10\ Relieving banks from legal liability for third-party service providers' handling of customer data is key to this industrywide shift to APIs that is, in turn, critical to scaling up the flow of financial information from banks to data aggregators. \11\
---------------------------------------------------------------------------
\10\ Id. at 26-27.
\11\ Id. at 73-77.
---------------------------------------------------------------------------

The Treasury Report adopts the same approach to promoting large-scale partnering between banks and cloud computing service providers. The Treasury recommends that Federal financial regulators ``modernize their requirements and guidance (e.g., vendor oversight)'' to reduce regulatory barriers to large-scale migration of banks' data and information management activities to the cloud managed by third parties. \12\ As the Report emphasizes, facilitating a massive shift to cloud computing would ``increase the speed of innovation'' in the financial sector. \13\ Enabling banks and other regulated financial institutions to outsource their integrated data management and information technology functions to large cloud service providers, without exposing themselves to potentially extensive liability, is critical to this industrywide shift. \14\
---------------------------------------------------------------------------
\12\ Id. at 52.
\13\ Id. at 49.
\14\ Id. at 49-50.
---------------------------------------------------------------------------

To justify shielding banks from liability--among other things, by relaxing existing bank service provider regulations--the Treasury points to banks' efficiency gains and their customers' greater convenience and freedom of choice. The basic claim is that allowing unaffiliated tech companies to access, host, and manage bank data will (1) render financial services faster and cheaper for all consumers; and (2) give consumers unfettered control over their own financial data and their own financial affairs.

There is no doubt that wholesale outsourcing of banks' customer and enterprise data storage and management to specialized technology companies would greatly reduce banks' operating costs and regulatory compliance headaches--and even enhance banks' revenues by enabling them to charge data aggregators for direct feeds of their customers' account data. It would also potentially enable individuals to access their bank accounts and other financial records via the same device they use for downloading music and rating restaurants. As the Report emphasizes, data-sharing through APIs would create a seamlessly integrated virtual data management space for individuals seeking this kind of click-through convenience.
However, the Treasury Report ignores potentially significant public harms of allowing an industrywide wholesale migration of core bank activities and highly sensitive financial data to the cloud and/or data aggregation platforms run by third parties. What is breezily portrayed as ``financial data freedom'' for consumers, in practice, may lead to potentially irreversible erosion of consumer rights and meaningful freedom of choice in the financial marketplace. While it is difficult to present a comprehensive list of potential harms to consumers likely to result from the proposed data-sharing expansion, two basic issues deserve the Committee's consideration.

Privacy and Safety of Bank Customers' Financial Data

One reason for concern is that, despite the attractive rhetoric of ``financial data freedom,'' an easy and direct access to banking institutions' data creates both the opportunity and the incentive for tech platform companies to engage in unauthorized commercial uses of bank customers' personal data. Giving consumers ``unfettered'' access to their personal financial data, in the way advocated in the Treasury Report, would simultaneously give technology platform operators an equally unfettered access to the same data. These platform operators, however, are not regulated or supervised in the interest of consumer financial privacy as banks currently are. \15\ Unlike banks, these companies are not required to maintain any particular levels of liquid assets or equity capital to ensure their safety and soundness. They don't have any explicit legal obligations to make customers whole in case of unauthorized withdrawals of money from customers' accounts. They don't have a corps of dedicated Federal and State agency staff--such as bank examiners--monitoring closely their daily operations for compliance with the applicable consumer protection and business conduct standards.
In other words, these companies are regular private entities seeking to maximize their own private profits in a free capitalist market, governed by the basic principle of ``caveat emptor'' (``buyer, beware''). In this sense, they are not fundamentally different from used car salesmen. --------------------------------------------------------------------------- \15\ See Karen Petrou, ``The Crisis Next Time: The Risk of New-Age FinTech and Last-Crisis Financial Regulation'' (Sept. 6, 2018), available at http://www.fedfin.com/images/stories/client--reports/FedFin%20Policy%20Paper%20on%20The%20Risk%20of%20New-Age%20Fintech%20and%20Last-Crisis%20Financial%20Regulation.pdf. --------------------------------------------------------------------------- Unlike used car salesmen, however, these tech platform companies will now be able to get direct access to your bank account and transaction data--and thus invisibly monitor your earnings and your expenses, your daily Starbucks coffee purchases and your annual political campaign contributions. That will give these professional information merchants an extraordinary advantage over you, the consumer. They will be able to ``harvest'' a valuable asset--your personal financial information--without paying you for it. They can then use it to make you buy the products they want to sell you. They can also sell your financial information to other salesmen who can, in turn, use it to make you buy what they want to sell you. And all of this ``free commerce'' can happen without your knowledge or informed consent. In fact, the only action required on the part of an individual to become a captive participant in this spiral of ``free commerce'' may be as simple as opening a deposit account at a local bank--and perhaps signing a boilerplate ``consent'' form. \16\ --------------------------------------------------------------------------- \16\ Treasury Report, at 26. 
--------------------------------------------------------------------------- If this is a plausible hypothetical, the Treasury's proposed method of ``embracing digitization'' by relaxing existing regulatory constraints on banks' data-sharing has to be subjected to the strictest scrutiny. Instead of giving consumers meaningful ``financial data freedom,'' it would give a massive gift of ``free financial data'' to data aggregators, cloud providers, various FinTech companies, and other businesses set up to capitalize on it. This is a deeply troubling prospect. As a recent study found, ``the FinTech ecosystem is predicated on little to no privacy protections for consumer data housed outside regulated financial institutions.'' \17\ But it is also intuitively easy to understand the obvious dangers of allowing large tech platform companies such an easy access to bank customers' personal financial data. A strong public reaction to the recent news of Facebook--one of the world's largest and most notorious data aggregators--requesting access to large banks' customer data shows that consumers care deeply about keeping their financial information private, safe, and secure from all manner of unauthorized use. \18\ --------------------------------------------------------------------------- \17\ Petrou, supra note 15, at 3. \18\ See Emily Glazer et al., ``Facebook to Banks: Give Us Your Data; We'll Give You Our Users'', Wall St. J. (Aug. 6, 2018). --------------------------------------------------------------------------- The Treasury Report does not address the heightened risk of unauthorized commercial uses of consumer data by tech platforms allowed to access it. Instead, it confines the discussion to issues of data security, or unauthorized access to data. While acknowledging the importance of data protection in general terms, the Report generally seems content leaving the necessary adjustments to the private sector. 
Thus, it refers to the fact that the Federal Trade Commission (FTC) imposes certain information security requirements on data aggregators that are ``significantly engaged in financial services,'' and are therefore subject to its so-called Safeguards Rule. \19\ In the Treasury's view, that rule ``appropriately addresses'' all concerns about the security of customers' financial information managed by data aggregators and other FinTech firms. \20\ Accordingly, the conclusion is that no further legislative or regulatory action is needed in order to bolster consumer data protection. It is not clear, however, to what extent the FTC's Safeguards Rule is sufficiently effective in practice. The Rule may not even apply to giant platform conglomerates whose financial activities do not technically constitute a ``significant'' portion of their overall operations. \21\ Moreover, a recent massive data security breach at Equifax, which affected over 143 million people, is a vivid example of what can happen even on the FTC's watch. \22\ --------------------------------------------------------------------------- \19\ Treasury Report, at 38. \20\ Id. at 39. \21\ See Petrou, supra note 15, at 5. \22\ See https://www.ftc.gov/equifax-data-breach. --------------------------------------------------------------------------- Of course, any meaningful discussion of data security has to address the critical issue of apportioning liability for security breaches. While the Treasury acknowledges the importance of this issue, it does not provide a clear answer to the fundamental question: Who will be liable to the consumer whose bank account is hacked? It seems clear that, as a practical matter, the only way banks would be willing to share their customer data with tech platforms is if they are not held liable for the platform operators' failures to protect the data. But, if banks are not liable, then who is going to make the account holder whole? 
Unless this question has a clear--and satisfactory--answer, the notion of ``facilitating innovation'' through unrestricted data-sharing is inimical to the objective of protecting consumers' interests. Predatory and Discriminatory Pricing of Financial Services The Report's rhetoric of consumer choice and financial data freedom implies the existence of a perfectly competitive and transparent market in which individual consumers have the power to choose the best FinTech service provider. Reality, however, is far more complicated and a lot less benign. In particular, the market for cloud computing and data analytics is both highly concentrated and inherently opaque. Only four megatech companies currently dominate the worldwide market for cloud services: Amazon, Microsoft, Alibaba, and Google. \23\ These four ``hyperscale'' service providers hold approximately 73 percent of the global cloud infrastructure services. \24\ Apple, Amazon, Google, Microsoft, and Facebook--five of the largest publicly traded U.S. companies by market capitalizations--are the pioneers of megascale data aggregation and ``integral drivers of the digital economy'' as a whole. \25\ Even though the Treasury Report refers to data aggregators and cloud service providers in generic terms, it is these megacompanies that define the dynamics in the tech sector. --------------------------------------------------------------------------- \23\ ``Gartner Says Worldwide IaaS Public Cloud Services Market Grew 29.5 Percent in 2017'', Press Release (Aug. 1, 2008), available at https://www.gartner.com/en/newsroom/press-releases/2018-08-01-gartner-says-worldwide-iaas-public-cloud-services-market-grew-30-percent-in-2017. \24\ Id. \25\ Treasury Report, at 23. --------------------------------------------------------------------------- It is no coincidence that today's giant technology conglomerates are aggressively growing, diversifying, and continuously expanding their market shares. 
As recent studies show, this constant quest for size and market power is the built-in economic imperative in this business so intimately dependent on network effects. \26\ These companies' critical reliance on complex proprietary analytical tools renders their business models, and the markets in which they operate, fundamentally nontransparent. Put simply, nobody really knows what exactly these companies can see or what they can do with the data they touch. --------------------------------------------------------------------------- \26\ See, e.g., John M. Newman, ``Digital Antitrust'' (June 22, 2018), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3201004; Lina Khan, ``Amazon's Antitrust Paradox'', 126 Yale L. J. 710 (2017); Frank Pasquale, ``Paradoxes of Digital Antitrust'' (2013), available at https://jolt.law.harvard.edu/assets/misc/Pasquale.pdf. --------------------------------------------------------------------------- In this context, the Treasury's proposed strategy of enabling megatech companies to ``get inside'' banks' customer data raises a number of significant consumer protection concerns. If that happens, the dominant players in the financial data and services market will be perfectly positioned to abuse their enormous market power, among other things, by engaging in predatory or unfair pricing of financial products and consumer discrimination. The basic blueprint for such abuses is already there. For example, Amazon's unprecedented market power in online commerce and command of digitized consumer data enable it to adjust its prices almost instantaneously, in response to fluctuations in current demand for specific goods. \27\ For example, if more people are buying a particular brand of baby food in the morning, Amazon can raise its price by noon. \28\ This type of ``dynamic pricing'' is difficult for any outsider to detect, as only Amazon has control of its algorithms and data. 
This algorithmic opacity makes consumers extremely vulnerable to predatory or unfair pricing, and not only by Amazon but also by other companies widely emulating its practices. \29\ --------------------------------------------------------------------------- \27\ Alberto Cavallo, ``More Amazon Effects: Online Competition and Pricing Behaviors'', Harvard Business School and NBER (Aug. 10, 2018), available at https://kansascityfed.org//media/files/publicat/sympos/2018/papersandhandouts/825180810cavallopaper.pdf?la=en. \28\ David Dayen, ``Does Amazon Have More Power Than the Federal Reserve?'' New Republic (Aug. 28, 2018), available at https://newrepublic.com/article/150938/amazon-power-federal-reserve. \29\ Id.; Rana Foroohar, ``Amazon's Pricing Tactic Is a Trap for Buyers and Sellers Alike'', FT.Com (Sept. 2, 2018). --------------------------------------------------------------------------- In the context of financial services, this technical capacity for nontransparent ``dynamic pricing'' can easily translate into the highly questionable practice of ``micro-targeting'' consumers. Amazon, Google, and other FinTech companies will be able to use the vast amounts of data gained from monitoring consumers' behavioral patterns and commercial transactions--and now the detailed real-time bank account data--to ``up-price'' financial products and services offered to individual consumers. \30\ In essence, they will be able to charge individual borrowers not the fair market price but the maximum price each of them is able to pay. --------------------------------------------------------------------------- \30\ See Petrou, supra note 15, at 4. 
--------------------------------------------------------------------------- This microtargeting may be presented to the public under the benign guise of ``product customization.'' In practice, however, it will effectively destroy consumers' ability to make informed decisions and to gauge whether they are being overcharged, underserved, or even entirely excluded from certain product markets. The opacity of the pricing process, the service provider's control of the customer's data, and the practical difficulty of switching providers will fundamentally skew the balance of power in favor of the service provider. \31\ --------------------------------------------------------------------------- \31\ See Foroohar, supra note 29. --------------------------------------------------------------------------- Importantly, the same factors will also make it difficult, if not impossible, for any regulatory agencies to detect and punish abusive behavior in financial markets. The growing deficit of regulatory capacity is likely to leave consumers to fend for themselves--precisely at a time when they acutely need Government protection. This is particularly poignant, given the current efforts to weaken the Bureau of Consumer Financial Protection and to limit its enforcement capabilities. \32\ --------------------------------------------------------------------------- \32\ See Renae Merle, ``Trump Administration Strips Consumer Watchdog Office of Enforcement Powers in Lending Discrimination Cases'', Wash. Post (Feb. 1, 2018), available at https://www.washingtonpost.com/news/business/wp/2018/02/01/trump-administration-strips-consumer-watchdog-office-of-enforcement-powers-against-financial-firms-in-lending-discrimination-cases/?utm_term=.4c83cde19b28. 
--------------------------------------------------------------------------- In sum, simply relaxing existing bank regulations in order to allow wholesale migration of the highly sensitive and valuable financial information currently controlled by banks to data aggregators, cloud providers, and other FinTech companies would expose consumers to potentially massive data privacy and safety risks. Rather than gaining meaningful control over their personal financial data, American consumers will be an easy target for unscrupulous salesmen of the digital era. A prudent public policy approach to safe and secure financial data-sharing in the digital age requires a deeper and more balanced analysis of these risks, as well as the means of preempting them. Systemic Concern Number Two: Structural Shifts in the Economy Under the headings of ``aligning'' and ``modernizing'' the regulatory framework, the Treasury Report makes a number of specific recommendations intended to remove or relax the existing restrictions on permissible business activities and organizational affiliations of banking organizations. While framed as a narrowly technical issue, this effort goes directly to the long-standing U.S. policy of separation of banking from commerce. It also raises a broader spectrum of concerns related to potentially far-reaching structural shifts in the U.S. economy. The principle of separation of banking and commerce is one of the core principles underlying and shaping the elaborate regulatory regime applicable to all U.S. banking organizations. \33\ Under the National Bank Act of 1863, U.S. commercial banks generally are not permitted to conduct any activities that fall outside the statutory concept of ``the business of banking.'' \34\ Moreover, under the Bank Holding Company Act of 1956 (the BHC Act), bank holding companies (BHCs)--companies that own or ``control'' U.S. 
banks--are generally restricted in their ability to engage in any business activities other than banking, managing banks, or certain activities ``closely related'' to banking. \35\ --------------------------------------------------------------------------- \33\ See Bernard Shull, ``Banking and Commerce in the United States'', 18 J. Banking and Fin. 255 (1994); Bernard Shull, ``The Separation of Banking and Commerce in the United States: an Examination of the Principal Issues'', 8 Fin. Markets, Inst. and Instr. 1 (Aug. 1999). \34\ 12 U.S.C. 24 (Seventh). \35\ 12 U.S.C. 1841-43. --------------------------------------------------------------------------- Since the 1980s, the scope of banks' and BHCs' permissible activities has been steadily and gradually expanding. \36\ The Office of the Comptroller of the Currency (OCC) has been especially aggressive in its interpretations of the statutory term ``business of banking'' to allow banks to engage, among other things, in data storage and certain software-related activities. \37\ In 1999, Congress passed the Gramm-Leach-Bliley Act (the GLB Act), which partially repealed the Glass-Steagall Act and authorized certain qualifying BHCs to become ``financial holding companies'' (FHCs) and to conduct a wide range of financial and even some commercial activities. \38\ --------------------------------------------------------------------------- \36\ See Saule T. Omarova, ``The Quiet Metamorphosis: How Derivatives Changed the `Business of Banking' '' 63 U. Miami L. Rev. 1041 (2009); Saule T. Omarova, ``The Merchants of Wall Street: Banking, Commerce, and Commodities'', 98 Minn. L. Rev. 265 (2013). \37\ Id. \38\ 12 U.S.C. 1843(k). --------------------------------------------------------------------------- These developments notwithstanding, however, U.S. banks' and BHCs' activities, investments, and organizational affiliations remain subject to significant limitations. 
Citing with approval the OCC's aggressively expansive approach, the Treasury Report recommends that all banking regulators interpret banking organizations' scope of activities ``in a harmonized manner as permitted by law wherever possible and in a manner that recognizes the positive impact that changes in technology and data can have in the delivery of financial services.'' \39\ --------------------------------------------------------------------------- \39\ Treasury Report, at 80. --------------------------------------------------------------------------- The Treasury also recommends that the Federal Reserve ``consider how to reassess'' the definition of ``control'' in the BHC Act, in order to make it easier for banking institutions and FinTech companies to invest in each other's equity. \40\ The BHC Act defines ``control'' in deliberately broad terms: in addition to specifying a quantitative threshold (direct or indirect ownership of 25 percent or more of any class of voting securities), it grants the Federal Reserve discretion to make the requisite findings of ``controlling influence'' in a wide range of circumstances. \41\ The Treasury Report criticizes the Federal Reserve's accumulated interpretations of ``control'' as ``not sufficiently transparent'' and thus discouraging--instead of facilitating--the formation of extensive business partnerships and close organizational relationships between BHCs and FinTech companies. The practical worry here is that unregulated technology companies may be deemed either to ``control'' a U.S. bank or to be ``controlled'' by a BHC--and thus subject to the BHC Act's activity restrictions and supervisory oversight. \42\ --------------------------------------------------------------------------- \40\ Id. \41\ 12 U.S.C. 1841(a). \42\ Treasury Report, at 80. 
--------------------------------------------------------------------------- Although the Treasury does not explicitly direct the Federal Reserve to adopt any specific definition of ``control,'' the main thrust of its recommendation is clear: a properly ``modernized'' definition should be significantly narrowed and uniformly applied. In contrast to the Treasury's usual calls for ``tailored'' FinTech regulation, the Federal Reserve's tailoring of ``control'' determinations to the circumstances of each individual case is deemed undesirable as hindering bank partnerships with and acquisitions of (and by) nonbank technology companies. Separation of Banking and Commerce Adopting a systematic policy of aggressively pushing the legal and statutory boundaries of bank-permissible business activities and affiliations, as advocated by the Treasury, will significantly undercut--if not completely incapacitate--the operation of the foundational U.S. principle of separation of banking and commerce. In this sense, it will weaken the overall integrity and efficacy of the U.S. bank regulation and supervision. It is important to remember why the entire system of U.S. bank and BHC regulation is designed to keep institutions engaged in deposit-taking and commercial lending activities from conducting, directly or through some business combination, any significant nonfinancial activities, or from holding significant interests in any general commercial enterprise. There are three main public policy reasons for maintaining this legal wall between the ``business of banking'' and purely commercial businesses: (1) preserving the safety and soundness of federally insured depository institutions; (2) eliminating potential conflicts of interest and ensuring a fair and efficient flow of credit to productive economic enterprise; and (3) preventing excessive concentration of financial and economic power in the financial sector. 
\43\ --------------------------------------------------------------------------- \43\ See Omarova, ``The Merchants of Wall Street'', supra note 36, at 274-278. --------------------------------------------------------------------------- Of course, each of these traditional concerns may be more or less pronounced in the context of a particular commercial activity. It is also clear that banks' involvement in certain nonfinancial activities may--and often does--produce financial benefits to their clients and, indirectly, to society as a whole. Yet, after decades of unquestioning acceptance of private firms' self-interested depiction of such benefits, it is critical that policymakers fully address and appreciate potential social costs of mixing banking and commerce--especially, digital commerce. The key point here is simple: allowing banks and BHCs to form wide-ranging business partnerships with technology firms--either through global contractual arrangements or through outright combinations--would critically undermine all of the public policy goals at the heart of the U.S. bank regulation. For example, it would expose banking institutions to a wide variety of nontypical and potentially excessive economic, operational, and legal risks associated with tech companies' rapidly evolving commercial activities. Banks are ``special'' business actors in that they perform critical public functions, enjoy direct public support, and are inherently vulnerable to runs that can trigger systemic financial crises. For these reasons, banks' safety and soundness remains the cornerstone of bank regulation and supervision. \44\ Expanding banking entities' economic activities to encompass global e-commerce, ``big data'' management, and AI development will diversify and magnify not only their potential revenues but also their potential losses and vulnerabilities. 
It will also render banking organizations' internal governance and regulatory oversight far more challenging, if not outright impossible, propositions. --------------------------------------------------------------------------- \44\ See E. Gerald Corrigan, ``Are Banks Special?'' 1982 Fed. Res. Bank of Minn. Ann. Rep., available at http://www.minneapolisfed.org/pubs/ar/ar1982a.cfm. For a systematic exposition of banks' special function as sovereign public's ``franchisees,'' see Robert C. Hockett and Saule T. Omarova, ``The Finance Franchise'', 102 Cornell L. Rev. 1143 (2017). --------------------------------------------------------------------------- Furthermore, it would give rise to new patterns of conflicts of interest, potentially systematic misallocation of credit, and other cross-sectoral abuses of market power. Some of these abuses of market power are discussed above, in the context of consumer protection. However, this type of bank-tech conglomeration would also pose an immediate and tangible threat to all other businesses, especially those competing with banks' technology affiliates or partners. These types of structurally determined distortion in the economywide credit flows would critically impede economic growth and cause a host of socio-economic and political problems. Market Structure, Antitrust, and ``Too Big To Fail'' Concerns Perhaps the most far-reaching potential consequence of opening the door for direct cross-sectoral acquisitions and affiliations between banking institutions and tech firms is the dangerous increase in the overall concentration of the economic and political power likely to result from it. The U.S. financial services industry is already heavily concentrated. The passage of the GLB Act, which officially removed the long-standing prohibition on affiliations between commercial and investment banks, has elevated the pace of industry consolidation to a qualitatively new level. 
\45\ The level of industry concentration increased further in the wake of the global financial crisis of 2008, so that the top five banks in the U.S. now control approximately half of all assets in the sector. \46\ Large BHCs control over 80 percent of all banking assets. \47\ --------------------------------------------------------------------------- \45\ See Arthur E. Wilmarth, Jr., ``The Transformation of the U.S. Financial Services Industry, 1975-2000: Competition, Consolidation, and Increased Risks'', 2002 U. Ill. L. Rev. 215 (2002). \46\ https://fred.stlouisfed.org/series/DDOI06USA156NWDB \47\ See NAFCU, ``Modernizing Financial Services: The Glass-Steagall Act Revisited'' (2018), at 14, available at http://stilltoobigtofail.org/wp-content/uploads/2018/09/Glass-Steagall-Act-White-Paper_R4.pdf. --------------------------------------------------------------------------- The same trend is strongly evident in the tech sector. Despite the great number and diversity of what we call ``technology'' companies, a few giants at the core of the tech industry undoubtedly dominate it. Thus, only two companies, Apple and Google, currently provide the software for 99 percent of all smartphones, the indispensable devices for mobile payments. \48\ Facebook and Google capture between 59 and 73 cents of every dollar spent on online advertising in the U.S. \49\ Amazon takes 49 cents of every e-commerce dollar in the U.S. \50\ This dominance is clearly reflected in the stock markets. Earlier this year, both Apple and Amazon exceeded $1 trillion in market capitalization. And the largest tech companies--including Apple, Amazon, Facebook, and Google--lead the longest stock market rally in decades. \51\ --------------------------------------------------------------------------- \48\ See Matt Phillips, ``Apple's $1 Trillion Milestone Reflects Rise of Powerful Megacompanies'', N.Y. Times (Aug. 2, 2018). \49\ See id.; Lina M. Khan, ``Sources of Tech Platform Power'', 2 Geo. L. Tech. 
Rev. 325, 326 (2018). \50\ See David Streitfeld, ``Amazon Hits $1,000,000,000,000 in Value, Following Apple'', N.Y. Times (Sept. 4, 2018). \51\ See Phillips, supra note 48. --------------------------------------------------------------------------- It is against this background that the Treasury Report's seemingly low-key, technocratic recommendation to ``correct'' or ``clarify'' a specific regulatory interpretation of the statutory definition of ``control'' in the BHC Act should be evaluated. The existing body of the Federal Reserve's interpretations of what constitutes ``control'' for purposes of the BHC Act is fundamentally fact-driven and thus inevitably complex. While that may complicate private firms' efforts to structure their investments so as to avoid being subject to the BHC Act, it preserves the necessary flexibility enabling the Federal Reserve to safeguard the principles underlying the Act. This is especially critical in light of the fact that the BHC Act was originally designed to operate as an antitrust, antimonopoly law. \52\ --------------------------------------------------------------------------- \52\ See Omarova, ``The Merchants of Wall Street'', supra note 36, at 276-277. --------------------------------------------------------------------------- By contrast, what the Treasury calls ``a simpler and more transparent standard to facilitate innovation-related investments'' would effectively enable large U.S. financial holding companies to take significant equity stakes in various FinTech ventures, alongside large tech companies. It would also enable the tech giants to acquire significant equity stakes in U.S. banks and BHCs of varying sizes, without becoming subject to BHC regulation. 
The Treasury Report carefully frames its recommendations to create an impression that such a regulatory pullback would make financial markets more efficient and competitive by enabling a myriad of small investments by a myriad of banks in a myriad of competing tech companies--and vice versa. What remains unsaid, however, is that the dominant players in both markets--including JPMorgan Chase, Citigroup, Bank of America, Goldman Sachs, Morgan Stanley, Wells Fargo, Facebook, Amazon, Google, Apple, Microsoft, and IBM--will also be able to take advantage of such explicitly permissive regulatory standards. Given the importance of scale and network effects for both tech platforms and financial institutions, they will be remiss not to. Thus, in practice, ``simplifying'' the Federal Reserve's interpretation of the BHC Act's ``control'' requirements for purposes of ``facilitating FinTech innovation'' is likely to trigger a wave of unprecedented cross-sectoral consolidation. Because of the 25 percent threshold built into the BHC Act's definition of ``control,'' this new-generation consolidation wave will likely take new transactional forms, potentially resulting in a Byzantine system of corporate ownership and de facto management interlocks. In this web of formal and informal corporate control linkages, detecting and punishing collusive behavior and other abuses of market power will be even more difficult than it is today. One additional point bears emphasis here. In both sectors, companies' size and market share are key to profitability and success. In the financial sector, the quest for scale and scope is also driven by the presence of the bank public subsidy. The well-known phenomenon of ``too big to fail''--a de facto suspension of market discipline with respect to systemically important entities--presents one of the greatest public policy challenges in the financial sector. 
\53\ Drastically curtailing the regime of separation of banking from commerce would facilitate a potentially massive transfer of banks' public subsidy to the tech sector. In that sense, it is virtually guaranteed to take the ``too big to fail'' problem to an entirely different--perhaps even unimaginable--level. In the next crisis, the sheer scale of the Government bailouts required to keep the hypersized FinTech conglomerates from failing might make the taxpayer cost of saving Wall Street in the last one look like small change. --------------------------------------------------------------------------- \53\ See Matt Egan, ``Too-Big-To-Fail Banks Keep Getting Better'', CNN Money (Nov. 21, 2017), available at https://money.cnn.com/2017/11/21/investing/banks-too-big-to-fail-jpmorgan-bank-of-america/index.html. --------------------------------------------------------------------------- Of course, money is not the only thing that matters to the American public in this scenario. The increasing concentration of economic power in a small club of corporate giants is a direct threat to American democracy. \54\ It perpetuates and exacerbates deep socio-economic inequality, which inevitably undermines political order premised on ideals of equal participation and voice. Big corporations' ability to ``buy'' political influence fundamentally corrupts political process and corrodes public confidence in the democratic system as a whole. \55\ This is an unacceptably high societal price for the personal convenience of accessing one's bank accounts and digital wallets via a single iPhone click. --------------------------------------------------------------------------- \54\ See Omarova, ``The Merchants of Wall Street'', supra note 36, at 349-351; Julie Cohen, ``Technology, Political Economy, and The Role(s) of Law'' (June 8, 2018), available at https://lpeblog.org/2018/06/08/technology-political-economy-and-the-roles-of-law/. 
\55\ See generally Rana Foroohar, ``A Light Shines on the Concentration of Power in Silicon Valley'', FT.Com (July 22, 2018); Buttonwood, ``Political Power Follows Economic Power'', Economist.com (Feb. 3, 2016), available at https://www.economist.com/buttonwoods-notebook/2016/02/03/political-power-follows-economic-power.
---------------------------------------------------------------------------

In sum, it is critical to keep in mind that, without proactive and appropriately applied public oversight, data digitization, cloud computing, and other seemingly value-neutral and science-driven FinTech innovations may operate as hidden channels for the formation of economywide FinTech platform conglomerates.

Systemic Concern Number Three: Financial Stability and Economic Growth

The Treasury Report uses a direct reference to the ``bank partnership model'' in its discussion of marketplace lending. Among other things, the Treasury makes a very specific recommendation for Federal legislation overruling the Second Circuit's decision in Madden v. Midland Landing LLC, which held that the National Bank Act did not preempt State usury rules with respect to the interest charged by a third-party nonbank purchaser of loans from a national bank. \56\
---------------------------------------------------------------------------
\56\ Madden v. Midland Funding, LLC, 786 F. 3d 246 (2d Cir. 2015).
---------------------------------------------------------------------------

The Madden decision directly affects marketplace lenders operating under the so-called rent-a-charter model, in which the online lender markets the loans and runs its proprietary algorithms but the actual loan is initially extended and funded by a chartered bank. The bank typically holds the loan for a few days and then sells it back to the online lender. \57\ In effect, the online lender buys the originating bank's ability to ``export'' its home-State's favorable (or nonexistent) usury rate nationwide.
In this sense, the bank is ``renting out'' its bank charter--or, more accurately, selling a special legal privilege the Government grants exclusively to chartered banks--to an entity that does not qualify for a bank charter and is not entitled to any privileges that come with it. \58\
---------------------------------------------------------------------------
\57\ See Michael S. Barr, et al., ``Financial Regulation: Law and Policy'' 185 (2nd ed., 2018).
\58\ For a discussion of why bank charters are special and different from regular corporate charters, see Robert C. Hockett and Saule T. Omarova, `` `Special', Vestigial, or Visionary? What Bank Regulation Tells Us About the Corporation--and Vice Versa'', 39 Seattle U. L. Rev. 453 (2016).
---------------------------------------------------------------------------

The ``rent-a-charter'' model is not a recent invention; it was widely used by predatory payday lenders and subprime mortgage companies in the run-up to 2008. \59\ At the time, Federal bank regulators did not interfere with this unseemly charter-arbitrage practice in the name of promoting ``financial innovation,'' ``freedom of consumer choice,'' and ``access to credit'' for high-risk/low-income borrowers. The OCC's aggressive Federal preemption strategy, the Federal Reserve's laxity, and the absence of a dedicated Federal financial consumer protection agency contributed to the rampant growth of subprime debt that ultimately triggered a major financial crisis. \60\
---------------------------------------------------------------------------
\59\ See Consumer Federation of America and U.S. Public Interest Research Group, ``Rent-A-Bank Payday Lending: How Banks Help Payday Lenders Evade State Consumer Protections'' (Nov. 2001), available at https://consumerfed.org/pdfs/paydayreport.pdf.
\60\ See, e.g., Kathleen C. Engel and Patricia A. McCoy, ``The Subprime Virus: Reckless Credit, Regulatory Failure and Next Steps'' (2011).
---------------------------------------------------------------------------

In this context, the Treasury's insistence that Congress legislatively overrule Madden brings into bold relief the broader concerns about systemic financial stability and the threat of recurring financial crises. All too often, the familiar rhetoric of ``facilitating consumer access to cheap credit'' obscures the underlying systemwide dynamics that drive the emergence and growth of specific ``innovations.'' The Treasury Report's normatively inflected rhetoric also diverts attention from the significant potential impact of proposed deregulatory measures on the financial markets as a whole. To avoid repeating the costly mistakes of the pre-2008 period, therefore, policymakers must look behind the Report's technocratic gloss and examine FinTech developments from a systemic, public interest-driven perspective.

Financial Asset Speculation in the Digitized Marketplace

Contrary to the Treasury Report's baseline narrative, FinTech is not simply a matter of applying computer and information science to financial transactions and finding ``win-win'' technical solutions to various market ``frictions.'' It is trivially true that new technological tools are designed to make financial transactions faster, cheaper, and easier to use and adjust to transacting parties' individual needs and preferences. But that is only part of the story. The rise of FinTech is an integral part, and a logical stage in the development, of the broader financial system. Therefore, FinTech's overall normative significance cannot be simply postulated on the basis of its intended microtransactional efficiencies. It has to be assessed in the context of the financial system's stability and ability to perform its core social function: effectively and reliably channeling capital flows to their most productive uses in the real, i.e., nonfinancial, economy.
\61\
---------------------------------------------------------------------------
\61\ For an in-depth analysis of the systemic significance of FinTech, see Saule T. Omarova, ``New Tech v. New Deal: FinTech As a Systemic Phenomenon'', 36 Yale J. Reg. (forthcoming 2019), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3224393.
---------------------------------------------------------------------------

From this systemic perspective, the rapid digitization of data and financial services presents a far more complex public policy challenge than the Treasury Report is willing to acknowledge. FinTech innovations are driven not only--and perhaps not even mainly--by the financial institutions' and tech companies' desire to improve retail financial services. Despite the consumer-centric rhetoric surrounding FinTech, digital technologies are likely to have their greatest systemic impact in the highly volatile and speculative secondary financial markets dominated by professional traders, dealers, and institutional investors. Fixing the focus of policy discussions on the expected benefits of FinTech to retail consumers, however, diverts attention from potentially crucial developments in wholesale financial markets. It accordingly creates a dangerous blind spot for policymakers and regulators.

The pre-2008 subprime mortgage and securitization boom provides a vivid illustration of just how dangerous it can be. It is well-known that the rapid growth of risky subprime mortgage lending in the early 2000s--a predominantly retail market phenomenon--was fundamentally driven by the insatiable demand on the part of yield-hungry institutional investors for tradable asset-backed securities. Subprime mortgage loans served as the perfect raw material for the creation of high-yielding yet highly (and wrongly) rated mortgage-backed securities (MBS), collateralized debt obligations (CDOs), and other complex structured products.
\62\ As speculative demand for these products grew, mortgage lenders used increasingly deceptive and discriminatory tactics to generate greater volumes of such raw material, among other things, by targeting the most vulnerable borrower populations. \63\
---------------------------------------------------------------------------
\62\ See generally Engel and McCoy, supra note 60; ``Fin. Crisis Inquiry Comm'n, The Financial Crisis Inquiry Report: Final Report of the National Commission on the Causes of Financial and Economic Crisis in the United States'' (2011), https://www.gpo.gov/fdsys/pkg/GPO-FCIC.pdf; S. Permanent Subcomm. on Investigations, 112th Cong., ``Wall Street and the Financial Crisis: Anatomy of a Financial Collapse'' (2011), http://hsgac.senate.gov/public/_files/Financial_Crisis/FinancialCrisisReport.pdf.
\63\ Id.
---------------------------------------------------------------------------

Ironically, in the public arena, these predatory subprime loans were often touted as a great benefit for low-income borrowers. This is how a senior executive of now infamous Countrywide Financial described his company's subprime lending activities to Congress in early 2004, a year in which some of the worst subprime mortgages were originated:

``[ . . . ] Countrywide entered the nonprime lending market in 1996 as part of our effort to make homeownership possible for the largest number of American families and individuals. We believed then, as we believe now, that nonprime lending is a natural extension of our commitment to bring Americans who have traditionally been outside mainstream mortgage markets into their first homes.
Our nonprime lending programs also have helped these families and individuals build equity and use this equity to send their children to colleges, start their own businesses, and gain control over their financial destiny.'' \64\
---------------------------------------------------------------------------
\64\ Testimony of Sandy Samuels, Senior Managing Director and Chief Legal Officer of Countrywide Financial Corporation and the Housing Policy Council of the Financial Services Roundtable before the Subcommittees on Financial Institutions and Housing, U.S. House of Representatives (March 30, 2004), available at https://www.gpo.gov/fdsys/pkg/CHRG-108hhrg94689/pdf/CHRG-108hhrg94689.pdf.
---------------------------------------------------------------------------

``Nonprime products give borrowers more choices and make credit more readily available, because we and other lenders can price according to the level of risk.'' \65\
---------------------------------------------------------------------------
\65\ Id.
---------------------------------------------------------------------------

Millions of Americans who either lost their homes in the crisis or are forced to carry the heavy burden of underwater mortgage debt would strongly disagree. \66\
---------------------------------------------------------------------------
\66\ See Robert C. Hockett, ``Accidental Suicide Pacts and Creditor Collective Action Problems'', 98 Cornell L. Rev. 55 (2013).
---------------------------------------------------------------------------

In reality, of course, Countrywide flooded the market with risky loans not because it cared for its poor borrowers' economic rights, but because it was reaping huge profits in the wholesale securitization markets. Its executive's remarkably self-serving statements illustrate how the financial industry used--indeed abused--consumers not only as the unwitting captive source of fuel for its high-stakes speculation game, but also as the ``sympathetic beneficiary'' legitimizing and shielding that game from public scrutiny.
Today, similar consumer-centric rhetoric is being deployed to justify various deregulatory moves, among other things, in the context of FinTech innovation. It is, of course, too early to draw definitive conclusions as to what exactly this rhetoric may be obscuring from policymakers' and the broader public's view. The recent history tells us, however, that whenever a powerful private industry demands deregulation in the name of consumers' ``freedom of choice'' or ``access to credit,'' something a lot bigger and much less altruistic is driving these demands. It is, therefore, both timely and necessary to start identifying some of the ways in which FinTech is likely to impact the ``big-picture'' issues related to systemic financial stability.

The basic point here is simple: In the current environment of global investment capital glut, the rapid digitization of financial data and transactions is bound to amplify the underlying structural incentives for excessive speculation in secondary markets for financial instruments. By making financial transactions infinitely faster, cheaper, and easier to use and to customize, FinTech innovations potentially empower wholesale market participants to engage in financial asset speculation on an unprecedented level. Armed with new digital tools, financial and FinTech firms will be able to synthesize potentially endless chains of virtual assets, tradable in potentially infinitely scalable virtual markets. This FinTech-driven qualitative growth in the volume and velocity of speculative trading, in turn, potentially amplifies the financial system's vulnerability to sudden shocks and cascading loss effects. In short, a fully digitized and frictionless financial marketplace is bound to grow not only much bigger and faster but also more complex, opaque, and volatile. \67\
---------------------------------------------------------------------------
\67\ For a detailed discussion, see Omarova, supra note 61.
---------------------------------------------------------------------------

It is worth emphasizing that advances in technology are increasingly enabling private market participants to create tradable cryptoassets effectively out of thin air. These cryptoassets--digital tokens or bits of data representing some value--can have such an attenuated connection to productive activity in the real economy as to be practically untethered from it. By potentially rendering the financial system entirely self-referential, this type of unchecked private sector ``innovation'' can fundamentally undermine--rather than promote--the long-term growth on the part of the American economy. On a macrolevel, therefore, the key risk posed by FinTech lies in its--still not fully known--potential to exacerbate the financial system's dysfunctional tendency toward unsustainably self-referential growth. \68\ (For a detailed discussion of these and related issues, see Appendix to this testimony.)
---------------------------------------------------------------------------
\68\ Id.
---------------------------------------------------------------------------

Regulatory and Supervisory Capacity

Understanding some of the potentially destabilizing systemic effects of unchecked FinTech innovation brings into sharp relief the crucial importance of strengthening the capacity of the relevant regulatory agencies to effectively oversee this process. FinTech's ability to bring about massive increases in the volume and velocity of speculative trading in financial assets inevitably magnifies the systemic role of--and amplifies the pressure on--central banks and other public instrumentalities charged with ensuring financial and macroeconomic stability. Hyperfast, hyperexpansive financial markets require a hyperfast and hypercapacious public actor of ``last resort''--one of the central bank's core functions.
Similarly, substantial new risks to consumers, posed by the digitization of personal financial data and the rise of the digital platform economy, dramatically elevate the role of Government agencies in protecting consumers' data privacy and safety. And, of course, the growing concern with potentially excessive concentrations of economic and political power in the hands of hypersized FinTech conglomerates underscores the need for a far more proactive approach to Government enforcement of antitrust principles.

This, however, runs contrary to the Treasury Report's overall deregulatory strategy and the emphasis on an inherently passive and accommodative regulatory posture. As a general matter, the Report supports, and even insists on, proactive--or ``agile''--regulatory action only where such action is necessary to ``expedite regulatory relief'' under existing laws in order to facilitate private experimentation with new digital technology.

The Treasury's recommendation to form a State and Federal ``regulatory sandbox'' should be read in this normative context. \69\ Several foreign jurisdictions, including Singapore and the United Kingdom, have already established such regulatory sandboxes, which essentially refer to the practice of allowing certain FinTech companies to operate for a period of time without having to comply with various otherwise applicable laws and regulations. The purpose of this arrangement is to conduct a controlled test of FinTech products, which should then help the regulators decide how beneficial and safe these products are for the rest of the market.
---------------------------------------------------------------------------
\69\ Treasury Report, at 168.
---------------------------------------------------------------------------

The idea of a regulatory sandbox as a way to generate usable empirical data for better regulatory decision making is not necessarily a bad one.
In each particular case, however, the efficacy of this effort depends fundamentally on the specific design features of the ``sandbox.'' Thus, if the specific assessment criteria for FinTech products in the ``sandbox'' are insufficiently capturing potentially problematic effects of these products on consumer interests or systemic financial stability, the resulting data will not be a reliable indicator of how that product will fare outside the ``sandbox.'' Furthermore, some of the most significant systemic implications of a particular product may be inherently impossible or difficult to test in a controlled ``sandbox'' environment. \70\
---------------------------------------------------------------------------
\70\ See, e.g., Hilary Allen, ``A U.S. Regulatory Sandbox?'' (Feb. 2018), available at file:///C:/Users/sto24/Downloads/SSRN-id3056993.pdf.
---------------------------------------------------------------------------

In any event, a ``regulatory sandbox'' is not a substitute for a well-coordinated and well-resourced regulatory apparatus, capable of devising and dynamically implementing a comprehensive and balanced approach to overseeing FinTech activities. In this moment of great change in financial markets, the American public needs such an apparatus: it needs capable regulators and supervisors who show their true ``agility'' by staying in front of, rather than behind or away from, the market.

For all of the foregoing reasons, I urge the Committee to apply a healthy dose of skepticism to the Treasury Report's and the interested industry actors' consumer-centric rhetoric and deregulatory demands. The systemic significance of FinTech innovations must be assessed in the broader public policy context, with a special focus on the need to protect American consumers from abusive market practices on the part of megasized corporate conglomerates, to safeguard the structural integrity of the U.S.
financial market, and to ensure long-term systemic stability and sustainable growth of the Nation's economy. Technology is not an end in and of itself, it is merely a tool: it can be used to improve our collective future or to destroy it. The Committee's task is to ensure that the latter does not happen, while everybody is looking the other way.

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN FROM STEVEN BOMS

Q.1. Given that companies like Google and Facebook collect enormous amounts of information, and are also in a position to influence what information consumers are exposed to. For example, Facebook might show payday loan or private student loan advertisements to servicemembers or to minorities but not its other users. Should fair lending laws be updated to cover not just the provision of credit, but also targeted advertisement of such products on social media platforms?

A.1. CFDR members believe that fair lending laws represent important public policy. The content of those laws, however, is determined solely by Congress and, when authority is delegated, to regulatory agencies. Each company in the CFDR membership--which does not include Google, Facebook, or any similar ``big tech'' company that operates a social media platform--strives to abide by all applicable fair lending laws, at both the State and Federal levels, and will continue to abide by fair lending laws if they should change in response to your concerns addressed in the predicate to this question.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR SCOTT FROM STEVEN BOMS

Q.1. My ``Making Online Banking Initiation Legal and Easy''--or MOBILE--Act allowed banks and credit unions to use a scan of a driver's license through a mobile device to verify a customer's identity when opening an account.
Approximately 16 million adults live in households without a checking or savings account and an additional 51 million adults live in households that rely on nonbank lenders with sky-high interest rates. Yet about 90 percent of unbanked and underbanked adults own a mobile phone, of which 75 percent are smartphones.

Please answer the following with specificity: What impact does linking personal finance with mobile and data technologies have on the financial well-being of consumers?

A.1. The ability to link personal finance with mobile and data technologies could significantly decrease the number of unbanked or underbanked households in the United States. The first step in analyzing the impact of a more seamless flow of data transfer through mobile technology would be to assess why these householders are unbanked or underbanked. For some, including those who live in rural communities, it may be that the nearest branch bank has closed and that the next closest bank is tens of miles away. For others, it may be a distrust of the traditional banking system, informed perhaps by prior bad experiences or lack of knowledge about the services and solutions offered. Either way, having access to--and actually availing oneself of--financial services products is critical to consumer financial wellness as it helps families manage budgets, establish credit, pay bills, and save for the future.

The mobility of technology driven by the near ubiquity of modern mobile telephones and digital networking holds great promise to reach underserved areas of the country with tailored financial services solutions. The MOBILE Act is a great example of a forward-thinking legislative approach that embraces new ways of using and transmitting data.
CFDR supports Congress's building on this success to further erode barriers to the free flow of consumer-permissioned data across interfaces so that all consumers, whether presently underserved or not, can make the best use of a 21st century, mobile, data-driven financial services marketplace.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR BROWN FROM BRIAN KNIGHT

Q.1. Given that companies like Google and Facebook collect enormous amounts of information, and are also in a position to influence what information consumers are exposed to. For example, Facebook might show payday loan or private student loan advertisements to servicemembers or to minorities but not its other users. Should fair lending laws be updated to cover not just the provision of credit, but also targeted advertisement of such products on social media platforms?

A.1. It is reasonable and appropriate to prohibit social media platforms from enabling lenders to use prohibited characteristics to target or withhold credit offers, and regulators should have the ability to enforce this prohibition. An illustrative example in a related area is found in the Assistant Secretary for Fair Housing and Equal Opportunity's filing of a housing discrimination complaint against Facebook for violations of the Fair Housing Act. \1\ In its complaint, the assistant secretary alleges that Facebook allowed advertisers of housing and housing-related services to directly target or withhold ads on the basis of protected classes such as race, religion, age, and gender. Such conduct should be prohibited. \2\
---------------------------------------------------------------------------
\1\ Anna Maria Farias, ``Housing Discrimination Complaint: Assistant Secretary for Fair Housing and Equal Opportunity v. Facebook, Inc.'', August 13, 2018, https://www.hud.gov/sites/dfiles/PIH/documents/HUD_01-18-0323_Complaint.pdf.
\2\ Facebook has not been found liable for any such acts, and to my knowledge it has not admitted to the allegations in the Assistant Secretary's complaint.
---------------------------------------------------------------------------

The question of whether social media sites should be prohibited from using neutral data that may correlate with protected classes is more complex. Concerns about disparate impact must be balanced with the fact that accurate algorithms based on neutral data may also be the most effective way to communicate useful information to potential customers. Additionally, seeking to prohibit the use of algorithms using neutral data for conveying ads to customers could face potential constitutional issues. \3\ Beyond identifying these potential issues, I have not done sufficient study to come to a conclusion on the issue.
---------------------------------------------------------------------------
\3\ Some courts have found that algorithms like those used by Google are speech protected by the First Amendment. See Langdon v. Google, Inc., 474 F. Supp. 2d 622, 629-30, (D. Del. 2007). Additionally, the Supreme Court in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc., acknowledged that disparate impact liability must be limited to avoid ``serious constitutional questions.'' See Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc., 135 S. Ct. 2507, 2512 (2015).
---------------------------------------------------------------------------

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR HELLER FROM BRIAN KNIGHT

Q.1. In Nevada, Industrial Loan Companies (ILCs) play an important role in our economy. There is a growing demand for ILCs which have proven to meet consumer needs throughout the country. The current FDIC Chair has said that she welcomes ILC applications.

Do you believe that a FinTech company that meets FDIC requirements should be allowed to be chartered as an ILC?

A.1.
Expanding competition and innovation in banking services will benefit consumers. Therefore, we should have a presumption that a FinTech firm that meets the statutory and regulatory requirements for an ILC charter should be granted a charter. Risks created by granting a charter could likely be addressed through existing regulation and competition protection mechanisms. To the extent that additional protections or limitations are needed to handle unique circumstances, Congress should pass legislation to create those protections or limitations.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR REED FROM SAULE T. OMAROVA

Q.1. In your testimony, you state that ``Technology is not an end in and of itself, it is merely a tool: it can be used to improve our collective future or to destroy it. The Committee's task is to ensure that the latter does not happen, while everybody is looking the other way.'' You also mention elsewhere in your testimony that FinTech could lead to ``potentially systematic misallocation of credit, and other cross-sectoral abuses of market power.''

Could you please provide us with a couple of concrete examples of precisely what we should be trying to avoid? Do you have any suggestions for how to avoid these examples?

A.1. Finance is the lifeblood of the economy, and information is the lifeblood of the digital economy. By definition, ``FinTech'' combines both. That means that FinTech firms, either individually or as a group, can potentially exercise an unprecedented degree of control over the flow of money, information, and physical goods in e-commerce--all at the same time. This potential for extreme concentrations of power across previously separate economic markets raises a spectrum of significant public policy concerns, including concerns about dominant FinTech conglomerates stifling (instead of promoting) competition in affected markets and misallocating financial and other economic resources throughout the economy.
More narrowly, it also implicates the venerable U.S. principle of separating banking from commerce.

Goldman Sachs' recent foray into metals warehousing provides a recent real-life example of how a large financial institution can combine and abuse market power across different, seemingly unrelated, markets. Thus, it has been well-documented how Goldman Sachs' acquisition of Metro, a metals warehousing company, allowed it to control supply--and therefore price--of aluminum in North America, by creating artificial bottlenecks in the delivery of physical aluminum to purchaser-companies. Goldman Sachs' control over the critically important storage facilities gave it both the incentive and the ability to drive up the price of aluminum to benefit its own physical commodities trading and financial derivatives operations. The artificial rise in the price of aluminum, however, significantly increased American companies' production costs and ultimately resulted in higher consumer prices for a wide range of products, from soft drinks to automobiles. Big FinTech conglomerates are well-positioned to commit similar abuses of market power on a far larger scale. This is one of the principal reasons why the direct or indirect formation of such conglomerates, in any organizational form, should not be permitted as a matter of public policy and public interest.

Here is a simple hypothetical example of what can happen if, among other things, the Federal Reserve narrows its presently flexible interpretation of what constitutes ``controlling influence'' under the Bank Holding Company Act of 1956 (the ``BHC Act''). Thus, Amazon Inc. can buy 24.9 percent of voting equity in multiple U.S. deposit-taking banks, without technically being deemed a ``bank holding company'' (or ``BHC'').
As a result of the Federal Reserve's newly ``clarified'' interpretive approach, Amazon can easily structure these equity acquisitions in a way that leaves it free to continue all of its online commerce, logistics, cloud warehousing, and other data management businesses. Yet, Amazon's size and power in these markets will effectively guarantee it a de facto ability to exercise outsized control over each individual bank's management and business decisions. Amazon's heft as a potential business client, a service provider, or a strategic partner will put it in the driver's seat with respect to the banks in which it technically holds ``noncontrolling'' stakes (let us call them ``Amazon-owned banks,'' for simplicity's sake). Amazon can then use its outsized de facto power over these Amazon-owned banks to do the following:

It can get sensitive financial or other information on its competitors--i.e., various nonfinancial companies that also happen to be Amazon-owned banks' banking clients--and then use that information either to drive those companies out of business or to force them to do business with Amazon on unfavorable terms.

Amazon can also pressure Amazon-owned banks to extend credit to businesses affiliated with or favored by Amazon, which will give it additional leverage over those ``favored'' companies and thus increase its market power in the affected sectors.

Amazon can also make Amazon-owned banks refuse credit to its direct competitors or to any other ``unfavored'' local companies.

In each case, Amazon's self-interested behavior will result in significant market distortions and inefficiencies and compromise federally insured banks' ability to perform the critical task of channeling capital to its more productive uses in the real economy. From this perspective, allowing the formation of big FinTech (or TechFin) conglomerates will pose a grave danger to the country's long-term economic growth--and, ultimately, its social and political stability.
To prevent this and many other similarly dangerous outcomes, it is crucial that policymakers always place the arguments that, in one way or another, call for ``facilitating innovation'' or ``modernizing financial regulation'' in the context of how they impact the broader financial and economic market structure and integrity. Rhetoric notwithstanding, no FinTech-related proposals and arguments that could potentially result in the creation of large finance-technology (or tech-finance) conglomerates should be adopted into actual policy.

Additional Material Supplied for the Record

LETTER FROM THE AMERICAN ACADEMY OF ACTUARIES SUBMITTED BY CHAIRMAN MIKE CRAPO

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

[all]