Not long ago, financial technology (FinTech) startups were all seeking to disrupt the market for financial services and compete directly with financial institutions (FIs) for customers. But as these startups have grown into more mature companies, cooperation with FIs has come to replace disruption for many FinTech firms. These companies have realized that FIs can help scale their technology to larger bases of potential users, and can also help FinTechs raise capital by showing strong partnerships and FI distribution channels.
In turn, FIs now recognize that FinTech firms offer more than competition, representing potentially valuable partnerships with better technology and an improved user experience. By collaborating with FinTechs, FIs can improve product offerings and increase efficiency, all without the FIs committing significant resources to create new solutions themselves.
While cooperation between FIs and FinTechs has trended up for some time, expect further acceleration in the remainder of 2018. With the Revised Payment Services Directive (PSD2) now the law in Europe, FIs are required to share data with non-FI payment service providers via open Application Programming Interfaces (APIs), which will provide a stronger basis for collaboration than ever before. And although data sharing via APIs in the U.S. is not mandated, the movement towards API open data sharing in the U.S. has begun and those FIs that do not embrace it risk being left behind in terms of both technology and partnerships.
PSD2 in Europe
On January 13, 2018, PSD2 finally went into effect in the European Union (EU). Passed in 2015, PSD2 grew from a review of the original Payment Services Directive (PSD) that became law in 2009. The PSD provided significant benefits to the financial services market in the EU by establishing a European-wide legal framework for payment services and setting the information requirements, and the respective rights and obligations, of payment service users and non-FI providers. It has also increased competition and choice by facilitating market entrance for non-FI players like FinTech startups. PSD2 retained these benefits while also incorporating technological innovations and further clarifications and protections into EU law.
The most notable—and controversial—aspect of PSD2 is the requirement that FIs openly share their customer data with non-FI payment service providers. Until now, most FIs have not allowed third-party providers to access customer data directly via APIs; instead, most non-FI providers have been accessing consumer data using the consumers’ account credentials, for example, by logging into a consumer’s online banking using the consumer’s username and password (provided by the consumer), and then extracting the available data once there. This technique, known as “screen scraping,” allows the third parties to stand in the shoes of consumers and access all of the consumers’ account information.
While convenient for the FinTech companies, screen scraping has long been a point of contention for FIs because it creates risk and confusion for consumers. Consumers are repeatedly warned by FIs and others not to share their financial account usernames and passwords, yet are told by reputable firms like Mint and SoFi to supply their account credentials to receive products and services they desire. In addition, screen scraping is more likely to miss or misinterpret data fields than a real-time, FI-sourced data feed. Furthermore, FIs’ online banking portals were designed for consumer use and can be overwhelmed by data requests from commercial third parties, making them slower or even inaccessible to FI consumers.
After significant debate, PSD2’s implementing regulations ban standard screen scraping and require FIs to open their APIs. Although FIs are understandably reluctant to share valuable customer data with their competition, there is a consensus that open APIs are preferable to screen scraping as APIs offer a more secure way for FIs and FinTechs to share account data. And for FinTechs that fear FIs will withhold customer data, the European Commission has provided a contingency measure, euphemistically termed “screen scraping+”, which is allowed if the FIs’ APIs do not perform as required. If five consecutive third-party access requests get no response within 30 seconds, then FinTechs will be allowed to access the FIs’ data using screen scraping+, where the third parties must identify themselves to the FI as third parties acting on behalf of consumers (rather than the FinTech simply impersonating consumers à la regular screen scraping).
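The contingency rule described above is a small piece of state: the third party's requests are counted only while they go consecutively unanswered, and a single answered request resets the count. The following Python is an added example (not part of the original post, nor any regulator's or FI's reference code) that models that rule over a constructed sample of access attempts and builds the self-identifying access record that distinguishes screen scraping+ from plain screen scraping. The `AccessAttempt` type, the `fallback_request` field names, and the sample latencies are assumptions made for the example; only the 30-second timeout and the five-request threshold come from the text.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Thresholds as stated in the article's description of the PSD2 contingency
# measure: five consecutive access requests with no response within 30 seconds.
TIMEOUT_SECONDS = 30.0
CONSECUTIVE_FAILURES = 5


@dataclass(frozen=True)
class AccessAttempt:
    """One third-party request to the FI's dedicated API (hypothetical type).

    response_seconds is None when the FI never answered; otherwise it is the
    observed latency. A reply that arrives after the timeout counts as
    unanswered for the purpose of the rule."""
    request_id: str
    response_seconds: Optional[float]

    @property
    def unanswered(self) -> bool:
        return self.response_seconds is None or self.response_seconds > TIMEOUT_SECONDS


def longest_unanswered_run(attempts: Sequence[AccessAttempt]) -> int:
    """Length of the longest run of consecutive unanswered requests.

    Any answered request resets the counter, which is what 'consecutive'
    requires: eight failures spread across a day do not trigger the fallback."""
    longest = current = 0
    for attempt in attempts:
        current = current + 1 if attempt.unanswered else 0
        longest = max(longest, current)
    return longest


def fallback_permitted(attempts: Sequence[AccessAttempt]) -> bool:
    """True once the API has gone unanswered often enough for screen scraping+."""
    return longest_unanswered_run(attempts) >= CONSECUTIVE_FAILURES


def fallback_request(third_party_id: str, consumer_reference: str) -> dict:
    """Access record for a screen scraping+ request (field names are assumptions).

    The point of the '+' is that the third party identifies itself to the FI
    and states that it acts on behalf of the consumer, so the FI can tell a
    provider session apart from the consumer's own session in its logs."""
    return {
        "acting_as": "third-party-provider",
        "third_party_id": third_party_id,
        "on_behalf_of": consumer_reference,
        "identifies_as_third_party": True,
    }


# Constructed sample log: four unanswered requests, one answered, three unanswered.
SAMPLE_DEGRADED = [
    AccessAttempt("r1", None), AccessAttempt("r2", 45.0), AccessAttempt("r3", None),
    AccessAttempt("r4", 31.0), AccessAttempt("r5", 2.1), AccessAttempt("r6", None),
    AccessAttempt("r7", None), AccessAttempt("r8", None),
]
# The same log with two more unanswered requests: the second run reaches five.
SAMPLE_OUTAGE = SAMPLE_DEGRADED + [AccessAttempt("r9", None), AccessAttempt("r10", None)]


if __name__ == "__main__":
    for name, log in (("degraded", SAMPLE_DEGRADED), ("outage", SAMPLE_OUTAGE)):
        print(name, longest_unanswered_run(log), fallback_permitted(log))
    if fallback_permitted(SAMPLE_OUTAGE):
        print(fallback_request("example-budgeting-app", "consumer-ref-0001"))
```

An FI running the dedicated API can apply the same counter to its own access logs, per third party, as an early warning: an alert when a provider's run of unanswered requests reaches three or four leaves time to fix the API before the fallback becomes available.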
This compromise may leave both sides unsatisfied, but the competition to FIs from FinTech startups has been growing for some time, and a change to data sharing methods was almost inevitable. Ultimately, most believe that PSD2 is set to improve FI competition and collaboration across the EU. Consumers have already embraced FinTechs; with better access to account data, usage of FinTechs will likely grow. If FIs want to avoid losing more customers to FinTech challengers, then FIs need to provide a customer experience that either equals or exceeds what the FinTechs can offer. For FIs that have been struggling to adapt to the changing demands of their customers, partnerships with FinTechs offer an attractive way for FIs to expand and improve their product offerings at a lower cost than innovating in-house. And not all of these partnerships need be commercial. FIs can partner with Google, Apple or Facebook to send reminders to customers when payments are due, improving convenience. Note also that PSD2 requires FIs to share only current account data, not information on savings accounts, direct debits, or demographics. Forward-thinking FIs operating in the EU will undoubtedly capitalize on the vast pools of untapped data that they already hold to form new partnerships and improve their services.
In the U.S.
While Europe moves forward with laws and regulations on data sharing between FIs and non-FI companies, data sharing in the U.S. remains informal. Screen scraping remains the norm and FIs allow it due to market pressures and consumer demand. Although Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) requires banks and other financial service firms to make customers’ financial data available to the customer in a usable form, no promulgated rules define what “usable form” means or identify sanctions for FIs that limit what information they share. According to the Wall Street Journal, several of the biggest FIs temporarily blocked access to some third-party providers and data aggregators in 2015, and last year Yahoo Finance reported that some FIs have been blocking consumers from accessing their data, including transaction records and account balances, in defiance of Dodd-Frank and without consequence.
While the Consumer Financial Protection Bureau (CFPB) has the authority to pass regulations on data sharing under Dodd-Frank, it has opted not to do so thus far. Instead, in October 2017, the CFPB published a set of nine non-binding Consumer Protection Principles (Principles). The Principles—which cover issues from access and data usability to informed consent and security—affirmed consumers’ ownership rights over their financial data. But the Principles do little to illuminate how FIs must share that data with consumers and third parties in the U.S.
Screen scraping is never mentioned in the CFPB’s Principles, but the CFPB does seem to suggest that it is not the preferred technology for sharing data. Under the “Access” principle, the CFPB states that consumers should generally be able to authorize third parties to obtain financial information from account providers, and access should “not require consumers to share their account credentials with third parties.” Because screen scraping requires exactly that, the CFPB effectively discourages screen scraping. But it is unclear whether this means that FIs can prohibit consumers from sharing their account credentials and require third parties to access consumer data through an API, or whether such a prohibition would itself deter consumer access, since a ban on credential sharing would make many FinTech products and services currently offered unavailable.
The CFPB has provided no clarification and the ongoing turmoil at the CFPB makes it unlikely that the Principles will be fleshed out or converted into rules anytime soon. But perhaps the CFPB’s approach is correct and it is not yet time for formal rulemaking. The CFPB received over 70 comments from a broad range of stakeholders when it put forth a request for information regarding consumer access to financial records, and many of those comments recommended minimal or no involvement from the CFPB at this time. Technology is evolving and there are several key issues yet to be resolved.
From the FIs’ perspective, data security is paramount and the related regulatory requirements on the FIs have not been sufficiently addressed. The prudential regulators responsible for ensuring the safety and soundness of banks frequently examine FIs’ information security practices, and financial institutions have devoted significant resources to improving their data security procedures and technology. Would an FI face an enforcement action from the FDIC or other banking regulator if it shared customer data with a FinTech startup and that startup were breached?
From the FinTechs’ perspective, even if there is a suspicion that FIs are withholding API access for anti-competitive reasons, a full switch to APIs (as in Europe) has its own drawbacks. For the past 15 years, third parties have built their products on screen scraping technology; switching to APIs would require massive work to retrofit apps and programs. Furthermore, APIs are expensive to develop and many community banks and credit unions have limited resources to invest, and would most likely have to pay for third-party FI technology vendors to develop them. If those FIs cannot afford to develop APIs, their customers could lose access to FinTechs they have come to rely on, while the FIs would lose the ability to take full advantage of future innovation.
Ultimately, the current data sharing landscape in the U.S. is unsustainable. Although it may be best to have a regulator like the CFPB craft a solution, direction from Washington likely will not occur anytime soon. Yet U.S. FIs would be wise not to wait on formal data sharing requirements, given the clear trend towards open data sharing via APIs, even in the U.S. FIs should start developing APIs now, rather than wait for a PSD2-esque law to mandate it. Some of the biggest FIs, like Wells Fargo, BBVA Compass, Citibank, and J.P. Morgan Chase already have APIs, even if they have so far limited access to companies that they approve. Other FIs would be shortsighted to fight sharing data with FinTechs instead of embracing the innovations reshaping the industry. Rejecting open APIs will not prevent consumers from sharing their data with third parties; it will just force consumers to share their financial data in a less secure way, by sharing FI login credentials.
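The security argument running through this section, and through the “Access” principle discussed earlier, is that a third party holding the consumer's login credentials is indistinguishable from the consumer and inherits every permission the consumer has, whereas an API lets the FI know who is asking, limit what they may read (PSD2 itself reaches only current account data), and withdraw access later. The Python below is an added example written for this page, not code from the original post or from any FI, that places a toy screen-scraping login beside a toy consent-based API so the three differences (identity, scope, revocability) are visible in the returned data and the audit log. The `OpenApi` class, its token and expiry handling, the account data, the consumer credentials and the third-party name are all constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample data: one consumer's holdings at an FI, grouped by the
# categories the article names (current account data vs. everything else).
ACCOUNTS = {
    "current": {"balance": 1250.40, "transactions": ["coffee -3.20", "salary +2400.00"]},
    "savings": {"balance": 9800.00},
    "direct_debits": ["electricity", "rent"],
}
CONSUMER_CREDENTIALS = {"username": "alice", "password": "correct horse battery staple"}


def screen_scrape(username: str, password: str) -> dict:
    """Plain screen scraping: the third party logs in *as* the consumer.

    The FI sees an ordinary consumer session, so it cannot name the third
    party, cannot narrow what the session may read, and cannot revoke the
    third party without locking out the consumer too."""
    if username != CONSUMER_CREDENTIALS["username"] or not hmac.compare_digest(
        password, CONSUMER_CREDENTIALS["password"]
    ):
        raise PermissionError("bad credentials")
    return {"seen_as": username, "data": ACCOUNTS}  # full access, no scope


@dataclass
class Consent:
    """A consumer's grant to one named third party (hypothetical structure)."""
    third_party_id: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class OpenApi:
    """Toy FI-side API: access is keyed to a consent, not to a password."""

    def __init__(self):
        self._consents: dict = {}
        self.audit_log: list = []

    def grant(self, third_party_id: str, scopes, ttl: timedelta) -> Consent:
        consent = Consent(third_party_id, frozenset(scopes), datetime.now(timezone.utc) + ttl)
        self._consents[consent.token] = consent
        return consent

    def revoke(self, token: str) -> None:
        self._consents[token].revoked = True  # consumer keeps their own login

    def read(self, token: str, resource: str, now: datetime = None):
        now = now or datetime.now(timezone.utc)
        consent = self._consents.get(token)
        if consent is None or consent.revoked or now >= consent.expires_at:
            self.audit_log.append(("denied", None, resource))
            raise PermissionError("consent missing, revoked or expired")
        if resource not in consent.scopes:  # least privilege: only consented data
            self.audit_log.append(("denied", consent.third_party_id, resource))
            raise PermissionError(f"{consent.third_party_id} not consented for {resource}")
        self.audit_log.append(("allowed", consent.third_party_id, resource))
        return ACCOUNTS[resource]


def _attempt(api: OpenApi, token: str, resource: str) -> str:
    try:
        api.read(token, resource)
        return "allowed"
    except PermissionError:
        return "denied"


def demonstrate() -> dict:
    """Run both models on the same consumer and summarise what each exposes."""
    scraped = screen_scrape("alice", "correct horse battery staple")
    api = OpenApi()
    consent = api.grant("budget-app", ["current"], timedelta(days=90))
    current = api.read(consent.token, "current")
    out_of_scope = _attempt(api, consent.token, "savings")
    api.revoke(consent.token)
    after_revoke = _attempt(api, consent.token, "current")
    return {
        "scraping_sees": scraped["seen_as"],            # the consumer, not the app
        "scraping_fields": sorted(scraped["data"]),      # everything the consumer has
        "api_balance": current["balance"],
        "api_out_of_scope": out_of_scope,
        "api_after_revoke": after_revoke,
        "audit": api.audit_log,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The audit log is the operational payoff for a defender: under the API model every read is attributed to a named provider and a stated scope, so an FI can answer the breach question raised earlier (which provider held what, until when) from its own records rather than from a scraped-session trail that looks like the consumer.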
FIs would be wise to view PSD2 and open APIs as an opportunity to position themselves as financial partners to customers, providing new banking experiences that are user-friendly, competitive, and aligned with modern customers’ banking needs. And as other FIs open their data to third parties—including European financial institutions—those that stay behind will risk competitive disadvantage and their customers’ annoyance. The growth of the data sharing movement suggests that, even without requirements written into law, FIs will have to start making their customer data accessible, in a secure manner, if they want to keep up with the competition.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.