by Zachary Zehner, RBFL Student Editor
If I were a betting man, I would guess that the average reader has a bank account, a credit card, and perhaps an investment portfolio as well. Juggling all of these accounts while trying to stick to a budget leads many consumers to a third-party service provider like Mint.com. Mint provides a platform that consolidates all of these accounts in one place and gives a fuller picture of one's financial health. But how does Mint learn your financials across all of these accounts? With Mint, as with many other third-party financial services in the United States, you have given them your username and password so they can log into your financial accounts and record the financial data. The process is called screen scraping. The user hands his login credentials to a data aggregator, usually a separate company working on behalf of the third-party service provider, which uses proprietary software to collect your account balances, transactions, fees, and interest charges.

Because the data aggregator logs in with your own credentials, it has not only full rein over your financial accounts but also access to other data, including non-essential personal details you may have added to your account such as your home address, phone number, and birthday. For the same reason, it is hard for your banking institution to tell whether it is you or the data aggregator logging into your account. While this all seems quite scary, there have yet to be any data breaches attributed to data aggregators using screen scraping techniques. What might be scarier is that in the United States, some financial institutions have unilaterally blocked some third-party services. Thus, the consumer may feel that they do not actually own their financial data, because the financial institution decides who may access it. Financial institutions point to serious security concerns with screen scraping, along with some logistical concerns, to justify blocking third-party service providers.
In the European Union, the revised Payment Services Directive (PSD2) puts an end to this monopoly over consumer financial data and places it back into the hands of consumers. It also almost completely does away with screen scraping, opting instead for Application Programming Interfaces (APIs). With APIs, data aggregators access consumer data through a specialized portal on the financial institution's website rather than through the consumer-facing interface used in screen scraping. APIs allow greater control over the range of personal data shared with data aggregators and ease many of the logistical concerns financial institutions had with screen scraping. While on its face this makes APIs look like a clear answer for where the United States should take its financial data regulation, the picture is much muddier than that. APIs are expensive, and many community banks would not be able to offer their consumers the extra services that screen scraping makes possible. APIs may appear impenetrable, but the Equifax breach proved otherwise. Lastly, many third-party service providers have relied on screen scraping for so long that switching to APIs would be a hardship on their business.
For now, the Consumer Financial Protection Bureau has not taken any affirmative action toward regulating our financial data. The industry is self-regulating, and hopefully that will get us through until we can take stock of the results of the newly enacted PSD2 in the EU.
- Fintech: Examining Digitization, Data, and Technology: Hearing Before the S. Comm. on Banking, Housing and Urban Affairs, 115th Cong., at 31 (Sept. 18, 2018), https://www.govinfo.gov/content/pkg/CHRG-115shrg27749/pdf/CHRG-115shrg27749.pdf
- Consumer Financial Protection Bureau, Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (Oct. 17, 2018), https://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf
- U.S. Dep't of Treas., A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation, Report to President Donald J. Trump, Executive Order 13772 on Core Principles for Regulating the United States Financial System, at 25, https://home.treasury.gov/sites/default/files/2018-07/A-Financial-System-that-Creates-Economic-Opportunities—Nonbank-Financi….pdf
- Erin Fonte & Brenna McGee, EU Law Brings Data Sharing Pointers For US Financial Cos., Law360 (June 29, 2018), https://www.law360.com/articles/1056977/eu-law-brings-data-sharing-pointers-for-us-financial-cos