House Financial Services Committee Hearing on Big Data
House Financial Services Committee Task Force on Financial Technology
“Banking on Your Data: the Role of Big Data in Financial Services”
Thursday, November 21, 2019
Key Topics & Takeaways
- GDPR and CCPA: Multiple members of the committee asked questions specific to GDPR and CCPA. Pozza, Wiley Rein, said that it has been difficult for financial institutions to navigate CCPA compliance, noting that the regulations are still being finalized, adding that the CCPA is affecting small companies that are struggling with compliance, illustrating the problems with regulating in this space with a broad brush. Pozza said that it is costly for businesses to have different regimes governing different types of data and it is difficult for consumers to have clear expectations about how their data will be treated.
- Transparency and Consumer Expectations: Cardinal, FDX, said that transparency, or the idea that a consumer should know what data elements they are sharing and for what purpose, should be a driving principle. He continued that consumers should be able to make an informed decision about what data they are sharing because an informed consumer makes the whole industry better. Asked whether consumers should have to give consent for the transference of their data to third parties, all witnesses agreed this should be the minimum standard.
- Congressional Action: Asked how Congress can address this issue, Saunders, National Consumer Law Center, said data needs to be used in ways the consumer expects, permissions should expire and data should be minimized. Pozza said that there should be a risk-based approach, and though consumer control over their information is important, it needs to be balanced.
- Lauren Saunders, Associate Director, National Consumer Law Center
- Dr. Seny Kamara, PhD., Associate Professor of Computer Science, Brown University and
Chief Scientist, Aroki Systems
- Dr. Christopher Gilliard, PhD., Professor of English, Macomb Community College and Digital Pedagogy Lab Advisor
- Don Cardinal, Managing Director, Financial Data Exchange (“FDX”)
- Duane Pozza, Partner, Wiley Rein
Chairman Stephen Lynch (D-Mass.)
In his opening statement, Lynch said that there has been an explosion of financial products and services, noting that consumers now have access to apps to manage their finances, change their saving habits and pay friends in a way that was not possible even a few years ago. However, he said that more personal financial data is being transmitted and held outside the traditional financial system, asking if existing statutory protections are adequate for these new circumstances. Lynch noted that large-scale data breaches serve as a “vivid reminder” that even legacy institutions can be vulnerable to security lapses, resulting in harm to consumers. He said lengthy terms of service agreements lead to consumes clicking “I accept” without fully reading or understanding the terms, adding that the technical aspects of data security are “opaque and complex.” Lynch said it is important for Congress and regulators to “get this right” and empower consumers to be in control of their data.
Ranking Member Tom Emmer (R-Mo.)
In his opening statement, Emmer said that Congress needs more education about new innovations in financial services and the emerging developments in technology that already have and will continue to influence the industry. He noted that privacy and security concerns are very important, but data can also benefit consumers and empower individuals to own their own data and leverage it when seeking services from companies, saying that “information can be power.” He said there is an increased responsibility and ethical duty to use data properly, adding that many companies have realized this on their own and are benefitting from listening to customer demand. He said Congress should focus on ensuring data empowers the consumer.
Lauren Saunders, Associate Director, National Consumer Law Center
In her testimony, Saunders there is significant focus on the growing use of data aggregators to access bank accounts and other transaction data. She said that the use of consumer transaction data can help consumers by improving access to credit, preventing fraud, encouraging savings and helping to better manage finances. She also noted that financial technology (fintech) advances address problems traditional banks are not and are encouraging banks to improve their services. She explained that although data is being used today with consumer permission, personal and sensitive data in consumer accounts could be used for negative purposes, like targeting consumers for harmful products, or be fed into algorithms or machine learning applications that could result in discriminatory impacts. She said the use of data aggregators poses concerns for security, privacy, and compliance with the Fair Credit Reporting Act, though she said there are efforts underway to address these issues. Saunders said that consumers need enhanced data security requirements and federal supervision for entities that store significant amounts of consumer data, as well as strong privacy laws that impose substantive limits on use of that information. Saunders called for consumer choice and control that is meaningful and does not preempt state protections, saying consumers have a right to know what information about them is being used, to demand accuracy, to obtain corrections, and to be told if that information leads to adverse consequences.
Dr. Seny Kamara, PhD., Associate Professor of Computer Science, Brown University and
Chief Scientist, Aroki Systems
In his testimony, Kamara noted that the financial industry is using new sources of data and is processing data in new ways, including using machine learning models to make automated decisions quickly and at scale. He explained that machine learning models are produced by algorithms that learn from data, and the models produced can be very effective in certain contexts but suffer from certain limitations, including a lack of transparency and bias in decision-making. Kamara said that fintech applications can make use of multiple sources of consumer data ranging from financial records to location information. He noted that it is widely accepted that screen scraping practices are substandard from a security perspective, and application programming interfaces (APIs) are a considerable improvement, though they are still not optimal. Kamara detailed that over that last 30 years, researchers have developed a wide array of techniques to process encrypted data, giving apps the ability to run algorithms without ever decrypting the data, meaning consumers do not necessarily have to sacrifice their privacy to benefit from financial and technological innovations. He said that although it is easy to get carried away with “tech optimism,” it is important to be acutely aware of the potential harms and to worry about the erosion of privacy, adding that “moving fast and breaking things” is “not sound policy.”
Dr. Christopher Gilliard, PhD., Professor of English, Macomb Community College and Digital Pedagogy Lab Advisor
In his testimony, Gillard said that too often, digital technology renders systems invisible and inscrutable under the guise of propriety code, black box algorithms or artificial intelligence, but now there are countless documented examples of algorithmic discrimination, data breaches and violation of privacy on the part of platforms. Gilliard said the onus for addressing these problems should be shifted onto companies so that before they move their product to market, they provide evidence that they will not bring harm to the consumer. He explained that third party data brokers handle all manner of data to the point that even if there are categories of data that are protected, processing such massive amounts of data often necessitates the existence of proxies that allow for discrimination against protected classes within or among systems that may not appear to be financial. He said that while new forms of banking and credit may provide access to systems marginalized people may not have traditionally had access to, many of these technologies also offer these benefits in exchange for peoples’ privacy or create opaque systems that offer little opportunity for redress. He noted there are two crucial frameworks for understanding these technologies and their impacts on marginalized communities: digital redlining and predatory inclusion. He said that the assumption should be that automated systems will deepen inequality unless proven otherwise, as bias makes its way into systems even if computational tools don’t use identity markers as the basis for decision-making. He said that privacy policies are mainly designed to protect companies and a structure of consent is lacking, adding that consumers rarely understand the full uses of their data and those harmed during innovation tend to already be the most marginalized.
Don Cardinal, Managing Director, Financial Data Exchange (“FDX”)
In his testimony, Cardinal explained that FDX’s mission is to unify the financial services industry around a standard for secure sharing of financial data with fintech apps, saying their core principles are control, access, transparency, traceability and security. He said that over the last decade, technological innovations in financial services have empowered consumers to better understand where and how they spend their money, increase their credit scores, pay their taxes, verify their accounts and balances, and aggregate disparate financial accounts. He noted that while consumers have immensely benefited from these applications, they have primarily resulted from screen scraping, which requires the sharing of login credentials for accounts at financial institutions with third parties. Cardinal explained that screen scraping is the automated process of collecting the text that appears on a website for purposes of another application, collecting for example banking information for use in another application. He called this practice very inefficient and said it can lead to poor information quality as well as places undue burden on the financial institution’s technology staff due to the sheer volume of automated logins. He said that FDX was formed to find a better way forward and move industry away from screen scraping and towards the use of APIs. He said APIs are a way for computers to talk to each other in a common format, which allows users within a financial data ecosystem to be securely authenticated without sharing or storing login credentials with third parties, eliminating access for data brokers who collect data without consumer knowledge or consent.
Duane Pozza, Partner, Wiley Rein
In his testimony, Pozza said that data-drive financial services hold enormous potential to improve consumers’ financial lives, as companies can use financial data responsibly to expand access to credit, provide customized financial advice, detect and prevent fraudulent behavior, and provide financial services at a lower cost. He said companies are already using large and robust data sets to accomplish these objectives, noting that companies using consumer data in innovative ways operate in an area that already has many significant laws and regulations on the books as well as multiple regulatory authorities governing them. He noted that many financial services laws already implicate the use of financial data, including the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act (GLBA), and that companies must also comply with consumer privacy laws that reach across sectors, including state and international laws like the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). He said state laws threaten to create a piecemeal compliance framework and burden businesses that already have substantial compliance obligations, adding that the CCPA illustrates some of the challenges companies face on this issue. Pozza said that as consumer data is increasingly used to provide better financial services, it is important to carefully consider consumer expectations and preferences around the use of their information and weigh the benefits better financial services can bring.
Question & Answer
GDPR and CCPA
Multiple members of the committee asked questions specific to GDPR and CCPA. Rep. Blaine Luetkemeyer (R-Mo.) asked about conflicts with other state laws and about compliance. Pozza responded that it has been difficult for financial institutions to navigate CCPA compliance, noting that the regulations are still being finalized. He said the rules are “a bit unclear” and some may change pending action by the California Attorney General, making it difficult for companies to determine how to manage their data practices under the law. In response to a question from Emmer, Pozza added that the CCPA is affecting small companies that are struggling with compliance, illustrating the problems with regulating in this space with a broad brush.
Rep. French Hill (R-Ark.) asked what the biggest shortcomings are in CCPA. Pozza said there is a lack of clarity about specific obligations under the law. He said that while the law carves out data that is subject to GLBA, it does not carve out financial institutions generally, meaning it is layering another layer of unclear regulation on top of GLBA and institutions have to parse through whether a particular piece of data id covered under GLBA. He said it is confusing for both consumers and companies to have their data treated in different ways under this approach.
Rep. David Scott (D-Ga.) said these laws seems to shift to conversation towards a “bill of rights” model in which consumers can have a certain expectation about what privacy protections they have. Kamara agreed with that assessment, saying that the laws are forcing the industry to put real technological measures in place to protect consumer privacy, calling it a positive step. Asked by Scott what challenges have arisen during the implementation of these laws, Kamara said that any challenges are surmountable because technology can be used to provide privacy.
Rep. Bryan Steil (R-Wis.) noted that the GDPR gives individuals the “right to be forgotten” and asked the witnesses how this impacts common financial products. Pozza noted that under CCPA there is an exemption to the deletion provision for business exemptions such that data cannot be deleted in a way that the business can no longer function or if it is necessary for analytics, saying there must be sensitivity about business concerns. He explained that data models that are used for things like fraud prevention could be incomplete if certain data is deleted, so a carveout would be helpful to ensure companies have access to certain data for these purposes.
Steil asked how the complexity of overlapping and conflicting rules, like CCPA and GDPR, impacts businesses and consumers. Pozza replied that it is costly for businesses to have different regimes governing different types of data and it is difficult for consumers to have clear expectations about how their data will be treated.
Transparency and Consumer Expectations
Emmer asked whether the average consumer utilizing fintech services knows to what extent their personal and financial data is being stored and shared. Cardinal said that transparency, or the idea that a consumer should know what data elements they are sharing and for what purpose, should be a driving principle. He continued that consumers should be able to make an informed decision about what data they are sharing because an informed consumer makes the whole industry better.
Rep. Al Lawson (D-Fla.) asked how a consumer would know who has access to their data and how it will be shared. Saunders said that is not something consumers are equipped to know, and the onus should not be on consumers to figure that out. Cardinal said there are innovations in the industry to address this, including the development of dashboards where consumers can see who they’ve permissioned to access their information and the ability to kill that connectivity at any time. Gilliard pointed out that it is impossible for people to know how their data is being processed and what kinds of correlations will be made by companies using their data. Kamara added that a lot of data is used in ways we do not understand, with data being kept longer than needed and consumers not knowing for how long or for what purpose.
Rep. Warren Davidson (R-Ohio) asked whether consumers should have to give consent for the transference of their data to third parties. All witnesses agreed this should be the minimum standard.
Lynch asked how to instill in consumers the knowledge of what they are agreeing to when they agree to terms of services with privacy provisions. Saunders said it is not possible for consumers to understand how their data will be used or have the option to not agree as the uses of data become more widespread. She said consumers need confidence that their data will be used for the purposes they would expect in order to provide the service and that a minimal amount of data is being used. Kamara pointed out that there are ways to design apps and services so consumers do not have to give up their raw data, saying that although the technology has existed for a decade, companies have not had an incentive to improve their privacy practices, so it has been under-invested in.
Reps. Ben McAdams (D-Utah) and Steil asked how Congress can address this issue. Saunders said data needs to be used in ways the consumer expects, permissions should expire and data should be minimized. Pozza said that there should be a risk-based approach, and though consumer control over their information is important, it needs to be balanced. Hill added he supports a national privacy standard.
Emmer asked whether fintech companies, data aggregators and data brokers are covered under the GLBA. Saunders said that it covers traditional financial institutions such as banks and credit unions but is not nearly broad enough to cover the range of companies that have consumer data and implicate privacy concerns.
McAdams asked for an explanation of the difference between a data aggregator and a data broker. Cardinal explained that a data aggregator is simply a data service company that allows any third party that is permissioned to reach out and extract, with a consumer’s consent, data from a variety of sources, like a bank. He continued that a data broker is harvesting “quite a bit of data,” often without customer’s knowledge or consent.
Luetkemeyer expressed his concern about data aggregators and screen scraping, to which Cardinal replied that screen scraping is inefficient, expensive, and can lead to data inaccuracy, adding that APIs are more secure and limit the amount of data that is shared.
Bias and Discrimination
Lawson asked how big data collection impacts consumer profiling. Saunders responded that the problem is that we do not know the answer to that question. She explained that data is being entered into algorithms and there is little understanding about how it is being used or how conclusions are being reached.
For more information on this hearing, please click here.
For an archive of past SIFMA hearing coverage, please click here.