Consumers — not banks — should control access to personal financial data

Consumers — not banks — should control access to personal financial data
© Getty Images

The U.S. economy has a competition problem. Across a wide range of industries, a few giant companies are buying up or sabotaging their competitors and consolidating market share at alarming rates. When it comes to anti-competitive practices in the financial services industry, a little-known provision in the Dodd-Frank Wall Street Reform and Consumer Protection Act can open the door for regulators to make the market work better for consumers. 

Large financial institutions hold vast amounts of consumer financial data. The Dodd-Frank provision, known as Section 1033, gives consumers the right to access their own financial data, and by extension, to make that data available to other financial institutions that might compete to offer services to the consumer. 

The ability to freely access one’s own financial data helps consumers switch banking relationships without losing their transaction history or disrupting their automatic bill pay arrangements. The right to access and share one’s own financial data also enables a wide range of third-party financial services that are not offered by or compete with services offered by banks. 

ADVERTISEMENT

For example, when consumers can share their data with third-parties (so-called “consumer-permissioned access”), they are able to use third-party account monitoring services to help avoid overdraft or late fees. They are also able to easily import their data into financial planning and budgeting services. Being able to share one’s own financial data enables consumers to get loans underwritten based on their bank transaction history, even if they do not have a credit history. And it enables consumers to make electronic payments through non bank payment platforms like Venmo. In short, being able to share one’s own data enables all sorts of products that compete with banks.  

Not surprisingly, big banks don’t like this. Consumer data access — and the new businesses that it facilitates — is a major threat to large, entrenched institutions. And legacy financial services giants have treated it as such, resorting to a number of dirty tricks to undermine consumer data access and stifle competition.

For example, large financial institutions have imposed onerous user reauthorization requirements and regularly interrupted third-party connections, leading to long periods of downtime or brownouts that undermine service reliability. They have implemented technological barriers to consumers giving third-parties access to their data through “screen scraping.” These are all anti-competitive tactics designed to prop up in-house products. The big banks engage in these anti-competitive practices against the wishes of consumers who have expressly authorized third-party services to access their financial data, and they do so in clear violation of the intent of Congress as articulated in Section 1033. 

That’s why it’s essential for the Consumer Financial Protection Bureau (CFPB) to undertake a rulemaking implementing a strong data access right with consumer protections provisions. A CFPB rulemaking can address any ambiguity about the scope of the data access right in Section 1033. Paired with strong consumer protection measures, consumer-permissioned access can give individuals more choice and more control. But in an economy where consumer data increasingly drives market power, any effort to democratize data is going to be met with stiff resistance by the incumbents who predominantly hold it.

The big banks defend their hoarding of consumers’ data under the banner of consumer privacy and data security. Some third-parties, they argue, use technologies with known security vulnerabilities, while large financial institutions are governed by a strict set of federal regulations that may hold them liable for data breaches or other security failures at third-party companies over which they have no control.

ADVERTISEMENT

To be sure, consumer privacy and data security are paramount and should be thoughtfully addressed by the CFPB and other regulators. Consumers should have full control over what data they share, including the ability to stop sharing their data at any time, and there should be safeguards to protect consumers from harm. But privacy and data security should not be used as tools to impede competition: It’s possible to have privacy, security and competition all at the same time. 

Last fall, the CFPB took a promising step by issuing an Advanced Notice of Proposed Rulemaking for Section 1033, suggesting that the agency is looking toward advancing regulation in this area. The CFPB should issue a strong, pro-consumer rule that affirms consumers’ clear and unencumbered access to their financial data. Doing so would level the playing field for small businesses and new market entrants and expand consumer choice. 

The CFPB’s mission is to “help consumer finance markets work.” Giving consumers access to their own data is key to making markets work.  

Adam J. Levitin is a professor of law at Georgetown University Law Center.  He previously served on the CFPB’s Consumer Advisory Board.