Congress Talks Fintech Law

The Senate Banking Committee dipped its toes this week into the future of fintech regulation, debating whether that future should mean implementing new rules to cover the emerging sector or shedding existing financial regulations that might hamper innovation.

The hearing included testimony from representatives of fintech and financial services companies as well as academia.

Committee chairman Sen. Mike Crapo, R-Idaho, said fintech’s rapid evolution is challenging the way government has traditionally exercised oversight of financial services. In many cases, that regulatory framework predates the digital era. “To the extent that there are improvements that can be made to better foster and not stifle innovation, we should examine those,” he said.

Sen. Sherrod Brown, D-Ohio, the committee’s ranking minority member, noted that banks bragged about “innovations” such as subprime mortgages prior to the 2008 financial crisis, and convinced Congress then to slow-roll possible regulation..

“Eventually so-called financial innovations led to the biggest economic disaster in almost a century,” Brown said. He said lawmakers should be skeptical about the Treasury Department’s July fintech report, which called for modernizing certain regulations to keep pace with changing technologies.

One point where Crapo and Brown did agree: there are serious data privacy and security issues that need examination.

Brian Knight, director of the Innovation and Governance Program at the Mercatus Center (a libertarian think tank at George Mason University), said the granularity of the data collected directly affects the risk; some data could be innocuous at one level of detail, but extremely damaging at another. Knight said existing laws can mitigate those risks to some extent, and new regulations should be added only if current rules are proven inadequate.

“Fintech offers exciting possibilities for better, cheaper, and more inclusive financial services. We should be mindful of risks posed, but we should not overreact,” Knight said.

Fintech and Data Collection

With reports like the recent Wall Street Journal article about Facebook aggressively pushing banks to turn over customer financial data, Banking Committee members from both parties stressed the importance of consumers knowing — and granting specific permission for —  who has access to their personal data. Experts backed the need for clear disclosures with consumers’ right to revoke access at any time (something the GDPR already grants to European Union citizens), but most stopped short of recommending statutory limits on what information a data aggregator could collect or share.

Saule Omarova, a law professor at Cornell University and former Bush Administration official, said the Facebook article highlights what is at stake: there is nothing to prevent Facebook or a similar tech company from using sensitive personal data for unauthorized commercial purposes.

Omarova praised Wells Fargo and Bank of America for refusing to give Facebook access to customer data, but said she doesn’t delude herself that the banks did so out of respect for their customers’ privacy. Rather, they told Facebook to buzz off “because of the regulations that apply to them today.”

Such regulations don’t exist for other types of companies, and Omarova also warned against the Treasury Department’s recommendations that would relax rules on permissible activities for banks. Such a rollback could pave the way for large-scale partnerships between banks and technology companies that could create monopolies on the flow of money and information.

“The American republic of George Washington and Teddy Roosevelt was never meant to become a dystopic company town of this kind,” Omarova said.

Steven Boms, executive director of the Financial Data and Technology Association of North America, argued that the “lifeblood” of third-party fintech tools is user-permissioned data access; yet there’s no legal requirement in place that forces financial institutions to grant a third party access to a consumer’s data — even with affirmative consent from the consumer.

The “lifeblood” of third-party fintech tools is user-permissioned data access; yet there’s no legal requirement in place that forces financial institutions to grant a third party access to a consumer’s data — even with affirmative consent from the consumer.

Boms, who was testifying on behalf of a consortium of 50 fintech companies, said the unevenness of the playing field could get worse if large banks don’t give competing third parties access to customer data. He pointed instead to the Open Banking regime in Britain, which lets consumers use any third-party tools they want, and similar approaches taken by lawmakers in the EU, Mexico, and Australia.

One thorny issue for the fintech ecosystem: liability. Current expectation is that financial institutions are on the hook to make consumers whole in the event of a data breach, even if that breach occurred due to a third party — like some random fintech firm that somehow convinces a user to give it access to his or her data.

Boms said his group has released a set of principles for secure, open access that would place responsibility on whatever link in the chain — bank, fintech, data aggregator — was responsible for the breach.

Crapo said the Senate Banking Committee will continue to review challenges posed by fintech, adding that bipartisan agreement does exist on many issues.

“Over time we’re going to dig much more deeply into this as a committee,” Crapo said. “It’s an incredibly important issue, and it’s complex.”