Are U.S. Banks Leaning Toward “Closed Banking?”

Odds are, if you work in fintech, you know what open banking is. The concept is so popular that in Europe an entire regulatory regime, PSD2, has sprung up around it.

So if Europe is progressive enough to create regulations mandating open banking, how is the U.S. doing? It turns out that some banks in the U.S. are taking an opposite approach and preventing third parties from accessing consumer data.

Keeping it secure

The motive behind this move is pure: banks are closing down connections to third party apps to keep customer information secure and limit data breaches. Data retrieval methods such as screen scraping or using the customer’s password to gain access are indeed unsafe. We spoke with Chief Growth Officer and Co-founder of Flybits, Gerti Dervishi, who said this type of data sharing is “risky in so many different ways” since data scraping is not a standard protocol. Regarding recent decisions of U.S.-based banks that are gating off third parties, Dervishi said, “Honestly, this couldn’t go on for much longer.”

First-movers

JP Morgan Chase recently came up with a new access plan for third party fintechs that require access to customer data. The aim of this new plan is to stop third parties from using password-based access to retrieve customer banking data. Starting July 30, fintechs will be barred from pulling customer information until they sign data access agreements and stop using customer passwords to retrieve banking information. Instead, JPM wants third parties to connect to consumers’ accounts via its open API. The bank made it clear that not only is this method more secure, it will also place consumers in control of what data they want other applications to access.

PNC Financial is also cracking down on third party data access, but is leaving third parties with fewer options. Explaining the decision to the Wall Street Journal, PNC Chief Customer Officer Karen Larrimer said, “When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers. This puts customers and their money at risk. We want to make sure we know who is setting up the account.”

As part of the move, Pittsburgh-based PNC is preventing customers from using P2P money transfer app Venmo and has blocked “multiple different aggregators,” including Plaid, which PNC states circumvented its security protocol. Plaid, a popular data transfer network, connects consumer information to other third party apps such as Square’s Cash app, Robinhood, and Digit.

Who owns the data?

But shouldn’t the consumer be able to decide if they want a third party to use their data? This became a major issue when PNC began directing users from PayPal’s P2P payment app Venmo to Zelle, the bank’s in-house P2P money transfer tool. This is because, as Dervishi said, “There is already an agreement in place with Zelle. [PNC] understands data sharing with Zelle, but they don’t have a standardized agreement with Plaid.”

When it comes to the issue of data ownership, Dervishi circled back to the need for standardization. Because PNC does not have a clear agreement in place with third parties, there is nothing to hold them accountable when it comes to how they use or store customer data. “We need a NAFTA for data,” he said.

So though it may seem as if both of these U.S. players are taking a “closed banking” approach, that statement isn’t exactly correct. Both banks offer open APIs. The difference is that PNC has shut out Plaid (and, in turn, the many third party apps that use Plaid) to head off security issues. JPM (and potentially others) may not be far behind. As Ron Shevlin pointed out in his piece The Real Story Behind the PNC Venmo Clash, “[JPM will] be watching what happens with PNC, for sure. If PNC sees limited account attrition, other Zelle banks will be likely to follow.”

At the end of the day, the only thing to prevent banks in the U.S. from taking a “closed banking” approach may be to follow in the footsteps of the European Union and create a PSD2-like, standardized regulation for data sharing. “Because each bank takes a different approach to third party data access,” Dervishi said, “until we have a well-understood framework like open banking and PSD2, we will have a thousand different methods [to access data].”

Everything Fintech at Davos 2020

The five-day World Economic Forum wrapped up late last month. The event, based in Davos, Switzerland, hosted some of the brightest minds in the world to speak on some of the biggest issues facing our society today.

We combed through the agenda to bring you a view of the discussions through a fintech lens. Here’s a summary of some of the most interesting fintech-related topics covered at the global event.

Shaping the Future of Financial and Monetary Systems
The majority of this session wrestled with digital transformation. One of the overarching themes in this discussion as it related to digital transformation was the idea that we’ve recently reached a major inflection point in the banking industry. That is, banks are no longer adding products and services to their existing models, but the very nature of how they operate is beginning to change. And as these changes happen, banks can only move as fast as their customers are willing to move alongside them.

Shaping the Future of the Digital Economy
This panel represented a range of industries. Specific to the financial services industry, PayPal CEO Dan Schulman said he expects the fintech industry to see more innovation in the next five years than it has seen in the last 30. The cause of this development speed comes down to AI. Along with AI, digital transformation was another hot topic. The panel agreed that digital transformation has opened up new opportunities and in many cases requires firms to revamp their entire business model.

From Token Assets to a Token Economy
This session sought to answer the question, “how can tokenization make illiquid assets accessible without creating new financial risks?” The panelists explained how tokenization makes fractional ownership possible with physical goods, such as a famous painting or a piece of real estate. One overarching theme that pulsed throughout the discussion is that global regulation is behind in the tokenized asset realm. So while technology may be advanced enough for a tokenized asset economy, we are still many years away from it being commonplace.

How to Implement Responsible AI
The World Economic Forum has teamed up with the government of Singapore to create a model framework of governance for the use of AI. This panel discussed the new framework and how it addresses the explainability of AI, which aims to be simple enough for all players to understand. As a part of the effort, the group has also released a toolkit for boards of directors to understand how to conduct AI oversight.

The Real-World Impact of 5G
This session hosted representatives from Verizon, Qualcomm, and ABB. The group addressed political and policy issues around security and trust. Secondary to the conversation were social concerns. The first considered if 5G will cause a digital divide between societies that have 5G and those that do not. The other social concerns addressed were potential climate change and health concerns.

Global Cybersecurity Outlook
The general consensus of this panel is that we are currently losing the battle of cybersecurity. The panelists looked at who is ultimately responsible to act as the authority to govern fraudsters, discussed the balance between security and consumer privacy, and considered whether businesses’ cybersecurity spending is happening in the right areas. Finally, the panelists concurred that security is not an IT problem, but that it is a business problem and everyone at the organization should be a security expert to some extent.

Creating a Credible and Trusted Digital Currency
This discussion looked at opportunities, challenges, and concerns around digital currencies. The panel acknowledged that digital currency adoption has a certain and definite future. Representatives addressed real use cases, including cross-border payments, financial inclusion, and fraud prevention. Among the discussion points were stablecoin competition, central banks’ participation, as well as cultural effects. Much of the dialogue circled back to digital currencies issued by central banks (CBDCs).

Other sessions worth a look include Valuing Unicorns, Building Trust in Data Flows, and Investing in the next Frontier.

The CA Consumer Privacy Act Went into Effect While You Were on Vacation

If you’re unfamiliar with the California Consumer Privacy Act (CCPA), you might want to stop catching up on email you missed over the holiday and focus on this new regulation. Here are a few highlights of California’s new law, which went into effect yesterday.

CCPA grants California residents new rights when it comes to their data and privacy. Essentially, these consumers are now entitled to know what data businesses collect about them, where the businesses obtained it, how they plan to use it, with whom they have shared it, and whether it will be sold.

Here are some takeaways on what fintechs need to know now that the new rule has taken hold:

What’s required of you

Essentially, California consumers have the right to receive a report of their personal information that a business has collected on them for the past year, the right to have that data deleted, and the right to limit the sale of their data to third parties.

All of this means that in addition to tracking consumer data, businesses are also responsible for reporting where the data came from and where it’s going.

CCPA may not apply to you

The state of California has almost 40 million residents, and if you’re conducting business in the U.S., you likely have clients there. And even if you don’t, CCPA grants the new privacy rights to all California residents as defined by income tax, even if they are not currently living in the Sunshine State. In contrast, those living in California but paying income tax in another state are not covered by CCPA.

That said, there’s still a chance CCPA won’t apply to you. Businesses with gross annual revenues less than $25 million, or those that deal with personal information of fewer than 50,000 consumers, or businesses that generate less than 50% of their annual revenue from selling consumers’ personal information are exempt.

Heads up: you could be sued

Data breaches are generally costly, and CCPA will add to the expense. If a consumer notifies a business that it has improperly handled their data and the business doesn’t rectify the issue within 30 days, the consumer has a right to sue for damages in the amount of $100 to $750 per incident, injunctive or declaratory relief, or another option deemed suitable by the court.

On top of that, if a business experiences a data breach, sells consumer data without permission, or retains data after the consumer requested it to be deleted, the Attorney General has a right to charge violators $2,500 to $7,500 for each consumer data file involved.

CCPA may go federal

As you plan out methodologies to document data collection, usage, and distribution, don’t limit your systems to Californians. The privacy act may eventually be escalated to the federal level, so plan your data protocol around all of your U.S. clients.

Just because you’re GDPR compliant doesn’t mean you comply with CCPA

The U.K.’s General Data Protection Regulations (GDPR) went into effect in May of 2018. But just because you’ve mastered your compliance strategy for GDPR doesn’t mean you can rest easy when it comes to CCPA.

On the contrary, there are a handful of differences between the two, as outlined by Pillsbury Law:

  • The coverage group
  • The privacy policy disclosures
  • The breadth of disclosure rights
  • The data disclosures and deadlines
  • The right to opt-out
  • The explicit protection against discrimination

For a more in-depth look into the differences, I highly recommend taking a look at Pillsbury Law’s piece.

Identity verification may be an issue

A user may request access to all of his data, but how do you ensure he is indeed who he says he is and not a criminal? Furthermore, how do you ensure he is a California resident?

According to IDology COO Christina Luttrell, “If GDPR is an indicator of how CCPA will unfold, then businesses need to consider how criminals can and will exploit subject access requests.”

Luttrell went on to explain, “The organizations that will be well positioned to complete CCPA-related requests are the ones that understand the facets of CCPA identity verification (IDV) and adopt IDV systems that scale and automate, are secure and easily integrated, and have multiple IDV methods that will satisfy consumer needs.”

You may be late but you’re not too late

In the event a business violates the CCPA, it has additional time before fines and enforcement take hold due to the 30-day period to cure noncompliance.

If a business can fix a problem with its privacy compliance and follows the procedures set forth in the law to do so, then it hasn’t violated the law and will not be subject to a lawsuit for the failure to comply.