Congress Tackles Data Privacy Compliance for FinTech

When Democrats and Republicans in Congress agree on an issue, you know the problem must be serious.

In this case, the problem is third-party FinTech data sharing. According to Roll Call, the House Financial Technology Task Force held a hearing to discuss “whether consumers understand the degree of access they hand over to third-party data aggregators and whether stronger protections are needed.” The committee pointed to apps that share sensitive data and then aggregate usernames and passwords to scrape data from the accounts.

Thanks to a growing number of data privacy regulations ranging from HIPAA to GDPR, consumers are increasingly aware of the risks to their personal information and the need to protect it. But they see these risks only on a limited scale and don’t always see how their information is used by organizations or how privacy regulations work. When there are no regulations, consumers may have no idea what’s happening with the data they’ve shared.

“Whenever I discuss screen scraping with my constituents and explain to them what it is, they are aghast. The first way you protect people’s privacy and their information is to be honest with them,” Missouri congressman Blaine Luetkemeyer told Roll Call.

Recognizing the Risks in FinTech Data Sharing

The risks involved with FinTech and third-party sharing include data breaches and privacy-related fines, said Prashant Sharma, CTO at Secuvy, in an email interview. In addition, consumers can sue a FinTech company for bias in its services toward a user group based on age, income or ethnicity, and the bias or fairness issue might be derived from third-party vendor data.

“In the financial services industry, providers have traditionally relied on third-party data to send pre-approved offers to consumers,” Sharma said. But today, technology offers new ways to expand the use of that data. For example, savvy marketers rely on non-bureau-based second-party data to deliver insights. Or a credit card issuer who wants to increase sign-ups for its co-branded card with retail partners can purchase transaction data to identify frequent shoppers. Businesses see the sharing of this information as a way to improve customer loyalty. What the customer doesn’t know is exactly what information is being shared and with whom.

Introducing New Regulations

Overall, Congress has done very little in the way of introducing data privacy regulations, instead relying on states or industries to handle compliance to protect consumer information. Currently, the Consumer Financial Protection Bureau is looking at ways to add new standards to the Dodd-Frank Act that will focus on data security and privacy and consumer control of their information.

Also, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) are working together to come up with a framework to better manage third-party data sharing and risks.

“The proposed guidance also offers a framework that takes into account the level of risk, complexity and size of the banking organization and the nature of the third-party relationship, and promotes compliance with applicable laws and regulations, including those related to consumer protection,” according to an FDIC memo.

Over in Congress, the Financial Technology Task Force is building momentum behind consumer privacy regulations that will address issues like screen scraping, consumer consent and making sure consumers understand how their data is used across FinTech third parties.

“Vendors need to disclose publicly how much and what kind of private consumer information is being shared with third-party vendors,” said Sharma. “Users should be able to view this information on-demand with complete transparency into how their data is being shared across multiple vendors so they’re aware of the risks involved.”

It’s then up to the government to create regulations focused on data sharing transparency and requirements for making this information publicly available and audited at regular intervals for FinTech businesses.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
