Fintech Industry Group Calls for Scaled Cybersecurity Regulation, Greater Use of Open APIs

The development of fintech regulation has been somewhat of a Catch-22. There are claims that regulation aimed at traditional institutions stifles innovation in the industry, while it’s also argued that a lack of fintech regulation has hindered entrepreneurs’ ability to gain traction in the industry, as players don’t have the added clout of regulatory support or direction.

One fintech industry group in particular is making its voice heard on the need for scaled cybersecurity regulation for smaller fintech firms, and it is shining a light on the future of screen scraping, a process used by some fintech players to collect financial information from traditional institutions and present it to consumers on their platform.

In early 2017, Consumer Financial Data Rights (CFDR), a fintech industry group comprised of several fintech heavy hitters, was formed to lobby for consumers’ rights to access their financial data. According to the group, access to financial data does more than empower consumers’ financial well-being and their ability to make better financial decisions. It also acts as a catalyst for innovation, leading to new product and service development within the industry.

The group’s membership pulls together several corners of the fintech ecosystem, from online platform lending and robo advice to digital payments processing, and includes the likes of Affirm, Betterment, Digit, Envestnet | Yodlee, Kabbage, Personal Capital, Ripple, and Varo Money, among others.

The group’s first move was to weigh in on a proposed cybersecurity rule, the Enhanced Cyber Risk Management Standards, brought forth by the Office of the Comptroller of the Currency, the Federal Reserve Board and the Federal Deposit Insurance Corporation in late 2016. CFDR specifically raised concerns over the rule’s “external dependency management” definition; that is, the financial industry’s external connections and the third-party relationships upon which it relies to deliver services, and the information flows and interconnection between the financial entity and those external parties.

According to the industry group, the proposed definition is so broad that it would subject many fintech players to prudential regulatory oversight. For smaller fintech players, this could significantly hinder their ability to compete. The CFDR is calling on regulators to scale their proposed cybersecurity rules; that is, rather than casting a wide net, build a risk hierarchy within the fintech industry based on the company’s risk to consumers and the financial system. This would help protect smaller fintech firms from facing the same regulatory burden as their large, multi-billion-dollar bank partners, positioning fintech players to better compete and drive innovation within the industry.

The CFDR also weighed in on the future of screen scraping. When it comes to screen scraping (the online collection and aggregation of consumer data from banks and other websites), an industry line has been drawn. Fintech companies will use this process as a way to access a customer’s financial data (with the customer’s permission) to run their products. Banks suggest the practice exposes customers to risk, such as identity theft or fraud, while data aggregators claim the banks’ security warnings are simply a tactic to ward off competition.

Over in the EU, regulators are even considering outlawing screen scraping. Regardless of whether there is added security risk, the biggest challenge with screen scraping is the potential for unreliable information. If a bank’s legacy system is rewritten or redesigned, incorrect or incomplete data could be pulled over to the customer’s third-party application.

As such, CFDR is promoting the use of open APIs, saying consumers and small business owners have the right to access their financial data and that the process is better when controlled. The group’s stance is supported by the Consumer Financial Protection Bureau, which argues consumers should be in control of who they share their information with and how it is used.  

The comment period for the proposed Enhanced Cyber Risk Management Standards closed in mid-February; however, no further developments have been announced. Financial regulation will likely be at the fore over the coming months, with a House Committee recently approving the Financial Choice Act, the law that could potentially replace the existing Dodd-Frank Act. It’s still too early to know when – or even if – the Dodd-Frank replacement will reach the Senate for consideration, but, should that happen, fintech players could find themselves in a better position. The replacement act aims to roll back regulation to foster greater competition and innovation within the industry, and to create a more even playing field for new entrants. Expect all industry parties – new and old – to be monitoring developments closely.