DATA GENERATION AND PRIVACY
By: Kiah Lau Haslett

Banks must address a number of important issues as their connectivity with financial technology companies increases. Those issues include how they will manage customer privacy, bank cybersecurity, data ownership and accountability, responsibilities they must share with their new fintech partners.

Banks are held to high regulatory standards when it comes to customer privacy and institutional security. The regulatory environment may be shifting, raising the privacy risks for banks, especially in an increasingly digital operating environment. Executives should know how any formal fintech partnership will manage access to and ownership of any data it creates, as well as how their partner will approach customer privacy. This data could generate insights into customer behavior, which either company could leverage to provide better service or tailored products. That means bankers will want to be clear about how this data could be used and shared, especially if the fintech partner is interested in selling or aggregating it for a third party, says Clayton Mitchell, managing principal, fintech at Crowe LLP.

“You don’t want to tell your customer you aren’t selling their data, and then [it turns out] you’re selling their data,” he says.

Bank privacy obligations have long been complicated by customers’ desire to use third-party applications and software that require them to share sensitive login information. Historically, this was accomplished through credential-based screen-scraping technology from data aggregation companies. That approach raised a number of concerns for stakeholders, wrote the U.S. Department of the Treasury in its 2022 report, “Assessing the Impact of New Entrant Non-Bank Firms on Competition in Consumer Finance.” Those data aggregators have a growing amount of data on bank customers with “virtually no regulatory oversight of [their] storage of consumer financial information akin to the supervision of [bank] data security.” The access that data aggregators have through bank login credentials presents “concerns for data privacy” and can even be a liability for banks that are required to protect consumer data, the Treasury authors wrote.

Banks have responded to these privacy concerns with technology of their own. The Treasury wrote about a number of initiatives designed to share permissioned data through tokenized access using application programming interfaces, or APIs, which would avoid the need for consumers to share credentials with data aggregators. One such initiative is the 2019 model agreement from the bank-owned association The Clearing House to help banks and fintechs establish legal terms with respect to sharing bank-held consumer data. The agreement was designed to “accelerate the legal review process during negotiations and ensure that key data security requirements are understood,” according to The Clearing House.

FINXTECH INTELLIGENCE REPORT
POWERED BY BANK DIRECTOR