Nearly a third of U.S.-banked consumers responding to a 2018 TCH/A.T. Kearney study used at least one FinTech application in the prior 12 months to facilitate complex data sharing, ranging from personal financial management services and budgeting/saving schemes (for example, Mint, Acorns, and Wally) to investment services and robo-advisors (such as Betterment and Robinhood) and lending services applications (including LendingClub and SoFi).
But how much do consumers know about the ways FinTechs access, collect, use, store, and share their personal and financial information? Research suggests they know shockingly little, although many harbor serious apprehensions.
In our survey of approximately 1,500 self-described FinTech users, 99% report feeling some level of concern about the privacy of the information that is shared when they use online or mobile FinTech applications, including 33% who were “very concerned” and 34% who felt “extremely concerned” (Figure 1).
In this same study, roughly half of FinTech application users reported being “uncomfortable” about the sharing of most payment information, financial information, and financial history (Figure 2).
Access to Sensitive Data
Consumers seem mostly unaware of how readily their most sensitive data can be accessed. Within the same population of FinTech users, fewer than half believe the apps they use can access their personally identifiable information, which includes Social Security number, date of birth, phone number, email address, and home address. Thirteen percent admit they don’t know which data types the FinTech apps they use can access. Only 20% of FinTech users claim to be certain about which third parties receive their data from the FinTech apps they use.
The reality, of course, is that storing a consumer’s bank username and password effectively gives a third party access to any or all of that consumer’s bank account data, far beyond the data actually required to power the application’s stated services. FinTechs and data aggregators freely use “screen scraping” (logging in with the stored credentials and extracting account information from the bank’s HTML pages) to periodically refresh the data within their applications – and for other purposes of their own choosing.
While screen scraping allows third parties to quickly source personal and financial data they need to meet consumer demand for FinTech services, the practice also exposes banks to significant operational, cybersecurity, and data privacy risks.
In the European Union, the Revised Payment Service Directive (PSD2), enacted in November 2015 and rolling out in stages, will ban screen scraping in 2019 while requiring banks to grant third parties access to customer data via dedicated interfaces. PSD2 further stipulates that these interfaces may only be used in relation to the specific service the third party provides to the consumer. PSD2 is an effort to boost marketplace competition through Open Banking, a system that provides users with data from multiple financial institutions through application programming interfaces (APIs), while curtailing the consumer data protection risks posed by unconstrained data aggregation. These regulations, in addition to the recent implementation of the General Data Protection Regulation on May 25, 2018, mandate a future in which EU consumers are provided explicit, transparent disclosures of third-party access, collection, and use of their data.
U.S. financial regulators, in contrast, have taken a more market-oriented stance, reflecting a different regulatory framework. In 2017, the Consumer Financial Protection Bureau issued a principles-based approach to consumer data privacy and security, which addressed the topics of data access, payment authorization, data security, and consent (among other things). This has encouraged an environment in which banks are rapidly pursuing bilateral partnerships with data aggregators and FinTechs directly (for example, the data-sharing partnerships JPMorgan Chase and Wells Fargo formed with Intuit in 2017). These partners recognize not only the mutual benefit of scale but also the data privacy and security benefits gained through partner APIs.
Banks’ Obligation and Opportunity
Nevertheless, in light of banks’ intrinsic obligation to safeguard the data consumers entrust to them, it is not enough for banks to seek one-off partnerships. The FinTech and data aggregation ecosystem represents thousands of FinTech applications, many offering wondrous financial solutions but also the potential for the next massive data breach. As the source system(s) for consumer financial data, banks can (and should) capitalize on their “trusted” custodian status to provide consumers with the financial education and tools they need to protect their own data.[1]
Thankfully, consumers have straightforward data privacy and control expectations. Our study found that FinTech users desire a permissions dashboard within their primary bank (that is, the one where they conduct transactions most frequently). Additionally, FinTech users want the permissions mechanisms banks provide to allow consent by account and data type. In an environment where banks and FinTechs continue to improve and enhance the consumer experience, providing explicit opt-in and transparent disclosures can empower bank customers to make better and more-informed decisions about their data while also helping banks reduce the risk of the next major data breach.
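As an added illustration (not code from the article, the survey, or any bank) of the per-account, per-data-type consent that respondents asked for: a deny-by-default consent registry in Python whose grants name the third party, the account, the data types, and the purpose, and which refuses to treat stored bank credentials as something that can be granted at all. The third-party names, account identifiers, and data-type catalogue are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum

class DataType(Enum):
    BALANCE = "balance"
    TRANSACTIONS = "transactions"
    PII = "pii"                  # SSN, date of birth, phone, email, home address
    CREDENTIALS = "credentials"  # bank username/password: never grantable via the API

@dataclass
class ConsentGrant:
    third_party: str       # the FinTech or aggregator named on the dashboard
    account_id: str        # consent is per account, not per customer
    data_types: frozenset  # subset of DataType the customer opted in to
    purpose: str           # the specific service the grant is tied to
    revoked: bool = False

class ConsentRegistry:
    """Bank-side record of explicit, per-account, per-data-type opt-ins (hypothetical)."""
    def __init__(self):
        self._grants = []

    def grant(self, third_party, account_id, data_types, purpose):
        data_types = frozenset(data_types)
        if DataType.CREDENTIALS in data_types:
            raise ValueError("credentials are never shareable; issue a scoped grant instead")
        g = ConsentGrant(third_party, account_id, data_types, purpose)
        self._grants.append(g)
        return g

    def revoke(self, third_party, account_id=None):
        # Customer withdraws consent for one account or (account_id=None) for all of them.
        count = 0
        for g in self._grants:
            if g.third_party == third_party and account_id in (None, g.account_id) and not g.revoked:
                g.revoked = True
                count += 1
        return count

    def is_permitted(self, third_party, account_id, data_type, purpose):
        # Deny by default: a request must match a live grant on all four dimensions.
        return any(g.third_party == third_party and g.account_id == account_id
                   and data_type in g.data_types and g.purpose == purpose and not g.revoked
                   for g in self._grants)

    def dashboard(self):
        # What the customer sees: each active grant as (third party, account, data types, purpose).
        return [(g.third_party, g.account_id, sorted(d.value for d in g.data_types), g.purpose)
                for g in self._grants if not g.revoked]
```

A request for PII, for a different account, or for a purpose other than the one consented to is refused even when the third party holds a valid grant for the same customer.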
If banks do not capitalize on this opportunity, the trust advantage they hold over their FinTech counterparts risks further erosion. As of early 2018, 59% of FinTech users say banks should serve as a consumer educator regarding FinTech data access and usage (see Figure 3).
Nevertheless, banks topped FinTechs as the preferred provider of such education and awareness by only 12%, followed by regulators and industry/consumer advocacy groups. Only 2% of FinTech users believed that consumer education was not required.
The time for U.S. banks to act is now; U.S. financial regulatory agency actions support it, consumers demand it, and market evolution requires it.
The 2018 TCH/A.T. Kearney Payments and FinTech Survey was conducted to address digital behaviors across banked customers, including the awareness of both payments services users and FinTech application users of how third parties (i.e., non-banks) access, collect, use, store, and share their financial and nonfinancial data.
[1] Bob Hedges, “Data Privacy: A Strategic Opportunity for Bank,” The Clearing House. https://www.theclearinghouse.org/banking-perspectives/2016/2016-q4-banking-perspectives/departments/my-banking-perspective-data-privacy
Dave Fortney is EVP, Product Development and Management, for The Clearing House and is responsible for defining strategy, identifying synergistic opportunities, and overseeing the development of new products for the company. Currently, Fortney is leading TCH’s initiative to develop, pilot, and launch a secure digital payments tokenization system.
Fortney has expertise in conceptualizing and growing innovative e-finance ventures for financial institutions, financial technology providers, and emerging payments companies. Prior to joining TCH, he held executive roles at Metavante Corporation, including President and General Manager of the organization’s ePayment Solutions Division. Previously, he served as EVP and CTO of Paytrust, an online bill management company, and as SVP of Payments and Access Strategy for Bank of America.
A Morehead Scholar at the University of North Carolina, Fortney graduated with a Bachelor of Science in mathematics and earned a master’s degree in operations research from Stanford University.
Rajesh John is a principal with the management consulting firm A.T. Kearney and is focused on strategic growth, innovation, and large digital transformation in the financial services sector. Recently, he has led open banking and data aggregation strategic reviews across the globe. Previously, John was with Alix Partners and has had startup/leadership roles at Portrait Software, Bonita Software, EPIK Communications, and Lucent. John holds a Bachelor of Science degree from Cornell University.