Fintech apps have proliferated over the last decade. It is now commonplace to use these services to track your spending and set your budget for the coming month, to help you apply for a loan, split a bill with friends, or manage your investments. According to a 2018 survey by the Clearing House, one in three U.S. banking consumers now uses at least one fintech app.
These apps rely on establishing connections with traditional financial institutions. Data aggregators, in particular, play a major role in this ecosystem. These companies access financial account data with consumers’ permission and facilitate the underlying service the consumer has requested.
Increasingly, consumer-permissioned data sharing is enabled by APIs—short for “application programming interfaces.” APIs may allow financial data to flow between fintech companies and traditional financial institutions with improved accuracy, increased control over data, and enhanced data security. But when companies use APIs for these purposes, they also need to consider a wide range of legal issues.
APIs and the Fintech Ecosystem
An API is a collection of tools, computer routines, and technology protocols that act as a conduit for data to flow between systems in a controlled fashion. APIs have been used for years, both among financial institutions and in other industries, to share data within closely restricted environments. Increasingly, they are being used to connect previously detached aspects of the financial services industry.
APIs help address a number of challenges posed by the development of fintech. For example, many fintech apps have traditionally relied on “screen-scraping” to retrieve account information, which requires consumers to provide their login credentials to a third party. However, this practice may create security risks. In contrast, where financial institutions and fintech companies partner to use a secure API, they can achieve this data transfer with less risk and increased data accuracy. APIs can also facilitate safe, quick payments and transfers of account relationships between financial institutions.
Initial Regulatory Responses
Beginning in 2016, European authorities made a strong push in support of open banking through APIs. Specifically, the U.K.’s Competition and Market Authority (“CMA”) announced its “Open Banking” initiative, and the European Union issued its second Payments Systems Directive (“PSD2”). Open Banking requires the largest U.K. banks to use open-access APIs so that consumers can access transaction and payment data. Similarly, PSD2 requires institutions to allow licensed third parties to access consumer financial data through APIs.
The regulatory framework in the United States is more muddled. Section 1033 of the Dodd-Frank Act requires financial institutions to make consumers’ financial data available to them in an easily useable format. It also grants authority to the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) to create rules to govern these interactions. Consistent with its section 1033 authority, the Bureau issued a request for information (“RFI”) regarding data aggregators in November 2016. Following the RFI, the Bureau issued non-binding principles for “Consumer Authorized Financial Data Sharing and Aggregation” in October 2017. These principles “advocat[ed] strongly for consumer control of the consumer’s data” while emphasizing the need for privacy and data security protections.
Other U.S. regulators have also discussed the benefits and risks associated with data aggregation, APIs, and increasing connectivity within the banking system. For example, in July 2018, the Treasury Department issued a report strongly supporting data aggregation. This report also “identified the need to remove legal and regulatory uncertainties currently holding back . . . data-sharing agreements that would effectively move firms away from screen-scraping to more secure and efficient methods of data access,” like APIs. In contrast, the Financial Industry Regulatory Authority (“FINRA”) issued a March 2018 Investor Alert that sounded a more cautious note, warning customers to “be mindful of data aggregation risks” while acknowledging that APIs offer “a safer option than [screen] scraping.”
Despite these various regulatory publications, U.S. policymakers have not yet created binding rules focused specifically on open APIs or data aggregation generally. This has created its own challenges, as discussed further below.
Legal Issues To Consider
These services implicate a wide variety of legal issues, and in many cases further clarity is needed to both encourage continued innovation and protect consumers. Below are a few of the issues that financial services companies that use APIs for fintech partnerships should consider.
When using APIs to exchange financial data, companies must ensure personal information remains subject to appropriate privacy protections. A central premise of account aggregation is that the data is shared only with consumer consent. Companies should therefore use robust consent mechanisms to ensure consumers understand the terms to which they are agreeing.
This is critical under several legal frameworks. First, clear and conspicuous disclosures reduce the risk that a regulator could consider the practices “deceptive” under the Federal Trade Commission (“FTC”) Act, the Dodd-Frank Act, or relevant state laws. Second, the Gramm-Leach-Bliley Act (“GLBA”) and California Consumer Protection Act (“CCPA”) both recognize exceptions to their data sharing restrictions when the consumer intentionally directs the sharing. In negotiating agreements governing the use of APIs, the parties should consider specific provisions governing appropriate consumer disclosures.
As noted previously, APIs are generally considered more secure than screen scraping. Nonetheless, maintaining the security of data retrieved by APIs is critical from both a commercial and regulatory perspective, and requires ongoing investment.
All financial institutions are subject to data security requirements under GLBA. Generally, nonbank fintech companies are subject to the FTC’s GLBA Safeguards Rule, which has historically created very general obligations. In March 2019, however, the FTC proposed to make these requirements much more detailed.
Banks supervised by the prudential banking regulators are subject to even more stringent cybersecurity oversight through regulatory supervision, including through the Federal Financial Institutions Examination Council’s information technology standards. In addition, these regulators have exercised their authority under the Bank Service Company Act to directly supervise the data security practices of certain bank service providers, including at least one of the major data aggregators. Finally, as part of their obligations under GLBA, as well as general third-party risk management guidance, banks are responsible for conducting stringent diligence of the data security practices of third parties with whom they share personal information.
These legal frameworks highlight the need for companies to maintain robust security standards, and also often shape negotiations around data aggregation. Points of contention may include audit rights and the allocation of risk for potential data breaches.
While these data protection questions are central to these services, a wide range of other topics may be implicated. For example:
- Data Rights. The legal ownership of consumer data as between the various participants in the ecosystem (including customers, banks, and fintech companies) is not always clear. For now, these questions are typically resolved through contract.
- Unauthorized Transactions. Under the Electronic Funds Transfer Act (“EFTA”) and Regulation E, financial institutions generally may not hold a consumer liable for an unauthorized transaction. These institutions have long protested that this rule should not apply if a data aggregator is responsible for the unauthorized transaction.
- Fair Credit Reporting. The Fair Credit Reporting Act (“FCRA”) imposes certain obligations on “furnishers” of consumer report information. When a financial institution agrees to provide a fintech company with consumer data through an API, is it acting as a “furnisher”? Such a conclusion would be inconsistent with the purposes of the FCRA, but the statutory and regulatory text does not clearly foreclose this interpretation.
- CFPB Supervision. The CFPB has authority under the Dodd-Frank Act to designate certain financial companies as “larger participants” subject to Bureau supervision. Some traditional financial institutions have argued that the Bureau should exercise this authority to supervise the major data aggregators.
- Third-Party Risk Management. The federal banking agencies have issued guidance describing their supervisory expectations for banks’ oversight of third-party service providers. These expectations are risk-based and may include due diligence, contractual protections, and monitoring. Data services companies such as data aggregators should be subject to these risk management programs when they enter into API agreements with financial institutions.
Interconnected banking is helping consumers access innovative services and increasing competition in the financial services industry. More and more, APIs are playing a role in facilitating these connections. Along with significant benefits, such relationships between market participants also raise a variety of legal questions. At least until the United States develops a clearer framework for interconnected banking, companies will need to remain vigilant to ensure they have thought through and addressed all the relevant legal risks.