US Congress Wrestles With Financial Technologies and Data Privacy
In a hearing on Thursday, the Congressional Fintech Task Force questioned expert witnesses on the outlook for consumer data protection in a quickly changing industry.
On Nov. 21, the United States Congressional Task Force on Financial Technologies held a hearing on the role of big data in financial services.
The last major legislation focused on the subject was the Gramm-Leach-Bliley Act of 1999, which formalized a financial service firm’s obligations to clients — specifically, how they share client information. Given the field’s expansion over the past 20 years, the Fintech Task Force’s posture on Thursday was that of an early exploration of options and opportunities for new and major legislation.
The current conundrum
Obviously, the scene has changed remarkably since 1999. Financial services are more accessible than ever. Smartphones and powerful free apps have put financial capabilities previously reserved for industry professionals literally into the hands of everyday consumers. The flip side, as the task force seemed to acknowledge, is that many of those financial opportunities approach consumer data predatorily. The old axiom “if you are not paying for the product, the product is you” seemed to frame the conversation.
While the public eye was largely directed at the ongoing Trump impeachment hearings the same day, the members of the Fintech Task Force — led by chairman Stephen Lynch (D-MA) and ranking member Tom Emmer (R-MN) — questioned five expert witnesses who testified as to the state of the industry and appropriate measures to rein in big tech.
The five testifying
The witnesses espoused a range of views reflective of highly distinct professional backgrounds. Lauren Saunders, an associate director at the National Consumer Law Center, focused on minimizing firms’ legal right to use consumer data in ways beyond those that users would reasonably expect. She also expressed concern about the ways that machine learning was amplifying discriminatory financial practices in ways that would be harder to correct than in traditional systems.
An associate professor of computer science at Brown University and chief scientist at Aroki Systems, Dr. Seny Kamara also believed that firms were running rampant over consumer rights. A cryptographer, Kamara showed a unique insight into ways that technology itself could limit financial service providers’ access to consumer data. He cautioned, however, against excess hope in the field, saying “It is easy to get carried away on a wave of technological optimism.”
Like Saunders, Dr. Christopher Gillard, an English professor at Macomb Community College and an advisor to the Digital Pedagogy Lab, was extremely concerned about the role of new technologies in reinforcing old discrimination. He referred to “opaque systems that offer consumers little power of redress” in the form of practices hidden from consumers under the auspices of proprietary code. Gillard further affirmed that “We must reject the notion that regulations stifle innovation.”
More optimistic in tone, Don Cardinal, managing director of the Financial Data Exchange (FDX), pointed to industry moves away from data practices like screen-scraping, in which customer login information is accessible to aggregators. He saw the industry as addressing the problems preemptively.
Similarly, Duane Pozza, a partner at law firm Wiley Rein, sought to define the concept of big data and emphasize its role in expanding financial services. He was particularly interested in cash-flow data, which Saunders had called out as a potential major overstep when it allows loan providers to access data on merchants and specific purchases rather than vaguer information on overall balances and transfers. Saunders said that such data enabled profiling and discrimination on a major and dystopian scale. Pozza saw cash-flow data as a means of freeing credit seekers from the traditional gatekeepers of credit scores.
Curiously bi-partisan issue
Though traditional party lines did come into play, with Republicans making slightly more mention of consumer choice and Democrats more frequently bringing up consumer protection, the assembled congresspeople all seemed to be in alignment that consumers had little choice and were unprotected.
Chairman Lynch described the contracts users must agree to in order to access services: “Framed as privacy agreements, they’re actually lack-of-privacy agreements.” Lynch specifically called out the agreements of Mint, Venmo and Qapital, which according to him were, respectively, 30, 40 and 10 pages long and filled with language that Lynch, an attorney, described as dense legalese. The consensus was that such problems are inescapable, with Rep. Ben McAdams (D-UT) opining that, as a consumer, he has no idea how many firms are using his data right now.
The shared atmosphere in the room was that consumers were being failed. It was a rare moment of consensus, with the major exception of witness Don Cardinal, who was frequently quick to point out how much progress the field has seen in recent years, as well as how much financial access has expanded to new demographics thanks to innovative companies.
New laws for today’s data challenges
As always, solutions are trickier. Many members leaned into the prospect of more comprehensive legislation, along the lines of the European Union’s General Data Protection Regulation, or laws passed in recent years in California and New York — traditionally, the tech and finance capitals of the U.S., respectively. Instances of massive financial data breaches including Equifax and Capital One loomed large over the proceedings. The bulk of the hearing presumed the need to enact legislation in response to the clear failure of financial institutions to meet due diligence in protecting these treasure troves of customer information of the most sensitive nature.
New York’s regulation 23 NYCRR 500 placed new burdens on cybersecurity for companies handling client financial data. It took effect on March 1, 2017, but has less to do with limiting the amount of customer data that a firm can access than with establishing requirements for the cybersecurity surrounding that data. On March 1, 2019, what is perhaps the most ambitious element of the regulation was the last to come into play. This final requirement obliges financial services companies to examine and issue reports on the cybersecurity effectiveness of third-party services that also have access to the data collected by the primary firms.
Passed in September 2018, the California Consumer Privacy Act (CCPA) will come into effect at the beginning of 2020. Given the portion of U.S. tech firms that are registered in the state, California’s status as the most populous state in the United States, as well as the law’s broad prescriptions for any action in any jurisdiction taken by firms operating in California, the CCPA will likely serve as either Congress’s template or cautionary tale for legislation on data privacy for years to come. Expect all eyes to be on its impacts on firms and its effectiveness at protecting consumers once the new year comes.
The tech cure
It was, however, clear throughout the proceedings that many of the legislators involved lacked technical expertise. Ranking Member Emmer commented on this after the hearing, telling Cointelegraph that there was clearly a “steep learning curve that a lot of people in Congress have when it comes to this type of technology.” He continued:
“This body tends to look like the people that you saw up here today as opposed to young people who are writing code, on the edge and always pushing into this new universe.”
As Dr. Kamara pointed out during questioning, “Services can be provided without having to give up data.” He continued: “We can minimize the amount of data collected down to 0 if we invest in the right technology.”
Cointelegraph got the chance to follow up with Kamara on the subject after the hearing, during which time he highlighted the availability of technology “that allows us to process data without ever seeing it. So you can hold your data, you don’t ever have to release it to anybody, but I can still compute on your data and get some kind of signal from it.” When Cointelegraph asked him about zero-knowledge proofs as an example, Kamara responded that “you can do similar things for computation as well. So not just proving identity, or proving knowledge of something, but computing as well.”
It was, however, clear throughout the hearing that Dr. Kamara was not suggesting that financial services providers be left to enact such technological practices out of the goodness of their hearts. In response to a question from Chairman Lynch as to why consumers were still vulnerable, Kamara answered: “Because companies never had any incentive to improve their privacy practices, they have never been invested in.”
Among other promising technological advances that received mention during the hearing were new application programming interfaces, or APIs. Don Cardinal, in particular, saw these mechanisms as providing built-in filtration, restricting the information available to companies to what is relevant to their particular line of work.
Cardinal, whose work at Financial Data Exchange involves implementing FDX’s API, showed a particularly rosy outlook on the industry’s willingness to change its own practices internally. FDX’s press release on the event of the hearing featured the tagline “Industry Proves Quick to Adopt Secure Data Sharing Standard – Over Five Million U.S. Consumers on FDX API.”
Thursday’s hearing left little doubt that major federal legislation governing data usage is coming in the United States. Democrat outrage over new financial data practices targeting vulnerable groups through predatory lending and discriminatory algorithms met with Republican frustration with the obvious inability of even the most savvy of consumers to cope with the ways that their data are being manipulated beyond their control. Unless some improbably ambitious initiatives from both the private sector and existing regulators — especially the Federal Trade Commission — come into play to prune the overgrowth of customer data in the possession of fintech firms in advance, that legislation will be sweeping.
However, do not expect legislation yet. Congress is going to wait until they can assess the new California law as a case study, and then larger committees are going to need to get up to speed with the work of the Fintech Task Force, which is still a young and small wing of the Financial Services Committee. Meanwhile, stay tuned.