【国际观察】美Fintech企业指责银行并未遵守CFPB数据共享准则

会员服务 ·

【国际观察】美Fintech企业指责银行并未遵守CFPB数据共享准则

2017 年 12 月 2 日 互联网金融

在共享消费者账户数据领域，一些金融科技企业及数据聚合方似乎与银行前嫌尽释，然而并非所有人都认为这场纷争已然终结。

近日，一些美国金融科技企业指责金融机构称其没有遵守消费者金融保护局（CFPB）10月发布的数据共享准则。

数据聚合企业Plaid合作与策略负责人Eric Showen表示："尽管准则受到广泛支持，但重要的是能得到切实落实。挑选模式对银行虽具吸引力，但对消费者来说并不奏效。"

然而银行却持不同意见，辩驳称其遵守了相关准则。

富达投资集团数据相关负责人Stuart Rubinstein说道："我们相信我们已处理了所有呈交至我方请求数据的个案要求。但可能存在新提交请求及遗漏的情况。我们很乐意就此进行讨论。"

金融科技企业针对银行的主要控诉之一在于，银行有选择地与某些金融企业进行合作，而对其他企业不闻不问。尽管CFPB数据共享准则并未言明银行应与所有金融企业进行平等合作，但其文件精神言下之意既是金融机构应同所有可信的第三方进行合作。

消费者金融数据权益集团（Consumer Financial Data Rights）代表了31家金融科技企业与数据聚合方的权益。作为该机构的代表，在线小型企业借贷机构Kabbage的联合创始人及首席运营官Kathryn Petralia表示，目前看来金融机构好像在挑拣其意欲与之合作的企业，而他们对所有此类交易背后的运作一无所知，感觉这种模式十分专断，就好像银行在告诉消费者'我们比你更清楚什么对你有利，你们只能与那些有我们有交易的企业共享数据'。Petralia认为，这对小型金融科技企业不利。

Petralia表示，这些消费者金融科技企业能够帮助消费者管理更多资产、处理收支、规划退休生活，他们并没有高昂的利润，许多几近是非营利的。这类企业如果不能获得共享数据就将遭受不小的损失。

然而富国银行、第一资本投资银行抗议称其将与所有企业通力合作。

第一投资银行企业数字产品与数据联通业务副总裁Becky Heironimus表示："我们的应用程序接口是公开的，发布在DevExchange平台上，我们与所有请求使用的企业都进行了会谈。纵观全局，我们的目标是为消费者获取数据创建安全机制，保证其想要使用金融科技服务时找寻到适宜的对象。"自二月推出其数据共享应用程序接口以来，第一投资银行已与五家金融科技与数据聚合商签订了协议，这五家企业分别为Clarity Money、Intuit、Abacus、Xero及Expensify。该银行表示其与更多企业的合作也正在运作中。

FI.SPAN帮助银行搭建了数据共享协定。其创始人兼CEOLisa Shields就银行小心挑选数据共享合作方作出了一种解释：客户服务存在崩盘的风险。

打个比方，如果某银行与Intuit有业务关联，顾客同时又实用了Quickbooks内置的应用，那么在将账户数据导入信用新应用时银行就成为了备选。

Shield说道："我上周听到了银行方的评论，他们认为顾客使用的不是银行方的聚合服务没关系，他们使用的不是银行的应用也不重要。即便银行已从三方交互中移除，只要顾客在使用过程中看到过银行的名字，一但有所差池，消费者首先联系的就是银行。银行不能进行诊断也无法提供帮助，但顾客总希望银行能解决，因为它们是银行。我认为这种担忧非常合理，市场也未能解决。"

各家银行标准相互冲突

此外金融科技企业还指出，应对各银行的不同标准也是一件麻烦事儿。有些标准可能相互冲突。照银行标准行事可能花费数年的时间。这就可能限制了那些没有充足资金支撑长耗时法律要求的初创企业、小型企业获取此种服务。

Petralia称美国银行应效仿英国银行，集体创制获取消费者信息的框架与共同准则。数据共享标准化将帮助消费者更好地理解其信息。然而目前的方式非常复杂，且随着更多银行入局复杂程度也将加剧。

数据共享范围有限

金融科技企业还抱怨称银行与其的协议过于严苛，不涵盖顾客的邮箱、电话等身份认证信息之类的数据与发起支付所需的信息。金融科技企业称其需要此类数据防范诈欺行为。

CFPB的数据共享准则并未要求银行与金融科技企业共享所有个人身份信息，但准则规定其需分享交易、账户、利息与奖励等数据。

然而许多金融科技企业都需身份信息才能顺利运作，因为身份信息对降低风险、防止诈欺来说至关重要。"

比如，抵押贷款机构须要与银行账户关联的信命信息才能处理数字抵押贷款请求。购买汽车或进行电汇时，发起行与收款行一般需要身份信息才能安全完成交易。

银行若保留发起支付所需的此类信息，"讽刺的是将使这个体系变得更不安全，原因在于这样就需消费者直接输入账户号码，且一旦输入完全无法更改。"

Heironimus称第一投资银行分享交易与账户数据。但有时金融科技企业会索要与所需服务无关的大量数据。

Heironimus说道："每次被索要额外数据时，我们会问'你们要这些数据有什么用？有什么安全风险？'我们有保护消费者数据的监管义务。"

Heironimus称第一投资银行有兴趣利用表计划等安全的机制共享敏感账户数据，并已经着手与许多第三方开始合作。

金融科技企业承担了过多责任

金融科技企业进一步表示，有关未来可能出现的状况，银行要求其承担过多的责任。

Heironimus指出若出现诈欺行为，银行将对大多数消费者进行补偿。

她说道："我们认为所有接触消费者数据的相关方对其行为导致的损失，应共担风险。"

英文原文

While some fintechs and data aggregators appear to have buried the hatchet with banks when it comes to sharing customer account data, not everyone is ready to say the battle is over.

Some fintechs are accusing financial institutions of not following either the spirit or letter of the data-sharing principles the Consumer Financial Protection Bureau released in October.

“While the principles have been publicly embraced, it’s important that they’re also fully implemented behind the scenes,” said Eric Showen, head of partnerships and policy at Plaid, a data aggregator. “A pick-and-choose approach, while tempting for some banks, doesn’t work for consumers.”

But banks disagree, arguing they are following through on the principles.

“We believe we’ve addressed every use case that’s been presented to us for data,” said Stuart Rubinstein, head of data aggregation at Fidelity Investments. “But it’s possible there will be a new use case or one we missed. We’re happy to talk about those.”

One of fintechs’ primary accusations is that banks are selectively choosing fintechs to work with — leaving the rest out in the cold. Though the CFPB data-sharing principles do not spell out that banks should work with everyone equally, the spirit of the document suggests financial institutions should work with all trusted third parties.

“Right now it feels like financial institutions are cherry-picking the providers with whom they want to work,” said Kathryn Petralia, co-founder and chief operating officer of the online small-business lender Kabbage, who spoke on behalf of the Consumer Financial Data Rights group, which represents 31 fintechs and data aggregators. “We have no idea what the backroom deal is on any of those transactions and it feels paternalistic, like the banks are telling their customers, ‘We know what’s good for you more than you do; you should only share your data with these people with whom we have a deal.’ ”

This disadvantages smaller fintechs, she said.

“There are a lot of really interesting consumer fintech companies that are trying to do things like help consumers make more money, help them manage their expenses, help them plan for retirement,” Petralia said. "These are not businesses making a ton of money; a lot of these are almost nonprofit. These types of businesses will lose if they can’t get access to this data to help consumers.”

But banks like Wells Fargo and Capital One protest that they will work with anyone.

“Our API is public, we advertise on our DevExchange platform, we meet with everyone who inquires about using it,” said Becky Heironimus, vice president of enterprise digital products and data connections at Capital One. “In the larger picture, our goal is to ensure we create a secure mechanism for customers to access data that meets the use cases they want to use fintechs for.”

Capital One has signed agreements with five fintechs and data aggregators—Clarity Money, Intuit, Abacus, Xero and Expensify—since introducing its data-sharing application programming interface in February. It says more are in the pipeline.

Lisa Shields, CEO and founder of FI.SPAN, a company that helps banks set up data-sharing arrangements, offered one reason why banks might be careful about choosing data-sharing partners: the potential for customer service fiascoes.

If a bank has a deal with Intuit, for example, and a mutual customer is using an app that’s integrated with QuickBooks, the bank becomes a drop-down option for importing account data into the new application.

“A comment I got from a banker last week was, ‘It doesn’t matter that it’s not my aggregation service and it doesn’t matter that it’s not my application the customer is using,” Shields said. “Even if my bank is three parties removed from that interaction, as soon as my customer sees my name anywhere in their user experience, the first time something goes wrong, I’m the one getting the phone call from the customer. I have no ability to diagnose or assist, but I’m expected to because I am the bank.’ To me, that’s a very legitimate concern and the market hasn’t quite figured all that out.”

Banks have too many conflicting requirements

Another issue cited by fintechs is that it’s tough dealing with each bank’s different set of standards and requirements.

“Some of those standards may be in conflict,” Petralia said. “It can take years to comply with a bank’s requirements and it probably eliminates access to newer startups, to smaller businesses that don’t have a lot of cash sitting on their balance sheet, to support that kind of long lead time for legal requirements.”

She said it reminds her of the 1990s, when consumers couldn’t keep their phone number when switching from one telephone company to another.

The telecoms "liked the control that gave them over their customers, because it’s really hard to change your phone number, just as it’s really hard to change your bank account,” Petralia said. “In my mind, this is being driven by the desire to retain customers and prevent portability.”

'In my mind, this is being driven by the desire to retain customers and prevent portability.'

She says U.S. banks should follow the lead of U.K. banks and collectively create a framework and a set of shared principles for gaining access to customer information.

“Standardization of data sharing would help customers make better sense of their information,” Petralia said. “Our customers would prefer that experience, in particular the ability to avoid providing a user name and password. That would be a fantastic win for everyone—for the banks, for the fintechs, for the customers.

“But the way it’s happening right now is really complicated and it’s only going to get more complicated as more banks do it,” she said.

But Heironimus said Capital One has a standard agreement it sends to anyone who is interested.

“If someone identifies something they have a problem with and they talk to us, we work it out,” she said. “The whole intent is to provide a more stable and secure connection.”

Withholding information such as PII and payment data

Another complaint is banks’ agreements with fintechs are too restrictive and leave out certain kinds of data, such as identity information like customers’ email addresses and phone numbers, which they say they need to prevent fraud, and information needed to initiate payments.

In its data-sharing principles, the CFPB does not insist that banks share all personally identifiable information with fintechs, though it does ask them to share transaction, account, fee, interest and reward data.

Yet many fintechs need identity data for their offerings to work.

“Identity data is critical for reducing risk and preventing fraud for both banks and fintechs,” Showen said.

Mortgage lenders, for instance, need the name associated with a bank account in order to process a digital mortgage. In a car payment or wire transfer, the initiator and the recipient bank typically require identity information to securely conduct a transaction.

And when banks withhold information needed to initiate payments, “that ironically makes the ecosystem less secure, because the alternative is for consumers to directly enter their account routing numbers, which is an immutable piece of information that can never be changed,” Showen said.

Heironimus said Capital One shares transaction and account data. But sometimes fintechs ask for a multitude of data fields unrelated to the service being provided.

“Each time we’re asked about additional fields, we say, ‘What are you going to use it for? What are the security risks?’ ” she said. “We have a regulatory need to protect customers’ data.”

Capital One is interested in sharing sensitive account data through a secure mechanism like tokenization, Heironimus said. “We’ve worked with many third parties on answers to that.”

Too much liability for fintechs

Fintechs further say that banks are asking fintechs to take on too much uncapped liability for anything that might occur down the road.

Heironimus pointed out that in the event of fraud, most consumers will be made whole by their bank.

“We believe anyone handling the customers’ data should share the risk of losses resulting from their actions,” she said.

译者：常笑

原文来源： AMERICAN BANKER