Data Privacy, Security, and Regulation in Financial Technology

June 25, 2019


Diana Catinas, Conor Cunningham, Connor Herriford, Jennifer Wood

Financial Technology, or FinTech, provides consumers ease of access to personal financial data, mobile banking, and investment opportunities in non-traditional situations. As a sector lacking a uniform regulatory framework, FinTech firms such as Venmo remain vulnerable to hacking attempts, potential exploits from their software’s interaction with traditional banking institutions, and overall systemic financial risk.

Many banks contract FinTech firms with the aim of enhancing interface functionality, or view FinTech firms as industry competitors. Through their competition with each other, FinTech firms and financial institutions have spurred rapid innovation unmatched by improvements in the regulatory landscape.

The U.S. has seen massive breaches of consumer data in recent years that have left consumers vulnerable to identity theft and exploitation. Credit reporting and FinTech company Equifax experienced a data breach in 2017 compromising the social security numbers and personal financial information of over 146 million consumers. Had Equifax been required to update its software, notify consumers of the vulnerability, and prioritize protection of consumer data, the impact of the breach may have been mitigated or avoided.[1]

The FinTech sector is at a crossroads in terms of data privacy, security, and regulation. Below, we offer four policy recommendations for increasing the security of the sector.

Embed security into initial design phases and expand testing and auditing

We recommend that the Conference of State Bank Supervisors’ (CSBS) FinTech Industry Advisory Panel propose that FinTech firms embed security and cross-platform harmonization into initial technology design phases, and expand procedural testing and audit processes for multi-platform compatibility.

Bankers associations agree that security, through the enhancement of banking and payments technology and standards infrastructure, must be a top priority in technological innovation.[2] Presently, banks connect with FinTech firms by opening their infrastructure to third parties and connecting via Application Programming Interfaces (APIs).

Potential vulnerabilities in FinTech systems inherently exist in the API differences between the software systems involved. When combining disparate systems that have asymmetric qualities, engineers on either side (i.e., banks and third-party developers) do not have visibility into how the other system works. Embedding security measures in the initial design phase reduces the number of vulnerabilities that arise from cross-platform contamination risks.[3]

Currently, FinTech firms follow a standard seven-step process of testing, but do not have mandated procedural multi-platform testing processes.[4] By requiring regular testing while also promoting closer interface integration, FinTech firms will minimize compatibility issues and reduce vulnerabilities.[5]

Standardize state regulatory frameworks

We recommend to the National Conference of State Legislators that states pursue standardized regulatory frameworks implementing best practices in privacy and security.[6]

Not all FinTech firms fall under the formal definition of Financial Institutions, leading to inconsistency in regulation between companies.[7] We recommend states work to standardize their regulatory frameworks to ease cross-border licensing and operations for FinTech firms, lowering costs of entry to market and easing political opposition to privacy regulations.

There is no current viable path to nationwide licensing for FinTech firms. A licensing program through the OCC exists, but, due to multiple lawsuits brought forth over 10th Amendment violation concerns, has received no applications. This same concern applies to the viability of a nationwide law, which is unlikely to pass in the current political climate.

Due to the General Data Protection Regulation (GDPR) passed in the European Union, U.S. firms have already begun complying with comprehensive privacy measures not required by U.S. law.[8] A state-by-state standardized framework should aim to replace complicated terms of service agreements with easily understandable descriptions of how companies use personal data to improve transparency in use of private data.

As stated in Section 3 1798.185 (6) of the California Consumer Privacy Act (CCPA), consumers should also have the option to delete any and all private information from a company’s database.[9] Improved transparency between company and consumer will increase trust in the system and provide a framework by which consumers can stay up-to-date with security and privacy changes and concerns, including notifications for periodic password changes and software updates.[10] States such as Washington and New York have introduced comprehensive privacy regulations akin to the CCPA and GDPR, indicating progress towards standardization of regulation in this sector.

Classify FinTech as critical infrastructure under the Financial Services Sector

We recommend the Department of Homeland Security (DHS) classify FinTech as Critical Infrastructure (CI) under the Financial Services Sector.

The 2015 DHS Financial Services Sector-Specific Critical Infrastructure Plan makes reference to financial institutions’ use of technology platforms, but stops short of referencing FinTech firms and products themselves. Instead, the plan recognizes technologies like ATMs and mobile check deposit functions. The DHS and the Department of the Treasury, which manage the financial services sector, view FinTech only in conjunction with, and not as part of, the Financial Services Sector.[11]

Since 2015, the FinTech industry has seen rapid and exponential growth, and this plan is no longer sufficient to protect the full breadth of financial services. Sectors designated as Critical Infrastructure enjoy greater government attention and response in the face of major attacks, including cyberattacks. Presidential Policy Directive 21 (PPD-21) stressed the need for greater cybersecurity resilience in American CI. Protecting the financial services sector therefore includes protecting the technologies supporting financial activity.[12] This classification can be done through another PPD, an executive order, or by the Secretary of Homeland Security, who was given responsibility for designation in PPD-21. In the next National Infrastructure Protection Plan (NIPP), last written in 2013, FinTech firms should be included as critical infrastructure under the Financial Services sector, as they are increasingly taking up the same industry space.[13]

All FinTech related actors should join the Financial Services ISAC Financial Data Exchange

We recommend that all FinTech related actors should join the Financial Services ISAC Financial Data Exchange (FDX).

The FDX aims to create a common standard for secure access to financial data, and requires all members to uphold the same security and privacy standards decided upon by FDX-specific working groups, in alignment with FS-ISAC standards. The FDX introduced an API framework that gives consumers control over their personal data by providing a consent page and authorization forms to ensure secure third-party data sharing. This standardized practice between financial institutions and FinTech firms is more secure than the current practice of screen scraping, which requires providers to store consumer login credentials and thereby puts consumers’ financial information at risk. As of October 2018, the Exchange had 30 full members and 40 new applicants, including JP Morgan Chase and Bank of America.[14]

The FDX is a pilot program that lacks enforcement mechanisms to ensure standards compliance. However, given fragmented nationwide regulation and overlap between the state and federal levels, the FDX acts as a private-sector alternative for pursuing standardization of practices. Further, regulation typically moves slowly in the financial landscape and lags behind innovation, so there is a need for non-governmental actors to solidify best practices. This program has the potential to create harmonization through mass membership and gradual acceptance of FDX and FS-ISAC standards.


As Financial Technology becomes increasingly ubiquitous in overall financial activities, the need for data security across platforms rises. FinTech firms must protect the sensitive personal data of their clients and improve client control over this data.

Further, to protect stability of the U.S. financial sector and personal financial data of consumers, greater attention must be paid to new technologies as they come forward. With gradual standardization of regulatory practices around the country, the prospect of sensible nationwide regulation increases. Due to the traditionally lagging nature of regulation, it is necessary to utilize both private and public avenues to improve operational standards in the Financial Technology industry.


[1] Johnson, Alex. “Equifax Breaks Down Just How Bad Last Year’s Data Breach Was” 2018. NBC News.

[2] American Bankers Association. “Fintech Promoting Responsible Innovation,” May 2018.; The Independent Community Bankers of America. “ICBA Policy Resolution: Fintech and Innovation,” 2019.

[3] Vishwanath, Siddharth, Amol Bhat, and Abhishek Chhonkar. “Security Challenges in the Evolving Fintech Landscape.” PwC, 2016.

[4] Elson, Sarah. “All About Testing A Fintech Application,” February 28, 2018.

[5] Ng, Claudia. “Regulating Fintech: Addressing Challenges in Cybersecurity and Data Privacy,” February 22, 2018.

[6] Tank, DLA Piper-Margo H. K., David Whitaker, Rew Grant, Edward Johnsen, Jeffrey L. Hare, Kate Lucente, Victoria Lee, and David D. Luce. “Fintech Regulation in the USA | Lexology.” Accessed April 4, 2019.

[7] Ibid.

[8] Crosman, Penny. “Large U.S. Banks Scramble to Meet EU Data Privacy Rules.” American Banker, April 16, 2018.

[9] “Bill Text – AB-375 Privacy: Personal Information: Businesses.” Accessed April 4, 2019.

[10] Ng, Claudia. “Regulating Fintech: Addressing Challenges in Cybersecurity and Data Privacy,” February 22, 2018.

[11] “Financial Services Sector.” Department of Homeland Security, June 12, 2014.

[12] “Emergency Services Sector Cybersecurity Initiative.” Department of Homeland Security, 2015. Accessed May 22, 2019.

[13] “NIPP 2013: Partnering for Critical Infrastructure Security and Resilience.” Department of Homeland Security, 2014. Accessed May 22, 2019.

[14] Crosman, Penny. “Big Banks, Aggregators Launch Group to Hash out Data-Sharing Issues.” American Banker, October 18, 2018.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.