Sourcing alternative data, such as consumer financial transactions, likely will become more difficult for data brokers in the future as the US Congress has started showing concern over consumer data privacy and security.
Earlier this month, the US Senate introduced its Online Privacy Act and the Filter Bubble Transparency Act, which would establish individual privacy rights regarding personal information and require firms that gather data on more than one million users and earn more than $50 million in revenue to provide deeper transparency respectively.
Meanwhile, the House Financial Services’ Taskforce on Financial Technology held a recent hearing to address what new guard rails Congress might consider when addressing data privacy.
“It has been 20 years since the enactment of the Gramm-Leach-Bliley Act, which is a law predominantly governing the treatment of big data and privacy protection in all of the financial sphere,” said Rep. David Scott (GA-D) during the hearing. “But since that time, we have seen extraordinary technological development that has changed the way that consumers interact with financial services.”
When Ranking Member Tom Emmer (MN-R) asked whether Gramm-Leach-Bliley Act covered the growing number of fintechs that hold consumer data, Lauren Saunders, associate director at the National Consumer Law Center noted it probably did not.
“It covers traditional financial institutions like banks and credit unions and some other entities that are not banks or credit unions, but it is not nearly broad enough to cover the wide range of companies that do have our data and implicate data security and privacy concerns,” she testified.
Multiple expert witnesses called out the practice of applications screen scraping, the automatic collecting the text that appears on a website, for purposes outside of the service being provided.
“For example, online banking websites display customers’ account balances and transactions,” testified Don Cardinal, a managing director at industry body Financial Data Exchange. “This data can be retrieved through a permissioned application or a data aggregator by an automated login on the customer’s behalf and present that data in some other application.”
“It is widely accepted that the practice is sub-standard from a privacy and security perspective, which has motivated the financial industry to develop APIs,” agreed Seny Kamara, an associate professor of computer science at Brown University and chief scientist at Aroki Systems.
Financial institutions also feel the bite of the practice since the vast majority of logins to their websites are automated requests coming screen-scraping applications, according to Cardinal.
More fintech firms are moving away from screen scraping and implementing APIs to retrieve data between financial applications, but it is not a perfect solution.
”With an API -based design, applications can still access use, exploit, and abuse raw user data,” said Kamara.
The Financial Data Exchange seeks to address such concerns via its royalty-free standard for sharing financial data that limits the amount and type of data with which the financial applications can interact.
“It is guided by five core principles: control, access, transparency, traceability, and security,” said Cardinal.
Another method to improve consumer privacy is to minimize the amount of data applications can access. The National Institute of Standards and Technology recommends such a strategy for applications developed by the Federal Government.
Advancements in privacy technologies, such as secure multi-party computation, private set intersection, homomorphic encryption, and encrypted search algorithms, have enabled algorithms to search through encrypted files and query encrypted databases without decrypting data.
“This is not science fiction,” said Kamara. “These technologies already are in use today. By leveraging the advancements in cryptography, financial technologies could deliver on their promise to improve the financial health of their customers without having them sacrifice their privacy.”