By Carl White, Senior Vice President, Supervision
This post is part of a series titled "Supervising Our Nation’s Financial Institutions."
In February, we looked at some of the regulatory issues that have arisen with fintech firms entering banking. This month, we are examining some of the consumer issues that have surfaced with these innovative ways to bank.
Technology has revolutionized the way consumers interact with the financial system. Older innovations (such as the internet and mobile devices) and newer developments (such as big data and computer algorithms) have changed banks and what we think of as banking: making deposits, taking out loans and managing investments.
Agencies charged with consumer protection of financial activity have had to adapt as well. While consumers face a dizzying array of new choices—in products and providers—and the possibility of wider access and lower costs, potential pitfalls have emerged too. Two of the biggest are data security/privacy and the possibility of consumer confusion about the protections available, exacerbated by the speed at which products and providers are being launched.
Two federal agencies are primarily responsible for consumer protection in financial services:
Both agencies are charged with making sure consumers are unharmed by the practices of businesses under their purview without taking action that could harm market competition. The CFPB and the FTC devise and issue consumer protection rules for the financial firms they oversee; these rules include regulations on issues such as payments and data security, which are particularly important to fintech firms.
They also have enforcement actions in their toolbox when regulating fintech firms, since these agencies are responsible for implementing and enforcing consumer protection laws for nonbank financial companies. In recent years, the FTC has issued enforcement actions against fintech firms for unauthorized charges, fraudulent money transfers, and unfair and deceptive acts.
The giant strides made in digital banking are in no small part due to the tremendous amount of financial (such as loan payments history) and nonfinancial (such as social media) consumer data available to providers that assist with credit approvals, identity verification and marketing.
With so much personal data circulating, the risks of data breaches and loss of personal privacy increase too. In July, a popular neobankThe term neobank typically refers to companies that use applications—desktop or mobile—to offer financial services to customers. experienced a massive data breach that affected more than 7 million users. In addition to passwords, hackers were able to access names, birthdates, physical addresses and other pieces of personally identifiable information. Fortunately, more sensitive information such as social security numbers and credit card numbers were undisturbed.
Data sharing is another issue amplified by the emergence of digital banking. Numerous federal banking laws directly or indirectly govern “ownership” of consumer financial data and whether and how the data are to be shared with other entities. The CFPB is in the process of writing new rules about consumers’ rights to access their own financial data and the ability to share that information with third parties, including data aggregators. Data aggregators act as intermediaries, collecting data from consumer bank accounts and transmitting it to fintech firms. The agency was given responsibility for writing those rules as part of the Dodd-Frank Act of 2010, and it is striving to balance the rights of consumers against potential harm to financial institutions regarding legitimate competitive concerns.
Although the benefits of many of these new options—such as convenience, lower prices and personalization—may be readily apparent to consumers, some of the drawbacks may not be. Because fintech firms communicate with customers electronically via mobile device or the internet, accessing customer service when there’s a problem may be difficult. Costs, data sharing and contract terms such as forced arbitration may be “hidden in the small print,” in the same way they are for older products and services.
And regulations that apply in some aspects of fintech transactions may not apply to all of them. For example, a payment made on a person-to-person platform like Venmo or PayPal would not be covered by the Electronic Funds Transfer Act if the funds come from the app’s account balance rather than as a direct payment from the consumer’s bank account through the app.
Most of the consumer protection issues that arise in digital banking vary little from their less technologically oriented counterparts, and for the most part, the same consumer protection laws and regulations apply. Fintech firms that obtain bank charters and offer deposits insured by the Federal Deposit Insurance Corp. take on the added responsibility of complying with the Community Reinvestment Act (CRA), a 1977 law that requires banks to invest in the communities in which they collect deposits. The regulations implementing CRA are undergoing their first significant overhaul in several decades, and how to handle the digital transformation in banking is one of the more challenging issues confronting the federal banking regulators.
Regardless of structure or charter, however, fintech firms that offer banking services to consumers face a myriad of new regulations and a learning curve. As these firms adjust to this new regulatory regime, it will be increasingly important to ensure that consumers are aware of the differences in protections in place based on a firm’s structure so they can make financial decisions that best meet their needs.