The financial services industry’s use of big data and data aggregation tools has the potential to benefit millions of consumers but also could disproportionately affect the privacy and security of vulnerable populations.
That’s the take of experts who testified to the House Financial Services Committee’s Task Force on Financial Technology last month, hoping to convince lawmakers that more attention is needed on the issue.
Increased use of big data in the industry has led to the rapid development of new products and services. These systems generate “astounding” amounts of data, with 90 percent of the world’s data having been created in just the past two years, said Rep. Tom Emmer, R-Minn., the ranking member of the task force.
“As we have seen with the internet, information can be power. And when we are generating this amount of data, the owners and possessors of that data may gain that power. With that power may come increased responsibility, and it may impose an ethical duty to use the data properly,” he said at the Nov. 21 hearing.
Emmer noted that a broad, unspecific definition of big data could also include work underway to digitize services the financial services industry already offers to the public.
“This is the future, and there’s no going back from here,” Emmer said.
Data aggregation tools are increasingly used to access consumer bank account transaction information and other data in connection with a variety of financial products and services, said Lauren Saunders, associate director of the National Consumer Law Center.
Allowing these tools to access consumers’ account data has the potential to enable many beneficial products and services, including the use of cash flow data to improve access to affordable forms of credit, products encouraging savings and services to help consumers better manage their finances, she said.
At the same time, the detailed and sensitive data residing in consumers’ bank accounts can be used for less beneficial purposes, such as helping predatory lenders refine their tactics or allowing others to discriminate based on biased data fed into machine learning algorithms, Saunders said.
Ultimately, consumers can’t be confident about the use of big data tools unless there are industrywide regulations in place, such as strong federal privacy laws that do not preempt state-level laws, she said.
The financial industry is also using new data sources — such as authored, observational and metadata, often called alternative data — pulled from things as varied as utility bills, mobile device location data and text messages, said Seny Kamara, an associate professor at Brown University’s Department of Computer Science, where he researches cryptography.
Traditionally, financial applications shared data through a practice called screen scraping, where the app asks the user for their credentials (such as a login and password) so it can log into the user’s accounts to retrieve information. But this practice is substandard from a privacy and security perspective because users must trust the app to store and protect those credentials.
Kamara advocated the use of application programming interfaces, or APIs, as a better approach being developed by the financial industry. APIs are standardized interfaces between applications that allow for better interoperability and improved security. Specifically, API-based designs use a user-approved digital token to determine what pieces of data can be accessed and for how long, he said.
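The token model described above can be sketched in a few lines. This is an added example, not code from the hearing, FDX or any bank: the HMAC-signed token, the scope names and the function names are hypothetical stand-ins for whatever a real API standard specifies. Unlike a scraped password, the token lets the bank refuse anything outside what the user approved or past the approved time window.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real provider would hold this in a secrets manager.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(user, app, scopes, ttl_seconds, now=None):
    """Issued by the bank after the user approves specific scopes for one app."""
    now = time.time() if now is None else now
    claims = {"user": user, "app": app,
              "scopes": sorted(scopes), "exp": now + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def authorize(token, requested_scope, now=None):
    """Return (allowed, reason) for one data request presented with the token."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        # Constant-time comparison; any edit to the claims invalidates the tag.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return False, "malformed token"
    if now >= claims["exp"]:                      # "for how long"
        return False, "expired"
    if requested_scope not in claims["scopes"]:   # "what pieces of data"
        return False, "scope not granted"
    return True, "ok"

def demo():
    t0 = 1_700_000_000  # constructed timestamp
    tok = issue_token("alice", "budget-app", ["transactions:read"], 3600, now=t0)
    return [
        authorize(tok, "transactions:read", now=t0 + 60),    # approved, in window
        authorize(tok, "payments:initiate", now=t0 + 60),    # never approved
        authorize(tok, "transactions:read", now=t0 + 3601),  # window elapsed
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```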
One of the problems with pulling data from alternative sources via big data tools is that it involves third parties, rendering the technology inscrutable to users behind a wall of proprietary code and “black box” artificial intelligence systems whose operation is difficult for even computer scientists to understand, said Chris Gilliard, a professor of English at Macomb Community College and Digital Pedagogy Lab adviser who researches, teaches and writes about digital privacy and surveillance.
The problem with many fintech tools is they impact marginalized communities through digital redlining and predatory inclusion, Gilliard said. Digital redlining is the use of technology to continue discriminatory practices against certain groups. He cited the example of Facebook Inc.’s advertisement targeting that could be used to prevent African Americans from seeing ads for housing despite laws prohibiting such conduct.
Predatory inclusion is a situation where members of marginalized groups are offered access to goods, services or opportunities from which they have been historically excluded, but under conditions that jeopardize the benefits of access. Gilliard cited the example of the cash advance application Earnin, which offers loans. Users can “tip” the app. Citing reports from The New York Post, he noted that if the service was deemed to be a loan, the $9 tip suggested by Earnin for a $100, one-week loan would amount to an annual interest rate of 469 percent.
One way the financial industry is trying to get around some of these problems is to move away from fintech applications using outdated approaches like screen scraping and to embrace APIs, said Don Cardinal, managing director of Financial Data Exchange. FDX is a consortium of financial industry companies with the goal of using APIs and other secure technologies to create an industry ecosystem of products that can safely share consumer data with the user’s permission.
To achieve this goal, FDX consists of industry committees and working groups focused on promoting and adopting the FDX API standard across the financial industry, from small to multinational organizations. The standard’s main goal is to provide consumers and businesses with control, access, transparency, traceability and security, Cardinal said.
Some witnesses also expressed concern that California’s Consumer Privacy Act, which goes into effect Jan. 1, will create a patchwork of rules that could affect financial institutions and how they deploy new tools and technologies and potentially impact consumer data privacy.
Duane Pozza, a partner with the legal firm Wiley Rein LLP, said the CCPA’s requirements are a moving target “and significant uncertainty remains about how to operationalize a complex and often unclear law, even though it will become effective in less than two months.”