US Congress Wrestles With Financial Technologies and Data Privacy

Published at: Nov. 23, 2019

On Nov. 21, the United States Congressional Task Force on Financial Technologies held a hearing on the role of big data in financial services. 

The last major legislation focused on the subject was the Gramm-Leach-Bliley Act of 1999, which formalized a financial service firm’s obligations to clients — specifically, how they share client information. Given the field’s expansion over the past 20 years, the Fintech Task Force’s posture on Thursday was that of an early exploration of options and opportunities for new and major legislation. 

The current conundrum

Obviously, the scene has changed remarkably since 1999. Financial services are more accessible than ever. Smartphones and powerful free apps have put financial capabilities previously reserved for industry professionals literally into the hands of everyday consumers. The flip side, as the task force seemed to acknowledge, is that many of those financial opportunities approach consumer data predatorily. The old axiom “if you are not paying for the product, the product is you” seemed to frame the conversation.

While the public eye was largely directed at the ongoing Trump impeachment hearings the same day, the members of the Fintech Task Force — led by chairman Stephen Lynch (D-MA) and ranking member Tom Emmer (R-MN) — questioned five expert witnesses who testified as to the state of the industry and appropriate measures to rein in big tech.

The five testifying

The witnesses espoused a range of views reflective of highly distinct professional backgrounds. Lauren Saunders, an associate director at the National Consumer Law Center, focused on minimizing firms’ legal right to use consumer data in ways beyond those that users would reasonably expect. She also expressed concern that machine learning was amplifying discriminatory financial practices in ways that would be harder to correct than in traditional systems.

An associate professor of computer science at Brown University and chief scientist at Aroki Systems, Dr. Seny Kamara also believed that firms were running rampant over consumer rights. A cryptographer, Kamara showed a unique insight into ways that technology itself could limit financial service providers’ access to consumer data. He cautioned, however, against excess hope in the field, saying “It is easy to get carried away on a wave of technological optimism.”

Like Saunders, Dr. Christopher Gillard, an English professor at Macomb Community College and an advisor to the Digital Pedagogy Lab, was extremely concerned about the role of new technologies in reinforcing old discrimination. He referred to “opaque systems that offer consumers little power of redress” in the form of practices hidden from consumers under the auspices of proprietary code. Gillard further affirmed that “We must reject the notion that regulations stifle innovation.”

More optimistic in tone, Don Cardinal, managing director of the Financial Data Exchange (FDX), pointed to industry moves away from data practices like screen-scraping, in which customer login information is accessible to aggregators. He saw the industry as addressing the problems preemptively.

Similarly, Duane Pozza, a partner at law firm Wiley Rein, sought to define the concept of big data and emphasize its role in expanding financial services. He was particularly interested in cash-flow data, which Saunders had called out as a potential major overstep when it allows loan providers to access data on merchants and specific purchases rather than vaguer information on overall balances and transfers. Saunders said that such data enabled profiling and discrimination on a major and dystopian scale. Pozza saw cash-flow data as a means of freeing credit seekers from the traditional gatekeepers of credit scores.

Curiously bi-partisan issue

Though traditional party lines did come into play, with Republicans making slightly more mention of consumer choice and Democrats more frequently bringing up consumer protection, the assembled congresspeople all seemed to be in alignment that consumers had little choice and were unprotected. 

Chairman Lynch described the contracts users must agree to in order to access services: “Framed as privacy agreements, they’re actually lack-of-privacy agreements.” Lynch specifically called out the agreements of Mint, Venmo and Qapital, which according to him were, respectively, 30, 40 and 10 pages long and filled with language that Lynch, an attorney, described as dense legalese. The consensus was that such problems are inescapable, with Rep. Ben McAdams (D-UT) opining that, as a consumer, he has no idea how many firms are using his data right now.

The shared atmosphere in the room was that consumers were being failed. It was a rare moment of consensus, with the major exception of witness Don Cardinal, who was frequently quick to point out how much progress the field has seen in recent years, as well as how much financial access has expanded to new demographics thanks to innovative companies. 

New laws for today’s data challenges

As always, solutions are trickier. Many members leaned into the prospect of more comprehensive legislation, along the lines of the European Union’s General Data Protection Regulation, or laws passed in recent years in California and New York — traditionally, the tech and finance capitals of the U.S., respectively. Instances of massive financial data breaches including Equifax and Capital One loomed large over the proceedings. The bulk of the hearing presumed the need to enact legislation in response to the clear failure of financial institutions to meet due diligence in protecting these treasure troves of customer information of the most sensitive nature.

New York’s regulation 23 NYCRR 500 placed new burdens on cybersecurity for companies handling client financial data. It took effect on March 1, 2017, but has less to do with limiting the amount of customer data that a firm can access than with establishing requirements for the cybersecurity surrounding that data. On March 1, 2019, what is perhaps the most ambitious element of the regulation was the last to come into play. This final requirement obliges financial services companies to examine and issue reports on the cybersecurity effectiveness of third-party services that also have access to the data collected by the primary firms.

Passed in September 2018, the California Consumer Privacy Act (CCPA) will come into effect at the beginning of 2020. Given the portion of U.S. tech firms that are registered in the state, California’s status as the most-populous of the United States, as well as the law’s broad prescriptions for any action in any jurisdiction taken by firms operating in California, the CCPA will likely serve as either Congress’s template or cautionary tale for legislation on data privacy for years to come. Expect all eyes to be on its impacts on firms and its effectiveness at protecting consumers once the new year comes. 

The tech cure

It was, however, clear throughout the proceedings that many of the legislators involved lacked technical expertise. Ranking Member Emmer commented on this after the hearing, telling Cointelegraph that there was clearly a “steep learning curve that a lot of people in Congress have when it comes to this type of technology.” He continued: 

“This body tends to look like the people that you saw up here today as opposed to young people who are writing code, on the edge and always pushing into this new universe.”

As Dr. Kamara pointed out during questioning, “Services can be provided without having to give up data.” He continued: “We can minimize the amount of data collected down to 0 if we invest in the right technology.” 

Cointelegraph got the chance to follow up with Kamara on the subject after the hearing, during which time he highlighted the availability of technology “that allows us to process data without ever seeing it. So you can hold your data, you don’t ever have to release it to anybody, but I can still compute on your data and get some kind of signal from it.” When Cointelegraph asked him about zero-knowledge proofs as an example, Kamara responded that “you can do similar things for computation as well. So not just proving identity, or proving knowledge of something, but computing as well.” 

It was, however, clear throughout the hearing that Dr. Kamara was not suggesting that financial services providers be left to enact such technological practices out of the goodness of their hearts. In response to a question from Chairman Lynch as to why consumers were still vulnerable, Kamara answered: “Because companies never had any incentive to improve their privacy practices, they have never been invested in.”

Among other promising technological advances that received mention during the hearing were new application programming interfaces, or APIs. Don Cardinal, in particular, saw these mechanisms as providing built-in filtration, restricting the information available to companies to what is relevant to their particular line of work. 

Cardinal, whose work at Financial Data Exchange involves implementing FDX’s API, showed a particularly rosy outlook on the industry’s willingness to change its own practices internally. FDX’s press release on the event of the hearing featured the tagline “Industry Proves Quick to Adopt Secure Data Sharing Standard – Over Five Million U.S. Consumers on FDX API.”

Takeaways

Thursday’s hearing left little doubt that major federal legislation governing data usage is coming in the United States. Democrat outrage over new financial data practices targeting vulnerable groups through predatory lending and discriminatory algorithms met with Republican frustration with the obvious inability of even the most savvy of consumers to cope with the ways that their data are being manipulated beyond their control. Unless some improbably ambitious initiatives from both the private sector and existing regulators — especially the Federal Trade Commission — come into play to prune the overgrowth of customer data in the possession of fintech firms in advance, that legislation will be sweeping.

However, do not expect legislation yet. Congress is going to wait until they can assess the new California law as a case study, and then larger committees are going to need to get up to speed with the work of the Fintech Task Force, which is still a young and small wing of the Financial Services Committee. Meanwhile, stay tuned.
