Last summer, Equifax exposed the personal data of 143 million consumers. It was the latest in an ever-crowded line of data breaches stretching back more than a decade.
What’s different about this breach, however, is that it might spur change.
It might be the one to set a fire under the kiesters of Congress to get them to pass federal data security legislation, said Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable in a panel discussion at the 2018 GAC.
There is no comprehensive federal law in the United States that regulates the collection and use of personal data. Instead, the U.S. relies on a sector by sector set of rules and regulations across different government agencies and industry groups that apply to particular categories of information; for example, The Federal Trade Commission Act, The Financial Services Modernization Act, and The Health Insurance Portability and Accountability Act).
States also can regulate the collection and use of personal data. California, for example, was the first state to enact a security breach notification law. Currently, Alabama and South Dakota are the only states that have not passed such a law for personal information, but both introduced legislation in the first two months of 2018.
At the federal level, Congressman Patrick McHenry introduced a bill in October 2017 that would require credit bureaus to stop using social security numbers by 2020. In February 2018, the House Financial Services Committee held a hearing with representatives across the financial services industry including the CEO of Summit Credit Union ($2.9B, Madison, WI), Kim Sponem examining current data security and breach notification regulations.
Standardizing privacy laws will be a complex process with several areas of importance, including customer notification standards, data ownership, and the right to be forgotten chief.
These issues have a tricky way of uniting both sides of the isle that can make [legislation] hard to defeat, Kratovil says.
In building federal data security laws, an obvious point of comparison lies in Europe, where two wide-ranging regulations the Payments Service Directive 2 (PSD2) and the General Data Protection Regulation will go into effect in 2018.
Michael Edwards, the vice president of advocacy and general counsel for the World Council of Credit Unions, says he has seen legislation modeled on these European Union directives coming into the States, specifically California.
That’s where a majority of the fintechs live. And as bank and credit union customers and members increasingly adopt and use third-party financial applications that aggregate personal financial information, questions of data ownership and accountability arise.
Malauzai’s February 2018 Monkey Insights, which analyzes trends in internet and mobile banking usage, focuses on Scrapegators: the vendors who scrape internet banking to feed data to other fintech applications. The report found:
- 8% of internet banking logins are scraping sessions.
- 90% of the activity is aggregating balance and transaction history information.
- Mint, Yodlee, and Intuit and the three largest scrapegators.
As these companies grow in sophistication and add greater abilities think originating ACH payments the question of liability grows in importance. According to Edwards, the EU’s PSD2 requires the financial institution, not the fintech, to reimburse the consumer in the case of fraud.
This is where there are operational concerns, he says. Especially if the credit union is on the hook for it.
Where U.S.-based financial institution’s have an opportunity to protect against potential liability concerns is through standardized and secure open APIs, says Brian Peters, the director of Financial Education Now.
Based on the principal that our consumers have different applications and will want to connect data in different ways, standardizing APIs across banks, credit unions, and vendors will create a long tail, he says. We have the same customer. The goal is to ensure they are protected.