View Full Library
Welcome everyone to our 1033 panel.
If the concept of 1033 is new to you, anyone, I won't shame you, but it's been hanging around for a while now, as many of the people on this panel know, I'm gonna get them all to introduce themselves, their current role and kind of what their area of interest is around data specifically.
And then we'll dive on into the question.
So, Tom, I am Tom Brown.
It's odd to be in a room with people from the financial services industry where they're not mostly either clients or portfolio companies, But so it goes.
I have been in the financial services industry for, at this point, almost three decades.
Started my career at Visa and as a outside counsel for Visa as an antitrust lawyer.
And took a winding path to the current role, which is a partner and general counsel at Nica, which is a FinTech focused venture fund.
I also retained an advisory relationship with Paul Hastings, where until I joined Nyca, I was the co-chair of the FinTech practice and the chair of the competition practice.
So that's me.
Why do you Care about data?
Why do I care about data?
Well, it turns out that I have been supporting and investing in companies in what we would call the FinTech space, going back to the early part of the last decade.
Companies like Chime Digit Ramp, Mercury, a bunch at Nyca.
And many of those businesses depend on access to account information that sits at other financial institutions.
And there was a moment in time, I believe it was, I believe it was 2014 if I recall correctly, when that the consumer permission to access to account information exploded in the financial services industry.
And there's an article in the Wall Street Journal by Robin Sedel that has Jamie Diamond's picture.
And the really, the only person quoted in the article is me, making the suggestion.
And I'm sure that Jamie Diamond has better things to do than to watch this video later.
But the thrust of my comment was that we should live in a world where consumers don't need the permission of a bank president to provide access to their account information to third parties.
And fortunately at that point in time, we lived in such a world because, 12 USC 5533 for the lawyers, in the room this is the statutory site requires financial institutions to allow consumers to access their data in electronic form.
And I know that Kelvin will shake his head at this, given the statutory text, also provide access to that information to third parties.
and so I have been on the front lines of this, ever since it's A decade ago already.
It is a decade. All right.
And I should have prefaced it with the expect some spicy, glad you guys are all together, Trying really hard, not together, like Kamala, like dirty looks and shaking heads and on The sidelines, dude, have to Okay.
Make it a presidential debate. I like it.
All right, Kelvin, tell us about your role, why you care about data.
Hey, everyone, my name's Kelvin Chen.
I currently lead policy for a trade organization for retail banks, the Consumer Bankers Association.
In prior roles, I was in-house at a couple of major banks.
I also, I was in the government, and so I was at the CFPB under Rich Cordray.
So under the Dems when they were working on some of the initial works aspects of this, I actually left the bureau partially because I disagreed with their approach to the rulemaking and went to the Federal Reserve Board, where some of the early work we did was to kind of lay down some markers and say, Hey, it's a little bit more complicated than you guys believe.
So I went over there in prior roles, I was at the FTC and was a litigator in New York.
And you care about data because… Oh, yeah.
You wanna prove everyone wrong?
No, no, I, I mean, I care about data because, so in my heart of hearts, like although I'm in the, the private sector, I'm a big believer in the federal government and good regulation, and the notion that if you do regulation correctly, you can build businesses on it.
If you build regulation poorly, you can snuff out a lot of innovation.
You can snuff out a lot of use cases.
And so, like at cocktail hour, I can talk to you about, talk to you about my favorite regs and how it's launched all new industries and safe ways, and how other other regulations have come to him and kind of snuffed regulation.
And in this case, I really worry that the bureau's gotten it wrong.
Starting with, and you know, Tom and I can debate this at length, but starting with how you read the two sentences that are in 1033 that are relevant, but down to like the millisecond prescriptions that they have in the rulemaking, I just think that the risk to market innovation and the risk to open banking, which we do strongly feel like the way, do strongly encourage the risk to further development of that ecosystem could be harmed by this rulemaking.
Awesome. Alright. Looking forward to getting into it.
And we have a very big treat today, having a data-driven FinTech OG in the room.
Jesse, introduce yourself.
You're OG if you've been doing this for 20 years.
Yeah, so the first 10 of which we would have people drag their OFX file over to our software to, you know, get access to their data.
I founded a company called YNAB and our goal is to have people love how they spend their money and they can't love how they spend if they don't know how they're spending.
And so we need, we need their data in our software as quickly as possible so that we can maintain the context that they need to, to make that precious exchange of, of money for something.
Our stance is that most people view money as a chore.
They want to distance themselves from it.
Yet here we all sit in this room trying to earn it at the same time.
And so it's this weird dissonance for everyone where you exert a lot of effort and energy and blood, sweat, and tears to earn the thing.
And then once it, once all that effort has become a dollar, you suddenly are uninterested in what happens to it next.
And so we're trying to convince people that they should take that same intentionality on earning and thread it all the way through to the spending.
And they have to be able to, in this day and age, they have to be able to get to their data to even have a basis of reality from which they can start making great spending decisions.
But I also have my favorite regulation. I'm just kidding.
I don't have favorite regulations at all.
I'll maintain silence for most of this panel, I'm sure.
But I'll just try and smile and nod and keep things, you know, cordial.
Keep It civil.
Thanks.
Thanks for being the referee here.
No, well, I think it is really important, you know, Jesse and YNAB, a you are the third party or data recipient or, you know, there was this sense at the beginning, it was like, oh, it's banks, you know, sharing money with FinTech, so it's bank to Jesse, and, you know, that's just, that's not the only use case.
Like the bank to bank use case is a very, very big one.
And often it is sort of small bank to large bank not necessarily the other way all the time.
So there is just a lot of stakeholders.
Third party, I think Kelvin, you're representing the data providers in terms of your consumer banker association, but they're also into data as well.
And they're also into, yeah.
And many of them and many people in the room as well.
You know, if you have data aggregation, if you account account verification, like you are a third party, even if you are a covered institution.
So, and then you have groups like MX where we are a data access platform.
We are enabling the movement of data in what is an incredibly complex ecosystem.
And so I'm just gonna shut down that we can learn from the rest of the world because, you know, Australia has four banks.
The UK has nine, like we have tens of thousands of participants in this economy.
It is far, far more complicated to move data around the ecosystem.
And if you are, you know, the CEO of a credit union who's here, you're not gonna be able to set up nodes individually yet to the 10,000 covered institutions and potentially 10,000 fintechs.
So the data access platforms are incredibly important to enable that.
So with all of that, let's jump on in, a little context.
The draft rule came out last October.
Comments were finalized by the end of December.
December, the bureau got 11,000 comments in, it was hotly debated.
We've had a lot of consultation this year, both as individual companies as well as I'm sure consumer bankers have been there.
We've been in there as a financial data exchange.
Like there's been a lot of engagement around, here's where the rule falls short, here's where like, here's where it could go further.
But the intent of the rule is very solid.
People should access, it should be private and secure.
There should be an interoperable standard that we're all complying to.
There should be third party risk management, but there's some real good key guidance points, and then there's a lot of gray areas.
So let's dig into the gray areas.
What areas do you expect to see change?
And then what do you hope to see change?
So it's two questions, expect and hope, and Jesse, you can do wishlist if wishlist, if you didn't read the whole 300 page rule, but I didn't even have chat GPT read the whole 300 pages.
It's a good way to do it.
For us being, I mean, we're, we're a small business.
We're bootstrapped, we reinvest profits.
And so for us I think we're highly sensitive to, and Kelvin would agree here, a bad regulation.
I could, I felt that because a bad regulation means only the, the most, well-funded the people that can just slog through and lobby and just kind of wear down the reg until they can get through.
We're like the guy trying to do something new in a neighborhood, you know?
And you've got like a maze of bureaucracy that even a bureaucrat can't navigate.
And so we always are just kind of sitting there hoping that whatever is left for us we can afford to navigate.
But I couldn't even begin to.
So my wishlist is have it be affordable for the, the smallest, you know, the one single guy in his garage that wants to spin something up, that's where the competition starts and have it be affordable for him.
And then of course, all the way up the chain.
That's our big, big wish with this.
Yeah, and I think Kelvin, it's interesting in that you represent institutions of all sizes.
Well, actually we're, we're basically 10 billion plus.
Oh boy.
Yeah.
So, But yet that's the small.
No, I'm just kidding.
Yeah.
So what do you expect to change? What do you hope will change?
So in turning, in terms of expect change, and this is like super pragmatic I expect the compliance timelines to change.
And that's, it's pragmatic, but hopefully it matters to folks in the room.
For folks that have been watching this, you're aware, one interesting thing about this rule is that basically everyone is covered, but the very largest institutions would have to implement within six months, which is crazy fast, right?
And so we, we basically sent a letter into the bureau saying, Hey, we've got people that are having to implement right now to a rule where they don't know what the rule will be.
Alright? You've got a standard setting organization that you haven't yet recognized, and we're trying to aim to that.
And indeed, the rule actually contemplates the launching of a bunch of other standards heading organizations that never were created.
Please give us more time.
The thing I would notice politically the bureau had a reason to have the short timeframe initially, because you only kind of cram industry into the short timeframes if you're trying to make the rule harder to challenge.
Because once a rule, once certain, like one person is compliant with the rule, then if a new CFPB comes in, they have to kind of go through more administrative hoops to propose a rule.
But the rule has come out so late in the year that even six months, we push it out.
And so basically they can extend the timeline at no additional risk to themselves from, from a political perspective.
So it's a very inside baseball way of saying, we expect there to be more time for the very bigs.
Should I go to wishlist? Yeah, let's do it.
I mean, wishlist, there's a lot.
And so one of my colleagues, he doesn't want the rule to exist.
There it is, speaking to the camera.
And for the record, he doesn't want the rule to exist.
Here's what I'd say about the rule.
And, this is a very, it's a yes or no question, a very different question that wasn't on the prep list.
You know, earlier we had a speaker show various Disney characters, right?
So like, there's a question as to whether you were like Dora or whether you were I forget the, like they had a dog..
It was Dumbo.
Okay, so, and a goldfish.
So the example here, as I would say, we're kind of Dumbo again, right?
What I, what I be a goldfish cowboy.
I don't know if like everyone's looking to this rule as if it's the feather that helps the industry fly, right?
And what I would say to the collected crowd here is, I don't know that you need the feather.
Like you can be pro open banking, you can be pro data sharing, pro-consumer access, and really wonder whether this feather was necessary or whether it, again, it impedes your ability to fly.
And the issues being right, because of all the, the major infirmities in the rule, like hardwired into this rule is a 99.5% uptime requirement and a 3,500 millisecond ping time requirement for all the data types that are there.
I used to be an engineer.
I haven't done engineering in quite some time, but it's, I would think that for all the data fields, maybe one data field could be 99%, 99% you know, uptime, maybe for another data field, you only need it within five seconds rather than three and a half seconds.
The point being is there should be some market driven conversations about where things should go, particularly as this rule evolves, it took over 10 years to write it.
Can you imagine having to go through another 10 years to say, oh, actually we need five more milliseconds for this to take place.
So, that's my answer to Tom's question.
I'm taking way too much time.
The on on the wishlist, we have a blog post up with all the things we're concerned about.
The thing that I do wonder is why the rule would need to go so heavily into payments.
So the rule is theoretically about consumer access to data.
It's captioned as such.
When you read the plain language, even as aggressively as Tom does, presumably it's about giving consumers like access to their data.
Chopra, the director at the CFPB has talked about this enabling a whole new open payments ecosystem, which again, may be a good thing in its own right, but I think that this is a very limited toolkit for getting there.
And there are all kinds of things that they haven't addressed, including how you take care of fraud and scams.
So they, where they'd be opening up a Pandora's box without really being there to help fix the solutions at the end.
All right, so Tom, expect to change. Hope to change.
So in terms of, in terms of what I expect to change, I think the, I think the timelines for implementation will shift.
and I'm skeptical that that much else will, the primary areas of sort of contention from a comment standpoint or scope.
So just to refresh, and we're gonna play some games with the statutory text since, Kelvin keeps alluding to it without quoting it.
‘Cause it's inconvenient for him.
I really do love each other for real.
Tom really is like a mentor that I just despise at times, but a mentor nevertheless, it's our first time on a panel together.
You've seen me do this to other people.
No, no, You blew me up at a 1033 panel. Yeah. I think I was in the audience though.
But it's never safe, it's never worse.
It's never safe when I'm around.
Um, so the primary areas of contention were scope.
So the text of the rule, just to go back to that, a covered person EEG bank shall make available to a consumer shall, by the way, is self-executing Covered persons includes non-bank financials, although not in this rule Upon request, blah, blah, blah, consumer financial product or service using the lang-, using the text of Dodd-Frank, whereas only credit cards are in scope for any lenders, right, only credit cards and certain reg e covered accounts including DDA accounts and digital wallets.
So if you look at the comments, one of the primary errors of contention was the scope of the rule.
Like why is it so narrow given that the text of the statute that is the thing that Congress passed and that the president signed is quite broad.
I don't expect that that will change.
But if it's going to change, it may change in areas of access to payroll information and some government benefits.
Uh, but again, I don't, I don't actually expect it to change.
In terms of hope for change, this is actually a really hard question.
Because there's sort of aspirational which probably adheres to something closer to the text of the statute, like the actual law as opposed to what comes from the executive branch.
Which the Supreme Court reminded us recently in Loper Bright, and I'll come back to why this is important, is not actual law.
Actual law is what Congress passes and what the Supreme Court says Congress has passed.
And so if you are, if you're aspirational, you sort of want a rule that adheres closer to the statutory text, if you're pragmatic, and this is, I'm gonna throw this out as a, as much as a question for the audience, as anything, I'm not sure you care at this point.
Because I think regardless of how the bureau, changes or adheres to its proposed rule in the final rule, the rule is going to be subject to litigation.
It'll almost certainly be challenged in the fifth Circuit, I think, so long as the people driving the challenge have an IQ above the ambient temperature in the room they will seek a preliminary injunction to suspend operation of the rule, pending resolution of the case.
I think they have a better than 50/50 chance of obtaining such a preliminary injunction.
And so if I'm operating against that backdrop, it's hard to feel like there's a lot at stake with the actual content.
I've gotta do a lawyerly disclosure here.
I can't comment on the likelihood of litigation here.
We've gotta see what the rule looks like.
Need to confirm, not right.
So just to be clear, Tom is speaking on his behalf, but nine and a half of the other panelists, Okay? There will be blood, there will be lawsuits, there will be lawsuits, I mean, and Loper Bright.
Alright, so this is the case from the Supreme Court last year that sometimes called the reversing Chevron decision.
And what's interesting, I think and important about that case, right in the context, and we're gonna do some basic civics here, right?
We all recall that we have, divided federal government three kind of coequal branches, but like one of the pigs is bigger than the other pigs.
and the big pig per the Constitution, like they go in order.
So article one of the Constitution is Congress, article two is the president, article three is the court.
And what the Loper Bright Court, what the Loper Bright decision essentially says is, okay, as between US court and executive in interpreting law, which is what Congress produces, we court are going to decide what law is not you, president.
And so that invites people who are unhappy with regulation to take that unhappiness to court.
And reasonable people can disagree about whether that is the optimal design for a constitutional system, but it is kind of consistent with the, the framer's design and certainly very, very, very consistent with Chief Justice Roberts Juris Putin.
We did promise this would be a PhD level class if no, almost– I thinking there's a test afterwards.
Yeah, there really is.
So from a core issue, and for, I'm gonna say everybody in the room, a lot of our, themes today have been just data, the use of data, getting insights, putting data to work, getting to know customers better.
The use of data has become standard for how businesses operate.
You know, both to service customers as well as to do product development, platform testing, research, marketing segmentation, all of those things.
The rule as drafted puts really strong limitation around what can be used under this term secondary data use.
So the primary use is, I'm applying for a mortgage, you're gonna have all my data can apply for the mortgage.
Whoever touches that data on the way through and finally receives the data can only do it in service of that mortgage use case the way that it's, this reasonably necessary use of data.
So from the from the perspective, like all your different perspectives, like what's your take on sort of secondary data restrictions as drafted and where you think it could go?
We don't really have enough time.
So first one question is like, why do I think that the rule came out that way?
And I think here, it's a reminder that personnel is policy and director Chopra has been concerned about surveillance capitalism since since he worked in the bureau with Kelvin, and The FTC and when he was a chair at the FTC.
And I think that aspect of the rule, which again, has little connection to the statutory text, is sort of directly connected to his policy priorities.
I think in terms of, in understanding them, they remind me a little bit of two what I would describe as overwrought statutory and regulatory frameworks.
One which is a subject of congressional testimony that I gave, I don't know, five, six years ago, the Fair Credit Reporting Act, which actually doesn't deal with fairness, but does deal with credit has a very, very, very specific statutory design, and which is immensely confusing and largely bypassed by many people that you would think it would apply to EG data brokers.
and then Graham Leach Bliley, which governs access and use of personal information in the financial services industry.
And, uh, the original congressional intent of which was to limit marketing of products to consumers who had provided PII to financial institutions.
Now as it turns out, once you give lawyers enough time to think about a regulatory framework, they can find ways to achieve the desired commercial objective without violating the underlying statutory text.
And I tend to think that the concerns that have been expressed related to the restrictions on secondary use will be resolved in ways that are sort of similar to how commercial entities have responded both to the Fair Credit Reporting Act and and GLB, which is to say the regulation as designed will likely not address director Chopra's concerns about surveillance capitalism because the commercial impulse to find ways to put products in front of consumers who don't otherwise have information about them is very strong.
Yeah, Absolutely.
So we are gonna open up for questions in 10 minutes and we'll do lightning rounds until then saying, Kelvin, from your constituents perspective and from yours and the CBAs, how are you thinking about secondary data?
So this is a great example of just how clumsy rule writing leads to potentially bad market outcomes.
To Tom's point, like I can understand the intent behind it, and I think we actually agree here, but we have a situation in which imagine I'm the new boss of the room, right?
And I say, okay, you guys can only do what the, what the primary purpose of the activity that you've got out there.
However, what you determine the primary purpose is isn't necessarily what you tell the consumers it is even in your tiny writing.
So even if you disclose it to the consumers, so no one knows what that primary purpose is there.
So you've got a potter steward. I know it when I see it.
And then we're gonna have a situation where, because of the way the, the bureau has supervisory authority as, as well as enforcement authority, I'm gonna say, okay, so I'm not gonna give you guidance.
I'm not gonna define what secondary use is.
Versus primary use is, I'm gonna live in Tom's house, so I'm gonna have a floor in Tom's house where I have a group of examiners that anytime Tom wants to do anything, they've gotta talk with Tom's gotta talk with the examiners, and they'll figure out what primary purposes are versus secondary purposes are.
And for Jesse, actually, this is a bad example.
'cause I guess Jesse is a FinTech, but for Jesse, go wild, right?
And like, you might not have me on my radar, and if you do it wrong, if I hear about it, I'll come after you, but you're not really on my radar.
That just doesn't lead to good results.
It doesn't lead to good innovation.
You can't do business that way or build products.
You can't get investment that way.
And so that just strikes me as just really poor form.
Yeah, I mean it's very meaningful for Jesse because he's gonna be the one who has to get consent to do the disclosures due record retention.
And it's a part of the role that hasn't really been discussed as much.
Not Jesse's lawyer but you know, Jesse is consumer facing, he's offering a PFM tool.
It's at least visible in the commentary to the rule that within the scope of that service that are broad permissions to provide consumers with information about ancillary products and services.
So like I think to Kelvin's point it, I'm sympathetic, you know, putting myself in the the shoes of the people commissioned to draft the rule, knowing a director Chopra's policy priorities as to why it's there.
I don't know.
My current instinct is that, that the significance that people are attaching to it will proven over time to be even assuming the rule becomes effective, as to which I'm very skeptical of lasting commercial significance.
I mean, here's an example, and this is just a, a small example, but, and maybe one showing my age.
And when Google was trying to have this same conversation with the FTCA generation ago about secondary use, and this is setting aside the fact of like what's disclosed and what's not disclosed, what, like Google was able to make the world's best spell checker from just detritus because of the misspelling.
Like, you misspell a word in the search and you're like, oh, that's not what I want.
And so then you do your next search and you get the right spelling out, then they immediately make the world's best spell checker because they now have bazillions of data inputs on how people misspell words, right?
That was just an exhaust that came off the data.
That's a universal consumer good that we, that we now kinda take for granted every time we're typing with our thumbs, right?
Like we can type with our thumbs now, but the second Secondary use restriction only, here's the thing, the secondary use restriction only applies to the information that you've received via aggregator.
It doesn't apply to the information that you are developing or using in connection with the service you're providing to the consumer.
So, I don't… I have a really hard time understanding how in practice that's going to be meaningful.
It may matter for aggregators, but it's not clear to me that aggregators are actually using information in ways that would offend the principle.
And to the extent that there may be use cases at the margin, there are ways of transforming data that would enable the designed outcome without triggering a secondary use concern related to the PII specifically I agree.
It's not clear, but my point is that it should be, I don't know, you're never gonna be up.
I mean, if your objective is to limit this is a rules versus principles problem.
Like you are never, and then we had a version of this conversation related to my favorite topic out in the, in the lobby before we went on.
And I'm not going to embarrass you by by pointing out the subject of that, but you can raise it if you want.
When you're talking about, when you're asking for prescribed rules, it is death by a thousand cuts with respect to implementation.
If we go back to where you started the conversation around like, oh, all the data elements and should it be 99% versus 99.5, or can we have 10 milliseconds versus five milliseconds?
The, the idea that we can imagine a regulator with enough information and and produce consensus to have that kind of dictate, like, that's just farcical.
I'm not asking for, they have 99.5 in the proposal.
Like, I don't want, that's anytime They're specific Want the market to solve This.
Yeah.
But I think you're getting into the, anytime you're specific, right? Like I think let's go to competition, okay?
Right. Because that was one of the big intents of the rule.
Yes, there was guardrails around time and response times and things like that, but at the core, this is also a competitive, which was also not in the language.
So Jesse, just how are you thinking about this?
Do you feel like this helps a competitive edge?
Do you see competitors coming onto the scene?
'cause data is more freely available that may have different business cases and different revenue streams that may make it more challenging for you?
How are you thinking about the competitive space?
We the com-, I mean, it definitely is warmed up quite a bit competitively.
And, I would say pre pre covid and then slightly post like 21, it was like fever pitch, and then things kind of started to go away.
Again, the, I'm only concerned for our ability to help the end user, and I am skeptical of regulation.
And it sounds like Tom and Kelman are both, it sounds like Tom's kind of saying, I don't think this regulation's gonna even matter that much necessarily.
Like people give lawyers enough time, and they'll navigate around it.
And you can see lots of examples of that.
And then I also hear Kelvin saying why even have the regulation?
And so I think the end result may be the same.
It may be what happens is we all just accept the cookies that pop up when it says accept cookies, and we've all just been conditioned to accept cookies.
That was a regulation, right?
I mean, that, that was supposed to make everyone aware of the fact that they were being followed.
And now instead, all they do is habitually accept that they're being followed.
And so I am skeptical of the regulation in general, but I am concerned that the regulation could be overly burdensome.
I act, I'm not legitimately concerned, like I'm more philosophically concerned that it would be overly burdensome for a small business like ours.
But yeah, you just, I believe regulation in the end decreases competition, and it's used by the private sector to build moats.
And I hope that that doesn't, that's not the case for FinTech where it's so hard to get in.
You can't have someone compete against Visa or MasterCard.
You can't have someone that builds out new payment rails, because the regs are so locked down tight that it's impossible. Yeah.
And, and remember, like half the DA accounts in this country already have access through secure APIs.
We've solved a lot as an industry, but what we haven't talked about is that that other 50% do they need the regulatory stick to move because that competitive carrot hasn't necessarily worked.
One anecdote, Jane, is when a large bank, broke badly with our data aggregation provider with MX, we put out a notice it was a significant, percentage of our users that were affected by this large bank, and we put out a notice to those users and said, Hey, this bank has pulled out and it's now broken for you.
We didn't see customers saying, I can't believe your app is broken.
We saw customers say, how do I switch banks? Yeah. Right.
And so I believe my hope is that the tiniest locus of control sitting with the consumer en mass is what actually moves the market.
And we've seen it in our little tiny space.
And I would hope that actually is awesome that they'll follow us and they'll leave a bank in a heartbeat.
My hope is that we can do things that let you leave banks easily, like switch all of your connections, all of your subscriptions, all of your things over to some other and make it more competitive that way.
And I do think this is what has changed between seconds, between 2014 and now.
Okay.
The market is in a very different spot in terms of hundred of consumer expectations.
And so technology, this is why I think 1033, the statutory language is important as I wrote, around Christmas, I really don't think that the rule is going to matter a great deal at this point. Mm-Hmm.
Alright. Hot takes. We did promise spicy PhD level.
All right.
Questions from the audience?
Oh you already, you don't have to stop. Not the brawl.
Well, listen, Sorry. Thanks.
Um, so if you're a small business like Jessie's, what's one, the one takeaway from today?
Like how would you tell them to, what would you tell them to do?
And this is for Tom and Kelvin.
So a small business non-bank.
At this point, all you can really do is watch and wait.
The opportunity for comment has passed.
I don't think it is in your individual interest to initiate litigation related to the content of the rule.
So that would be my suggestion.
I would just add, I wouldn't watch, I would just get to work serving The customer.
Yeah.
Keep hustling, right? Because from my perspective, again, I just don't know what the rule gives you other than kind of buffers and hard walls and things that can't change, the conceit.
And if I'm wrong about this, let me know.
But it's my understanding that it's basically like there's a lot of relations to be made.
There's a lot of like, like a lot to build.
Just keep hustling and let DC do what do DC does?
Well, and I mean, we're now weeks away from the final rule and there'll be a lot of hot takes.
So I think, uh, yeah, read widely 1, 1, 1 thing I would say, I don't think the outcome of the election will affect the rule.
This is a rule that has been in gestation for, at this point, 14 years has passed through the hands of many administrations, including, um, both the prior Trump administration and the Biden administration.
I think the outcome of this regulatory process will end up in litigation, But again, it's the right thing to do for customers.
That's, Melissa, you had a follow up? Sorry, I had A follow up.
And then how do you compare that suggestion with what a, a small community bank would do?
Should do, a small community bank should talk to their trade association, and I assume most of the path that Kelvin has blazed for banks slightly higher will be the path that, that they follow in where they're not currently supporting access.
I would expect them to want to continue to oppose supporting access.
And I would anticipate, if you're looking for a group of constituents who seem most likely to litigate the final content of the rule that would be my guess My version of that would be like, know your customers very well, right?
And so if your customers are demanding this, build towards that.
And if your customers, like every community bank serves a different pocket, they exist to serve particular needs, right?
Like, keep again on the theme of knowing what you're, like, keep doing what you're doing, like know what your customers need and, and prioritize.
'cause there's a lot that community banks have gotta build towards, Right? Yeah.
And I think related to that, 1033 has taken up a lot of the oxygen in the last year, but there's other coming rules or other things in process, like the lack of a federal privacy law, the fact we've got potentially a data broker Overdraft the broker deposits, The data broker rule coming.
Yeah.
There's a lot of intersections coming from different agencies that it's just, you know, as I've heard it describe, it's like a tsunami of rulemaking.
So it is a lot. Other questions.
Hey, I'd love to get the panel's take on enriched data and whether or not it will be covered or I've heard theories that it could be, is it confidential commercial information, I think is the name so anyone can answer So enriched from the data provider.
Yeah.
So you, well, you know, like we do merchant enrichment, MX does enrichment to take the raw transaction data and then uplift it and make it more useful at the firm.
Yeah, I think it all comes down to the reasonably necessary use of data that the fields that are in the financial data exchange spec are pretty much like raw data.
They're pretty binary.
So unless there is an explicit use case that doesn't work without enriched data, but there is no guidance.
You can catch me if I'm wrong, but there's no guidance in the role that says you have to do something to those fields in order to share, Except for the payment stuff.
They have a bunch of weird stuff about payment routing that's hyper specific on payments, and I don't know much of that is enriched or not. Sorry, go ahead, Tom.
I don't think it's super weird.
And it is hyper specific and it just relates to account and routing information.
But with that caveat, I think I would, I agree, with both Jane and Kelvin, the way I think about it sort of simplistically is there's above the line information, so the information that relates to covered accounts, and that is specifically delineated in the rule, and then there's below the line.
I think, I mean, it will be interesting to just sort of watch over the next five, 10 years, there's a clear market structure that the rule contemplates related to and an open standard.
And there will be this sort of, there will be a thousand flowers in the aggregation space.
Like yeah, I don't, I'm taking the under on that.
Like I, there will be, if the rule were to go into effect, I would anticipate a market structure that looks a lot like what you've seen in the fair credit reporting context where you'll end up having the rule in financial services, the rule of three, right?
There's a primary, there's a backup.
And because not every financial institution wants the same primary and backup, you need a third.
That feels like the ultimate market structure that would exist.
I think, you know, one other caveat on the advice for small businesses, like, it'd be really, really, really tough at this point to launch a de novo aggregator To, TOS point about market structure.
So when the rule came out I think everyone up here at like three in the morning, like reading the rule, and, and I, there's a guy in the rule making team that's like in your, okay, so the one's up here at least there's a guy in the role making team that that works outta Europe.
And so I figured he'd be the only person that might be willing to talk at three in the morning.
So I sent him a note saying, this is a George RR Martin fan fiction as to what you think the world should look like.
Which by the way, I think there's a comment, it might be in the official record, but the, they have envisioned a market structure that doesn't currently exist, which is the first time I've ever seen something so aggressive off of basically two, two sentences in a rule.
And with the notion of like, well, if we get halfway there, we'll see what happens.
There'll be another team to figure it out, which is just like an awful way of winging it.
And so we'll see what happens.
Okay. We have time for one last question.
Do you want, wait one second, river.
Thank you.
I think Tom touched on this a little bit, but I'd love to get the panel's take on kind of how does the regulation primarily impact the the aggregators themselves in terms of where the value that they bring, not just to the banks, but also to the fintechs.
Obviously providing those connections historically through screen scraping was sort of one of the reasons the aggregators existed.
Now that a lot of the traffic's moving to APIs, I'm curious how, you know, what do the aggregators connectivity products look like a few years from now?
It's still real hard.
Yeah, I was gonna say, if anyone thinks it's easy Yeah.
Integrating one point versus even your top 300, it's just not even a consideration. Yeah.
Should You go and then I go, Or, this is why I think that the ultimate market structure, if you imagine the world, a world where the rule goes into effect is one where you have a relatively small number of institutions of, of aggregators that have direct connections to financial institutions.
There may be some small number of bilateral connections between large institutions, whether bank or non-bank, but the screen scraping explicitly, right.
Is targeted by the rule.
It imagines screen scraping going Away.
Okay.
The rule, the rule doesn't actually prohibit screen scraping, which is like an absurd aspect of it if you're gonna have this rule, like if They basically, but it basically, It doesn't address screen scraping.
It does we're gonna agree to disagree on this.
I mean, it Doesn't explicitly but word search like scraping.
Sure.
Right? Like, it literally doesn't address the thing it's supposed to address.
Sure.
Well, I don't agree with that.
You know, the thing I would note also, and this kinda goes to the market structure point and so I had this corporations professor in law school that said, look, you gotta read the opinion, but then you also have to listen to the music, right?
Like, what was going on in that case to lower chancery.
And in this case, I think you have a, a director And the CFPB, but really a director that wanted to avoid accusations of creating a moat around the large aggregators.
And so he kind of envisions a world that, again, currently doesn't exist of more direct connections of limited secondary use for the aggregators, but because it's like they have half the tools to get there because it's a world that doesn't exist it'll really be kind of weird to see what happens in terms of the World's left.
And I think, you know, it is a market for value add, right?
If you are just taking data from point A to point B, like that's old already, right?
You know we do enrichment, we do software solutions, we do analytics, like there's a lot of things that we can do beyond just the, the data from point A to point B.
And I think the, just the complexity of the ecosystem here, I mean, you saw what was announced this morning, like investment data.
How long is it gonna be before the SEC and FINRA come to this party years, right?
And in the meanwhile, we've got APIs sharing investment data, so like the industry is gonna keep on moving forward.
And that is like one of the core roles of, you know, especially when you have, like we do 14 years under our belt of making these connections and moving data around, putting it to work.
I mean, ironically, investment data was shared long before, uh, 1250 12 USC 5533 existed because wealth managers and RIAs want complete visibility over the portfolios of their clients.
It's really the core account information that has been the primary area of contention.
And that ironically over the last 14 years that that has sort of faded.
Yeah.
And we have new, there are new sort of points of friction that the rule basically doesn't, doesn't address like screen scraping.
Yeah.
That Anyone who wants to for the roll afterwards, I wanna say that's The whole point of tokenization.
A giant thanks to Jesse, to Kelvin and to Tom.
I'm sure they'll be available to chat afterwards, but thank you all.
Thank you, Jane.
Test in Progress: Open Finance, 1033, and What It Means for the Data Economy
The promise of Open Finance is tremendous, but the regulatory and competitive landscape can get complicated. This session will dive into Open Finance as the first true test of a data economy. How can financial providers improve outcomes for consumers, get a handle on data exhaust, and ensure data is used for good, not selfish gain?
Learn More About MX
Watch Next
Jeffrey Ma, Kingpin of the Famous MIT Blackjack Team
How to Win with Data
Rebel
Finances, Feelings, and Fears
Bank of Hawaii, UCCU, J.P. Morgan Private Bank, BECU
Grow Engagement and Loyalty
Transcript
If the concept of 1033 is new to you, anyone, I won't shame you, but it's been hanging around for a while now, as many of the people on this panel know, I'm gonna get them all to introduce themselves, their current role and kind of what their area of interest is around data specifically.
And then we'll dive on into the question.
So, Tom, I am Tom Brown.
It's odd to be in a room with people from the financial services industry where they're not mostly either clients or portfolio companies, But so it goes.
I have been in the financial services industry for, at this point, almost three decades.
Started my career at Visa and as a outside counsel for Visa as an antitrust lawyer.
And took a winding path to the current role, which is a partner and general counsel at Nica, which is a FinTech focused venture fund.
I also retained an advisory relationship with Paul Hastings, where until I joined Nyca, I was the co-chair of the FinTech practice and the chair of the competition practice.
So that's me.
Why do you Care about data?
Why do I care about data?
Well, it turns out that I have been supporting and investing in companies in what we would call the FinTech space, going back to the early part of the last decade.
Companies like Chime Digit Ramp, Mercury, a bunch at Nyca.
And many of those businesses depend on access to account information that sits at other financial institutions.
And there was a moment in time, I believe it was, I believe it was 2014 if I recall correctly, when that the consumer permission to access to account information exploded in the financial services industry.
And there's an article in the Wall Street Journal by Robin Sedel that has Jamie Diamond's picture.
And the really, the only person quoted in the article is me, making the suggestion.
And I'm sure that Jamie Diamond has better things to do than to watch this video later.
But the thrust of my comment was that we should live in a world where consumers don't need the permission of a bank president to provide access to their account information to third parties.
And fortunately at that point in time, we lived in such a world because, 12 USC 5533 for the lawyers, in the room this is the statutory site requires financial institutions to allow consumers to access their data in electronic form.
And I know that Kelvin will shake his head at this, given the statutory text, also provide access to that information to third parties.
and so I have been on the front lines of this, ever since it's A decade ago already.
It is a decade. All right.
And I should have prefaced it with the expect some spicy, glad you guys are all together, Trying really hard, not together, like Kamala, like dirty looks and shaking heads and on The sidelines, dude, have to Okay.
Make it a presidential debate. I like it.
All right, Kelvin, tell us about your role, why you care about data.
Hey, everyone, my name's Kelvin Chen.
I currently lead policy for a trade organization for retail banks, the Consumer Bankers Association.
In prior roles, I was in-house at a couple of major banks.
I also, I was in the government, and so I was at the CFPB under Rich Cordray.
So under the Dems when they were working on some of the initial works aspects of this, I actually left the bureau partially because I disagreed with their approach to the rulemaking and went to the Federal Reserve Board, where some of the early work we did was to kind of lay down some markers and say, Hey, it's a little bit more complicated than you guys believe.
So I went over there in prior roles, I was at the FTC and was a litigator in New York.
And you care about data because… Oh, yeah.
You wanna prove everyone wrong?
No, no, I, I mean, I care about data because, so in my heart of hearts, like although I'm in the, the private sector, I'm a big believer in the federal government and good regulation, and the notion that if you do regulation correctly, you can build businesses on it.
If you build regulation poorly, you can snuff out a lot of innovation.
You can snuff out a lot of use cases.
And so, like at cocktail hour, I can talk to you about, talk to you about my favorite regs and how it's launched all new industries and safe ways, and how other other regulations have come to him and kind of snuffed regulation.
And in this case, I really worry that the bureau's gotten it wrong.
Starting with, and you know, Tom and I can debate this at length, but starting with how you read the two sentences that are in 1033 that are relevant, but down to like the millisecond prescriptions that they have in the rulemaking, I just think that the risk to market innovation and the risk to open banking, which we do strongly feel like the way, do strongly encourage the risk to further development of that ecosystem could be harmed by this rulemaking.
Awesome. Alright. Looking forward to getting into it.
And we have a very big treat today, having a data-driven FinTech OG in the room.
Jesse, introduce yourself.
You're OG if you've been doing this for 20 years.
Yeah, so the first 10 of which we would have people drag their OFX file over to our software to, you know, get access to their data.
I founded a company called YNAB and our goal is to have people love how they spend their money and they can't love how they spend if they don't know how they're spending.
And so we need, we need their data in our software as quickly as possible so that we can maintain the context that they need to, to make that precious exchange of, of money for something.
Our stance is that most people view money as a chore.
They want to distance themselves from it.
Yet here we all sit in this room trying to earn it at the same time.
And so it's this weird dissonance for everyone where you exert a lot of effort and energy and blood, sweat, and tears to earn the thing.
And then once it, once all that effort has become a dollar, you suddenly are uninterested in what happens to it next.
And so we're trying to convince people that they should take that same intentionality on earning and thread it all the way through to the spending.
And they have to be able to, in this day and age, they have to be able to get to their data to even have a basis of reality from which they can start making great spending decisions.
But I also have my favorite regulation. I'm just kidding.
I don't have favorite regulations at all.
I'll maintain silence for most of this panel, I'm sure.
But I'll just try and smile and nod and keep things, you know, cordial.
Keep It civil.
Thanks.
Thanks for being the referee here.
No, well, I think it is really important, you know, Jesse and YNAB, a you are the third party or data recipient or, you know, there was this sense at the beginning, it was like, oh, it's banks, you know, sharing money with FinTech, so it's bank to Jesse, and, you know, that's just, that's not the only use case.
Like the bank to bank use case is a very, very big one.
And often it is sort of small bank to large bank not necessarily the other way all the time.
So there is just a lot of stakeholders.
Third party, I think Kelvin, you're representing the data providers in terms of your consumer banker association, but they're also into data as well.
And they're also into, yeah.
And many of them and many people in the room as well.
You know, if you have data aggregation, if you account account verification, like you are a third party, even if you are a covered institution.
So, and then you have groups like MX where we are a data access platform.
We are enabling the movement of data in what is an incredibly complex ecosystem.
And so I'm just gonna shut down that we can learn from the rest of the world because, you know, Australia has four banks.
The UK has nine, like we have tens of thousands of participants in this economy.
It is far, far more complicated to move data around the ecosystem.
And if you are, you know, the CEO of a credit union who's here, you're not gonna be able to set up nodes individually yet to the 10,000 covered institutions and potentially 10,000 fintechs.
So the data access platforms are incredibly important to enable that.
So with all of that, let's jump on in, a little context.
The draft rule came out last October.
Comments were finalized by the end of December.
December, the bureau got 11,000 comments in, it was hotly debated.
We've had a lot of consultation this year, both as individual companies as well as I'm sure consumer bankers have been there.
We've been in there as a financial data exchange.
Like there's been a lot of engagement around, here's where the rule falls short, here's where like, here's where it could go further.
But the intent of the rule is very solid.
People should access, it should be private and secure.
There should be an interoperable standard that we're all complying to.
There should be third party risk management, but there's some real good key guidance points, and then there's a lot of gray areas.
So let's dig into the gray areas.
What areas do you expect to see change?
And then what do you hope to see change?
So it's two questions, expect and hope, and Jesse, you can do wishlist if wishlist, if you didn't read the whole 300 page rule, but I didn't even have chat GPT read the whole 300 pages.
It's a good way to do it.
For us being, I mean, we're, we're a small business.
We're bootstrapped, we reinvest profits.
And so for us I think we're highly sensitive to, and Kelvin would agree here, a bad regulation.
I could, I felt that because a bad regulation means only the, the most, well-funded the people that can just slog through and lobby and just kind of wear down the reg until they can get through.
We're like the guy trying to do something new in a neighborhood, you know?
And you've got like a maze of bureaucracy that even a bureaucrat can't navigate.
And so we always are just kind of sitting there hoping that whatever is left for us we can afford to navigate.
But I couldn't even begin to.
So my wishlist is have it be affordable for the, the smallest, you know, the one single guy in his garage that wants to spin something up, that's where the competition starts and have it be affordable for him.
And then of course, all the way up the chain.
That's our big, big wish with this.
Yeah, and I think Kelvin, it's interesting in that you represent institutions of all sizes.
Well, actually we're, we're basically 10 billion plus.
Oh boy.
Yeah.
So, But yet that's the small.
No, I'm just kidding.
Yeah.
So what do you expect to change? What do you hope will change?
So in turning, in terms of expect change, and this is like super pragmatic I expect the compliance timelines to change.
And that's, it's pragmatic, but hopefully it matters to folks in the room.
For folks that have been watching this, you're aware, one interesting thing about this rule is that basically everyone is covered, but the very largest institutions would have to implement within six months, which is crazy fast, right?
And so we, we basically sent a letter into the bureau saying, Hey, we've got people that are having to implement right now to a rule where they don't know what the rule will be.
Alright? You've got a standard setting organization that you haven't yet recognized, and we're trying to aim to that.
And indeed, the rule actually contemplates the launching of a bunch of other standards heading organizations that never were created.
Please give us more time.
The thing I would notice politically the bureau had a reason to have the short timeframe initially, because you only kind of cram industry into the short timeframes if you're trying to make the rule harder to challenge.
Because once a rule, once certain, like one person is compliant with the rule, then if a new CFPB comes in, they have to kind of go through more administrative hoops to propose a rule.
But the rule has come out so late in the year that even six months, we push it out.
And so basically they can extend the timeline at no additional risk to themselves from, from a political perspective.
So it's a very inside baseball way of saying, we expect there to be more time for the very bigs.
Should I go to wishlist? Yeah, let's do it.
I mean, wishlist, there's a lot.
And so one of my colleagues, he doesn't want the rule to exist.
There it is, speaking to the camera.
And for the record, he doesn't want the rule to exist.
Here's what I'd say about the rule.
And, this is a very, it's a yes or no question, a very different question that wasn't on the prep list.
You know, earlier we had a speaker show various Disney characters, right?
So like, there's a question as to whether you were like Dora or whether you were I forget the, like they had a dog..
It was Dumbo.
Okay, so, and a goldfish.
So the example here, as I would say, we're kind of Dumbo again, right?
What I, what I be a goldfish cowboy.
I don't know if like everyone's looking to this rule as if it's the feather that helps the industry fly, right?
And what I would say to the collected crowd here is, I don't know that you need the feather.
Like you can be pro open banking, you can be pro data sharing, pro-consumer access, and really wonder whether this feather was necessary or whether it, again, it impedes your ability to fly.
And the issues being right, because of all the, the major infirmities in the rule, like hardwired into this rule is a 99.5% uptime requirement and a 3,500 millisecond ping time requirement for all the data types that are there.
I used to be an engineer.
I haven't done engineering in quite some time, but it's, I would think that for all the data fields, maybe one data field could be 99%, 99% you know, uptime, maybe for another data field, you only need it within five seconds rather than three and a half seconds.
The point being is there should be some market driven conversations about where things should go, particularly as this rule evolves, it took over 10 years to write it.
Can you imagine having to go through another 10 years to say, oh, actually we need five more milliseconds for this to take place.
So, that's my answer to Tom's question.
I'm taking way too much time.
The on on the wishlist, we have a blog post up with all the things we're concerned about.
The thing that I do wonder is why the rule would need to go so heavily into payments.
So the rule is theoretically about consumer access to data.
It's captioned as such.
When you read the plain language, even as aggressively as Tom does, presumably it's about giving consumers like access to their data.
Chopra, the director at the CFPB has talked about this enabling a whole new open payments ecosystem, which again, may be a good thing in its own right, but I think that this is a very limited toolkit for getting there.
And there are all kinds of things that they haven't addressed, including how you take care of fraud and scams.
So they, where they'd be opening up a Pandora's box without really being there to help fix the solutions at the end.
All right, so Tom, expect to change. Hope to change.
So in terms of, in terms of what I expect to change, I think the, I think the timelines for implementation will shift.
and I'm skeptical that that much else will, the primary areas of sort of contention from a comment standpoint or scope.
So just to refresh, and we're gonna play some games with the statutory text since, Kelvin keeps alluding to it without quoting it.
‘Cause it's inconvenient for him.
I really do love each other for real.
Tom really is like a mentor that I just despise at times, but a mentor nevertheless, it's our first time on a panel together.
You've seen me do this to other people.
No, no, You blew me up at a 1033 panel. Yeah. I think I was in the audience though.
But it's never safe, it's never worse.
It's never safe when I'm around.
Um, so the primary areas of contention were scope.
So the text of the rule, just to go back to that, a covered person EEG bank shall make available to a consumer shall, by the way, is self-executing Covered persons includes non-bank financials, although not in this rule Upon request, blah, blah, blah, consumer financial product or service using the lang-, using the text of Dodd-Frank, whereas only credit cards are in scope for any lenders, right, only credit cards and certain reg e covered accounts including DDA accounts and digital wallets.
So if you look at the comments, one of the primary errors of contention was the scope of the rule.
Like why is it so narrow given that the text of the statute that is the thing that Congress passed and that the president signed is quite broad.
I don't expect that that will change.
But if it's going to change, it may change in areas of access to payroll information and some government benefits.
Uh, but again, I don't, I don't actually expect it to change.
In terms of hope for change, this is actually a really hard question.
Because there's sort of aspirational which probably adheres to something closer to the text of the statute, like the actual law as opposed to what comes from the executive branch.
Which the Supreme Court reminded us recently in Loper Bright, and I'll come back to why this is important, is not actual law.
Actual law is what Congress passes and what the Supreme Court says Congress has passed.
And so if you are, if you're aspirational, you sort of want a rule that adheres closer to the statutory text, if you're pragmatic, and this is, I'm gonna throw this out as a, as much as a question for the audience, as anything, I'm not sure you care at this point.
Because I think regardless of how the bureau, changes or adheres to its proposed rule in the final rule, the rule is going to be subject to litigation.
It'll almost certainly be challenged in the fifth Circuit, I think, so long as the people driving the challenge have an IQ above the ambient temperature in the room they will seek a preliminary injunction to suspend operation of the rule, pending resolution of the case.
I think they have a better than 50/50 chance of obtaining such a preliminary injunction.
And so if I'm operating against that backdrop, it's hard to feel like there's a lot at stake with the actual content.
I've gotta do a lawyerly disclosure here.
I can't comment on the likelihood of litigation here.
We've gotta see what the rule looks like.
Need to confirm, not right.
So just to be clear, Tom is speaking on his behalf, but nine and a half of the other panelists, Okay? There will be blood, there will be lawsuits, there will be lawsuits, I mean, and Loper Bright.
Alright, so this is the case from the Supreme Court last year that sometimes called the reversing Chevron decision.
And what's interesting, I think and important about that case, right in the context, and we're gonna do some basic civics here, right?
We all recall that we have, divided federal government three kind of coequal branches, but like one of the pigs is bigger than the other pigs.
and the big pig per the Constitution, like they go in order.
So article one of the Constitution is Congress, article two is the president, article three is the court.
And what the Loper Bright Court, what the Loper Bright decision essentially says is, okay, as between US court and executive in interpreting law, which is what Congress produces, we court are going to decide what law is not you, president.
And so that invites people who are unhappy with regulation to take that unhappiness to court.
And reasonable people can disagree about whether that is the optimal design for a constitutional system, but it is kind of consistent with the, the framer's design and certainly very, very, very consistent with Chief Justice Roberts Juris Putin.
We did promise this would be a PhD level class if no, almost– I thinking there's a test afterwards.
Yeah, there really is.
So from a core issue, and for, I'm gonna say everybody in the room, a lot of our, themes today have been just data, the use of data, getting insights, putting data to work, getting to know customers better.
The use of data has become standard for how businesses operate.
You know, both to service customers as well as to do product development, platform testing, research, marketing segmentation, all of those things.
The rule as drafted puts really strong limitation around what can be used under this term secondary data use.
So the primary use is, I'm applying for a mortgage, you're gonna have all my data can apply for the mortgage.
Whoever touches that data on the way through and finally receives the data can only do it in service of that mortgage use case the way that it's, this reasonably necessary use of data.
So from the from the perspective, like all your different perspectives, like what's your take on sort of secondary data restrictions as drafted and where you think it could go?
We don't really have enough time.
So first one question is like, why do I think that the rule came out that way?
And I think here, it's a reminder that personnel is policy and director Chopra has been concerned about surveillance capitalism since since he worked in the bureau with Kelvin, and The FTC and when he was a chair at the FTC.
And I think that aspect of the rule, which again, has little connection to the statutory text, is sort of directly connected to his policy priorities.
I think in terms of, in understanding them, they remind me a little bit of two what I would describe as overwrought statutory and regulatory frameworks.
One which is a subject of congressional testimony that I gave, I don't know, five, six years ago, the Fair Credit Reporting Act, which actually doesn't deal with fairness, but does deal with credit has a very, very, very specific statutory design, and which is immensely confusing and largely bypassed by many people that you would think it would apply to EG data brokers.
and then Graham Leach Bliley, which governs access and use of personal information in the financial services industry.
And, uh, the original congressional intent of which was to limit marketing of products to consumers who had provided PII to financial institutions.
Now as it turns out, once you give lawyers enough time to think about a regulatory framework, they can find ways to achieve the desired commercial objective without violating the underlying statutory text.
And I tend to think that the concerns that have been expressed related to the restrictions on secondary use will be resolved in ways that are sort of similar to how commercial entities have responded both to the Fair Credit Reporting Act and and GLB, which is to say the regulation as designed will likely not address director Chopra's concerns about surveillance capitalism because the commercial impulse to find ways to put products in front of consumers who don't otherwise have information about them is very strong.
Yeah, Absolutely.
So we are gonna open up for questions in 10 minutes and we'll do lightning rounds until then saying, Kelvin, from your constituents perspective and from yours and the CBAs, how are you thinking about secondary data?
So this is a great example of just how clumsy rule writing leads to potentially bad market outcomes.
To Tom's point, like I can understand the intent behind it, and I think we actually agree here, but we have a situation in which imagine I'm the new boss of the room, right?
And I say, okay, you guys can only do what the, what the primary purpose of the activity that you've got out there.
However, what you determine the primary purpose is isn't necessarily what you tell the consumers it is even in your tiny writing.
So even if you disclose it to the consumers, so no one knows what that primary purpose is there.
So you've got a potter steward. I know it when I see it.
And then we're gonna have a situation where, because of the way the, the bureau has supervisory authority as, as well as enforcement authority, I'm gonna say, okay, so I'm not gonna give you guidance.
I'm not gonna define what secondary use is.
Versus primary use is, I'm gonna live in Tom's house, so I'm gonna have a floor in Tom's house where I have a group of examiners that anytime Tom wants to do anything, they've gotta talk with Tom's gotta talk with the examiners, and they'll figure out what primary purposes are versus secondary purposes are.
And for Jesse, actually, this is a bad example.
'cause I guess Jesse is a FinTech, but for Jesse, go wild, right?
And like, you might not have me on my radar, and if you do it wrong, if I hear about it, I'll come after you, but you're not really on my radar.
That just doesn't lead to good results.
It doesn't lead to good innovation.
You can't do business that way or build products.
You can't get investment that way.
And so that just strikes me as just really poor form.
Yeah, I mean it's very meaningful for Jesse because he's gonna be the one who has to get consent to do the disclosures due record retention.
And it's a part of the role that hasn't really been discussed as much.
Not Jesse's lawyer but you know, Jesse is consumer facing, he's offering a PFM tool.
It's at least visible in the commentary to the rule that within the scope of that service that are broad permissions to provide consumers with information about ancillary products and services.
So like I think to Kelvin's point it, I'm sympathetic, you know, putting myself in the the shoes of the people commissioned to draft the rule, knowing a director Chopra's policy priorities as to why it's there.
I don't know.
My current instinct is that, that the significance that people are attaching to it will proven over time to be even assuming the rule becomes effective, as to which I'm very skeptical of lasting commercial significance.
I mean, here's an example, and this is just a, a small example, but, and maybe one showing my age.
And when Google was trying to have this same conversation with the FTCA generation ago about secondary use, and this is setting aside the fact of like what's disclosed and what's not disclosed, what, like Google was able to make the world's best spell checker from just detritus because of the misspelling.
Like, you misspell a word in the search and you're like, oh, that's not what I want.
And so then you do your next search and you get the right spelling out, then they immediately make the world's best spell checker because they now have bazillions of data inputs on how people misspell words, right?
That was just an exhaust that came off the data.
That's a universal consumer good that we, that we now kinda take for granted every time we're typing with our thumbs, right?
Like we can type with our thumbs now, but the second Secondary use restriction only, here's the thing, the secondary use restriction only applies to the information that you've received via aggregator.
It doesn't apply to the information that you are developing or using in connection with the service you're providing to the consumer.
So, I don't… I have a really hard time understanding how in practice that's going to be meaningful.
It may matter for aggregators, but it's not clear to me that aggregators are actually using information in ways that would offend the principle.
And to the extent that there may be use cases at the margin, there are ways of transforming data that would enable the designed outcome without triggering a secondary use concern related to the PII specifically I agree.
It's not clear, but my point is that it should be, I don't know, you're never gonna be up.
I mean, if your objective is to limit this is a rules versus principles problem.
Like you are never, and then we had a version of this conversation related to my favorite topic out in the, in the lobby before we went on.
And I'm not going to embarrass you by by pointing out the subject of that, but you can raise it if you want.
When you're talking about, when you're asking for prescribed rules, it is death by a thousand cuts with respect to implementation.
If we go back to where you started the conversation around like, oh, all the data elements and should it be 99% versus 99.5, or can we have 10 milliseconds versus five milliseconds?
The, the idea that we can imagine a regulator with enough information and and produce consensus to have that kind of dictate, like, that's just farcical.
I'm not asking for, they have 99.5 in the proposal.
Like, I don't want, that's anytime They're specific Want the market to solve This.
Yeah.
But I think you're getting into the, anytime you're specific, right? Like I think let's go to competition, okay?
Right. Because that was one of the big intents of the rule.
Yes, there was guardrails around time and response times and things like that, but at the core, this is also a competitive, which was also not in the language.
So Jesse, just how are you thinking about this?
Do you feel like this helps a competitive edge?
Do you see competitors coming onto the scene?
'cause data is more freely available that may have different business cases and different revenue streams that may make it more challenging for you?
How are you thinking about the competitive space?
We the com-, I mean, it definitely is warmed up quite a bit competitively.
And, I would say pre pre covid and then slightly post like 21, it was like fever pitch, and then things kind of started to go away.
Again, the, I'm only concerned for our ability to help the end user, and I am skeptical of regulation.
And it sounds like Tom and Kelman are both, it sounds like Tom's kind of saying, I don't think this regulation's gonna even matter that much necessarily.
Like people give lawyers enough time, and they'll navigate around it.
And you can see lots of examples of that.
And then I also hear Kelvin saying why even have the regulation?
And so I think the end result may be the same.
It may be what happens is we all just accept the cookies that pop up when it says accept cookies, and we've all just been conditioned to accept cookies.
That was a regulation, right?
I mean, that, that was supposed to make everyone aware of the fact that they were being followed.
And now instead, all they do is habitually accept that they're being followed.
And so I am skeptical of the regulation in general, but I am concerned that the regulation could be overly burdensome.
I act, I'm not legitimately concerned, like I'm more philosophically concerned that it would be overly burdensome for a small business like ours.
But yeah, you just, I believe regulation in the end decreases competition, and it's used by the private sector to build moats.
And I hope that that doesn't, that's not the case for FinTech where it's so hard to get in.
You can't have someone compete against Visa or MasterCard.
You can't have someone that builds out new payment rails, because the regs are so locked down tight that it's impossible. Yeah.
And, and remember, like half the DA accounts in this country already have access through secure APIs.
We've solved a lot as an industry, but what we haven't talked about is that that other 50% do they need the regulatory stick to move because that competitive carrot hasn't necessarily worked.
One anecdote, Jane, is when a large bank, broke badly with our data aggregation provider with MX, we put out a notice it was a significant, percentage of our users that were affected by this large bank, and we put out a notice to those users and said, Hey, this bank has pulled out and it's now broken for you.
We didn't see customers saying, I can't believe your app is broken.
We saw customers say, how do I switch banks? Yeah. Right.
And so I believe my hope is that the tiniest locus of control sitting with the consumer en mass is what actually moves the market.
And we've seen it in our little tiny space.
And I would hope that actually is awesome that they'll follow us and they'll leave a bank in a heartbeat.
My hope is that we can do things that let you leave banks easily, like switch all of your connections, all of your subscriptions, all of your things over to some other and make it more competitive that way.
And I do think this is what has changed between seconds, between 2014 and now.
Okay.
The market is in a very different spot in terms of hundred of consumer expectations.
And so technology, this is why I think 1033, the statutory language is important as I wrote, around Christmas, I really don't think that the rule is going to matter a great deal at this point. Mm-Hmm.
Alright. Hot takes. We did promise spicy PhD level.
All right.
Questions from the audience?
Oh you already, you don't have to stop. Not the brawl.
Well, listen, Sorry. Thanks.
Um, so if you're a small business like Jessie's, what's one, the one takeaway from today?
Like how would you tell them to, what would you tell them to do?
And this is for Tom and Kelvin.
So a small business non-bank.
At this point, all you can really do is watch and wait.
The opportunity for comment has passed.
I don't think it is in your individual interest to initiate litigation related to the content of the rule.
So that would be my suggestion.
I would just add, I wouldn't watch, I would just get to work serving The customer.
Yeah.
Keep hustling, right? Because from my perspective, again, I just don't know what the rule gives you other than kind of buffers and hard walls and things that can't change, the conceit.
And if I'm wrong about this, let me know.
But it's my understanding that it's basically like there's a lot of relations to be made.
There's a lot of like, like a lot to build.
Just keep hustling and let DC do what do DC does?
Well, and I mean, we're now weeks away from the final rule and there'll be a lot of hot takes.
So I think, uh, yeah, read widely 1, 1, 1 thing I would say, I don't think the outcome of the election will affect the rule.
This is a rule that has been in gestation for, at this point, 14 years has passed through the hands of many administrations, including, um, both the prior Trump administration and the Biden administration.
I think the outcome of this regulatory process will end up in litigation, But again, it's the right thing to do for customers.
That's, Melissa, you had a follow up? Sorry, I had A follow up.
And then how do you compare that suggestion with what a, a small community bank would do?
Should do, a small community bank should talk to their trade association, and I assume most of the path that Kelvin has blazed for banks slightly higher will be the path that, that they follow in where they're not currently supporting access.
I would expect them to want to continue to oppose supporting access.
And I would anticipate, if you're looking for a group of constituents who seem most likely to litigate the final content of the rule that would be my guess My version of that would be like, know your customers very well, right?
And so if your customers are demanding this, build towards that.
And if your customers, like every community bank serves a different pocket, they exist to serve particular needs, right?
Like, keep again on the theme of knowing what you're, like, keep doing what you're doing, like know what your customers need and, and prioritize.
'cause there's a lot that community banks have gotta build towards, Right? Yeah.
And I think related to that, 1033 has taken up a lot of the oxygen in the last year, but there's other coming rules or other things in process, like the lack of a federal privacy law, the fact we've got potentially a data broker Overdraft the broker deposits, The data broker rule coming.
Yeah.
There's a lot of intersections coming from different agencies that it's just, you know, as I've heard it describe, it's like a tsunami of rulemaking.
So it is a lot. Other questions.
Hey, I'd love to get the panel's take on enriched data and whether or not it will be covered or I've heard theories that it could be, is it confidential commercial information, I think is the name so anyone can answer So enriched from the data provider.
Yeah.
So you, well, you know, like we do merchant enrichment, MX does enrichment to take the raw transaction data and then uplift it and make it more useful at the firm.
Yeah, I think it all comes down to the reasonably necessary use of data that the fields that are in the financial data exchange spec are pretty much like raw data.
They're pretty binary.
So unless there is an explicit use case that doesn't work without enriched data, but there is no guidance.
You can catch me if I'm wrong, but there's no guidance in the role that says you have to do something to those fields in order to share, Except for the payment stuff.
They have a bunch of weird stuff about payment routing that's hyper specific on payments, and I don't know much of that is enriched or not. Sorry, go ahead, Tom.
I don't think it's super weird.
And it is hyper specific and it just relates to account and routing information.
But with that caveat, I think I would, I agree, with both Jane and Kelvin, the way I think about it sort of simplistically is there's above the line information, so the information that relates to covered accounts, and that is specifically delineated in the rule, and then there's below the line.
I think, I mean, it will be interesting to just sort of watch over the next five, 10 years, there's a clear market structure that the rule contemplates related to and an open standard.
And there will be this sort of, there will be a thousand flowers in the aggregation space.
Like yeah, I don't, I'm taking the under on that.
Like I, there will be, if the rule were to go into effect, I would anticipate a market structure that looks a lot like what you've seen in the fair credit reporting context where you'll end up having the rule in financial services, the rule of three, right?
There's a primary, there's a backup.
And because not every financial institution wants the same primary and backup, you need a third.
That feels like the ultimate market structure that would exist.
I think, you know, one other caveat on the advice for small businesses, like, it'd be really, really, really tough at this point to launch a de novo aggregator To, TOS point about market structure.
So when the rule came out I think everyone up here at like three in the morning, like reading the rule, and, and I, there's a guy in the rule making team that's like in your, okay, so the one's up here at least there's a guy in the role making team that that works outta Europe.
And so I figured he'd be the only person that might be willing to talk at three in the morning.
So I sent him a note saying, this is a George RR Martin fan fiction as to what you think the world should look like.
Which by the way, I think there's a comment, it might be in the official record, but the, they have envisioned a market structure that doesn't currently exist, which is the first time I've ever seen something so aggressive off of basically two, two sentences in a rule.
And with the notion of like, well, if we get halfway there, we'll see what happens.
There'll be another team to figure it out, which is just like an awful way of winging it.
And so we'll see what happens.
Okay. We have time for one last question.
Do you want, wait one second, river.
Thank you.
I think Tom touched on this a little bit, but I'd love to get the panel's take on kind of how does the regulation primarily impact the the aggregators themselves in terms of where the value that they bring, not just to the banks, but also to the fintechs.
Obviously providing those connections historically through screen scraping was sort of one of the reasons the aggregators existed.
Now that a lot of the traffic's moving to APIs, I'm curious how, you know, what do the aggregators connectivity products look like a few years from now?
It's still real hard.
Yeah, I was gonna say, if anyone thinks it's easy Yeah.
Integrating one point versus even your top 300, it's just not even a consideration. Yeah.
Should You go and then I go, Or, this is why I think that the ultimate market structure, if you imagine the world, a world where the rule goes into effect is one where you have a relatively small number of institutions of, of aggregators that have direct connections to financial institutions.
There may be some small number of bilateral connections between large institutions, whether bank or non-bank, but the screen scraping explicitly, right.
Is targeted by the rule.
It imagines screen scraping going Away.
Okay.
The rule, the rule doesn't actually prohibit screen scraping, which is like an absurd aspect of it if you're gonna have this rule, like if They basically, but it basically, It doesn't address screen scraping.
It does we're gonna agree to disagree on this.
I mean, it Doesn't explicitly but word search like scraping.
Sure.
Right? Like, it literally doesn't address the thing it's supposed to address.
Sure.
Well, I don't agree with that.
You know, the thing I would note also, and this kinda goes to the market structure point and so I had this corporations professor in law school that said, look, you gotta read the opinion, but then you also have to listen to the music, right?
Like, what was going on in that case to lower chancery.
And in this case, I think you have a, a director And the CFPB, but really a director that wanted to avoid accusations of creating a moat around the large aggregators.
And so he kind of envisions a world that, again, currently doesn't exist of more direct connections of limited secondary use for the aggregators, but because it's like they have half the tools to get there because it's a world that doesn't exist it'll really be kind of weird to see what happens in terms of the World's left.
And I think, you know, it is a market for value add, right?
If you are just taking data from point A to point B, like that's old already, right?
You know we do enrichment, we do software solutions, we do analytics, like there's a lot of things that we can do beyond just the, the data from point A to point B.
And I think the, just the complexity of the ecosystem here, I mean, you saw what was announced this morning, like investment data.
How long is it gonna be before the SEC and FINRA come to this party years, right?
And in the meanwhile, we've got APIs sharing investment data, so like the industry is gonna keep on moving forward.
And that is like one of the core roles of, you know, especially when you have, like we do 14 years under our belt of making these connections and moving data around, putting it to work.
I mean, ironically, investment data was shared long before, uh, 1250 12 USC 5533 existed because wealth managers and RIAs want complete visibility over the portfolios of their clients.
It's really the core account information that has been the primary area of contention.
And that ironically over the last 14 years that that has sort of faded.
Yeah.
And we have new, there are new sort of points of friction that the rule basically doesn't, doesn't address like screen scraping.
Yeah.
That Anyone who wants to for the roll afterwards, I wanna say that's The whole point of tokenization.
A giant thanks to Jesse, to Kelvin and to Tom.
I'm sure they'll be available to chat afterwards, but thank you all.
Thank you, Jane.
View Full Transcript