New Fintech Group Wants Cybersecurity Rules Scaled to Risk

By Gregory Roberts

A new financial-technology industry group is drafting a letter to federal bank regulators urging them not to squash screen scraping by casting the net too widely in a proposed rule on cybersecurity.

“Our concern is that the definition of external dependency management is so broad it could sweep a host of fintech players under prudential bank regulatory oversight,” Steve Boms, the vice president for government affairs for Envestnet|Yodlee, told Bloomberg BNA Jan. 23.

Envestnet|Yodlee is one of the charter members of the new group, Consumer Financial Data Rights (CFDR), and the company joined in the Jan. 19 announcement of its formation. Envestnet|Yodlee provides financial management and data aggregation services; other group members include companies involved in online platform lending, robo advice for investments and digital-currency payments processing.

The Office of the Comptroller of the Currency, the Federal Reserve Board and the Federal Deposit Insurance Corp. are taking comments through Feb. 17 on a proposed rulemaking on enhanced management of cyber risk for the institutions they supervise and the companies providing services to those institutions.

CFDR wants the regulators to apply cybersecurity rules tailored to the degree of risk to consumers and the financial system posed by the company involved, Boms said, so that a small fintech firm won’t face the same burden of regulation as its $100 billion bank partner.

CFPB Concerns

CFDR is concerned more broadly with the future of screen scraping, a catch-all term that refers to the online collection and aggregation of consumer data from bank and other other web sites by the kind of companies the group represents. That technology actually represents a small portion of the collection performed by his company, Boms said, with more than 70 percent realized through direct access to the banks via application program interfaces (APIs) and other tools.

The group’s overall position aligns with that of another bank regulator, the Consumer Financial Protection Bureau. The CFPB announced in November that it was seeking information from the public about “the challenges consumers face in accessing, using, and securely sharing their financial records.”

Consumers, the bureau said in announcing the inquiry, should be able to choose with whom to share the information and to control how it is used.

The CFPB also raised cybersecurity issues, saying it “has heard concerns from some financial institutions that providing third-party companies with access to records may compromise consumer privacy or put consumers’ funds and account relationships at risk.”

Banks also could face increased competitive pressure from fintech companies armed with the full array of consumer information now held by the banks.

To contact the reporter on this story: Gregory Roberts in Washington at gRoberts@bna.com

To contact the editor responsible for this story: Michael Ferullo at MFerullo@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.