Regulators Should Force Fintechs to Protect Consumers

When looking at the new competition arising from fintech companies, many bankers understandably feel that they are at an unfair disadvantage. Banks must deal with a constricting regulatory environment, but regulators don’t always apply the same standards to fintech companies. So bankers have lobbied regulators to take a more aggressive stance towards their new competitors. [Editor’s note: The Consumer Financial Protection Bureau recently fined payment startup Dwolla $100,000 for “deceiving” customers about its security practices.]

Bankers are right to push regulators on this issue. Regulators must take a closer look at the growing fintech sector, create new standards and coordinate their efforts across multiple enforcement agencies.

The purpose of these oversight efforts should not be leveling the playing field between banks and new entrants. Instead, the purpose should be protecting customer data and keeping customers informed about how their information is used. Regulation that properly incentivizes innovation and benefits consumers needs to focus on security, privacy and transparency.

The Clearing House, which processes payments for banks, correctly pointed this out last year in a white paper that detailed some of the security lapses by alternative payments providers. For example, reports surfaced last spring that Venmo allows changes to important account information without notifying the user. This is a basic security blunder, and banks can be left on the hook for fraudulent transactions when new providers make such mistakes.

Setting Standards Based on Size, Access to Customer Information
To help fix this situation, regulators need to implement security standards for fintech companies based on their size and the type of customer information they touch. That means some fintech companies should be held to the same standards as banks—particularly those that offer account products—but others should not, depending on the sensitivity of the customer data they handle.

It also means that early stage startups shouldn’t be held to the same standards as larger, more mature fintech companies. An early stage startup with a minimum staff is not likely to have a security professional or the funds to hire one. So holding small startups to the same security standards as a large mobile wallet provider that processes billions of transactions per year will only strangle innovation.

Banks can play a key part in helping these early stage startups while also improving their own offerings. Many of these startups hope to partner with or be acquired by banks. As millennials grow up, those banks will increasingly compete with their peers based on their digital offerings. The ability to effectively partner with small, agile startups while ensuring security and compliance will be a competitive advantage for these institutions.

A bank that wants to partner with a promising startup can share some of its knowledge, staff and resources in security and compliance with the startup. Banks are usually cautious in launching new products in conjunction with startups anyway, typically starting with a small trial with a limited number of users before a full launch. That approach helps banks ensure security and compliance with the product and partner before a full launch with customers.

Effective Security Standards
While giving early-stage startups leeway on security makes sense, fintech companies with a threshold of customers using their products should face appropriate scrutiny and regular security audits because of their increased value and attack surface for hackers.

That means regulators will need to be more specific about their security guidance than they’ve been in the past. Regulators often shy away from mandating specific security measures, instead favoring general guidelines and benchmarking against industry peers. As the cyber threat grows bigger, regulators will need to require measures like tokenization and encryption for fintech companies handling sensitive customer information. Those fintech companies that offer account products or a direct connection to users’ existing bank accounts should be required to monitor and analyze user activity to prevent unauthorized logins and transactions.

These measures are likely to become industry standards in time anyway, but regulators shouldn’t hesitate to take a hand in speeding up that process. Regulators might prefer to wait and let the fintech market determine industry standards. Security is already a competitive advantage for fintech companies. Apple set the bar when it introduced Apple Pay and emphasized the security built into it. The fintech companies that don’t meet industry expectations for security won’t succeed in the long run. But regulators shouldn’t wait for fintech winners and losers to shake out to take action that could help protect customers’ information now.

Where the CFPB’s Faster Payment Vision Falls Short

On July 9, 2015, the Consumer Financial Protection Bureau released its “vision” for faster payment systems, consisting of nine “consumer protection principles.” The principles build on concerns about payment systems raised by CFPB Director Richard Cordray in a speech last year. These well-intentioned principles pose a number of practical problems and ignore the inherent interdependence of consumer and commercial benefits as payment systems evolve.

The CFPB’s nine principles stake out a bold policy stance aimed at ensuring that faster payment systems primarily benefit consumers. The principles are:

  • Consumer control over payments;
  • Data and privacy;
  • Fraud and error resolution protections;
  • Transparency;
  • Cost;
  • Access;
  • Funds availability;
  • Security and payment credential value; and
  • Strong accountability mechanisms that effectively curtail system misuse.

Release of these principles follows initiatives by the Federal Reserve System, The Clearing House, and most recently NACHA, through its same-day ACH rule approved in May, to promote the development of faster payment systems.

Practical Concerns with the CFPB’s Faster Payment Systems Principles
The CFPB’s principles undoubtedly deserve consideration, and few industry participants would disagree with them at a high level. Though reasonable in theory, certain goals articulated by the CFPB may prove impractical, counterproductive, or unduly optimistic in practice. Here are four examples:

Data and Privacy
The CFPB generally wants consumers to be “informed of how their data are being transferred through any new payment system, including what data are being transferred, who has access to them, how that data can be used, and potential risks[,]” and wants systems to “allow consumers to specify what data can be transferred and whether third parties can access that data.”

This amount of disclosure and degree of consumer control is unrealistic for routine payment transactions, unnecessary in light of current and evolving security measures and fraud and error resolution protections, and likely to thwart the goal of faster payment processing.

Transparency and Funds Availability
The CFPB expects faster payments systems to provide “real-time access to information about the status of transactions, including confirmations of payment and receipt of funds” and to give consumers “faster guaranteed access to funds” to decrease the risk of overdrafts and non-sufficient funds (NSF) transactions.

Here and throughout its principles, the CFPB expresses its desire for faster payment systems to benefit consumers immediately. Implicit in this goal is a rejection of staged implementation of consumer protections, as in NACHA’s same-day ACH rule where same-day funds availability for consumers follows same-day settlement of debit and credit transactions. Additionally, real-time access to information about transaction status seems costly and unhelpful until consumers can act upon such information in real time.

Cost
The CFPB envisions affordable payment systems with fees disclosed to allow consumers to compare costs of different payment options.

The CFPB’s vision of comparative cost disclosures across the ecosystem of available payment options is unrealistic given the existence of competing independent payment systems, multiple payment channels and devices, and varying degrees of intermediation. The total cost to consumers of using different payment systems depends upon many unpredictable variables, making comparative cost disclosures little more than rough, imprecise estimates.

Access
The CFPB expects faster payment systems to be “broadly accessible to consumers,” including “through qualified intermediaries and other non-depositories.”

This principle focuses on unbanked and underbanked consumers. Although broad accessibility should be encouraged, it is difficult to imagine a safe and widely accepted payment system evolving in which banks would not be heavily involved in the origination and receipt of transactions. Indeed, payment systems that have evolved independent of banks—such as virtual currencies—pose substantial consumer protection concerns.

Implications of the CFPB’s Principles
CFPB Director Cordray emphasized that “the primary beneficiaries” of faster payment systems should be consumers and the CFPB’s principles reflect this view. Creating faster payment systems is an enormously complicated industry-driven undertaking, the cost of which is borne by industry participants. As such, faster payment systems must offer tangible benefits to industry participants, not just to consumers, if they are to succeed. The CFPB’s principles would be more effective if they expressly recognized the need to balance consumer and commercial benefits.

Further, the CFPB may intend to use its principles as a chokepoint for policing consumer protection features in evolving payment systems. We hope the CFPB’s adherence to these principles does not become rigid and overzealous or threaten to derail useful payment system improvements before they get off the ground.