The Coming Cybersecurity/ Data Sharing Clash

If you're not already doing so, you might want to sit down for this one: CUNA, NAFCU, ABA, CBA, ICBA, Financial Services Roundtable, and The Clearing House all found something they can agree on: the need for tighter cybersecurity.

In a letter sent to the co-chairs of the House Committee on Energy and Commerce and the Subcommittee on Digital Commerce and Consumer Protection, the trade groups wrote:

“Stopping breaches is critical for consumers, and also important to our members, who often have the closest relationships with those affected. Data breaches impose significant costs on financial institutions of all sizes, because our first priority is to protect consumers and ensure that they have no liability for fraud that typically follows a breach."

Good to see all seven associations agree on a "first" priority. wrote:

The letter points to the Data Security Act, under which all entities would have to protect sensitive personal and financial data, would have to notify consumers and impacted people in a timely manner, and must ensure companies are complying by oversight on the part of state and federal governments.

There's nothing like a common enemy to bring diverse interests together, and in this case, that common enemy are the retailers who get hit with the data breaches that cause headaches for the FIs.

There's another side to this story that few people are tying together: The calls for data portability-- or "open banking"--across FIs. The CFPB has been at the forefront of this movement in the US. In its Framework for Industry-Wide Collaboration report, it wrote:

“Further coordination among all of the stakeholders in [data sharing] -- financial institutions, data aggregators, fintech providers, regulators and consumers themselves -- will be critical to achieving a secure, inclusive and innovative financial data-sharing ecosystem that supports consumer financial health.”

Not surprisingly, the CFPB positioned its point of view as an "inclusiveness" benefit, which would be funny if it wasn't sad, because--by definition--the unbanked don't have accounts with financial institutions in which data could be shared.

Roughly 15 years ago, Yodlee introduced its account aggregation capabilities. The lesson of the past decade should be clear: Consumers really don't care that much about seeing their data in one place, they don't care that much about budgeting and expense categorization capabilities, and they care a lot more about data security than all of the supposed benefits of data sharing.

Calls for greater cybersecurity standards are on a collision path with regulatory directions for data sharing across FIs. The seven associations listed above should get together on the data sharing issues, as well.

Ron Shevlin
Director of Research
Cornerstone Advisors