Data Sharing and Privacy: Fintech Users’ Delusions and Deceptions
The Clearing House (TCH) recently conducted a consumer survey, asking respondents about their behaviors and attitudes regarding the sharing and use of their personal and financial data. TCH found that roughly half of consumers would like to:
- Provide explicit consent to every third-party that seeks to access their data;
- Control which of their financial accounts and data types can be accessed by any third-party; and
- Exercise control over third-party access, collection, use, and sharing of their financial data through a dashboard within their primary bank. In addition, three in 10 said they would like to control access to their data via a customer service representative within their primary bank.
Of the three in 10 consumers that use fintech apps, about half said they're aware of how these apps collect, use, store and share their data. Roughly a quarter said they're unaware of the apps' data-related activities, but I'm inclined to think that those that answered "neutral" belong in the "unaware" category.
Among those fintech app users, a little less than half believe that the apps they use can access their personally-identifiable information (PII) as well as their bank account balances and transaction history. A little more than a third believe their loan and investment information and history is available to the apps they use.
Fintech app users also weighed in on how they think fintech app providers are using their data. Roughly half think it's "for purposes specifically consented to by the user," and about four in 10 think the data is being used "as desired" or "to sell" by the third-parties.
Fintech app users have serious misconceptions about how their data is used and how fintech providers and banks "share" data. The reality about data privacy and sharing is that it's way too complex a situation to think that consumers could simply have a dashboard and check off who gets what.
The timing of the release of the TCH study at about the same time that Bloomberg ran its story on Google's so-called "secret" deal to purchase transaction data from Mastercard couldn't be better. Despite claims that no PII was shared between the two firms, Google was still able to match purchases to individual consumers' online behavior. Yet somehow, consumers are supposed to be relieved that no PII was shared.
Bottom line: Like it or not, the onus is on banks and credit unions--not the fintechs--to educate consumers on how data is "shared." I put the word in quotes because I'm not even sure it's the right word to use. Banks and credit unions need to educate their customers and members on:
- APIs. It's not realistic to expect consumers to understand what an API is (it is realistic to expect non-tech oriented bank and credit union execs to understand what it is, though). Banks and credit unions need to educate consumers on: 1) What is an API? 2) What data is included in the APIs the financial institution has created? 3) Who can access--and who is accessing--those APIs?
- Card networks. Despite all the advertising the networks do, consumers couldn't care less about them. They get their cards from banks and credit unions. That's who they think has their data. When Mastercard sells data to Google, consumers will get mad at the issuer, not the network.
- The realities of data sharing. Consumers told TCH that they want "control" over how their data is used, and many said that they want to exercise that control through their banks. I may be wrong, but I don't think that's a realistic request for the near future. Consumers want something else beyond control, however--they want transparency. Financial institutions should publish a quarterly "Data Sharing Report" detailing who accessed customer data, how often it was accessed, and how third-parties used the data.
Prediction: Data privacy laws will evolve to adopt a "real-property" model of privacy. As one law professor writes:
"Privacy describes the state of a domain that encompasses certain important personal interests extending above and beyond the mere economic. That domain includes both material objects (such as our bodies and certain real and personal property) and immaterial concepts (including certain liberties and our reputations). It is not that we “own” our privacy or private matters in the way that we own property; it is that rights to policing our private spheres are more readily understood on the model of rights in real property—that is, as rights to exclude others (or not) from the private domain, rights to alienate items within that domain, and rights to enjoyment of that domain. We should reject the view that privacy itself is a matter of control."
Director of Research