Cyber Monday shows that fintech companies need more regulation.
It’s hard to find the most shocking detail about FTX, the cryptocurrency exchange that imploded in such spectacular fashion. From borrowing billions of dollars from customer deposits to meet debt obligations, to using company funds to buy employees’ homes and “personal assets,” the story of FTX’s rapid demise is marked by blatant exploitation on the part of the now-bankrupt exchange.
If these types of abusive practices seem intuitively illegal, that’s because they are under current US securities laws. But FTX (which was based in the Bahamas, except for its much smaller operation FTX US) and other crypto firms largely do not fall under securities laws. Instead, they live in a regulatory gray area. Although FTX is currently being investigated and prosecutors may find ways to hold its decision-makers accountable under US law, it may be more difficult than you expect. The fact is that crypto companies are not governed by the existing financial and securities regulations – and crypto is only the tip of the larger fintech iceberg.
Under the current US regulatory regime, fintech companies are seen more as technology companies than financial firms. The sector has therefore largely been governed by the same “regulation-lite” regime as the technology industry, in contrast to the much stricter regulation of the financial industry.
This has significant implications for, among other things, users’ sensitive financial data. Laws governing the financial services industry give users’ financial and banking information special protection and privacy rights, and recognize that consumer information is deeply personal and sensitive. The US approach to technology regulation, on the other hand, which trends more free market than its EU counterparts, has led to a regulatory regime that allows users’ data to be treated as a commodity – one that can be collected, privatized, aggregated, and sold by industry.
The impact of this regulatory approach is far-reaching, given how pervasive fintech companies are becoming. While cryptocurrency is still relatively niche, other fintech services, from Apple Pay to Zelle, are becoming increasingly integrated into our everyday lives. Although the word fintech may conjure up something vaguely futuristic and aquatic to you, chances are you’ve used a fintech service at some point. Fintech refers to a rapidly growing sector of companies, such as Acorns, Affirm, Square and Robinhood, that use new technology to compete with traditional financial services firms. As financial consumers have increasingly shifted their activities from analog to digital, with a recent survey showing that 78 percent of Americans now prefer to bank digitally, fintech companies have proliferated.
In this online financial frenzy, which is set to hit a peak during Cyber Monday sales, it’s easy to overlook one thing that’s being bought and sold: data about consumers.
What many users don’t realize when signing up for fintech services is how much sensitive financial data they’re handing over. Typically, when a customer links their bank account to a fintech app, the app can access and collect financial data through provisions in its terms of service. A glance at the privacy policy of your typical fintech app reveals a laundry list of data points collected about you.
Take fintech payment facilitator Plaid, for example. You may not have heard of it, but if you use Venmo or Coinbase, you’ve used Plaid. And Plaid collects, among other things, very detailed information about users’ bank accounts, credit accounts, loans and investments, as well as personal information such as social security numbers and geolocation. The volume and type of information scraped is far beyond what many customers would reasonably expect when signing up for fintech services like Venmo that use Plaid as a payment processor. (In fact, Plaid recently paid $58 million to settle a lawsuit that alleged the company deceptively obtained more financial data than necessary.)
Because they are largely regulated as technology firms, fintech companies are able to monetize the data they collect by selling it to third parties, such as hedge funds, creating insights into customer behavior and facilitating targeted marketing. The industry is opaque, so it is difficult to quantify exactly how much data is being sold, and to whom. However, the American Bankers Association observes, “Many data aggregators [including fintech firms] use the data for purposes other than the service that the customer sought. Access to all data allows the aggregator to make money by selling the information to other third parties, even if the customer neither knew about the potential use nor asked for additional services or marketing.”
This Faustian bargain is the tech industry’s bread and butter: You receive ostensibly “free” services in exchange for your data. Except that the data fintech companies deal with is unique: it is particularly sensitive financial information and should be treated accordingly.
Data commodification can generally be disastrous. Yet fintech data practices are particularly insidious because the dissemination of highly sensitive financial information can have significant effects on individuals’ participation in society (for example, by massively increasing consumers’ exposure to fraud and identity theft). By transferring users’ financial data from the safer, legally protected home of the bank to the unruly data services market, these companies are exposing users to risks they probably aren’t even aware of.
This requires lawmakers to bring fintech under the umbrella of existing financial regulations, creating fintech regulation that emphasizes “fin” over “tech.” This will ensure, among a number of other benefits, that users’ financial data is subject to protection under the Gramm-Leach-Bliley Act’s Financial Privacy Rule. Also, regulating fintech companies federally, rather than by the current patchwork of state laws, would create a more consistent, coherent regulatory regime.
While the fintech sector has the potential to make our financial lives more convenient, efficient and fair, it needs to be properly regulated so that the risks presented to consumers do not outweigh the rewards. Closing the fintech loophole is necessary to correct the current ambiguity and create a more unified, common-sense regulatory landscape. Otherwise, we can say goodbye to our financial privacy.
Future Tense is a partnership between Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.