Dodd-Frank Section 1033 promised consumers the right to their data. Twelve years later, the rule still isn't written, but it has nonetheless proved foundational for fintech as we know it.
Hey friends -
Chime, Plaid, Mint. Just a few of the 10,000 or so fintechs in the US. Many only exist because of ~300 words buried in the 360,000-word Dodd-Frank Act. Section 1033: Consumer Rights to Access Information.
Somewhat confusingly, rulemaking under Section 1033 still hasn't happened: the Consumer Financial Protection Bureau (CFPB) has yet to write the supporting regulations. It's so far behind that Biden even gave the regulator a kick in an executive order last year. Notwithstanding the delays, the section has proved foundational for much of how fintech works today.
We're coming up on the 12th anniversary of Dodd-Frank and the first anniversary of the executive order this month. It's high time we look at Section 1033.
In this week's letter:
Dodd-Frank Section 1033: the battle for control of your financial data
Transparent health care prices, a Gorgosaurus for sale, and more cocktail talk
A personal favorite, the Hemingway Special Daiquiri
Total read time: 12 minutes, 42 seconds.
Just released this week, Funders & Founders Episode #5 with Stephan Cizmar, Co-Founder and General Partner at Lorimer Ventures. They’re an emerging pre-seed to Series A venture capital firm behind exciting companies like Formic (robots by the hour) and Emi (recruiting frontline workers).
We discuss everything from the values that underpin the firm to the thematic focuses that drive the investments. It’s a fun episode with a deeply thoughtful operator-investor.
Let's travel back in time to 2006. The dot-com crash is a memory, the good times are back, and many banks actually have usable websites. JP Morgan Chase is apparently the #1 consumer banking website and even my local regional People's United Bank has a recognizably modern consumer banking site.
The problem, as a customer, is that there's no way to stitch the two together. Finances handled through Chase stay at Chase and finances handled at People's stay at People's. If you want a single picture of yourself, you're stuck.
Along comes Mint in 2006. Mint was the first of the big personal financial management websites. With Mint, you could track all of your financials in a single application no matter where they lived and set spending and saving goals. Mint was eventually acquired by Intuit, launched a mobile app, and remains a prominent player in the space today.
But before we get ahead of ourselves, let's go back to what "Mint.com" was in 2006. It was a website of pretty graphs and analytics that sat on top of Yodlee, a data aggregator founded in 1999 and now owned by Envestnet. The system worked as follows:
Create a Mint account
Enter your bank credentials - emails and passwords - to connect all of your bank accounts
Mint passes your credentials to Yodlee
Yodlee logs into your bank accounts and scrapes all of the data
Yodlee sends the data to Mint
Mint creates a single view of your personal finances
Wait a sec. Your passwords?! The things you use to authorize moving and spending money?! You wouldn’t hand your ATM card and PIN to a stranger on the street to fetch you money, so why would you hand it to an app?
It doesn't sound like a good idea.
Ultimately, it was a choice for the consumer. Millions decided that they were okay handing over their credentials.
Mint offered very real value. Managing finances across multiple banks, credit cards, and online brokerages was a hard challenge for anyone, made harder because the financial institutions didn't want to play nice. Refusing to share data prevented consumers from easily comparing fees or switching financial service providers. Concerns around data security were real but always secondary to profit.
Mint worked on behalf of consumers. It circumvented the banks' shenanigans to create a useful service. The company even offered the service for free, monetizing eyeballs through affiliate promotions like helping you find a new, higher-yielding savings account. But the security tradeoff to do so was stark.
For Mint to work, consumers had to hand over bank credentials to a third party who did who-knows-what with them. And it wasn't just Mint; the aggregators under the covers, like Yodlee, were invisible to most consumers. It was an arrangement that didn't even begin to consider data rights. Once they got ahold of your data, what could they do with it?
To the credit of both Mint and Yodlee, it appears they've responsibly handled the tremendously sensitive data their customers entrusted them with for almost two decades. But that can't be the right answer. There must be a middle ground - a way to stitch together your personal financial picture and not hand over your entire bank account to unknown third parties.
Enter Dodd-Frank Section 1033.
Dodd-Frank Section 1033 is as underwhelming to read as it is momentous in its effect. In just over 300 words, it clearly states that financial services companies must make a customer's data available to that customer upon request.
Among the important details:
The requested data needs to be made available in a usable, standardized, machine-readable, electronic form.
Data covers everything related to a "financial product or service that the consumer obtained" including all of the transactions, costs, and usage.
The financial institutions don't need to disclose "confidential commercial information" like how credit scores are calculated.
In short - your data is now your data and the banks have to give it to you. Or so the law says.
The reality is that we're now at a very weird halfway point. The CFPB has so far abdicated responsibility for actual rulemaking. The regulator issued non-binding principles in 2017, but that's been about it. Because the CFPB is an independent agency, the executive branch can't actually direct it to do rulemaking, so the President wrote an angry letter instead.
In the meantime, to the chagrin of banks, an entire fintech industry emerged that leans on the as-yet-unwritten rules to facilitate data access. All the while, we still don't have robust data privacy rights so it's up to reading per-company terms and conditions to figure out what any given company is doing with your data.
It's a mess.
There are ultimately four constituents that matter: the consumer, fintech apps, data aggregators, and the financial institutions themselves. Each has different priorities and a different risk tolerance. Needless to say, they conflict.
We, consumers, are straightforward. We want financial products and control of our data. We want to be able to selectively authorize companies to use and access our data to do stuff on our behalf. We want those parties to protect our data, tell us what they're doing with it, and share with us any data we create when using the services. When we no longer use the service, we want the companies to stop using our data.
The three other constituents are more complicated.
Fintech apps like Mint mostly want access to your data on an individualized basis to deliver you services. Any individual's experience with the product is mostly powered by just their data.
The story for fintech apps that actually charge users typically ends here because the user is the customer. "Free" fintech apps have a different customer - the financial services firms that want to advertise to you.
The "free" fintech apps monetize your eyeballs by selling aggregated, anonymized insights from multiple users, but generally don’t make individual user data available to third parties. This isn’t a moral high ground, it's just economics - your data is part of their secret sauce that they don't want others to access.
The result is that fintech apps' interests are mostly aligned with consumers. They're in conflict with the financial institutions that have to support data access but don't benefit at all from the services.
The main concern with fintech apps is the quantity of data they access. The more they know about you, the better a job they can do building products and services you might like, so they tend to access too much, too frequently. That makes them an attractive target for hackers.
By contrast, the interests of data aggregators like Plaid are poorly aligned with consumers. You're really just a secondary user; fintech apps are the primary users. Those same apps are frequently only secondary customers; hedge funds and other data buyers are the primary ones.
That's not to say Plaid, Yodlee, and other aggregators don't provide value to consumers - they do. Plaid is the reason that you can now instantly connect your bank account to just about any service without waiting for a multi-day trial transaction to clear. The service in turn provides significant value to fintech apps that can focus on building products to serve you rather than integrating into banks.
The problem is that the economics of that banks-to-apps plumbing business aren't compelling. What generates money is unnecessarily accessing data while it flows through your systems to generate "insights" you can sell to others. As I highlighted in a previous letter:
Digital data sharing usually involves specialist intermediaries who should have no rights to your data - they're just the pipes - but that's rarely the case. Most of us rarely read the fine print in terms and conditions and few regulations prohibit them from accessing the data. So they do it.
I went on to beat up Plaid as one of the worst offenders, despite the company's representations that it wasn't engaged in such practices. A few months later, Plaid settled a class-action lawsuit covering 98 million people for $58 million over unauthorized access to user data without disclosing it to the users.
Despite the value they provide, the interests of data aggregators are fundamentally misaligned with consumers. It's different than Google which also monetizes your data but returns some of the value in the form of increasingly personalized search results and more relevant ads. With data aggregators, there's simply no benefit whatsoever to their accessing your data.
They're also in conflict with the banks. Like the fintech apps, banks benefit from dealing with just one integration partner rather than many, but they don't benefit from the data aggregator unnecessarily accessing the information. Jamie Dimon was particularly vocal on the matter in 2017:
"[There are] people who improperly use data that’s been given to them, like Plaid."
When you accuse the data aggregators of conflicts, they tend to throw temper tantrums. Bill Harris, the then-CEO of Personal Capital and former CEO of Intuit, probably takes the cake for the worst take. In response to more concerns voiced by JP Morgan in 2017, Harris wrote a long piece in which he called them "baloney." Unfortunately, Personal Capital's track record within just a few months speaks louder:
After being contacted by the Journal, Personal Capital also added a new paragraph to its customer privacy disclosure that says outside firms might “be contractually allowed to rent, sell or otherwise make commercial use” of customer data.
Inevitably someone will write in to highlight that banks are also prolific customers of data aggregators. That's true, but it's not the bank part of the bank that buys; it's the trading desks and private wealth management arms. They're buying and consuming signals on consumer spending, debt, and the like to inform investment strategies in the same way a hedge fund might. It's a separate and distinct contract. Look no further than JP Morgan, which bought Yodlee data for years but didn't allow the firm access to customer information until 2019. The additional agreement ensures consumers retain full control over with whom their data is shared.
Despite Jamie Dimon's comments, banks and other financial institutions aren't exactly blameless. Section 1033 and the fintech apps exist in large part because JP Morgan and others wouldn't share data. In many ways, fintech is a workaround of the banks' own making.
Most of the bank objections to data sharing have been voiced in the name of security and data privacy. There's substantial truth to many of them - terms and conditions are difficult to understand, third parties don't always manage data safely, and third parties shouldn't have access to users' passwords.
But there's also a substantial undercurrent of misdirection. Yes, data should be secure and kept private. No, it's not the banks' role to determine what I do with my data.
The key problem for any bank is that they're at the wrong end of this entire setup. They bear the costs of making data available, give up the competitive advantage of exclusive access to data, and the benefits accrue to others. It's not surprising they're throwing up objections.
In a sense, banks are the most conflicted constituents because they'd rather this whole enterprise didn't exist. Their objections align with consumers only insofar as it's also beneficial to the bank. It can be hard to know where a bank's role as a responsible data steward ends and its self-interest begins. The complexity breeds mistrust.
It's certainly not helped by a media that loves to pillory banks. In 2016, the New York Times stated:
But if you’re Jamie Dimon, this has to be utterly galling. A bunch of West Coast whippersnappers go into your site, figure out when your customers are spending money, tell a robot to take additional amounts out regularly and then invest the money someplace else. Your in-house financial advisers are left out of the picture. You’d stomp your feet and hurl insults, too.
The article then went on to quote Plaid about how they don't "take more data than they need." The NY Times would do well to learn that just because a bank's wrong doesn't make a fintech right.
You may have noticed that many of the quotes and links are from around 2017. That year, still waiting on Section 1033 rulemaking, the industry finally rallied around an uneasy middle ground. The solution’s not brilliant, but it's a lot better than the previous status quo.
The solution to the multi-constituent conflict was a consortium that more or less left everyone unhappy. It's a good indication that it's doing a decent job of finding a midway point in between the legitimate but conflicting priorities of consumers, fintech apps, data aggregators, and financial institutions.
Financial Data Exchange (FDX) is a non-profit industry standards body formed in 2017 dedicated to establishing a common, interoperable, and royalty-free technical standard for user-permissioned financial data sharing. That last part - user-permissioned - is absolutely critical.
Among the major improvements, FDX has helped push data aggregators and fintech apps away from requesting users' passwords. There's a new flow:
Fintech apps direct users to the data aggregators like Plaid
The data aggregator directs users to bank login services
Users log into the bank
The bank issues a token to the data aggregator that proves that the user logged in
The data aggregator makes that token available to the fintech app
The upside is twofold: (1) the password is only ever exchanged between the user and the bank, and (2) the token allows fine-grained control over data access. Whereas logging into the bank directly may grant you super-user control over your account, a token issued to a data aggregator may grant only read-only access. It's a nuance that makes all the difference in securing your account.
The downside is exactly the same - the bank retains fine-grained control over the token. They share only the data they choose to make available.
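To make the difference between the 2006 credential-sharing flow and the token flow above concrete, here is an added toy model (not code from this post, from FDX, or from any bank or aggregator). The Bank class, the scope names, the sample account and the aggregator functions are all constructed for illustration; the point it demonstrates is that an aggregator holding the password can do anything the user can, while one holding a read-only token cannot move money and loses access the moment the user revokes the token.

```python
import secrets

READ_ONLY = frozenset({"accounts:read", "transactions:read"})  # constructed scope names
FULL = READ_ONLY | {"payments:write"}  # what a full login session is worth

class Bank:
    """Toy bank with constructed sample data. Every operation needs a scoped token."""
    def __init__(self, user, password, balance):
        self.user, self.password, self.balance = user, password, balance
        self.transactions = ["-4.50 coffee"]
        self.tokens = {}  # token -> granted scopes

    def issue_token(self, user, password, scopes):
        # Steps 3-4 of the FDX-style flow: the user authenticates at the bank and
        # the bank hands the aggregator a token limited to the scopes granted.
        if (user, password) != (self.user, self.password):
            raise PermissionError("bad credentials")
        tok = secrets.token_hex(16)
        self.tokens[tok] = frozenset(scopes)
        return tok

    def revoke(self, token):
        self.tokens.pop(token, None)  # the user withdraws consent; access ends

    def _require(self, token, scope):
        if scope not in self.tokens.get(token, frozenset()):
            raise PermissionError(f"token lacks scope {scope}")

    def read_transactions(self, token):
        self._require(token, "transactions:read")
        return list(self.transactions)

    def transfer(self, token, amount):
        self._require(token, "payments:write")
        self.balance -= amount
        return self.balance

def credential_aggregator(bank, user, password):
    """2006 model: the aggregator holds the password itself, so it can obtain a
    FULL-scope session whenever it wants; nothing stops it from moving money."""
    return bank.issue_token(user, password, FULL)

def attempt(fn, *args):
    try:
        return fn(*args)
    except PermissionError:
        return "denied"

def run_flows():
    """Contrast what the two aggregator models can do against the same account."""
    bank = Bank("alice", "hunter2", balance=100)
    legacy = credential_aggregator(bank, "alice", "hunter2")   # password handed to the aggregator
    scoped = bank.issue_token("alice", "hunter2", READ_ONLY)   # user logged in at the bank instead
    out = {
        "legacy_transfer": attempt(bank.transfer, legacy, 30),   # 70: the password grants everything
        "scoped_read": attempt(bank.read_transactions, scoped),  # reads work on a read-only token
        "scoped_transfer": attempt(bank.transfer, scoped, 30),   # "denied": no payments:write
    }
    bank.revoke(scoped)
    out["after_revoke"] = attempt(bank.read_transactions, scoped)  # "denied" once revoked
    return out
```

The model deliberately lets the bank decide which scopes a token carries, which is also the downside the text describes: the bank, not the user, still chooses what the token can reach.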
Industry participants that use FDX may not know exactly what data will be shared, but they do know how it will be shared. The consortium's standard defines over 660 unique financial data elements.
That's an enormous benefit to the industry. Over 200 financial institutions have joined as members, everyone from big banks like Bank of America and JP Morgan to data aggregators like Plaid and fintech apps like Mint by Intuit. In its many implementations, the standard now supports over 2.9 billion data requests per month and over 22 million users. Data requests and users are both still growing at over 100% a year.
The consortium is a giant leap forward but still leaves us with substantial room for improvement. Terms and conditions are nightmares for consumers to navigate because there's no data privacy standard, so most of us don't bother reading them at all. FDX creates an interoperable standard but still leaves negotiating access to data up to bilateral agreements between financial institutions and aggregators. That brings the same misaligned incentives right back to the forefront.
There's a real role for regulation to further the good that's already been accomplished with FDX. Giving users back control of their data shouldn't be an opt-in from banks, it should be mandatory. Consumer control of who the data aggregators share their data with is key. Data rights need to be standardized and enforced.
This isn’t even a novel idea. It's so common we even have a name for it - open banking. Even regulator-mandated open banking is no longer novel - Europe and the UK phased it in starting in 2018. The result has been a flurry of new fintechs.
The US is now playing catch up. Plaid is the canonical example. They're the de facto monopoly in the US for connecting fintech apps to banks because banks don't want to manage multiple vendors. That lack of competition inhibits innovation.
In Europe, there are many competitors with all varieties of business models. Just to take one, Nordigen connects to over 2000 banks for free. Like, actually free. They make money by upcharging for premium features like better support. Good luck getting Plaid to offer a free tier.
We'll see where Section 1033 goes in the coming months. It appears Biden is serious about his executive order. CFPB Director Rohit Chopra has been vocal about the issue, and the agency included it in its Spring 2023 rulemaking agenda. That's guidance that the regulator anticipates publishing new rules by May 31, 2023. I'm cautiously optimistic.
Thirteen years after Dodd-Frank, we might finally get our data back.
Where there's mystery, there's margin. "As of July 1, health insurers and self-insured employers must post on websites just about every price they’ve negotiated with providers for health care services, item by item." Will it happen? Maybe. Hospitals are required to do the same but the fines have been so paltry that most don't bother. (Kaiser Family Foundation)
As a debt collector that's worked with over 13 million consumers, TrueAccord has a better finger on the pulse than most on the current state of consumer financial affairs. Their 2Q22 update brings together a broad swath of data worth keeping an eye on. (TrueAccord)
How to Spend It, I'm a 5-year-old edition. Have a spare $7 million? Sotheby's is auctioning a Gorgosaurus later this month. 10 feet tall, 22 feet long, and weighing in at 2 tons, it's an apex predator that predated the T. Rex by 10 million years. (NPR)
A group of scientists accidentally created a bunch of angry hamsters. For over 40 years, repeated research has linked the hormone AVP with aggression. But when a group of researchers knocked out the AVP receptor expecting docile hamsters, they instead got a bunch of biting, chasing, scent-marking maniacs. And just when you think you've got it all figured out. (FreeThink*)
You know it’ll be good when its other name is the Papa Doble.
3.5 oz Light Aged Rum
0.75 oz Luxardo Maraschino Liqueur
1 oz Grapefruit Juice
1 oz Lime Juice
0.5 oz Simple Syrup
Pour everything into a shaker. Add ice until it comes up over the liquid. Shake for ~20 seconds, until the outside of the shaker is frosted. Strain into a coupe glass and enjoy!
A man walks into a bar… seriously. Hemingway walked into El Floridita in Havana and the Hemingway Special Daiquiri was born. Always made as a double, it’s a wonderful riff on the classic Daiquiri. The drink here is the modern variation of the more sour original that I prefer. Per Hemingway’s specifications, the original dials back the maraschino and omits the sugar entirely to create a drink that lets both the fruit and the rum shine through. It’s a wonderfully refreshing sipper in the middle of a hot summer’s day.