Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:14
CT. Tea.
Speaker 2
0:16 – 2:05
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski, and it's time to talk tech. Today, we'll be talking about privacy and data. First we'll take a look at how states are filling the void when it comes to shaping pro privacy policies for internet users with the federal government failing to address privacy and in some cases eroding existing protections for consumers And then we'll shift our focus to a sector where data can improve our lives the financial sector We would all likely welcome some support in managing our finances But as fintech becomes more prevalent and new services pop up who ultimately has control of our financial data? Is it the banks, or is it us, the consumers? For privacy advocates, twenty seventeen certainly has not been a banner year when it comes to federal privacy legislation to protect consumers and Internet users. There hasn't been much movement on pro privacy legislation. And when Congress and the administration have acted, it wasn't good, as we saw with the use of the Congressional Review Act to eliminate the broadband privacy protections from the FCC. But with privacy being eroded or ignored on the federal level, a number of states are stepping up to protect the privacy of their residents. CDT's data and privacy team has upped their state game accordingly. And two members of that talented team, Natasha Duarte and Vijay Kashau, join us today to share some of what is happening. Welcome to Tech Talk, Natasha and Vijay. Thanks, Brian. Happy to be here. And Vijay, first time guest. That's wonderful. Thank you. So I touched on it a bit, but tell me why states are really jumping into privacy, right now.
Speaker 3
2:07 – 2:46
So we sometimes, see privacy as a bipartisan issue and it can be. But, recently with consumer privacy, it hasn't been, so much of a bipartisan issue. We've seen a lot of, partisan, disagreement. And so there's been some gridlock on the federal level. And so we're also seeing that people actually really want privacy. What? I know. It's crazy. And so, states as they normally do, and there's an absence of action on the federal level, are stepping in, to try and give their residents privacy protections.
Speaker 0
2:47 – 3:07
Vijay, you had something to add to that? Yeah. So I'd say that, in in our experience with these state legislators, they're a little bit closer to the ground. And and as you mentioned, there's this strong popular sentiment in favor of privacy regulation right now. And because these senators, the state senators are generally more responsive to the needs of their constituents, they're actually taking action on it to fill in this void that you mentioned with the CRA.
Speaker 2
3:07 – 3:29
Yeah. No. There was some, really amazing headlines that came after, the broadband privacy rules were rolled back that I'm guessing a lot of, federal level folks did not really anticipate. So I'm not surprising perhaps that the state, state legislators are picking them up. But there's definitely pros and cons to this. Right? You know, acting on the state level. What are some of the pros? What are the cons on this?
Speaker 3
3:31 – 4:22
Yeah. So so one pro is that, states can sometimes sometimes act a little more, quickly. Things tend to happen more quickly, on the state level, and so they can respond more quickly to, what, their constituents are are telling them and and what, privacy protections are needed. Needed. And they can also, sometimes set, they can experiment a little more and and set a a higher standard for privacy, than we've had on the on the federal level and we haven't had, you know, really strong privacy rules on the federal level. Ever. Yeah. And, some of the cons obviously, it is harder for everyone to have multiple different standards to comply with in in different states. That's probably the main con.
Speaker 0
4:22 – 4:56
Yeah. Yeah. That kind of patchwork of state legislation that resulted in the absence of federal legislation, I think is going to be quite the challenge of states kind of, which is a good thing. States are adopting this legislation to the unique problems their states face, the unique concerns of their citizens, etcetera. But the result is this kind of patchwork of different standards and things that companies have to meet, which is definitely going to be a challenge moving forward. That makes sense. Are there any states that are, like, super amazing on privacy? Illinois, in particular. Illinois. Needle quite a bit. Yeah. Alright. Cool. So let's talk about, a little more specifics on the type of work that you both have been doing,
Speaker 2
4:56 – 5:08
on the state level. There's been, you know, certain privacy issues. Issues. And as you mentioned, certain states doing different things. Broadband privacy, obviously, that's the first one you all touched on and I touched on in the intro. That's a big one. Any states stepping up there?
Speaker 3
5:09 – 5:14
Yeah. So, I was actually here on the podcast,
Speaker 2
5:15 – 5:22
several months ago talking about The best day of your life. Right? Yeah. Well, maybe not. But maybe your best day of your CDT life.
Speaker 3
5:23 – 6:20
It was, we were talking about the victory that was the the FCC Broadband Privacy Rules. The FCC gave consumers, pretty strong, very thoughtful, protections for their privacy when they are, using their broadband connection to, surf the web. And, unfortunately, a few months later, Congress used a little known tool called the, Congressional Review Act to reverse the rules. That sort of left a gap in protections, that states have been trying to step up and fill. And, a couple states that we've seen, with very thoughtful and and strong attempts at that, Washington is one, Massachusetts is another. But really, we've seen, you know, dozens of states either have, a bill introduced or,
Speaker 2
6:20 – 6:38
have started a process of of drafting and trying to introduce a bill. Very cool. Definitely one that seems to be resonating then at the state level. Another one that y'all mentioned to me happening that people are acting on are are the Internet of things, you know, the kind of that term and and devices. What's what have you been doing in that space?
Speaker 0
6:39 – 7:28
Yeah. So California actually is taking the lead on this. They have a new bill that they've been working on and and revising in the past weeks called, the Teddy Baron Toaster Bill, which focuses on yeah. Focuses on Yeah, good name. Focuses on data collection, consent, and disclosure requirements for smart devices covering everything from teddy bears to toasters, as you might imagine. But notably, it doesn't cover connected cars, which is an area where the federal government has had some leadership through the Department of Transportation, the FTC is stepping up regulation there, and we haven't seen the states really make a big push on this as of yet. So, they are, however, responsive to the IOT and security issues that we've been seeing. So it's not only a privacy issue, but a security one as well for the states. If you look at something like the Mirai botnet we saw a few months ago that shut down Netflix among other major companies on the East Coast for quite a while,
Speaker 2
7:29 – 7:50
these states, particularly California, is stepping up to institute some kind of data security measures, to stop these botnets from happening. Okay. Do do either of you know who Teddy Ruxpin is? I've heard the name. Oh, gosh. You're all so young. Anyway, connected devices. Teddy was so ahead of his time. That's right. That's right. So, Vijay, you were also just in Springfield.
Speaker 0
7:51 – 8:58
What were you out there for? So you mentioned Illinois before, but what what are some of the things they're working on Right. Or you were out there for? Yeah. We've been working with a couple groups in Illinois to get a pair of bills passed. The first one that I went to Springfield, Illinois to testify on was a geolocation privacy bill. And this bill basically required notice and consent before apps could collect and use your precise geolocation information. So this isn't, you know, covering your address or something you might input into a web site, but rather when a map app or something like that wants to collect your information and use it for something that isn't a mapping purpose essentially. So if they wanted to sell it or to, you know, show you ads based on your current location, then they would have to actually get your consent to do that. And we think this is a good consumer protection bill so you can actually know what is being done with your data. Cool. And so we went and testified on that. Other states are also doing this as well, not only Illinois. This one is pretty popular. We've seen attempts in Hawaii, Nevada, and, I think there's maybe one more that I'm blanking on right now. But this is starting to pop up more and more frequently as, you know, devices become more ubiquitous, I guess. Okay.
Speaker 2
8:59 – 9:08
Now if you were to look into the future and we assume that states will continue to act more on privacy, any other issues that you anticipate, you know, states stepping up on?
Speaker 3
9:10 – 10:30
So so one area, that's sort of, controversial right now is, expanding the protections we're seeing, states trying to to push through for broadband providers extended to what we call edge providers. So like the the Google's and other Internet services of the world, and that gets into more complicated territory. We definitely think that there should be, strong privacy legislation that applies to everyone on the federal level. But in the absence of that, I do think states are going to, come into this space. And I I guess another area would be, data security. And we're also seeing that come up in the in the broadband context. The FCC rules had a data security component that a lot of states are adopting. And that's also a place where, standards on the federal level, have been fairly flexible, which is not necessarily a bad thing, but it is an area where states can start to, experiment with with higher standards and more specific standards. Alright. Well, oh, Vijay, you have more to add, please. Yeah. I I think one other area that we're just seeing to pop up now, are these right to know bills. Right to know comes from the, actually, the,
Speaker 0
10:30 – 10:57
environmental context where you have a right to know what chemicals you're breathing in the air, if there's a, you know, major factory or plant or something near you. And this is extending to data now. We've seen Illinois say that consumers should have a right to know what third parties are being given your data and what's being done with it. I think this is gonna become more popular because it's actually gaining some real popular momentum in Illinois. So hopefully we'll see other states or maybe even the federal government pass a law like this. Well, that sounds optimistic.
Speaker 2
10:58 – 12:14
But but way to go, Illinois. Alright. Well, thank you so much for the updates, Natasha and Vijay. Definitely keep it up. And as I joked before, if CDT, you know, starts to do more and more state stuff, we'll get you a Winnebago and send you on a 50 state tour. Looking forward to it. Thank you so much. Thank you. Thanks. Most Americans have a bank account, at least one credit card, perhaps more, and a loan or two for a car or that pricey college degree. These all come with interest rates and payment schedules and a lot of data about how much money we have and how we spend it. This is data that is often used to decide if we qualify for a new loan or receive financial aid for school. And this data is also potentially very valuable to businesses wanting to offer a range of services. InvestNet Yodlee is one such company that is leveraging this financial data to offer a variety of services in the fintech space. They are facing a number of challenges though, when it comes to consumers' financial data, including questions around who has control and responsibility for that data. Steve Baums, the vice president of government affairs at Yodlee, joins us today to talk through some of these issues. Welcome, Steve. Hello. So first, tell us about Yodlee in general. So for the folks who don't know Sure. And you also have this thing called screenless data capture. What the heck is that? Sure. So
Speaker 1
12:14 – 13:46
the best and easiest way to think about Yodlee is as the intermediary between fintech and the traditional banking sector. We're about twenty years old. So we're one of the first fintech companies out there. And the business case is when you, the consumer, a small business wants to use a fintech platform but wanna connect your bank, and the average American average American has about 15 different bank or payment accounts at seven different Wow. I'm below average, I think, now. So that's good. The idea is that we can connect those two. So screenless data capture is one way of connecting those two. That's where we, get the user's credentials, so username and password, and log in as them to capture the data and use it for the third party application. But only about 25% of our data comes from screenless data capture. The vast, vast, vast majority of our data comes from what we call direct feeds. So Yodlee's differentiator in the market is we've negotiated bilateral deals with hundreds, maybe thousands of different data sources so that we have direct connections to those banks where we don't need the username and password to access the data. We have prenegotiated contractual agreements to get that data instead. And are those, stronger when it turn comes to privacy and security if it you have those agreements? Privacy and security is always of paramount importance, right, for all the players in this ecosystem. So it's regardless of how we get the data, those are absolutely fundamental. We are regulated and supervised by the OCC. We're examined, because we're a third party vendor to so many large financial institutions, and we have a really, really, really strong, risk and,
Speaker 2
13:47 – 14:14
security governance program. Sure. That makes sense. So Yodlee has been in the market for twenty years, and that surprised me. That's, when you think about data and all that sort of stuff, I I guess, you know, maybe it dates me. But I because I didn't even realize that was possible for twenty years. But in fact, it has been. What have you seen change over, like, the course of the time that you've all been in business? Not that you've been with them the entire twenty years. Or you look far too young, but, Thank you so much. Well, so quite a bit. Right? As you can imagine, over twenty years, there's been this explosion within the financial technology sector.
Speaker 1
14:15 – 15:49
So what's changed is the immense number of offerings of products and services from technology companies in the financial world. As that's happened, we've also seen the, tenor and tone of the banks change as it relates to allowing their consumers to share this data. Okay. Part of it is from a security perspective to the point I think you alluded to earlier. Right? There are legitimate security concerns that banks have, both data and cybersecurity, about allowing these third party tools to leverage consumers' data to provide benefits to them. But part of it, frankly, is just competition. Right? So in many cases, fintech firms are competing directly against traditional banks to offer the same types of products and services that banks historically have provided for centuries. And so some of these products and services just for people? Everything. Right? So it it ranges from personal financial management tools. So, you know, you go along, you see a dashboard of all 15 of your accounts in one place. Your entire financial life is there. To, credit and lending products. Right? Think about your marketplace lenders or, our firms like Kabbage for small businesses and getting credit for them. To there are even applications now that can help you, mediate your way through a divorce. So if you can aggregate all of your finances in one place, you can all see it in one place, and then you can decide how to divide up. There are literally thousands and thousands and thousands of applications. The beauty is it's up to the consumer to decide which they want to use, and their data only comes in once they've said, yep. I'm gonna log on to, let's say, Personal Capital or Betterment. I wanna use this tool, and only then will the connection to their financial accounts be made once they input the information.
Speaker 2
15:49 – 16:37
Okay. Yeah. I know. As you're talking through that, I'm like, gosh. I really need to get my finances in order. And it would be great to talk after one one platform that would help me out. So I'll I'll ask you for advice on that later. So all this data, I mean, obviously, financial data is some of your more personal data. Certainly, if there's any sort of breach of that data, it could be catastrophic for folks. Who's liable in this case? Is it the banks? Is it is it Yodlee? Is it, you know, the other, you know, company in the mix that's trying to offer a service? How does that work? It's a really complicated question. Right? So let me start by saying a few things. As far as Yodlee is concerned, we don't have or collect personally identifiable information when we're connecting the fintech player to the bank. Okay. So what we have is an anonymized number. Right? So they don't know that it's Steve Balmes who's connecting his Capital One account. They know that user 1YZ
Speaker 1
16:37 – 17:39
four five is connecting a Capital One account to use personal capital. But even if that wasn't the case and there's a breach, for Yodlee, there's a few different things that mandate who's liable. The first is where did the breach actually happen? Right? If if it happened at Yodlee Sure. That's one scenario. If it happened at the bank, that's another scenario. If it happened to third party, personal capital, that's a third scenario. But because we're a little bit different, right, I went going back to the idea that three quarters of our data comes through direct fees and contractual relationships with with banks, each of those contracts stipulates the liabilities. Okay. So it's a little bit different for Yieldy than the rest of the players. The differential for us is that we have those relationships with banks. The majority of other players in the system, or at least most of the other players in the system, go through screenless data capture. So it's less collaborative with the banks, and it's more you give us your username and password. We will log in as you to your account. We will capture it, and we will spit it out. It's not less safe. It's a different form of doing it. But because we have the contractual arrangements, the liability provisions are clearly spelled out in each scenario. Okay.
Speaker 2
17:39 – 17:58
So before we start recording, we're talking a bit about travel, and you were saying that you are a road warrior when it comes to work and do business in The US, EU, and I believe other places. But let's focus on the The US and The EU. What's kind of the difference in how you have to operate in the two different, two different places? Because they obviously have very different,
Speaker 1
17:58 – 21:52
rules, regulations, policies around privacy. Yeah. So this this is a fascinating area. Right? And it was one that was really eye opening for me having come from the traditional bank world and done a little bit of work in the EU to now being really, really deeply involved in what's happening there. Generally speaking, we in The US are years behind the EU, in terms of thinking about data and privacy and how consumers can use their data to their advantage. In the EU, there are two, regulations that I would point out as really important. One is the second payment services directive, PSD two, which the European Banking Authority just finalized some of the standards a few weeks ago. And in the next couple of years, we'll go into full effect. The idea here is consumers own their own data. It's not the banks to decide what to do with. It's the consumers to decide what to do with. And it goes through a really, really descriptive and, prescriptive mandate into how banks must make the data available and what the roles and responsibilities in ecosystem are, you know, going back to your question about liability and how the data is collected, all of these things. But at the core is technology is a really important way that consumers can improve their finances, and banks should not stand in the way of allowing consumers to do that. The second I would say is GDPR, which is the data security European requirement, which is also gonna go into effect the next year and a half, year or so. And that's kind of the other side of the coin of PST two. It's this idea that in a really tech focused world where consumers are permissioning and using their data for any host of things, not just in the financial world, everywhere, there have to be some baseline understandings about data security, data privacy, consent, disclosure, and, letting consumers turn on and off the ability to use the data so that the flow they have control of the flow. It's not somebody doing it for them. Yeah. So those two things intertwined, create a really important fabric for how this environment should work, the fintech environment should work in the EU. And then you have other countries in the EU, well, I I suppose The UK is one foot in, one foot out, that even gone a step further and said, not only will we take these and implement them, we're gonna go a step further and have something called open banking, where we will create a standardized API by which all of this data has to be made available so the consumer can not only permission their data, but there's a standardized way that these fintech firms can get the data so that we are getting rid of all the drag in the system, and it's frictionless for the consumer. Contrast that to The US, right, where we have a really fragmented regulatory system that came about after two and a half centuries of securities laws and bank laws and technology laws and privacy laws. We also have 6,000 financial institutions in this country as opposed to a few dozen in Europe. It's really hard to get consensus here. And the regulators in The US and congress are really wrestling with what is our role here in the first place. And even if we have a role, we have to, I I, recognize that it's just a sliver of the entire ecosystem, which means it's kind of been a free for all. Right? The the market itself has been dictating the terms here. What we're seeing now is increasingly, financial institutions are recognizing fintech as competition, and they have the right here to say what data they will and will not share. Contrast it to the EU where they don't have that right, it means that it's a much more friction full Sure. Experience Yeah. For the consumer here, which is why Yodlee and 20 or so other, fintech companies, we call ourselves the, Consumer Financial Data Rights Coalition, are really evangelical about this idea that it's not the bank's data to decide whether to share or not. It's the consumers. And in an environment like in Europe, like in The UK, where consumers have the right to share their data to these technology tools, they can really take advantage of important, important, important, tools that can help them improve their financial well-being.
Speaker 2
21:53 – 23:10
So that was a really long answer to a really short question. That was really helpful. Do you think The US is is getting there? Do you think that there is, you know, potential for that to be the case? Because, obviously, the the talking point of, you know, it's the consumer's data, it's not the bank's data. It's probably gonna resonate with a lot of folks. But then you'll also get some people saying, well, even when a consumer has control of their data with stuff like financial data, it's hard to really take control of that just because you don't know what's out there. It's in different places. So you don't wanna lose control. So even though they may make some choices, it's easy to lose control if you put it out there too much. So how does The US get to kind of the vision where the consumer has true control is making those informed decisions and taking advantage of all this great fintech? So I think the the great news is that the regulators here in Congress have started a long process to figure this out. I can't tell you how much time it's it's gonna take or what it looks like when it's done. What? But they've started. And a few important developments really just in the past few months. Right? So the CFPB put out its request for information in November on, data access, which is really this idea of how consumers can get their data and what they can do with it in a financial sense once they have it. Then they put out a request for information on alternative uses of data, particularly in credit. So this idea that there's a real benefit to consumers in underwriting,
Speaker 1
23:10 – 24:47
underwriting, if they can take their transactional information and leverage it as another tool beyond just a credit score to get better pricing on credit products. The OCC, of course, has its proposed fintech charter, which is trying to bring into, preempted federal state supervision of, fintech, firms that are involved in bank type services. The FDIC, the OCC, and the Fed came out with a cybersecurity ANPR, late last year, early this year, which is really on cybersecurity, but has a whole section on what they call external dependencies, which is really fintech. So they're starting. And in the Hill, we've seen the innovation initiatives from, congressman McHenry and congressman McCarthy, which is all about trying to really grow the innovation that's happening in fintech and make it more available, both from a how do you finance it at the front end to how do you use APIs to to exponentially grow it. So they're starting. How this all ends up, of course, is still very much unknown. It will take years at this pace to get to, you know, any type of finality. And even then, as I said earlier, you've got 6,000 financial institutions in The US. You've got thousands and thousands of fintech players, aggregators like Yodlee who sit in the middle. It's not clear to us that you will get any cut and dry rules like we have in the EU, like PSTT or GDPR. But instead, what we think is if you just get to a place where it can be asserted that the consumer has the absolute right to share their data, the market can figure the rest of it out. Right? We've been doing this for twenty years. In the absence of all of that regulation Right. We can keep doing it. The only difference here is we need to make sure that the consumer's rights to their data are unfettered. That's great.
Speaker 2
24:47 – 25:12
So last question I'll ask here. Just and you alluded to or you talked touched on this a little bit earlier. What are some of the coolest trends that you're seeing in fintech? Things that might get, you know, consumers really excited about the the future of this beyond just the policy world? Yeah. Yeah. That's a great question. Right? So there's there's quite a few. I think the the most exciting really from where I sit are what I think of as, like, financial wellness applications.
Speaker 1
25:12 – 26:54
So tools that, can smooth income for seasonal workers or for low income workers who don't have a dependable paycheck. But if you have a year or two years of transaction data that shows, direct deposit into your account rather than have to figure out, do you pay the phone bill this month or the electricity bill or the rent or, you know, your kid's, tuition? They will say, we'll give you a dependable amount every two months or every month in your paycheck. It will equal over a year to what you will take home anyway, but it's smooth. So you will not have to make those choices every year. So there's a host of applications like that, fixed income optimization tools. Right? I alluded to the divorce reconciliation tool. It's it's limitless, really, when you think about it. It's and the the beauty of it is it's all dependent on a really, generally, simple transaction data that you have at your fingertips now. And, theoretically, you could have just printed out, right, and done with it, you know, in an Excel spreadsheet, kind of all this stuff on your own. But the ability to put it in categorized form, in dashboards, and to dice it and slice it and apply analytics to it empowers all of these tools to help you make sense of your finances. That's great. Yeah. No. I am I'm no Excel expert. So, you know, that that Excel solution is never a good one. Anything that makes it easier is better. I think the data that we have shows that before fintech, only about 2% of people actually had budgeting tools that they could track all their finances across all of the accounts that they had. So there's a huge, huge, huge benefit to this. Absolutely. Well, there are definitely a lot of potential benefits and some risks out there. So, hopefully, all sectors come together, figure this out. Steve, thank you so much for sharing your insights and being on Tech Talk. Thanks for having me.
Speaker 2
26:59 – 27:22
That's it for this episode of Tech Talk. If you'd like to find out more about CDC's work on data and privacy across sectors, be sure to visit cdt.org and we'd love getting feedback on the issues we talk about on the show so be sure to tweet any comments to us at sendem tech or leave a comment on SoundCloud Google Play or iTunes I'm Brian Wasilowski thanks for listening