Financial data now circulates through banks, FinTech platforms and intermediaries in ways that stretch beyond the structure of existing privacy law, banking and FinTech executives said Tuesday (March 17), raising questions about who controls that data and which entities are accountable as it moves across digital financial services.
At a House Financial Services Committee hearing titled “Updating America’s Financial Privacy Framework for the 21st Century,” testimony focused on how transaction data, account information and credentials are accessed through application programming interfaces (APIs) and aggregators to support payments, lending and financial management tools.
How Data Moves Through the Financial System
Laura MacCleery, senior director for policy and advocacy at UnidosUS, described a system in which consumer data is routinely accessed through intermediaries rather than directly by financial institutions.
“When a consumer connects an app to a bank account, the app generally does not communicate with the bank directly,” she testified. “An aggregator reaches into the account, pulls transaction data and delivers it.” MacCleery added that earlier models relied on collecting login credentials, which allowed aggregators to access accounts in ways that limited transparency and control.
Steven Boms, executive director of the Financial Data and Technology Association, emphasized that these same data flows underpin widely used financial tools. Consumers rely on services such as real-time fraud notifications, while small businesses use platforms that extend credit based on “actual sales history and cash flow rather than relying solely on traditional credit scores.”
What Data Is at Issue
Witnesses described financial data as extending beyond basic account records.
Under the Gramm-Leach-Bliley Act (GLBA), institutions must protect nonpublic personal information, including transaction histories, balances and payment activity.
MacCleery testified that the data environment now includes additional elements such as “biometric, geolocation, and access credential definitions,” reflecting how digital platforms collect and use broader datasets.
Clara Kim, senior vice president, BSA/AML and sanctions, for the Bank Policy Institute, testified that banks collect and retain this data for specific purposes that are operational rather than optional, including efforts to “prevent fraud, money laundering, terrorist financing, and other illicit activity,” and to support underwriting and credit extension, including in underserved communities.
Banks, FinTechs and Uneven Oversight
A central issue at the hearing was whether all entities handling financial data operate under comparable rules.
MacCleery argued that they do not, stating that banks were subject to GLBA privacy requirements, federal supervisory examinations, security standards and state privacy laws, while “data aggregators were subject to…



