It’s hard to find the most shocking detail about FTX, the cryptocurrency exchange that imploded in such spectacular fashion. From borrowing billions of dollars from customer deposits to meet debt obligations, to using corporate funds to purchase employee homes and “personal items”—the story of FTX’s rapid demise is punctuated by acts of blatant exploitation on behalf of the now-bankrupt exchange.
If these kinds of abusive practices intuitively seem like they should be illegal, that’s because, under current U.S. securities law, they are. But FTX (which was based in the Bahamas, except for its much smaller operation FTX US) and other crypto firms largely don’t fall under securities law. Instead, they dwell in a regulatory gray area. Though FTX is currently being investigated and prosecutors may find ways to hold its decisionmakers accountable under U.S. law, it might be harder than you would expect. The fact is that crypto companies aren’t governed by the existing financial and securities regulations—and crypto is just the tip of the larger financial-technology iceberg.
Under the current U.S. regulatory scheme, fintech companies are viewed more as tech firms than financial firms. The sector has therefore been largely governed by the same “regulation-lite” regime as the tech industry, as opposed to the much more stringent regulation of the financial industry.
This has significant implications for, among other things, users’ sensitive financial data. Laws governing the financial industry afford users’ financial and banking information special protection and privacy rights, recognizing that consumer financial data is deeply personal and sensitive. The U.S. approach to tech regulation, on the other hand, which trends more free market than its EU counterparts, has led to a regulatory scheme that allows for users’ data to be treated as a commodity—one that can be collected, privatized, aggregated, and sold by industry.
The impact of this regulatory approach is far-reaching, given how pervasive fintech companies are becoming. While cryptocurrency remains relatively niche, other fintech services, from Apple Pay to Zelle, are becoming increasingly integrated into our day-to-day lives. Even if the word fintech conjures up something vaguely futuristic and aquatic for you, chances are you have used a fintech service at some point. Fintech refers to a fast-growing sector of companies that use new technologies to compete with traditional financial-services firms, such as Acorns, Affirm, Square, and Robinhood. As financial consumers have increasingly moved their activities from analogue to digital, with a recent survey showing that 78 percent of Americans now prefer to bank digitally, fintech companies have proliferated.
In this online financial frenzy, which is set to hit its apex during the Cyber Monday sales, it is easy to overlook one thing that is being bought and sold: data about consumers.
Take Fintech payment facilitator Plaid, for example. You may not have heard of it, but if you use Venmo or Coinbase, you’ve used Plaid. And Plaid collects, among other things, highly granular information about users’ bank accounts, credit accounts, loans, and investments, as well as personal information like Social Security number and geolocation. The volume and type of information scraped is far beyond what many customers reasonably expect when signing up for fintech services like Venmo that use Plaid as their payment facilitator. (Indeed, Plaid recently paid $58 million to settle a lawsuit alleging the company deceptively obtained more financial data than necessary.)
Because they are regulated largely as tech firms, fintech companies are able to monetize the data they collect by selling it to third parties, like hedge funds, and creating insights into customers’ behavior, facilitating target marketing. The industry is opaque, so it is difficult to quantify exactly how much data is being sold, and to whom. The American Bankers Association, however, observes “Many data aggregators [including fintech firms] use the data for purposes beyond the service that the customer sought. Access to all data enables the aggregator to profit by selling the information to other third parties even though the customer neither knew about that potential use nor requested any additional services or marketing.”
This Faustian bargain is the bread and butter of the tech industry: You receive ostensibly “free” services in exchange for your data. Except the data that fintech firms deal in is singular—it is especially sensitive financial information and should be treated accordingly.
Data commodification generally can be disastrous. Nonetheless, fintech data practices are particularly insidious because dissemination of highly sensitive financial information can have significant effects on individuals’ participation in society (for example, by increasing consumers’ exposure to fraud and identity theft en masse). In transferring users’ financial data from its safer, legally-protected home at the bank to the unruly data services market, these companies are exposing users to risks they are likely not even aware of.
This calls for lawmakers to bring fintech under the umbrella of existing financial regulations, creating fintech regulation that emphasizes “fin” over “tech.” This would ensure, among numerous other benefits, that users’ financial data is subject to protection under the Gramm-Leach-Bliley Act’s Financial Privacy Rule. Moreover, regulating fintech companies federally, rather than by the current patchwork of state laws, would create a more consistent, cohesive regulatory scheme.
While the fintech sector has the potential to make our financial lives more convenient, efficient, and equitable, it needs to be appropriately regulated so that the risks presented to consumers do not outweigh the rewards. Closing the fintech loophole is necessary to redress current ambiguity and create a more unified, commonsense regulatory landscape. Otherwise, we can say laissez farewell to our financial privacy.