Facebook headquarters Facebook's headquarters. Photo by Jason Doiy/ALM.

 

In early August 2018, the Wall Street Journal first revealed that Facebook is looking to integrate its platform with its customers' financial accounts in a bid to offer new services to customers.

Such new services would require the social media company to tap into data housed at various banks and financial institutions. But while this has sparked concerns over Facebook's access to sensitive data, whether the integration will pose consumer privacy or security risks largely depends on how the integration is structured.

Little detail has been provided on the proposed integration, though Facebook spokesperson Elisabeth Diana told TechCrunch that “a critical part of these partnerships is keeping people's information safe and secure.” Speaking about the integration's providing a sort of bank-teller chatbot via Facebook Instant Messenger, she noted:  “The idea is that messaging with a bank can be better than waiting on hold over the phone—and it's completely opt-in. We're not using this information beyond enabling these types of experiences—not for advertising or anything else.”

To be sure, such a partnership would be legally required to be “safe and secure.” How Facebook can potentially access and use customers' financial data, after all, is heavily regulated by the federal Gramm-Leach-Bliley (GLB) Act. Kevin Coy, a partner in the privacy practice at Arnall Golden Gregory, noted that “GLB restricts the ability of financial institutions to share information” with other businesses and third parties, and requires financial institutions to inform consumers of changes affecting their data privacy.

But there are certain ways the law allows information to be shared. Financial institutions could disclose consumer financial data for several specific purposes, such as fraud prevention and compliance with legal processes. Outside of those scenarios, Coy noted the law allows “information to be shared with the consent of the individual.”

“So to the extent that this Facebook initiative would be driven by consumer consent, that could be a permissible basis under GLB,” he added.

What's more, GLB has provisions requiring financial institutions ensure that any shared financial information is properly secured by the recipient. “In addition to the privacy notice and choice provisions, GLB also has what's called a safeguards rule, which imposes data security requirements on financial institutions,” Coy said. “And one of the requirements under the safeguards rule is that financial institutions exercise oversight over their service providers.”

Should Facebook be classified as a service provider, financial institutions could then dictate exactly how the data they provide is to be secured. But even if Facebook isn't defined a service provider under the law, Coy still expects that “financial institutions looking at this arrangement would want to impose security obligations.”

In fact, some may still be legally required to ensure their data's safety with a third party.  “Under some states' laws, separate and apart from [the GLB] targeting the financial industry specifically, those institutions are required to safeguard personal information,” Coy added.

And some state laws go beyond what GLB requires. California's Financial Information Privacy Act, for example, requires consumers to first opt in before financial institutions can use their data for marketing purposes, and “seeks to regulate how consumer choice is exercised to make sure it is done in a consumer friendly fashion,” Coy said.

How banks will move to safeguard the data they could potentially share with Facebook will likely be a significant concern for many in light of how Facebook Messenger currently operates. “When you log into your online baking service, it requires two factor authentication, but you don't have that level of security in Facebook Messenger,” said Dan Goldstein, president of digital marketing agency of Page 1 Solutions and a personal injury attorney in Colorado.

Given Facebook's checkered privacy record, Goldstein believes financial institutions won't hesitate to place strict guidelines on how their data is handled. “It's very likely that the only way a way a major bank would do this would be with very clear guidelines and restrictions on who can access the data and how they can access the data.”

Should such an integration go through, there will also likely to be heavy scrutiny from all parties involved of how Facebook asks for and obtains consumer consent to tap into consumer financial data. “For consumers and financial institutions the question would be, is the consent Facebooks seek limited to [showing financial information] or would they have other activities embedded in that consent as well?” Coy said.

Facebook has had some experience with integrating its platform with financial institutions before. Facebook customers in Singapore, for example, can already interact with a Citibank chatbot to access their financial information, while worldwide customers can also link their Facebook messenger account to Paypal as well.

An expansion of these integrations, however, will likely been bring more attention to how Facebook uses and secures such financial data, and how it respects the privacy of its users.