On October 18, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) entered the long-simmering debate over consumer-authorized data sharing. This debate pits mainstream financial institutions, which are typically reluctant to share customer data with third parties, against data aggregators and other fintechs. Those newer companies provide services directly to consumers, or services that enhance the consumer experience, and rely on data held by mainstream institutions to do so. Both sides are grappling with complex questions about consumer information, including who owns consumers’ financial data and how it can be used, shared, and kept secure.
The CFPB released a set of nine consumer protection principles to address those questions and “help safeguard consumer interests as the consumer-authorized aggregation services market develops.” While pointedly declining to ease any existing regulatory burden on banks to ensure safety and privacy, the Bureau has now articulated a not-yet-fully-defined set of expectations that traditional financial institutions cooperate with demands for openness. Each consumer right embedded in these principles implies a corresponding obligation on financial institutions, in some cases with considerable cost and operational disruption.
The release follows a November 2016 Request for Information in which the CFPB asked stakeholders to weigh in on the challenges consumers face in accessing, using, and securely sharing their financial records. The CFPB also released a 12-page report summarizing stakeholder input that informed development of the following principles:
- Access: Consumers should be able to obtain information about a financial product or service in a timely manner; authorize trusted third parties to obtain that information from account providers in a safe manner; and not be deterred from accessing or granting access to their account information. Access should not require consumers to share their account credentials (for example, online banking usernames and passwords) with third parties.
- Data Scope and Usability: Consumers may authorize access to data concerning transactions, usage, account terms, and other aspects of their use of the account. Authorized access should extend only to the data necessary to provide the product or service the consumer selected, and only for an appropriate period.
- Control and Informed Consent: Consumers should understand the implications of third-party access to their data, including the authorized terms of access (frequency, data scope, and retention period) and how the data will be stored, used, and disposed of, and should not be coerced into granting third-party access. Consumers should be able to revoke authorizations in a timely manner.
- Authorizing Payments: Providers that both access information and initiate payments should obtain separate and distinct consumer authorizations for those two activities; an authorization to access data does not by itself imply an authorization to initiate payments.
- Security: All parties that access, distribute, store, or otherwise handle consumer data must adopt “strong protections and effective processes” that deter and protect against security breaches and prevent harm to consumers.
- Access Transparency: Consumers must be able to readily ascertain which third parties they have authorized to access their data, how those parties use the data, and how frequently they access it.
- Accuracy: Data should be accurate and current, and consumers should be able to reasonably dispute and resolve any inaccuracies.
- Ability to Dispute and Resolve Unauthorized Access: Consumers should have a reasonable means to dispute and resolve unauthorized data access, regardless of whether they can identify the parties who gained or enabled such access.
- Efficient and Effective Accountability Mechanisms: Commercial participants are accountable for the risks, harms, and costs they introduce to consumers and must have incentives to employ effective measures to prevent unauthorized data sharing.
Potential Next Steps by the CFPB:
The CFPB recognized that these principles reflect its ongoing work in a fast-developing space. The stakeholder report provided insight into areas the CFPB may explore in more detail in the future, including:
- Enhanced disclosures concerning consumer data, particularly regarding scope of use, consumer authorization to access, share and transmit data, and a consumer’s ability to revoke that authorization;
- Clarification of the Bureau’s regulatory, supervisory and enforcement oversight over aggregators and account data users;
- Additional research concerning existing and emerging technologies for securing and protecting consumer data, including “read only” access and tokenization (giving a third party a limited-purpose token in place of the consumer’s login credentials), among other things;
- Industry standards concerning vetting and credentials of third parties seeking access to consumer information;
- Clarification concerning the application of the Electronic Fund Transfer Act and Regulation E when unauthorized debits are made from consumers’ accounts in connection with their use of data aggregation services; and
- More generally, clarification concerning the allocation of liability among the various parties involved in the sharing, use, and transmission of consumer data.
Stakeholders expressed a range of views concerning the CFPB’s role in the aggregation services market. Some believe a formal CFPB rulemaking may be necessary to ensure consumers are protected as the market continues to develop. Others would prefer little to no CFPB involvement, leaving market participants to develop appropriate solutions. A third group advocates an approach that falls somewhere in the middle.
The Bureau understands the importance of monitoring developments in the data-sharing and aggregation arena. The services available to consumers to manage and control their financial information, and the technologies that facilitate seamless and secure transfer and use of data, are now ubiquitous in financial services. Against that backdrop, together with recent data breach trends and the increasing sophistication of criminals who seek confidential consumer information, the CFPB will almost certainly continue to play a prominent role in protecting consumer data going forward.