With the growth of technology and the development of the fintech market, an unprecedented amount of consumer financial data has become available. While protections through the FTC Safeguard Rule and EFTA provide certain consumer protections, there are coverage gaps as the regulatory scheme has struggled to keep up with technological advancements.

In recognition of these competing forces and this growing market of consumer services, the CFPB issued a Request for Information in November of 2016 inquiring as to market practices related to consumer access to financial information and related data aggregation services. Last week, the CFPB published its findings, as well as its Consumer Protection Principles, which are designed to “reiterate the importance of consumer interests to all stakeholders in the developing market for services based on the consumer-authorized use of financial data.” While the Principles are “not intended to alter, interpret, or otherwise provide guidance on the scope of existing consumer protections under existing statutes and regulations or to establish binding requirements or obligations relevant to the Bureau’s exercise of its rulemaking, supervisory, or enforcement authority,” they appear to be the first step in filling some of the current regulatory gaps.

The CFPB Principles address nine general areas of concern:

  • Access. The Principles recognize the right of consumers to be “able, upon request, to obtain information about their ownership or use of a financial product or service” from the product or service provider. The Principles also support the consumer’s right to “authorize trusted third parties to obtain such information from account providers to use on behalf of consumers, for consumers’ benefit, and in a safe manner.”
  • Data Scope and Usability. The Principles set forth that the scope of data that may be made available should be broad; however, the data available to “third parties with authorized access” should be limited to that which is “necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”
  • Control and Informed Consent. The Principles emphasize the consumer’s right to control data access and the need for terms as to access, storage, use and disposal to be clearly communicated and understood by the consumer. The Principles additionally emphasize the importance that the consumer understand and be provided with data sharing revocation terms that can readily and simply be invoked as to access, use and storage of data.
  • Authorizing Payments. The Principles advocate for separate and distinct authorizations for data access and payment authorization.
  • Security. The Principles recognize the gaps that potentially exist in the FTC Safeguard Rule and the uncertainty as to whether certain data aggregation providers are required to comply (as they may fall into a gap between covered financial service providers and vendors). With regard to security, the Principles recognize the need for market participants to securely access, store, use, and distribute data in formats and manners which protect against security breaches. The Principles further advocate for secure access credentials and effective processes that “mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes” in place.
  • Access Transparency. Consumers should be informed of or able to readily ascertain “which third parties that they have authorized are accessing or using information regarding the consumers’ accounts or other consumer use of financial services.” The Principles emphasize the ability of consumers to ascertain the “identity and security of each such party, the data they access, their use of such data, and the frequency at which they access the data.”
  • Accuracy. The Principles express the expectation that data that consumers access or authorize others to access is current.
  • Ability to Dispute and Resolve Unauthorized Access. The Principles set forth the expectation that consumers “have reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data share access, and failures to comply with other obligations, including the terms of consumer authorizations.”
  • Efficient and Effective Accountability Mechanisms. Commercial participants are held accountable for “the risks, harms and costs they introduce to consumers” and are “incentivized and empowered effectively to prevent, detect and resolve unauthorized access and data sharing, unauthorized payments” and “failures to comply with other obligations, including terms of consumer authorizations.”

The Bureau’s Report on the November RFI reflects consensus amongst stakeholders that market participants need to work together to develop data access and use practices that are based upon a shared set of standards and expectations that address consumer protection. Those engaged in fintech should carefully monitor developments in this area, as well as the CFPB’s developing position as to its role in regulating the same.