Financial industry groups responded to the Consumer Financial Protection Bureau's (CFPB) request for information on consumer access to their financial records.

What happened

Last November, the Bureau released a Request for Information (RFI) announcing its intent to take a closer look at "the challenges consumers face in accessing, using, and securely sharing their financial records." The RFI asked how much choice consumers are being given about the use of their records, how secure it is for them to share their records, and to what extent consumers have control over their records.

Industry groups have responded. The American Bankers Association (ABA) noted the timeliness of the CFPB's RFI, given that technology "has facilitated the creation of an unprecedented amount of consumer financial data." While the ABA "fully supports the customer's ability to access and share their financial data in a secure, transparent manner that gives them control," the group identified regulatory gaps and suggested steps to facilitate consumer access.

Three core principles should set the framework for how consumer data is treated, the ABA wrote: security (bank-level protection should be consistent for all consumer financial information, whether the data is at a bank or a third party); transparency (consumers should know how their data is being used); and control (consumers should have control over the access and use of their data, including what information is shared).

To effectuate these principles, the ABA recommended that the Bureau use existing regulatory authority and not promulgate new rules. For example, the CFPB should clarify that data aggregators are "financial institutions" subject to the requirements of the Gramm-Leach-Bliley Act (GLBA) and take steps to ensure such entities are subject to the same standards as depository institutions for safeguarding financial data and notifying customers about security breaches. Data aggregators should also be designated as "service providers" under the Electronic Fund Transfer Act (EFTA), and "larger participants" in the market for consumer financial data should be identified and subject to supervision by the CFPB, the ABA recommended.

In its comments, the Financial Services Roundtable (FSR) set forth "five core elements" that the Bureau should consider in determining its role in the evolving ecosystem: security and privacy; data access and use transparency (with the group stating that customers should be required to provide express consent permitting a financial institution to share their account data with a third party); clarity of liability, particularly with regard to data aggregators under Regulation E; customer choice and control; and technology neutrality.

The FSR also urged the CFPB to exercise "caution in pursuing any rulemakings that would certainly hamper these consumer-focused agreements, and likely stifle innovation."

While the Independent Community Bankers of America (ICBA) threw its support behind consumer access to financial information, the group expressed "profound concerns" that non-bank entities "do not take the same care in protecting consumer privacy and data that community banks do." Community banks are highly regulated, but "protecting consumers' account data at banks is of limited value if it remains under-protected or exposed by other users," the group told the Bureau.

"At a minimum, consumers must have the same GLBA-like privacy protections with permissioned third parties as they have with banks, including limitations on the use of consumer information and limitations on the disclosure of the consumer's information to third parties," ICBA wrote.

The group also shared its worries that the Bureau would develop rules dictating how community banks share information with third parties, leaving the banks to shoulder both financial and reputational risks. It emphasized that community banks should not have to bear the cost and risk of ensuring safe third-party access.

Finally, Financial Innovation Now (FIN), an alliance of technology leaders, weighed in, similarly taking the position that regulation by the CFPB is unnecessary. "We are concerned that regulation would run the risk of creating a framework that likely would restrict market developments or innovations and not easily adapt to the pace of technological innovation and consumer expectations," the group wrote.

Instead, FIN said that consumers' interest would most effectively be promoted by empowering them to permission access to financial account data "securely and easily, using whatever secure application or technology they wish," according to industry-developed standards that are regularly reviewed and updated and do not mandate a specific type of technology.

Why it matters

Industry groups were united in their stance that no new regulation is required from the CFPB in order to ensure consumer access to financial records. While the comments provided different suggestions as to how the Bureau should address the safety and security of consumer financial data, the core principles of consumer choice and data security remained consistent for all the groups.