The Consumer Financial Protection Bureau (CFPB) recently released a set of Consumer Protection Principles aimed at the Fintech field. The Principles describe obligations when sharing or aggregating consumer financial information. The CFPB regulates and enforces consumer financial laws, and issued this release as part of its review of the Fintech industry. These Principles follow a request for information that the CFPB issued late last year, as well as insights from stakeholders that the CFPB summarized at the time it released the Principles.
In the Principles, the CFPB recognized that many in the Fintech industry have been providing consent-based data aggregation services. These include tools that give financial advice, provide financial management, or do bill payment for the consumer. While recognizing the importance of these tools, the CFPB outlined nine principles Fintech companies should follow to provide consumers with adequate privacy protection: (1) Access, (2) Data Scope and Usability, (3) Control and Informed Consent, (4) Authorizing Payments, (5) Security, (6) Access Transparency, (7) Accuracy, (8) Ability to Dispute and Resolve Unauthorized Access, and (9) Efficient and Effective Accountability Mechanisms.
Many of these principles follow a fairly typical path, such as giving consent and control, and notice, as well as providing security and transparent access. Others are specific to the type of services being offered. For example, when a consumer grants a third party access to his or her information, the third party should “only access the data necessary to provide” the service. In the Principles, the CFPB clarifies that consumers should give separate consent for services that give third parties both access and the ability to authorize payment. The Principles further emphasize the importance to consumers of being able to dispute unauthorized access or sharing.