The Congressional Research Service ("CRS") reviewed the potential benefits and risks of data sharing in the context of a potential CFPB rulemaking on consumer-authorized access to financial data as required under Section 1033 of Dodd-Frank ("Consumer Rights to Access Information").

In a new Insight report, the CRS explained that financial products and services that rely on consumer data, such as data aggregation sharing services, can provide consumers with access to improved and innovative offerings, allowing them to manage their money, receive product recommendations or apply for loans. The CRS highlighted that methods of collecting financial account data, particularly web scraping (i.e., scanning websites and extracting data) and application program interfaces ("APIs"), have advantages but also drawbacks. For example, (i) APIs are typically more secure from a cybersecurity standpoint but require companies to negotiate agreements for data access; and (ii) web scraping gives companies easier access to data, but it is less secure.

As to a rulemaking under Section 1033, the CRS concluded that "data access could facilitate competition and innovation in consumer financial services, depending on how data sharing practices develop and how the regulatory framework is structured." CRS referenced additional rulemaking developments in the ongoing effort to clarify standards around consumer-authorized access to financial data. These include:

  • the CFPB's November 2020 advanced notice of proposed rulemaking to solicit information from the public to inform the rulemaking regarding standards around consumer-authorized access to financial data; and

  • the Biden administration's July 2021 Executive Order 14036 ("Promoting Competition in the American Economy"), which includes a provision that encourages the CFPB director to consider a rulemaking on the "portability" of consumer financial transaction data.

The CRS also raised additional questions for the agency including consideration of:

  • the extent to which the CFPB should determine data sharing standardization, given the potential impact on market competition (standardized formats of consumer-accessed data could be beneficial for consumers, but may represent a burden on industry or limit innovation);

  • the extent to which the CFPB should facilitate certain cybersecurity standards to protect against fraud;

  • how to ensure consumers are informed of their access rights and potential risks; and

  • the possible authorization by consumers of the use of their data for unknown purposes (e.g., marketing).