As previously covered in InfoBytes, on November 17 the CFPB launched an inquiry into the benefits and risks associated with consumers authorizing third-parties to access their financial and account information held by financial service providers. In response to the Bureau’s Request for Information (Dkt No. CFPB-2016-0048), consumer and industry groups have offered their thoughts and positions concerning the issue. A summary of several comment letters is included below:
American Bankers Association (ABA). The ABA submitted a comment letter in which it noted that “technology is fundamentally changing the way financial services are being delivered,” but urged the CFPB, subject to certain enumerated regulatory limitations, to “fairly address both the opportunities and risks” in order to “give consumers innovative services that they can trust.” Among other things, the ABA discussed the need for the Bureau to clarify data aggregator responsibility for maintaining the privacy and security of consumer financial data. Specifically, the ABA recommended that the CFPB: (i) impose breach notification obligations; (ii) confirm liability assignments under Regulation E; (iii) subject larger data aggregators to supervisory oversight; and (iv) educate consumers about the choices, responsibilities, and risks presented.
Financial Services Roundtable (FSR). FSR and its technology policy division responded with a letter highlighting the importance of innovation and collaboration and outlining five core elements the group believes should be considered in assessing this “evolving ecosystem.” These elements are: (i) security and privacy; (ii) data access and use transparency; (iii) clarity of liability; (iv) customer choice and control; and (v) technology neutrality. FSR also encouraged the CFPB to avoid unnecessary rulemaking or standard-setting that would “blunt innovation.”
Independent Community Bankers of America (ICBA). The ICBA urged the CFPB, subject to certain enumerated regulatory limitations, to carefully consider the privacy, regulatory burden, data security, and legal implications posed by third-party account access. Among other things, the ICBA expressed concern that “non-bank entities” do not take the same care in protecting consumer privacy and data as community banks and stated that community banks “must be able to protect customer data without having to meet new regulatory mandates which increase the risk of breach and/or consumer loss.” ICBA’s letter also stated that consumers’ rights to have access to their own information should be balanced with ensuring that consumer privacy is not needlessly threatened.
Americans for Financial Reform (AFR). AFR and a coalition of consumer groups set forth the organizations’ position that “the digital economy should ensure consumers can access and use records about themselves, and that consumers can choose to authorize third-parties to access such data on their behalf to support their financial health and facilitate competition among financial services providers.” Among other things, the letter stressed the need for “standards to enforce compliance with Section 1033 to benefit consumers who utilize online data aggregation and other applications.” Additionally, the letter urged the CFPB to confirm that consumers “retain their legal protections vis-a-vis account-holding institutions if unauthorized charges are made to their accounts when they use data aggregation services.”
Financial Innovation Now (FIN). FIN expressed the organization’s belief that regulation of permissioned access to consumer financial account data is “not necessary at this time.” Rather, FIN argued for “standards for permissioned access to consumer financial account data,” which could be “developed by industry, regularly reviewed and updated.” Ultimately, FIN pushed for consumer access to consumer financial account data “securely and easily, using whatever secure application or technology they wish, without charges or restrictions that unreasonably favor any one application or technology over another.”