The Consumer Financial Protection Bureau (CFPB or Bureau) recently released a set of consumer protection principles for protecting consumers when they authorize third-party companies to access their financial data to provide certain financial products and services. The Bureau states that these principles, which all stakeholders that provide, use, or aggregate consumer-authorized financial data should consider, “are intended to help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives.”
Many companies, including fintech firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide a variety of products and services. Consumer-authorized access to consumer financial account data in electronic form may enable consumer-friendly innovation in financial services. Companies that consumers authorize to access their digital financial records can aggregate and use those records to offer new products and services aimed at making it easier, cheaper, or more efficient for consumers to manage their financial lives. Examples of such “data-aggregation” products and services include fraud screening and identity verification, personal financial management, and bill payment. At the same time, this kind of expanded access to consumer financial records raises a number of concerns, particularly with respect to data security, privacy, and unauthorized access. The Bureau “advocates strongly for consumer control of the consumer’s data and transparency,” while emphasizing the importance of data security and privacy.
The principles articulate the Bureau’s “vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.” The principles, which are intended to be read together, relate to:
- data access;
- data scope and usability;
- control of the data and informed consent;
- payment authorizations;
- data security;
- transparency on data access rights;
- data accuracy;
- accountability for access and use; and
- disputes and resolutions for unauthorized access.
These principles build upon the CFPB’s 2016 Request for Information (RFI) to gather feedback from a wide range of stakeholders concerning consumer-authorized data access. Based on the RFI, as well as other stakeholder outreach, the Bureau “understands that some key industry stakeholders are working on improvements to consumer-authorized data access. These improvements relate to the agreements, systems, and standards involved in consumer-authorized data access.”
The Bureau states that it “will continue to closely monitor developments in this market and will also continue to assess how these principles may best be realized.” The Bureau notes that these principles “do not establish binding requirements or obligations relevant to [the agency’s] exercise of its rulemaking, supervisory, or enforcement authority. In addition, they are not intended to alter, interpret, or otherwise provide guidance on existing statutes and regulations that apply in this market.” Lastly, the Bureau states that these principles “are not intended as a statement of [the agency’s] future enforcement or supervisory priorities.”