On October 18 2017 the Consumer Financial Protection Bureau (CFPB) released a set of consumer protection principles designed to protect consumer interests in the market for services built around consumer-approved use of financial information. The principles are targeted at so-called 'data aggregation' or 'screen scraping' services that collect customer information in order to provide financial planning or other services. Over the past few years, data aggregation services and banks have struggled to develop the right model for sharing customer account data. The principles issued by the CFPB seek to provide a potential data-sharing model for banks and data aggregation services while protecting consumer interests.
In recent years, financial technology (fintech) companies have developed products and services that make it easier for consumers to manage their own finances, including financial planning services, transaction verification tools, payment applications and fraud-screening. These products and services rely on consumer-authorised access to financial data about those consumers stored by other financial institutions. To collect this data, fintech firms have often resorted to screen scraping, in which the company uses the consumer's bank account login credentials to login on behalf of the consumer and download the available financial data. Screen scraping does not involve a formal data-sharing agreement with the bank, and it therefore raises significant concerns from all parties involved. Banks are often concerned about the effect of these services on their systems, the commercial value of their data and the security of the information, for which the bank could potentially be held responsible. Fintech companies worry that banks will block them from accessing the consumer data on which the viability of their business depends. These concerns have created obstacles to innovation by placing banks and fintech firms in an ill-defined adversarial position. Further, sharing login credentials with third parties raises significant issues of consumer privacy, choice and transparency.
The CFPB, which is the primary federal regulator of consumer financial products and services, has acknowledged that this type of consumer-authorised access and aggregation:
"holds the promise of improved and innovative consumer financial products and services, enhanced control for consumers over their financial lives, and increased competition in the provision of financial services to consumers."
Its new principles reflect its view of the positive potential for new data aggregation services while emphasising the need to develop a workable industry model that addresses consumer privacy, limits data security risks, promotes transparency and consumer choice and protects the accuracy of financial data.
In view of these issues, the CFPB developed the principles with guidelines for ensuring consumer protection in the aggregation services market. Before issuing the final principles, the CFPB solicited input from a variety of stakeholders, from individual consumers and account data holders to trade associations and aggregators. Although the CFPB's principles are not binding, they signal increased momentum for a workable model of data sharing between banks and fintech companies. They may also demonstrate the CFPB's expectations of market participants and its broader viewpoints about consumer privacy and consent. The nine principles cover the areas set out below:
- Access – consumers should be able, on request, to obtain (in a timely manner) information about their ownership or use of a financial product or service from the product or service provider.
- Data scope and usability – financial data subject to consumer and consumer-authorised access should be available in forms that are readily usable by consumers and consumer-authorised third parties. Third parties with authorised access should access only the data necessary to provide the products or services selected by the consumer, and only maintain such data as long as necessary.
- Control and informed consent – authorised terms of access, storage, use and disposal should be fully and effectively disclosed to the consumer and should be consistent with the consumer's reasonable expectations. Consumers should be able to readily and simply revoke authorisations to access, use or store data, and revocations should be implemented in a timely and effective manner.
- Separate authorisation credentials – authorisations to access consumer data are separate and distinct from payment authorisations and should appropriately be treated as such. The consumer should be able to grant a third party access to information without having to share the credentials that would allow the third party to move funds.
- Security – consumer data should be accessed, stored, used and distributed securely. Consumer data should also be maintained in a manner that deters and protects against security breaches and prevents harm to consumers, including using controls to secure access credentials. All parties with access to the data should use strong protections and effective processes to mitigate the risks of, detect, promptly respond to and resolve and remedy data breaches, transmission errors, unauthorised access and fraud. Security practices should be adapted to new risks and threats.
- Access transparency – consumers should be informed which third parties are accessing or using information regarding the consumers' accounts or other consumer use of financial services.
- Accuracy – consumers should be able to expect that the data accessed by themselves or third parties is accurate and current. Consumers should have a reasonable means to dispute and resolve inaccuracies.
- Ability to dispute and resolve unauthorised access – consumers should have a reasonable and practical means to dispute and resolve instances of unauthorised access and data sharing.
- Efficient and effective accountability mechanisms – commercial participants in consumer financial data sharing should be accountable for the risks, harms and costs that they introduce to consumers, and they should make efforts to prevent, detect and resolve unauthorised access and data sharing.
Industry reactions to the principles has generally been positive, as banks and fintech companies continue to work out formal agreements to share data. Several data-sharing agreements between large banks and fintech companies have been publicly announced during the past year, prevising the potential for continuing innovation in the market for data aggregation services. Rather than using screen scraping, these agreements contemplate data sharing via application programming interface, which allows for direct and more secure delivery of data from the bank to the fintech firm. The CFPB principles provide useful guidance for the development of these agreements and greater certainty around potential regulator expectations with respect to consumer privacy.
Nevertheless, a theme of the principles is a broad entitlement of the consumer to benefit from services that rely on access to information, with a substantial burden imposed on companies to enable these services. In particular, the principles seem to imply a duty on the part of existing data holders to develop mechanisms to make the data available to consumers and third parties when the data holders may have no incentive to undertake the significant development and ongoing costs. This theme of imposing broad burdens on holders of consumer information to facilitate a third-party service could be troubling in the data aggregation area, as well as if applied more broadly. The principles also impose duties on the companies obtaining the data to use the information for the benefit of the consumers.
The CFPB's release of consumer protection principles combines the bureau's supervision of consumer financial products and services with an increasing focus on data security matters. In 2016 the CFPB brought its first data security enforcement action under the authority granted by the Dodd-Frank Wall Street Reform and Consumer Protection Act against online payments company Dwolla Inc, for deceptive representations with respect to its data security practices. The Dodd-Frank Act authorises the CFPB to take action against institutions engaged in unfair, deceptive or abusive acts or practices or that otherwise violate federal consumer financial laws. Under the terms of the CFPB order against Dwolla, the company was required to stop misrepresenting its data security practices, train employees properly and fix security flaws. In addition, Dwolla was required to pay a $100,000 civil money penalty.
As stated, the consumer protection principles issued by the CFPB with respect to the aggregation services market are not made under rulemaking authority and do not reflect the bureau's enforcement priorities. That said, industry stakeholders should consider the potential impact of the principles in connection with data aggregation services and financial services more broadly and within the context of the existing legal requirements. These requirements may include:
- the CFPB's Regulation P under the Gramm-Leach-Bliley Act (requiring annual notice of privacy policies and certain consents for sharing consumer information);
- the Federal Trade Commission's and the banking agencies' Safeguards Rules (requiring comprehensive written information security policies);
- the Fair Credit Reporting Act (requiring reasonable protections for consumer report information); the Fair and Accurate Credit Transactions Act (FACTA) disposal rule (requiring reasonable procedures for the disposal of consumer report information); and
- the FACTA red flags rule (requiring certain protections against identity theft).
When reviewing and considering how to implement the CFPB's recently issued principles, companies should consult with legal counsel to ensure that they comply with all applicable legal requirements.
For further information on this topic please contact Colleen Theresa Brown, Edward R McNicholas, Alan Charles Raul or John K Van De Weert at Sidley Austin LLP by telephone (+1 202 736 8000) or email (c[email protected] [email protected], [email protected] or [email protected]). The Sidley Austin website can be accessed at www.sidley.com.
David E Teitelbaum, partner, assisted in the preparation of this update.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.