On November 17, 2016, the Consumer Financial Protection Bureau (CFPB) announced a request for information (RFI) to better understand the benefits and risks associated with market developments that rely on access to consumer financial records. The Bureau indicated that the information it obtains in response to its request may help shape industry best practices for delivering consumer benefits and minimizing consumer harm, and also could serve as a foundation for future CFPB guidance.
The Bureau’s RFI comes in the wake of the CFPB’s first report on its Project Catalyst and CFPB Director Cordray’s speech at the October 2016 Money 20/20 conference. During his remarks, the Director conveyed strong support for the ability of consumers to access their financial data and “grave concerns” about reports that financial institutions are seeking to limit such access. Although banks and other institutions have expressed privacy- and information security-related concerns about providing consumer financial information to third parties, Director Cordray emphasized the importance of consumers being able to obtain their information and suggested that the focus should be on ensuring that the information remains secure, rather than on limiting access.
Although the CFPB, OCC and other agencies have expressed significant interest in supporting fintech development in a way that both incentivizes innovation and protects consumers (see our recent article here), so far U.S. regulators have made very little progress toward creating a regulatory framework to facilitate technological advances. The Bureau’s RFI could be a meaningful step in the right direction.
In the RFI, the CFPB noted that Section 1033 of the Dodd-Frank Act requires a covered person to make available to a consumer, upon request, information about financial products or services that the consumer obtained from such covered person, in an electronic form usable by the consumer. That section also appears to give the CFPB rulemaking authority to implement its mandate.
Since the late 1990s, market participants have been developing and offering services that leverage electronic data to help consumers to manage their finances, create automated savings plans, set budgets and analyze spending activity, etc. Because many consumers have financial accounts with multiple institutions, some of these market participants have developed their own technology to access data from consumer financial account providers, while others have relied on third-party account aggregators to perform this function. Although the financial services that rely on consumer financial account data obtained from multiple institutions can provide substantial benefits to consumers, they also can present risk, particularly in connection with privacy and information security. With an eye toward developing future guidance and/or regulation on these issues, the Bureau’s RFI seeks information about current market practices as well as recommendations about how such practices should change over time.
Because information obtained through the RFI is likely to strongly influence the CFPB’s future involvement in facilitating and regulating third-party access to consumer financial account data, fintech innovators and other stakeholders should consider participating in the process. Responses to the RFI are due February 20, 2017 (90 days after the RFI’s scheduled publication in the Federal Register). Mayer Brown is actively engaged in these issues and available to assist with developing comments to the RFI.