US Consumer Financial Protection Bureau guidelines for third-party financial data sharing
12 November 2017
On October 18, the U.S. Consumer Financial Protection Bureau (CFPB) published nine principles for the protection of consumers in the emerging financial data aggregation industry. The CFPB, which is charged with ensuring consumer access to fair and transparent financial services, emphasized that the principles are not intended as guidance on existing laws and regulations and are not indicative of the CFPB’s future enforcement priorities. That said, the guidelines provide a useful look into “the Bureau’s vision for realizing a robust, safe, and workable data aggregation market.”
The CFPB also released an 11-page summary of stakeholder insights that it received from the industry in response to a November 2016 Request for Information. The Bureau differentiates among “aggregators” (companies that collect financial information), “account data users” (companies that use aggregators to offer financial products and services), and “account data holders” (the financial institutions, such as banks, that hold account data on consumers). The stakeholder insights provide a broad picture of the differing perspectives and priorities of these market players.
The Consumer Protection Principles
- Access – Consumers should have on-demand access to account information and should be able to authorize access for trusted third parties without sharing their personal account credentials.
- Data Scope and Usability – Consumers should be able to authorize access to a breadth of information, which should be available in a usable format. Third party access should be limited to the scope necessary for that party and its intended services, and third parties should not maintain that data for longer than necessary.
- Control and Informed Consent – Customers should receive detailed terms of access and use, which should be understandable, not overly broad, and consistent with the consumer’s reasonable expectations. Consumers should be able to easily revoke any authorization and require third parties to delete personally identifiable information.
- Authorizing Payments – Authority to access data should be distinct from authority to make payments, and parties that access financial information and make payments should obtain separate authorizations for each of those services.
- Security – Consumer data should be used and stored securely, and all parties that handle consumer data should use strong and continuously adapting protections and processes to prevent, detect, and respond to security incidents. They should only transmit data to third parties who have similarly secure protections in place.
- Access Transparency – Consumers should be able to easily find out who has access to their account information, including the level and frequency of that access.
- Accuracy – Data should be accurate and current, and consumers should have dispute mechanisms to resolve any inaccuracies.
- Ability to Dispute and Resolve Unauthorized Access – Consumers should have “reasonable and practical” mechanisms to dispute unauthorized access, unauthorized payments, or failure by any party to comply with any of its obligations regarding consumer information. Parties should be able to receive remedies without being required to show the identity of the unauthorized user, and any responsible parties should be held accountable.
- Efficient and Effective Accountability Mechanisms – Stakeholders should be incentivized to provide safe consumer access and avoid misuse of consumer information. They should be accountable for the risks and costs they cause for consumers and should be “incentivized and empowered” to prevent and detect unauthorized activity.
CFPB Dipping its Toe in the Enforcement Waters
Although these principles outline the CFPB’s vision for consumer protection, the Bureau remains vague about its own role. It calls for commercial parties to be held accountable for consequences that impact their consumers, but is silent on how this accountability might look in practice. In the stakeholder insight summary, the CFPB mentions differing views among industry members about the extent of its role in regulating the financial data aggregation industry.
Some stakeholders take the view that the CFPB should avoid any expanded role in this space and should allow industry members to develop their own standards for protecting consumer information. Other stakeholders and consumer advocates envision a more active Bureau that seeks to expand its regulatory authority by using its rulemaking power under Section 1033 of the Dodd-Frank Act, which regulates customer access to financial data. Other stakeholders asked the Bureau to clarify the extent to which the financial data aggregation industry falls under the Electronic Fund Transfer Act (EFTA) (sometimes known by its implementing Regulation E), which provides protection to consumers with regard to electronic funds transfers.
Since its launch in 2011, the CFPB has been a potential player in the data security enforcement game. Last year, it made headlines when it announced its first ever data security-related enforcement action, fining mobile payment company Dwolla $100,000 for deceiving its customers about the security protocols and measures in place to protect customer’s financial information. Despite a moderate hullaballoo in the legal spaces that pay attention to such developments, the Bureau has been fairly silent on data security since then. Speculation and predictions that the Bureau may soon rival the FTC in terms of aggressively bringing enforcement actions in this space gave way to a more passive CFPB. Earlier this year, in a speech at a popular fintech conference, Director Richard Cordray brought up the Bureau’s efforts to seek out stakeholder insight, promising that the CFPB would “continue to analyze these issues and closely follow developments.” But while the CFPB certainly mentions the various regulatory vehicles by which it could more aggressively enforce data privacy standards, it appears to be in no rush to start wielding those powers.
Supporting the Market, Focusing on the Consumer
The CFPB is clearly a fan of the data aggregation market. In the preface to the Principles, the Bureau writes that this market “holds the promise of improved and innovative consumer financial products and services [and] enhanced control for consumers over their financial lives.” The Bureau goes on to say that this “consumer-friendly innovation,” comes with significant challenges, which can be best met by making consumer interests and security the priority for all stakeholders in the market. The common refrain throughout the principles is the need to give the consumers more control, more insight, and more security. The principles exhorte companies to provide clear, tailored, and understandable terms of access and to give consumers the on-demand ability to view and adjust any third party access to their account information.
Dispute Resolution Mechanisms
The principles propose increased avenues for consumers to resolve disputes and impose consequences on parties responsible for violating consumer protection standards. Under the principle of Accuracy, consumers should have the means to dispute and resolve data inaccuracy issues, “regardless of how or where inaccuracies arise.” Under the Ability to Dispute and Resolve Unauthorized Access, consumers are to have practical to dispute any instance of unauthorized access, unauthorized payments, or any other relevant obligation. While obviously not binding, these principles indicate that the CFPB sees an industry role to detect, investigate, and remedy instances of unauthorized access or inaccurate data. Consumers should expect their financial data to be accurate and protected, and it is the obligation of the stakeholders to make that happen.
Evolving Security Practices
The stakeholders generally agree that data security should be “a core and shared focus” for the industry, and the Bureau holds the data aggregation industry to a high standard. Many of the access and transparency principles would likely require concerted software development efforts for many institutions and companies, and the implementation of robust procedures for investigating and resolving disputes. The Security principle requires companies to “deter and protect against security breaches,” to only transmit data to third parties with similarly strong security practices, and to actively adapt security practices to new threats. These principles seem quite sensible at first glance—any security researcher would tell you that these are important practices for any company handling customer data, especially data as attractive a target as financial account information.
The stakeholders differ in their security views, however. The stakeholder insights demonstrate the tensions between established entities, like banks and credit unions, and the growing fintech market that relies on access to account data held by these entities. The more established account holders express concern that some of the market players are held to lower data security standards than banks and credit unions and do not adequately invest in security. Smaller companies, on the other hand, worry that these security concerns are a pretext to block or otherwise limit the data shared with third parties. They are also concerned that a more assertive CFPB could lead to data sharing rules that place an excessive burden on small market participants.
The Consumer Protection Principles don’t contain any headline-grabbing revelations, but they give a better look into the CFPB’s perspective on data security and how a financial data aggregation industry can provide competitive services while protecting the security and privacy of its customers. These principles further emphasize that the Bureau, if not yet an active player in data security-related enforcement, is closely watching the space and recognizes its potential role in regulating and investigating the industry. If and when the CFPB decides to become more active in its oversight of financial data sharing, this will likely be a helpful guide to better understand their rulemaking and enforcement priorities and principles.
By Jake Reed and Keren Livneh.