CyberLex Insights on cybersecurity, privacy and data protection law

U.S. Consumer Financial Protection Bureau Sets Out Principles for Consumer-Authorized Data Sharing and Aggregation

Posted in Big Data, FinTech, Open Banking
Kirsten Thompson

On October 18th, 2017 the U.S. Consumer Financial Protection Bureau (“CFPB”) outlined the principles to be followed (“Principles”) when consumers authorize third party companies to access their financial data to provide certain financial products and services. These principles will be of particular note to the Fintech sector, in which a significant number of companies incorporate into their business model some kind of aggregation or sharing of consumer financial information.

The CFPB refers to this as the “consumer-authorized data-sharing market” and has stated its two-fold goal as intending to “help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives”, while at the same time ensuring protection for consumers “that provide, use, or aggregate consumer-authorized financial data”.

The Principles line up quite closely with the ten Fair Information Principles that underlie Canadian federal privacy legislation (PIPEDA). Absent (or diluted) from the CFPB Principles are the Fair Information Principles regarding “Limiting Use, Disclosure and Retention”, “Limiting Collection” and “Identifying Purpose”. The CFPB Principles also attempt to address many of the same issues that arise in the mandatory “Open Banking” regime in the EU and the UK, but in a much less comprehensive manner.

Background

Under the Dodd-Frank Act, the CFPB was empowered to implement and enforce consumer financial law “for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that markets for consumer financial products and services are fair, transparent, and competitive.”[1] The CFPB was to exercise its authorities so that “markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.”[2]

Increasingly, companies have been accessing consumer account data with consumers’ authorization and providing services to consumers using data from the consumers’ various financial accounts. Such “data aggregation”-based services include the provision of financial advice or financial management tools, the verification of accounts and transactions, the facilitation of underwriting or fraud-screening, and a range of other functions. This type of consumer-authorized data access and aggregation holds the promise of improved and innovative consumer financial products and services, enhanced control for consumers over their financial lives, and increased competition in the provision of financial services to consumers.

The CFPB’s interest in consumer data (and specifically Open Banking) was telegraphed by the Director of the CFPB in his remarks at the 2016 Money 20/20 conference, when he stated that the CFPB was “gravely concerned” that financial institutions were limiting or shutting off access to financial data, rather than “exploring ways to make sure that such access…is safe and secure.” (see our blog post on this here).

However, there are also challenges to this sharing of data, with privacy, security and regulatory compliance being just a few. The CFPB notes that a range of industry stakeholders are working, through a variety of individual arrangements as well as broader industry initiatives, on agreements, systems, and standards for data access, aggregation, use, redistribution, and disposal. However, the CFPB believes that consumer interests must be the priority of all stakeholders as the aggregation services-related market develops.

The CFPB issued a Request for Information in 2016 to gather feedback from a wide range of stakeholders, including large and small banks and credit unions, their trade associations, aggregators, “fintech” firms, consumer advocates, and individual consumers.

The CFPB has now released its set of Consumer Protection Principles intended to reiterate the importance of consumer interests. They are, however, non-binding and not intended to alter, interpret, or otherwise provide guidance on existing statutes and regulations that apply.

1) Access

Consumers should be able, upon request, to obtain information in a timely manner about their ownership or use of a financial product or service from their product or service provider. Further, consumers should generally be able to authorize trusted third parties to obtain such information from account providers to use on behalf of consumers, for consumer benefit, and in a safe manner.

The CFPB expects that financial account agreements and terms of use will, among other things, “not seek to deter consumers from accessing or granting access to their account information.” Notably, “[a]ccess does not require consumers to share their account credentials with third parties”, which suggests that screen scraping mechanisms cannot be made mandatory.

2) Data Scope and Usability

The scope of data that can be consumer-authorized for access should be broad, according to the CFPB, and may include “any transaction, series of transactions, or other aspect of consumer usage; the terms of any account, such as a fee schedule; realized consumer costs, such as fees or interest paid; and realized consumer benefits, such as interest earned or rewards.” With this scope of information made available, consumers will be able to compare fees and the cost of banking at a particular company or institution.

3) Control and Informed Consent

The CFPB suggests that authorized terms of access, storage, use, and disposal be fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer. While no explanation accompanies the statement, the CFPB states that firms should take steps to ensure “[c]onsumers are not coerced into granting third-party access.”

Furthermore, consumers must be able to readily and simply revoke authorizations to access, use, or store data. Similarly, consumers should be able to require “third parties to delete personally identifiable information.”

4) Authorizing Payments

The CFPB reminds firms that authorized data access, in and of itself, is not payment authorization. A separate and distinct authorization to initiate payments must be obtained. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.

5) Security

The sharing of information can raise security concerns, and the CFPB advises that consumer data are to be maintained “in a manner and in formats that deter and protect against security breaches and prevent harm to consumers.” Login and other access credentials are to be secured, and “all parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud”. Further, firms should transmit data only to third parties that also have such protections and processes.

6) Access Transparency

Consumers should be informed of which of their authorized third parties are accessing or using information regarding their accounts. This can include the identity and security of each such party, the data they access, their use of such data, and the frequency at which they access the data.

7) Accuracy

Consumers should expect the data they access, or authorize others to access or use, to be accurate and current, and firms should have reasonable means to dispute and resolve data inaccuracies, regardless of how or where inaccuracies arise.

8) Ability to Dispute and Resolve Unauthorized Access

Consumers should also have reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, and failures to comply with other obligations, including the terms of consumer authorizations. Interestingly, the CFPB advises that consumers “are not required to identify the party or parties who gained or enabled unauthorized access to receive appropriate remediation.”

9) Efficient and Effective Accountability Mechanisms

The CFPB advises that commercial participants should be accountable for the risks, harms, and costs they introduce to consumers. It is of the view that this helps align the interests of the commercial participants, and suggests such participants be “incentivized” and empowered to prevent, detect, and resolve unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, data inaccuracies, insecurity of data, and failures to comply with other obligations, including the terms of consumer authorizations.

Canada

The situation in Canada is not dissimilar, with various stakeholders and regulators on the one hand recognizing a need for innovation driven by consumer data access and on the other, the need to protect consumers and their data.

For instance, in March of 2011, the Financial Consumer Agency of Canada (“FCAC”) issued a statement, warning Canadians to be aware of the possible risks of disclosing their online banking and credit card information to financial aggregation services. Aside from the obvious data security and privacy risks, the FCAC cautioned that using such a service could also violate the terms and conditions (see our blog post on this here).

[1] 12 U.S.C. 5511(a).

[2] 12 U.S.C. 5511(b)(5).