The ABA observes that while larger institutions have the resources to develop secure portals and the ability to impose privacy and data security requirements through contractual provisions negotiated with aggregators, community banks typically lack the resources to negotiate directly with aggregators. Accordingly, the ABA makes a series of recommendations for how the CFPB can use existing regulatory authorities to close regulatory gaps and ensure that consumer financial data is accorded baseline privacy and security protections regardless of where the data resides. Such recommendations include:
- The CFPB should clarify that data aggregators are “financial institutions” subject to the requirements of the Gramm-Leach-Bliley Act that apply to financial institutions under the FTC’s Safeguards Rule and the CFPB’s Regulation P. Clarification that aggregators fall within Regulation P would mean that aggregators would be required to provide disclosures to consumers about how they collect, store, and share consumer data and how it is safeguarded. With regard to the Safeguards Rule, in addition to urging the CFPB to work with the FTC to clarify the rule’s coverage of data aggregators, the ABA also urges the CFPB to encourage the FTC to revise the rule to require notice to consumers when a breach occurs and to require notice to the financial institutions that created the data involved.
- The CFPB should clarify that data aggregators providing electronic fund transfer services are “service providers” under the EFTA and are liable for unauthorized electronic fund transfers.
- The CFPB should subject data aggregators to CFPB supervision by adopting a rule to define “larger participants in the market for consumer financial data.”
- The CFPB should prescribe rules to ensure that the features of data aggregation products and services are adequately disclosed by using its authority under Dodd-Frank Act Section 1032 to “prescribe rules to ensure that the features of any consumer financial product or service…are fully, accurately, and effectively disclosed to consumers in a manner that permits consumers to understand the costs, benefits, and risks associated with the product or service, in light of the facts and circumstances.”
In addition to the above regulatory actions, the ABA urges the CFPB to launch a consumer education campaign to inform consumers about the risk, responsibilities, and choices associated with the use of data aggregation products and services.
The ABA’s letter was among 71 comment letters submitted on the RFI. Commenters included a variety of financial institutions, other trade associations, data aggregation companies, and consumer groups.
On March 16, 2016, from 12:00 p.m. to 1:00 p.m., Ballard Spahr attorneys will hold a webinar, “CFPB Launches Inquiry Into Challenges Consumers Face in Using and Securely Sharing Access to Their Digital Financial Records.”