The CFPB has released a set of “Consumer Protection Principles” for participants “in the developing market for services based on the consumer-authorized use of financial data.” According to the CFPB, the principles “do not themselves establish binding requirements or obligations relevant to the Bureau’s exercise of its rulemaking, supervisory, or enforcement authority” and “are not intended as a statement of the Bureau’s future enforcement or supervisory priorities.” Rather, the CFPB describes the principles as “express[ing] the Bureau’s vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value” and are intended “to help safeguard consumer interests as the consumer-authorized aggregation services market develops.”
In November 2016, the CFPB issued a request for information about market practices related to consumer access to financial information. The RFI contained a series of questions about current market practice related to “consumer-permissioned access,” a term used by the CFPB to refer to consumer access to consumer financial account and account-related information, whether directly or through a third-party acting with the consumer’s permission. According to the CFPB, the principles were informed by the 72 comments it received in response to the RFI as well as other stakeholder feedback. In addition to the principles, the CFPB also released a separate document containing a discussion of “insights gained from that feedback.”
The principles address the following nine topics:
- Access. Consumers should be “able, upon request, to obtain information about their ownership or use of a financial product or service from their product or service provider” and to be “generally able to authorize trusted third parties to obtain such information from account providers to use on behalf of consumers, for consumer benefit, and in a safe manner.”
- Data Scope and Usability. The financial data subject to consumer and consumer-authorized access should include “any transaction, series of transactions, or other aspect of consumer usage; the terms of any account, such as a fee schedule; realized consumer costs, such as fees or interest paid; and realized consumer benefits, such as interest earned or rewards.”
- Control and Informed Consent. The authorized terms of access, storage, use, and disposal should be “fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer” and for consumers to be able to “readily and simply revoke authorizations to access, use, or store data.”
- Authorizing Payments. Providers that access information and initiate payments should be able to reasonably require consumers to provide separate and distinct authorizations for these activities.
- Security. “All parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, [should] promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes.”
- Access Transparency. Consumers should be informed of or able to readily ascertain the “identity and security of each [third party the consumer has authorized to access or use the consumer’s account information], the data they access, their use of such data, and the frequency at which they access the data is reasonably ascertainable to the consumer throughout the period that the data are accessed, used, or stored.”
- Accuracy. Consumers should have “reasonable means to dispute and resolve data inaccuracies, regardless of how or where inaccuracies arise.”
- Ability to Dispute and Resolve Unauthorized Access. Consumers should have “reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, and failures to comply with other obligations, including the terms of consumer authorizations.” Consumers should not be “required to identify the party or parties who gained or enabled unauthorized access to receive appropriate remediation.”
- Efficient and Effective Accountability Mechanisms. Commercial participants should be “accountable for the risks, harms, and costs they introduce to consumers” and “likewise incentivized and empowered effectively to prevent, detect, and resolve unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, data inaccuracies, insecurity of data, and failures to comply with other obligations, including the terms of consumer authorizations.”
The CFPB’s discussion of the RFI comments and other feedback it received includes a description of the varying views expressed by stakeholders regarding the CFPB’s role in the aggregation services market. In the RFI, the CFPB cited to Section 1033 of the Dodd-Frank Act when describing the regulatory framework applicable to consumer-permissioned access to account information. Section 1033 requires that “[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.”
The CFPB states that a number of stakeholders, primarily account data holders, questioned Section 1033’s applicability to consumer-authorized data access, as opposed to consumer’s direct access, and encouraged the CFPB not to engage in Section 1033 rulemaking. The American Bankers Association, which submitted a comment letter in response to the RFI, was among the stakeholders expressing those views. Rather than using Section 1033, the ABA suggested that the CFPB should use other existing regulatory authority to address any regulatory gaps, such as by clarifying that data aggregators providing electronic fund transfer services are “service providers” under the EFTA and are liable for unauthorized electronic fund transfers. The CFPB noted that, because there was disagreement among stakeholders as to “how the relevant EFTA and Regulation E provisions apply to consumers when they are using aggregation services,” it had been urged to provide clarification.
The ABA had also commented that the CFPB should subject data aggregators to CFPB supervision by adopting a rule to define “larger participants in the market for consumer financial data.” In its discussion, the CFPB states that, in addition to account data holders, consumer advocates urged the CFPB to take steps to expand its supervisory authority to include aggregators and account data users.
The CFPB expressed a desire to continue its engagement with stakeholders to help it determine the best approach for ensuring appropriate consumer protections for users of aggregation services. Market participants and other stakeholders that want to engage with the CFPB on these issues may do so by sending an email to firstname.lastname@example.org.