On February 26, 2020, the CFPB held a symposium on Consumer Access to Financial Records and Section 1033 of the Dodd-Frank Act. Section 1033 addresses consumers’ rights to access information about their own financial accounts, and permits the CFPB to prescribe rules concerning how a provider of consumer financial products or services must make a consumer’s account information available to him or her, “including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.”

This symposium is the fourth in a series of symposia announced by the Bureau in 2019 designed to assist the Bureau in its policy development process (including potential future rulemakings). The first symposium was held on June 25, 2019 and focused on the Dodd-Frank Act’s prohibition on unfair, deceptive or abusive acts or practices, specifically the meaning of abusiveness. In January 2020, the Bureau issued a policy statement to clarify the meaning of abusiveness. Click here to listen to our podcast on the CFPB’s policy statement.

In November 2016, the Bureau issued a request for information (RFI) about market practices related to consumer access to financial information. In its response to the RFI, the CFPB indicated that a number of stakeholders questioned Section 1033’s applicability to consumer-authorized data access by third parties, as opposed to a consumer’s direct access, and encouraged the CFPB not to engage in any Section 1033 rulemaking. After examining the dynamic market and consumer protection issues created by data access challenges, the CFPB declined to pursue prescriptive rulemaking. Instead, in October 2017, the CFPB released a set of “Consumer Protection Principles” to guide participants “in the developing market for services based on the consumer-authorized use of financial data” that were designed to flexibly support innovation while providing consumers with sufficient data protection.

The Bureau’s symposium was designed to elicit a variety of perspectives about the current and future state of the market for services based on consumer-authorized use of financial data either directly by the consumer or indirectly by third parties. The symposium featured opening remarks by Director Kathleen Kraninger and three panels consisting of representatives from the banking industry, fintech companies, data aggregators and consumer advocacy groups.

In her introduction, Director Kraninger stated that three drivers are currently precipitating increased focus on consumer-authorized access to financial information: (1) the range of market participants has expanded greatly; (2) the extent to which personal data is being used to deliver consumer financial products has increased in scope and scale; and (3) technology now allows significant data sharing with third parties.

The first panel assessed the current landscape of holders of consumer data and the benefits and risks of consumer-authorized data access. The panel, which was moderated by Paul Watkins, Assistant Director in the Bureau’s Office of Innovation, consisted of the following members:

  • Becky Heironimus, Managing Vice President of Customer Platforms, Data Ethics and Privacy, Capital One
  • John Pitts, Policy Lead, Plaid
  • Natalie Talpas, Senior Vice President, Product Group Manager, Digital, PNC
  • Christina Tetreault, Senior Policy Counsel, Consumer Reports
  • Nick Thomas, Co-founder and Chief Technology Officer, Finicity

The panelists discussed the benefits and challenges posed by consumers accessing their own data by using applications and services provided by financial data aggregators (“aggregators”) and other service providers accessing and relying on financial account information maintained at a financial institution (“account data users”). Panelists noted the dynamic, evolving market and the need to move from aggregators using consumer credentials and “screen scraping” to use of tokens and application programming interfaces (API). API provides a more secure method for data aggregation, yet has had limited adoption to date, in part because of expense. Panelists stated that the migration process will take time and industry standards will need to be developed for API usage.

Panelists agreed that consumers should be permitted to access and control their data with informed, meaningful consent and that financial institutions should provide transparency concerning use of consumer data (Wells Fargo’s Control Tower was cited as an example). Financial institutions when using consumer data for new purposes should also demonstrate that such use is consistent with consumer financial protection laws (i.e., provide a use case) and justify the amount of time such data is kept. Technical standards and common security protocols are also needed to protect consumer access to data.

The second panel, consisting of data aggregators and data participants, discussed market developments in consumer-authorized data access. Will Wade-Gery, Senior Advisor in the Bureau’s Office of Innovation, moderated the panel, which included the following members:

  • Steven Boms, Executive Director, FDATA North America
  • Lila Fakhraie, Senior Vice President, Digital Banking APIs, Wells Fargo Bank
  • Jason Gross, Co-Founder & CEO, Petal
  • Melissa Koide, CEO, FinRegLab
  • James Reuter, CEO & President, First Bank Holding Company

Panelists expressed their views that, in general, the market is migrating to significantly better, more efficient technology that will create more data access, control and transparency for consumers. Panelists also discussed the proliferation of bilateral data access agreements between financial institutions and third parties, which will continue to be put in place until the industry is sufficiently mature to develop multilateral agreements. The group was optimistic about the future of API and other technology, as well as key stakeholders moving forward together collaboratively (such as the Financial Data Exchange (FDX), a consortium of banks, fintechs, consumer groups, and aggregators working to develop a common standard for customer data sharing in the financial services industry).

Panelists noted that the U.S. is not as far along in data privacy developments as the UK, Europe and Canada, citing reasons such as ambiguity in proprietary data, data field availability, and data connectivity failures. Multi-factor authentication can present barriers to access to data for consumers, so migrating to API will be a necessary evolution. Major banks and The Clearinghouse are investing in Akoya, a network created by Fidelity, to accelerate movement toward APIs. Akoya’s API network creates a safer, more transparent way for consumers to grant access to personal financial data to third parties. The network acts as bridge between financial institutions and data recipients and is available to the entire financial services industry, including small banks.

The group discussed a recent set of studies by FinRegLab concerning deeper use of API in cash-flow based underwriting for consumer credit products. The studies showed that API data is as predictive as credit bureau attributes and allows financial institutions and fintechs to better predict ability to repay. Some panelists expressed their belief that as cash flow-based underwriting becomes more mainstream, access to credit will increase for consumers and small businesses. The banking representative cautioned that more than just API data must go into the underwriting process.

The third panel addressed the future state of the market, as well as considerations for policymakers on how to ensure consumer data is safeguarded while ensuring that consumers have continual access to their data. That panel, which was moderated by Thomas Devlin, Managing Counsel in the Bureau’s Research, Markets and Regulation Division, consisted of the following members:

  • Jane Barratt, Chief Advocacy Officer, MX
  • Thomas P. Brown, Partner, Antitrust and Competition and Global Banking and Payment Systems Practices, Paul Hastings LLP
  • Brian Knight, Director of Innovation and Governance, Mercatus Center
  • Dan Murphy, Policy Manager, Financial Health Network
  • Natalie Williams, General Counsel, Responsible Banking and Data, JPMorgan Chase
  • Chi Wu, Staff Attorney, National Consumer Law Center

The panel focused its discussion on areas of ambiguity in Section 1033 of the Dodd-Frank Act and whether Congress needs to amend the law or whether the CFPB should engage in a rulemaking. Among other things, panelists stated that both banks and non-banks find uncertainty in Section 1033’s language that a covered institution “shall make available to a consumer, upon request, information…concerning the consumer financial product or service” – both in terms of how and the extent to which an institution may share a consumer’s data with fintechs, aggregators and account data users. Although the CFPB could provide clarification in a rulemaking, panelists did not believe the Bureau should mandate particular data access standards. Alternatively, it was suggested that Congress could amend the law. However, the panelists’ consensus was that it would be more useful for the CFPB to issue guidance in the form of supervision and examination procedures. Industry representatives commented that the CFPB should subject aggregators and account data holders to the Bureau’s supervision by adopting a rule to define “larger participants” in the market for consumer financial data and expanding its supervisory and examination authority to include aggregators and account data holders to level the playing field. The consumer advocate argued for a balanced approach between supervision and rulemaking. Some panelists also suggested that Regulation E should be amended to allocate liability to aggregators.

Each of the panelist’s written statements are available on the CFPB’s website at consumerfinance.gov/about-us/events.