CFPB Outlines Principles for Consumer-Authorized Financial Data Sharing and Aggregation

Written By Eamonn Moran

The Consumer Financial Protection Bureau (CFPB or Bureau) recently released a set of consumer protection principles for protecting consumers when they authorize third-party companies to access their financial data to provide certain financial products and services. The Bureau states that these principles, which all stakeholders that provide, use, or aggregate consumer-authorized financial data should consider, “are intended to help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives.”

Many companies, including fintech firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide a variety of products and services. Consumer-authorized access to consumer financial account data in electronic form may enable consumer-friendly innovation in financial services. Companies that consumers authorize to access their digital financial records can aggregate and use those records to offer new products and services aimed at making it easier, cheaper, or more efficient for consumers to manage their financial lives. Examples of such “data-aggregation” products and services include fraud screening and identity verification, personal financial management, and bill payment. At the same time, this kind of expanded access to consumer financial records raises a number of concerns, particularly with respect to data security, privacy, and unauthorized access. The Bureau “advocates strongly for consumer control of the consumer’s data and transparency,” while emphasizing the importance of data security and privacy.

The principles articulate the Bureau’s “vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.” The principles, which are intended to be read together, relate to:

  • data access;
  • data scope and usability;
  • control of the data and informed consent;
  • payment authorizations;
  • data security;
  • transparency on data access rights;
  • data accuracy;
  • accountability for access and use; and
  • disputes and resolutions for unauthorized access.

These principles build upon the CFPB’s 2016 Request for Information (RFI) to gather feedback from a wide range of stakeholders concerning consumer-authorized data access. Based on the RFI, as well as other stakeholder outreach, the Bureau “understands that some key industry stakeholders are working on improvements to consumer-authorized data access. These improvements relate to the agreements, systems, and standards involved in consumer-authorized data access.”

The Bureau states that it “will continue to closely monitor developments in this market and will also continue to assess how these principles may best be realized.” The Bureau notes that these principles “do not establish binding requirements or obligations relevant to [the agency’s] exercise of its rulemaking, supervisory, or enforcement authority. In addition, they are not intended to alter, interpret, or otherwise provide guidance on existing statutes and regulations that apply in this market.” Lastly, the Bureau states that these principles “are not intended as a statement of [the agency’s] future enforcement or supervisory priorities.”

We will provide additional updates on this topic and related privacy and data governance issues as further developments occur.
