Written By Eamonn Moran
The Consumer Financial Protection Bureau (CFPB or Bureau) recently released a set of principles for protecting consumers when they authorize third-party companies to access their financial data to provide certain financial products and services. The Bureau states that these principles, which all stakeholders that provide, use, or aggregate consumer-authorized financial data should consider, “are intended to help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives.”
Many companies, including fintech firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide a variety of products and services. Consumer-authorized access to consumer financial account data in electronic form may enable consumer-friendly innovation in financial services. Companies that consumers authorize to access their digital financial records can aggregate and use those records to offer new products and services aimed at making it easier, cheaper, or more efficient for consumers to manage their financial lives. Examples of such “data-aggregation” products and services include fraud screening and identity verification, personal financial management, and bill payment. At the same time, this kind of expanded access to consumer financial records raises a number of concerns, particularly with respect to data security, privacy, and unauthorized access. The Bureau “advocates strongly for consumer control of the consumer’s data and transparency,” while emphasizing the importance of data security and privacy.
The principles articulate the Bureau’s “vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.” The principles, which are intended to be read together, relate to:
- data access;
- data scope and usability;
- control of the data and informed consent;
- payment authorizations;
- data security;
- transparency on data access rights;
- data accuracy;
- accountability for access and use; and
- disputes and resolutions for unauthorized access.
These principles build upon the CFPB’s 2016 Request for Information (RFI) to gather feedback from a wide range of stakeholders concerning consumer-authorized data access. Based on the RFI, as well as other stakeholder outreach, the Bureau “understands that some key industry stakeholders are working on improvements to consumer-authorized data access. These improvements relate to the agreements, systems, and standards involved in consumer-authorized data access.”
The Bureau states that it “will continue to closely monitor developments in this market and will also continue to assess how these principles may best be realized.” The Bureau notes that these principles “do not establish binding requirements or obligations relevant to [the agency’s] exercise of its rulemaking, supervisory, or enforcement authority. In addition, they are not intended to alter, interpret, or otherwise provide guidance on existing statutes and regulations that apply in this market.” Lastly, the Bureau states that these principles “are not intended as a statement of [the agency’s] future enforcement or supervisory priorities.”
We will provide additional updates on this topic and related privacy and data governance issues as further developments occur.