On October 18, the Consumer Financial Protection Bureau (the “CFPB”) released the Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (the “Principles”).  The Principles represent a cautious step forward by the CFPB in providing guidance on how institutions holding customer accounts (such as banks) should share information with service providers, including “fintech” companies that obtain customer authorization to access their account information in order to provide services to such customers.  Such data aggregation-based service providers can provide useful products and services to consumers, such as fraud screening, identity verification, personal financial management and bill payment, and promote competition in the financial services market.  With respect to fraud screening and identity verification services in particular, in the aftermath of the recent Equifax breach, the appeal of such services is obvious.  However, with additional sharing of data come additional risks—the increase in data access points, albeit consumer-authorized, presents new challenges from a cybersecurity and privacy perspective, increasing the possibility of consumers inadvertently losing control of their information.

The CFPB offers the Principles as a set of ideals, setting forth a “common understanding of consumer interests” and expressing its “vision for realizing a robust, safe, and workable data aggregation market.”  They cover data access, data scope and usability, consumer control and informed consent, authorized payments, data security, access transparency, accuracy of data, consumer ability to dispute and resolve unauthorized access, and accountability mechanisms.  Although the Principles are explicitly “not intended to alter, interpret or otherwise provide guidance on” the scope of existing statutes and regulations that may already apply to certain actors in this market and do not “establish binding requirements or obligations relevant to the Bureau’s exercise of its rulemaking, supervisory or enforcement authority,” their promulgation nevertheless adds to an already complicated regulatory environment.  Based on the CFPB’s press announcement, the Principles should be considered by “all stakeholders that provide, use, or aggregate consumer-authorized financial data.”  Financial companies in the U.S. are generally already subject to regulations relating to data privacy and security promulgated under the Gramm-Leach-Bliley Act or applicable state regulations, but the scope of such regulations does not cover all fintech companies in the financial data aggregation service space.  For fintech companies that are not subject to existing federal data privacy and security regulations, the Principles provide a very broadly drafted, non-binding roadmap for their business practices.  For companies that are already subject to existing regulations, the Principles add another layer of consideration to their current obligations.

The Principles attempt to strike a balance between protecting consumers with respect to data privacy and security, on the one hand, and supporting innovative and consumer-beneficial fintech products and services, on the other hand.  The Principles indicate support for data sharing procedures that enable consumers to take advantage of such products and services and that foster competition, and demonstrate bias against obstacles to data sharing that benefit account holding institutions (that may be reluctant to share data with third parties) but are not reasonably predicated on the consumer’s own interests.  For example, the “Access” principle suggests that an account holding institution should defer to a consumer’s choice to authorize third parties to obtain account information for use on their behalf and that account holding institutions should support such access and not seek to deter consumers from granting such access.  The “Data Scope and Usability” principle further suggests that financial data subject to consumer-authorized access should be made available in forms that are readily usable by consumer-authorized third parties.

Other principles are largely intended to protect consumers’ data privacy and security, including, for example, advocating for proper disclosure of the terms of the authorized data access (without, however, specifically addressing the potentially limited effectiveness of disclosure, particularly as such disclosures multiply).  The Principles also state broadly that “commercial participants are accountable for the risks, harms, and costs they introduce to consumers,” but stop short of elaborating on the important issue of allocation of liability between an account holding institution and a service provider that is granted access, if the consumer were to suffer losses due to a breach at or through the service provider.

Regulatory authorities must balance their interest in spurring competition and enabling technologies that are valuable to consumers with their goals of achieving adequate data protection and consumer control over their own information.  They must also decide whether it is prudent to prescribe regulatory requirements or allow industry to develop a consensus approach and effectively self-regulate, in part in reliance on market pressures.  Here, the CFPB has taken a cautious approach (consistent with the broader regulatory approach to fintech thus far in the United States), providing non-binding principles and suggesting that it is taking a “wait-and-see” stance for the moment.  The CFPB’s non-binding, principles-based approach can be contrasted with the more prescriptive regulatory approach adopted by the European Union with its Second Payment Services Directive (“PSD2”).  Beginning in January 2018, PSD2 will make it mandatory for banks to grant access (subject to customer consent) to their customers’ online bank accounts to third party providers (“TPPs”) such as fintech companies.  The potential privacy and data security concerns associated with requiring banks to open up customer data are likely to be mitigated to some extent by the strong customer authentication and secure communication protocols established by the Regulatory Technical Standards to be finalized by the European Banking Authority.  Industry participants will remain concerned, however, about ensuring that their use, transfer and receipt of customer data are compliant with strict European privacy laws, including the European Union’s General Data Protection Regulation (“GDPR”), which comes into effect in May 2018.

The CFPB’s approach can also be contrasted with that of the United Kingdom’s Competition and Markets Authority (“CMA”), which issued reforms in 2016 designed to introduce greater competition in the UK retail banking market.  One of the principal reforms mandated by the CMA was requiring the UK’s nine largest banks to create and fund an Open Banking Implementation Entity that would develop “open data APIs,” offering standardized information on UK banking products, and “read/write APIs,” offering standardized APIs on which TPPs can build web and mobile applications to access customer data in accordance with PSD2.

The Principles therefore represent a carefully calibrated step forward in U.S. regulatory efforts to address consumer privacy and data protection in the context of fintech and the rapidly evolving relationship between consumers, financial institutions and fintechs and other service providers.  In contrast to some jurisdictions, U.S. regulators continue to take a cautious approach to new regulation in this space rather than pursuing a comprehensive, highly prescriptive approach.  While this gives industry time to continue working towards a self-regulatory solution that will be flexible and market-based, it leaves open for the moment questions about an uneven playing field for different market participants and whether consumer information is adequately protected by current market practices.

The full text of the Principles is available here.

The CFPB’s summary report of the stakeholder insights that informed the Principles is available here.