On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) published guidelines for financial institutions to use when authorizing third-party access to consumers’ financial information. These guidelines are targeted at protecting consumers who give their consent to allow other companies to access their account information. Companies—including fintech firms, banks, and other financial institutions—often use information from consumers’ financial accounts when providing certain products and services, including, for example, financial advice or financial management tools, fraud screening and identity verification, management of personal finances, and bill payment.
In November 2016, the CFPB issued a Request for Information about third-party access to consumer data. The results of that Request showed that consumer-authorized financial data sharing continues to present challenges to consumer protection as the technologies that use consumers’ account information develop. CFPB Director Richard Cordray stated that the CFPB’s consumer protection principles for the consumer-authorized data-sharing market “express [the CFPB’s] vision for realizing an innovative market that gives consumers protection and value.” The principles issued by the CFPB relate to data access, data scope and usability, control of the data and informed consent, payment authorizations, data security, transparency on data access rights, data accuracy, accountability for access and use, and disputes and resolutions for unauthorized access.
According to the CFPB, the principles enumerated in its guidance “are intended to help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives.” Critically, though, the guidance does not purport to establish any binding requirements or obligations.
The principles fall into the following categories:
- Access. Consumers should be able to obtain information about their ownership or use of a financial product or service from the provider of that product or service, and that information should be provided in a timely manner. Consumers should be able to authorize third parties to obtain that information from account providers to use for the consumers’ benefit and in a safe manner.
- Data Scope and Usability. The financial data to which consumers may allow third-party access should include: any transaction, series of transactions, or other aspect of consumer usage; the terms of any account; and realized consumer costs and benefits. Information should be available in readily-usable form, and third parties should be allowed access only to the data required to provide the requested product or service and should maintain that data only as long as necessary.
- Control and Informed Consent. The authorized terms of access, storage, use, and disposal of consumer financial information should be fully and clearly disclosed to the consumer and should align with the consumer’s reasonable expectations regarding the product or service to be received. Consumers should never be coerced into granting third-party access to their information. Consumers should be able to revoke consent for third-party access immediately and easily, and, if the consumer so requests, revocation should include deletion of the consumer’s personally identifying information.
- Authorizing Payments. Authorized access to account data is not, by itself, authorization to initiate payments. A provider that both accesses a consumer’s information and initiates payments should obtain separate and distinct consumer authorizations for each of these activities, although it may reasonably require both authorizations as a condition of providing its service.
- Security. Parties that use consumer financial data should employ adaptive protections and processes to combat security threats; transmit data only to parties with comparable protections and processes; access, store, use, and distribute consumer data and access credentials securely; and maintain consumer data in a manner and format that deters and protects against security breaches and other consumer harm.
- Access Transparency. Consumers should be kept apprised of when authorized third parties are accessing their financial information. Information provided to the consumer should include the identity and security of each party accessing the information, the data accessed, the purpose for which the party is using the data, and the frequency of data access.
- Accuracy. The data accessed by authorized third parties should be accurate and current, and consumers should be able to easily dispute inaccurate data.
- Ability to Dispute and Resolve Unauthorized Access. Consumers should be able to easily dispute instances of unauthorized access and data sharing related to their account information.
- Efficient and Effective Accountability Mechanisms. Companies that grant access to consumer account information and companies that use consumer account information should be accountable for the risks to consumers.
As technologies that require access to consumers’ financial information continue to develop, it is important that consumer financial services providers keep abreast of principles articulated by the CFPB and other agencies regarding data sharing.