As more consumers are choosing to share their financial data to take advantage of innovative fintech products, the financial services industry faces critical questions: Who gets to decide whether financial data is shared? How should that sharing occur? And who is responsible for keeping the information safe?
After soliciting industry comments almost a year ago, the Consumer Financial Protection Bureau has given its initial answers to those questions. It released a set of nine “Consumer Protection Principles” last week designed to help banks, fintech companies, credit unions, credit card companies, and other financial service providers navigate the sharing of consumers’ financial data when consumers request it.
The first principle – “Access” – answers the initial question of who gets to decide in the consumer’s favor. The CFPB says the data belongs to the consumer, so each consumer has the right to request that their information be shared with third parties of their choosing. Nor can providers try to dodge the issue entirely by restricting access, as the CFPB advises that providers should “not seek to deter consumers from accessing or granting access” to their information.
Additionally, that information should be “made available in a timely manner,” according to the first Consumer Protection Principle. Although the CFPB does not set parameters for what’s timely and what’s not, this signals to financial service providers the CFPB’s expectation that they will promptly respond to consumer requests, both to share information and to close the spigot by revoking authorization.
The principle of “Access Transparency” could potentially require financial service providers to make changes to their customers’ online portals. The CFPB says that consumers should be able to easily figure out which third parties are accessing information about their accounts. This includes “the identity and security of each such party, the data they access, their use of such data, and the frequency at which they access the data.”
Another principle about how the sharing should occur focuses on the “Scope and Usability” of data. For financial service providers, it specifies that the information should be “made available in forms that are readily usable by consumers and consumer-authorized third parties.” For fintech companies and other third parties on the receiving end, the CFPB says they should only access the data “necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”
The principles make clear that financial service providers and fintech companies all have a role to play in data security too. Specifically, the “Security” principle expects that the information will be maintained and shared in a way that protects against breaches and prevents harm to consumers. Emphasizing the shared responsibility on this front, the guidance says:
“All parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes. Security practices adapt effectively to new threats.”
You can find the rest of the principles here. While they provide a roadmap for navigating data sharing, it’s important to note that the principles are not binding, although the CFPB notes that they “may accord” with existing statutes and regulations covering some of these areas.
Furthermore, the CFPB itself acknowledges this is a work in progress, saying it will “continue to assess how these principles may best be realized.” As the principles evolve, look for more updates from Parker Poe. For additional perspective on the potential ramifications of the Consumer Protection Principles, I encourage you to consult with counsel.