The Consumer Financial Protection Bureau (CFPB) has published principles for data sharing and aggregation regarding individual consumers. As data become ubiquitous, there is a looming concern about who owns or controls personal information. In an age of rampant cybersecurity issues, setting guidelines for what banks and Fintechs can or cannot do with an individual's information is very important.
CFPB Director Richard Cordray stated:
“Today, the Bureau released its consumer protection principles for the consumer-authorized data-sharing market. These principles express our vision for realizing an innovative market that gives consumers protection and value.”
The CFPB says it recognizes that while consumer-authorized data sharing promises great benefits to consumers, there are many consumer protection challenges to be considered as these technologies continue to develop. The CFPB has published 9 principles which are bulleted below:
- Access – Consumers are able, upon request, to obtain information about their ownership or use of a financial product or service from their product or service provider. Such information is made available in a timely manner. Consumers are generally able to authorize trusted third parties to obtain such information.
- Data Scope and Usability – Financial data subject to consumer and consumer-authorized access may include any transaction, series of transactions, or other aspect of consumer usage; the terms of any account, such as a fee schedule; realized consumer costs, such as fees or interest paid; and realized consumer benefits, such as interest earned or rewards.
- Control and Informed Consent – Consumers can enhance their financial lives when they control information regarding their accounts or use of financial services.
- Authorizing Payments – Authorized data access, in and of itself, is not payment authorization.
- Security – Consumer data are accessed, stored, used, and distributed securely.
- Access Transparency – Consumers are informed of, or can readily ascertain, which third parties that they have authorized are accessing or using information regarding the consumers’ accounts or other consumer use of financial services.
- Accuracy – Consumers can expect the data they access or authorize others to access or use to be accurate and current.
- Ability to Dispute and Resolve Unauthorized Access – Consumers have reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing.
- Efficient and Effective Accountability Mechanisms – The goals and incentives of parties that grant access to, access, use, store, redistribute, and dispose of consumer data align to enable safe consumer access and deter misuse.
The principles as published by the CFPB are available below.
Financial Innovation Now (FIN), an advocacy group that represents big tech and its participation in Fintech, applauded the CFPB’s release of principles to ensure that consumers can safely access their financial data.
Brian Peters, Executive Director of Financial Innovation Now, stated:
“We applaud the efforts of the CFPB to ensure that consumers are empowered to access their own finances securely and easily, using the technology of their choosing. FIN members are creating technologies that enable consumers to better manage their financial lives and we believe the Bureau’s principles are currently the right approach to fostering greater industry collaboration towards the development of future-flexible, standards-based technologies that promote consumer access.”
The UK is another regime where the discussion on financial data ownership and utilization is quite robust. The Open Banking initiative is expected to kick in by the beginning of next year. The UK will create a regime where all financial data is owned by the consumer rather than by financial services firms. In a world that will soon be dominated by distributed ledger technology (DLT or Blockchain), consumer control of data may be easier to accomplish, but it also makes data access by financial firms simpler to accomplish. It will be interesting to see if Congress steps in to create law that fundamentally protects individuals' ownership of data – something big banks may be loath to concede.