The CFPB announced its plan to issue an advance notice of proposed rulemaking (“ANPR”) on consumer-authorized access to financial records. The announcement follows a symposium on the topic, which was hosted by the Bureau this past February. Concurrent with this announcement, the CFPB also released its long-awaited summary report of the symposium proceedings.
The Bureau’s increased attention to the topic stems from Section 1033 of the Dodd-Frank Act, which was enacted in 2010 and was intended to help ensure that consumers have access to, and the ability to leverage, their financial records. Section 1033 states in part that “[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person . . . in an electronic form usable by consumers.” The Bureau notes that, up to this point, its approach to the topic, including the enforcement of Section 1033, has largely been to identify and promote consumer interests—in access, control, security, privacy, and other areas—and to allow the market to develop without direct regulatory intervention. However, the Bureau’s recent activities appear to signal a more involved and regulated approach.
While recognizing that companies or other third parties that consumers grant permission to access their digital financial records can aggregate and use those records to offer new products and services aimed at making it easier, cheaper, or more efficient for consumers to manage their financial lives, the Bureau warns that “this kind of expanded access to consumer financial records raises a number of concerns, particularly with respect to data security, privacy, and unauthorized access.” Thus, according to the Bureau, its proposed rulemaking efforts on the topic will allow it to:
- Solicit stakeholder input on ways that the Bureau might effectively and efficiently implement the financial access rights described in Section 1033 of the Dodd-Frank Act.
- While noting that different market participants have helped authorized data access become more secure, effective, and subject to consumer control, the Bureau warns that it also “sees indications that some emerging market practices may not reflect the access rights described in Section 1033.”
- Seek information regarding the possible scope of data that might be subject to protected access as well as information that might bear on other terms of access, such as those relating to security, privacy, effective customer control over access and accessed data, and accountability for data errors and unauthorized access.
- Inquire into whether—and if so, how—issues of regulatory uncertainty with respect to Section 1033 and its interaction with other statutes within the Bureau’s jurisdiction, such as the Fair Credit Reporting Act (FCRA), may be impacting this market to the potential detriment of consumers; and seek information that may help resolve such uncertainty.
Additionally, based on the symposium report, we anticipate that the Bureau will be focusing its rulemaking efforts on evaluating the following key subject categories and issues:
- Data access and scope;
  - The issues to be evaluated under this category will depend on whether consumers access the data via first-party access (where consumers directly access the data in their accounts) or third-party access (where consumers authorize or “permission” third parties to access data on their behalf).
- Credential-based access and “screen scraping”;
  - This category concerns the different methods for accessing consumer data. For example, “credential-based access” refers to the practice of a third party accessing a consumer’s permissioned financial data by obtaining the consumer’s credentials and logging into the consumer’s online financial account management portal as though it were the consumer. Similarly, “screen scraping” is a practice whereby the third party retrieves a consumer’s permissioned financial data by using proprietary software to convert the data presented in a consumer’s online financial account management portal into standardized machine-readable data that third parties can use. In contrast, an API (application programming interface) is a set of rules or software instructions that allow different types of machines to communicate. The Bureau notes that “credential-based access” and “screen-scraping” practices are the predominant means by which third parties currently access and retrieve permissioned customer data; however, it also notes that there is a shift towards substituting APIs as both a means of data access and retrieval. The report notes that symposium participants agreed that this industry move to APIs would benefit consumers and all market participants.
- Disclosure and informed consent;
  - A large issue that will need to be evaluated is the adequacy of consumer disclosure and consent management programs. Consumer advocates at the symposium criticized the visibility, informativeness, and consistency of disclosures offered by companies seeking consumer authorization for permissioned data sharing. To counter this criticism, fintech participants at the symposium generally defended their practices and noted relevant recent improvements, including improvements to consumer-facing data sharing controls and dashboards, as potentially useful tools for aligning treatment of consumer data with consumer preferences.
  - According to some participants, there may be significant privacy risks with permissioned data sharing, even if disclosures and informed consent programs are refined and improved. Some participants even suggested that the Bureau should limit certain “secondary uses” of consumer-permissioned data.
- Transparency and control;
  - The question of how much control consumers should have over the data they permission will likely be a large issue. Participants generally agreed that there needs to be a focus on consumers’ ability to monitor and regulate data flows, revoke access, and request retroactive deletion of data.
- Security and data minimization;
  - As noted above, the transition from credential-based access and screen scraping to API authentication and access will likely lead to improved security. However, some participants also advocated for additional oversight, including cybersecurity oversight, of aggregators and handlers of consumer-permissioned data. Generally, a robust data minimization program would also mitigate some of the security risks associated with permissioned data sharing.
- Accuracy, disputes, and accountability; and
  - Participants discussed issues associated with the use and distribution of inaccurate data, the applicability of the FCRA to credit-related uses of permissioned data, and the potential liability that stakeholders will face for unauthorized access to or use of the shared data.
- Legal issues
  - Among the legal issues that will be relevant to the Bureau’s actions will be:
    - Whether Section 1033 of the Dodd-Frank Act is “self-executing.” For example, the report brings to light the question of “whether the core mandate of section 1033(a) on covered persons to make information available to consumers has been effective since the passage of the Dodd-Frank Act or would only be effective upon the Bureau issuing rules.”
    - Whether consumer rights to data can be extended to third parties for purposes of Section 1033. For example, would agents of consumers be considered consumers? Would data aggregators and fintechs acting on behalf of consumers also be deemed consumers?
    - Whether Section 1033 gives any authority to the Bureau to allow for data field exclusions from a consumer’s right to access, or for the denial of data access to third parties on the basis of security concerns.
    - Which party or stakeholder will be liable for the unauthorized access to or misuse of the data.
    - How far the Gramm-Leach-Bliley Act (and its implementing regulations) goes in regulating the parties involved in the data sharing stream.
    - If the Bureau decides to move forward with its rulemaking initiative, whether the Bureau will issue a larger participant rule for the data aggregation market.