CFPB’s Data-Sharing Principles Spark Discussion
The Consumer Financial Protection Bureau’s (CFPB) recently published Consumer Protection Principles on consumer-authorized financial data sharing and aggregation outline nine non-binding tenets that address the issue of steadily increasing amounts of useful consumer data. This data creates new product and service opportunities—along with significant security and privacy challenges—for the financial services industry.
Not surprisingly, the CFPB supports consumer control over data, but its use of “principles” versus “guidance” is an acknowledgement that this could prove difficult to achieve.
The CFPB’s principles represent ideal conditions for consumers, as they would have available and timely access to their data, the scope of which would cover a broad range of transactions that consumers could limit as needed. Consumers would understand what they are authorizing and have full control to grant or revoke that authorization, which would be distinct from payment authorization. Consumer data would be secure, transparent and accurate. Finally, consumers would be able to dispute and resolve unauthorized access and benefit from efficient and effective accountability mechanisms.
Making these conditions a reality will require significant coordination from all involved parties, which the CFPB surveyed through a Request for Information in late 2016. Based on its analysis of the comments received, the CFPB hopes to inform this discussion through its principles, which it says “express the Bureau’s vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.”
There are many obstacles to reaching this end-state vision, notably these five challenges:
Multiple Laws Versus One Law
The United States first recognized consumer rights, with regard to financial information, in 1970 with the passing of the Fair Credit Reporting Act (FCRA). Under the FCRA, credit-reporting agencies must maintain and protect accurate consumer information, and consumers have the right to dispute inaccuracies in that data. Changing times at the end of the 20th century led to the Gramm-Leach-Bliley Act (GLBA), which requires all financial institutions to protect the privacy of their customers and to ensure the security and confidentiality of their financial information. In 2001, the USA PATRIOT Act expanded the definition of “financial institution,” thereby broadening the reach of many regulations, including GLBA.
Now a question looms: Has technology outpaced the abilities of FCRA and GLBA to protect consumer data? Not only has digitization increased the amount of consumer data being generated and stored, it has unleashed a whole new industry—data aggregation—where consumer data is collected, used and sold. To this point, the American Bankers Association (ABA) notes that banks “dedicate tremendous resources to safeguarding financial data.” At the same time, it warns that “current practices in the data aggregation market, however, may leave consumers exposed.”
Crowdfund Insider, which reports on fintech, speculates that Congress may eventually “create law that fundamentally protects individuals’ ownership of data.” This would follow the European Union (EU), which has historically led the way in data security, so much so that the European Data Protection Supervisor claims EU data protection laws to be the “gold standard all over the world.” Passage of the General Data Protection Regulation (GDPR) in 2016 follows this pattern. This law applies to all companies processing consumer personal data in the EU. When fully implemented in May 2018, consumers will have full control to grant, move and revoke authorization of their data as desired.
For now, the CFPB and other U.S. regulators appear content to rely on existing regulations to protect consumer data in this country. This wait-and-see approach is likely to gauge the success and impact of the GDPR’s implementation next year.
A Tense But Symbiotic Relationship
When GLBA was passed, smartphones and mobile banking didn’t exist. Now, digitization allows banks to offer cutting edge products and services through which they can deepen customer relationships and increase fee revenue. But there is a catch. In 1999, traditional financial institutions were consumers’ only option. Today, consumers can just as easily bank with fintechs as with conventional banks.
Not only has this development caused massive disruption in the financial services market, it has also created a tense but symbiotic relationship between traditional banks and fintechs. As the ABA described, “Technology focused startups are building products that rely on access to consumer financial data.” So fintechs need banks to provide them access to that information, while banks need fintech innovation to keep pace with consumer demand for greater convenience and speed in banking.
While advocates like the ABA question the security of data outside the traditional bank environment and call for GLBA standards to be more specifically applied to companies creating third-party banking apps, fintechs have a beef of their own. American Banker reports that, “A recently formed group representing 31 data aggregators and fintech companies, called Consumer Financial Data Rights, says banks still aren’t forking over as much data as they should.”
Some larger financial institutions like JPMorgan Chase and Wells Fargo are attempting to resolve this situation by developing data-sharing agreements with established fintechs. American Banker argues that these one-off data sharing deals aren’t enough because they limit consumer choice by excluding smaller institutions and other data aggregators or third-party apps without the clout to reach such agreements.
The CFPB principles “reiterate the importance of protecting consumers to all stakeholders that provide, use, or aggregate consumer-authorized financial data.” But without the teeth of binding regulation, it is unclear if these competing interests will heed the CFPB’s call to work together to protect consumers.
Consumer Ignorance and Nonchalance
Speaking of consumers, the Equifax breach likely made them more concerned about the safety of their personal financial data, but they still appear either unaware of or nonchalant about the fact that they routinely grant non-bank third parties access to their financial information.
The CFPB principles address this. In noting what the CFPB got right with data-sharing principles, American Banker says, “First and foremost, we need to make sure that consumers understand what they are agreeing to when they give third parties access to their financial information.”
Disclosures written in plain language might increase consumer awareness, but that only works if consumers actually read the “Terms and Conditions” before downloading the latest financial app. As the ABA describes, many consumers appear more interested in convenience than data security, accepting “a Faustian bargain, in which their desire for technology-driven convenience is exchanged—often unknowingly—for increased potential of catastrophe, by handing over the keys to their financial vault.”
Transparency Is Easier Said Than Done
Mirroring the GDPR, the CFPB principles advocate for consumers’ ability to see all parties with access to their information, and to limit or revoke that access at any time. It is unclear from the CFPB exactly what this would look like, but Crowdfund Insider says that distributed ledger technology (DLT) may hold the key. TechTarget describes DLT as “a digital system for recording the transactions of assets in which the transactions and their details are recorded in multiple places at the same time.” One of the better-known examples of DLT is blockchain, which Bitcoin uses.
Although it may provide some answers, DLT may also create problems. Crowdfund Insider explains that DLT “also makes data access by financial firms simpler to accomplish.” Easier access could mean an explosion in the number of data aggregators and fintechs entering the scene. And the more firms that have consumer financial data, the harder it may be for consumers to track or control it.
Technology Continues to Evolve
Technology itself is the fifth challenge. Our current quandary is a product of technology outpacing regulatory and industry policy, and it shows no sign of slowing down to let regulations catch up. In fact, its evolution continues and the pace of change appears to quicken with each new advancement. The CFPB’s issuance of principles versus guidance reflects that reality. American Banker lauds the CFPB for this approach, noting that, “By issuing principles, the CFPB creates space for the industry to lead the development of solutions, while providing needed clarification about regulators’ expectations.” Regardless of this pragmatism, this will be a delicate balancing act for the foreseeable future.
The Current Reality of Data Sharing for Community Banks
Although the CFPB’s data-sharing principles do not place direct obligations on financial institutions, including community banks, they remind us of two important facts:
First, banks are still subject to existing vendor management guidance, which makes them ultimately responsible for any work handled by third parties. In many cases, data aggregation is expanding the vendor circle out to a fourth or even fifth party. Community banks need to be aware of this situation and address it in their third-party due diligence and contract negotiations.
Second, community banks are in a unique position to help educate consumers about data aggregation and build awareness about the importance of protecting their personal data through greater vigilance.
Data sharing is the wave of the future, a fact that both community banks and consumers will have to face. Ultimately, both will have to decide whether to be a part of the problem or part of the solution.
Amber Goodrich, compliance strategist for CSI Regulatory Compliance, has more than 10 years of financial industry experience. She is a Certified Regulatory Compliance Manager (CRCM) and Certified Bank Secrecy Act (BSA) Professional (CBAP).