WASHINGTON — The Consumer Financial Protection Bureau released nonbinding principles Wednesday for third parties that use consumer financial data to help guide the development of innovative but safe fintech solutions.
The guidance said consumers should have greater ability to obtain information about their financial data from providers, while providers should collect information in a manner that does not expose consumers to data breaches, among other principles.
“These principles express our vision for realizing an innovative market that gives consumers protection and value,” CFPB Director Richard Cordray said in a press release.
Yet the agency, which last year launched an inquiry to gather information about data sharing and aggregation practices, was careful to state that the principles were not binding.
“The Principles do not themselves establish binding requirements or obligations relevant to the Bureau’s exercise of its rulemaking, supervisory, or enforcement authority,” the guidance said. “In addition, the Principles are not intended as a statement of the Bureau’s future enforcement or supervisory priorities.”
The guidance is directed at companies, including both fintech firms and more traditional lenders like banks, that seek out consumers’ financial information in order to find services or products that they think might be of interest to the consumer.
While many third-party apps already receive consumers’ financial data, a debate continues over whether banks are legally required to share financial data with apps, and which methods are safest for protecting consumers from harm.
Fintechs have been arguing that banks do not share as much information, or share it as efficiently, as is needed to make products work as effectively as they would like. But banks and others have expressed concern about whether third parties are using or selling unauthorized information to outside parties, and whether even aggregated data can be reverse-engineered to become identifiable data.
The guidance suggests that consumers should be able to obtain information “about their ownership or use of a financial product or service” from providers, and use agreements should not “seek to deter consumers from accessing or granting access to their account information” nor require consumers to share account credentials with third parties.
Terms of access should be “fully and effectively disclosed” to consumers, the guidance said, and consumers should not be “coerced” into granting access and should be able to “readily and simply revoke authorizations.”
Third parties authorized by the consumer, meanwhile, should only collect information “necessary to provide the product(s) or service(s) selected by the consumer” and should only maintain that data “as long as necessary,” the guidance said. Data access cannot be construed as payment authorization, the guidance said, and “separate and distinct consumer authorizations” are required for any payments.
Data and access credentials should be “maintained in a manner and in formats that deter and protect against security breaches,” the CFPB said, and there should be a “reasonable and practical means” of allowing consumers to dispute unauthorized access.