CFPB sets stage for long fight on data-sharing rule
The Consumer Financial Protection Bureau has spent significant time on long-running policy battles — like regulating payday lenders and proper mortgage underwriting — but analysts predict a new rulemaking still in its early phase could soon dominate the agenda.
In seeking to write a rule around how much control consumers have over their own financial data, the agency is tackling one of the thorniest issues affecting banks, fintechs and data aggregators.
Unlike other regulations affecting single industries, the consumer data rule could be all-encompassing. And the agency is embarking on the project ahead of an expected change of leadership. Many observers say it could be one of the most consequential rulemakings under the incoming Joe Biden administration.
“The CFPB is looking at this as touching every market they cover,” said John Pitts, policy lead at Plaid, a San Francisco data aggregator, and a former deputy assistant director of intergovernmental affairs at the CFPB.
The bureau released an advance notice of proposed rulemaking last month seeking comment on more than 100 questions related to the sharing of consumer data, potential risks to consumers and how data is accessed by third parties.
Broadly speaking, fintechs and aggregators want access to a consumer's bank account data through screen scraping or application programming interfaces to help provide a service, and advocates of consumer access say the bank has to abide.
“This is not a partisan issue, this is an issue where a greater degree of choice and consumer control has the ability to change financial services in a way that benefits consumers,” said Pitts.
But some banks and others worry about consumers giving third parties too much control, the potential for security and privacy breaches, and a bank's proprietary information about fees and other pricing getting released in the exchange.
Dan Murphy, a policy manager at the Financial Health Network, a Chicago nonprofit that serves unbanked and underbanked consumers, said many consumers provide fintechs and aggregators access to their data without quite understanding to what they are consenting.
“The absence of meaningful ways to view, modify, or revoke consent is problematic, and limits consumers’ ability to control their data,” Murphy wrote in a letter to CFPB Director Kathy Kraninger in February. “Consumers’ ability to understand the terms of their consent is particularly hampered by some data aggregators’ practice of using banks’ branding to make it appear as if the consumer is on their bank’s website. This practice should be discontinued."
The CFPB's rulemaking is intended to implement section 1033 of the Dodd-Frank Act, which gave consumers the right to access their own bank account and transaction data in a usable electronic format. The bureau recently published its 34-page ANPR in the Federal Register, giving stakeholders until Feb. 2 to comment. The agency is expected to follow the notice with a more formal proposal.
But the bureau is focusing on the rulemaking just as the agency's current leadership is on shaky ground. With Biden's election victory, Kraninger is widely expected to be replaced as a result of a recent Supreme Court decision enabling presidents to fire CFPB directors at will.
"The bureau’s priorities could shift quickly" on consumer data access under new leadership, said Isaac Boltansky, director of policy research at Compass Point Research and Trading, in a recent note.
The core of any CFPB rule will likely focus on what guardrails, if any, should be constructed to limit what data can be shared.
“The question has always been who owns the data but there is a better way of doing this than everyone poking around in consumer data without the consumer knowing,” said Elan Amir, CEO of MeasureOne, a San Francisco provider of consumer-permissioned academic data. “The position of the institutions may be that it's their data and the customer cannot share it with another party and they don’t want to give the consumer the reins to share [the data] without the institutions’ consent.”
Although the CFPB’s notice was the first step toward a formal rulemaking, the bureau has spent several years engaging industry and consumer groups. The bureau first issued a request for information in 2016 on consumer-authorized access to financial data and followed up with a statement of principles in 2017.
In February, the CFPB held a symposium where bankers, fintechs and aggregators faced off on the problems of screen scraping, one of the most common methods of collecting consumer data.
According to Boltansky's note, a representative of JPMorgan Chase made a compelling case at the symposium for the CFPB to issue guidance on obtaining consent from consumers for data unrelated to products and services that customers have requested.
Consumers often give third-party fintechs access to their data simply by sharing online or mobile banking usernames and passwords. Fintech or data aggregators then log in to a consumer’s account and copy the latest data.
Currently nearly 100 million consumers in the U.S. use at least one finance app that takes data from their bank account, with 90% of the data coming from screen scraping and less than 10% coming from an API provided by a financial institution to a data aggregator.
Some analysts have suggested that the CFPB would prefer for the industry to set its own standards for data sharing through APIs.
“Networks or consortia of data holders have begun to acquire or partner with data aggregators to offer access solutions to data holders as well as to their traditional data user clients,” the bureau’s ANPR states. “These moves may herald a broader move towards multilateral standards for data access, much as network standards function in two-sided payment card markets.”
Screen scraping remains controversial. Banks claim that it poses a security risk by giving fintechs access to sensitive customer data such as account numbers.
“Consumers often do not fully understand what data is being taken, where it is being sent, or how it is being used,” the American Bankers Association said in a statement last year.
Banks want the CFPB to designate a list of a data entries that are considered proprietary and therefore cannot be shared, such as pricing, interest rates or fee information.
Competition among financial products is at the core of the CFPB’s proposal. The bureau cited several examples of how authorized data access can improve existing products. The bureau cited mortgage lenders that now routinely verify a potential borrower’s assets and income as an example of data sharing that ensures data accuracy and reliability while providing a benefit to the consumer.
“Authorized data access holds the potential to intensify competition and innovation in many, perhaps even most, consumer financial markets,” the CFPB said in the advance notice.
Pitts, at Plaid, said the CFPB also clarified in the ANPR's first footnote that consumers can allow a third party to retrieve data on their behalf, an issue that some thought was an open question.
Quyen Truong, a partner at the law firm Stroock & Stroock & Lavan, said the bureau’s likely goal of fostering innovation and consumer rights while addressing security concerns highlights “the challenge of regulation.”
“It’s a tightrope because rules that emphasize privacy and data security could be deemed to hinder consumer access to information,” Truong said. Most banks and financial firms "are concerned about the unintended consequences around the development of a new regulatory framework.”