OCC did its part to secure customer data. Now it’s CFPB’s turn.
The Office of the Comptroller of the Currency recently made clear that banks aren’t necessarily entering third-party relationships when they allow customers to use fintech apps powered by aggregators.
This presents a potential benefit for consumers, banks, aggregators and fintechs — but only if everyone works together to get it right. If not, it could create compliance burdens that limit consumer choice.
Consumers have the right and ability to control, access and share their own financial information with the apps they choose. This has been true since the Dodd-Frank Act of 2010. But the question remained as to how companies should manage that new reality.
The OCC’s updated guidance on data aggregators answered half the question by directing banks on how to keep themselves safe. Now, the onus is on the Consumer Financial Protection Bureau to complete the answer by clarifying consumer rights for consumer-permissioned data. This way, the bank guidance is balanced with consumer protection and choice.
The OCC released FAQs March 5 on banks’ relationships with data aggregators, the companies consumers rely on to use thousands of financial technology applications. The FAQs set principles around aggregator security practices that the industry should welcome.
If implemented well, those practices will help banks modernize risk management for the digital financial ecosystem and ensure that all consumers have access to innovative financial products and services.
Consumer choice drives data-sharing with fintech apps. Recognizing this, the OCC clarified that if banks aren’t receiving a direct service or benefit from the aggregators that power these apps, the level of risk for banks is actually lower than typical business arrangements.
Yet, the FAQs also recognized that the relationship between banks and aggregators must be secure and sound for consumer protection. The OCC advised banks that they should follow certain principles in evaluating aggregators for security, even if there is not a business relationship with them. Plaid agrees wholeheartedly.
A practical example of how the OCC’s FAQs will make it easier on bank and aggregator relationships is through so-called white lists.
A common request aggregators make to banks is that the bank “white lists” the aggregator’s IP addresses, so that it is clear when requests come through them. White-listing helps everyone: connections are higher-quality for fintechs, and banks can more easily identify and block rogue actors.
Yet some banks were unsure that the OCC would approve. The FAQs make clear that the OCC will look for banks to conduct “ongoing monitoring of data-sharing activities,” which white-listing permits.
Scaling diligence obligations to hundreds of banks could risk new compliance burdens. The best way to avoid this is through a set of common standards with which banks can evaluate aggregators' data-sharing security.
For example, Plaid is currently in a pilot program with The Clearing House and some of the nation's most innovative banks to test out an approach for doing this. And the OCC's encouragement of such programs is a step in the right direction.
Despite the positive opportunities the OCC’s FAQs signal, the OCC is silent on how to protect consumer choice and freedom. Without clear rules that protect consumer rights, the OCC’s guidance that “safeguarding of sensitive customer data should be a key focus” may lead to unbalanced implementations that block consumer choice.
The implications for failing to get this balance right are severe. According to the Financial Data Exchange, 50-100 million consumers could lose access to their favorite financial apps. Community bank and credit union customers would be hit the hardest.
Fortunately, Congress mandated an agency to protect consumer financial data access. Two weeks ago, the CFPB held a symposium on consumer data access, in which stakeholders across the spectrum called on the agency to take action.
To amplify these efforts, Plaid also proposed simple guidelines to strengthen a consumer’s right to access and share their financial information available when they log into their bank.
Now is the time for the CFPB to build on the OCC’s work and further define what rights consumers have, and the necessity of consumer choice and freedom.
As the agency charged with protecting consumer financial data access, the CFPB should take a step to round out the OCC’s FAQs with rules that ensure that the proper balance between safe and secure access, and consumer choice is met.