Success of CFPB data-sharing guidance relies on how it is enforced
The financial technology revolution, which is being led by entrepreneurs rethinking everything from the way people save to how they apply for a mortgage, has the potential to put consumers in control of their own financial lives — so long as their various financial accounts can work seamlessly together with the third-party app the consumer wishes to use. Nearly all fintech apps rely on consumers’ ability to access their financial account information to get tailored budgeting, saving, investing advice and more.
This month, the Consumer Financial Protection Bureau took an important step toward making that potential a reality with its release of consumer-authorized data-sharing and aggregation principles. In the principles, the bureau reiterated consumers’ right to share data, recognizing that connectivity is the underlying magic fueling the consumer fintech revolution. The guidelines will promote innovation, competition and consumer control.
But the CFPB’s principles are just that — nonbinding statements of CFPB policy. While the ball is largely in the industry’s court to work toward new data-sharing technical standards, regulators still have an important role to play too.
First, data sharing can be risky, as the CFPB went to great lengths to make clear. Why? Data sharing often requires consumers to provide their bank account usernames and passwords to third parties. In the guidance, the CFPB clarified that granting consumers access to their data does not necessarily mean sharing login credentials. At the same time, the bureau made it equally clear that if banks and others want to prevent the sharing of credentials, they need to find another, more secure way to provide access. Both banks and data aggregators should have an incentive to eliminate the use of credentials.
However, some banks have shown in the past that they will leverage control over consumer data for anti-competitive purposes. So while the CFPB was careful to note that the release of its principles should not be interpreted as a shift in enforcement priorities, the bureau should still exercise existing authorities to protect the core of these data-sharing principles. Where the terms of data access do not support innovation, competition and consumer control, the CFPB should use the supervisory process or, in egregious cases, bring enforcement actions under its authority to prevent “unfair, deceptive, or abusive” acts and practices.
Second, the CFPB should work with the Federal Trade Commission and banking regulators to provide additional guidance on its principles related to informed consent. In the guidelines, the CFPB rightly stated that the terms of data access should be “consistent with the consumer’s reasonable expectations.” In other words, all potential uses of consumers’ data should be clearly and conspicuously disclosed in an easy-to-read way. Too often, that is not the case today. From Google to Facebook to Equifax, there is a growing concern about the ways that our data is collected and sold. Financial account data access operates on an opt-in basis; however, additional affirmative consent should be required when a consumer's data is being used for any purpose other than the service he or she signed up for.
Third, banking regulators could update their third-party vendor risk management guidelines to clarify the kinds of due diligence banks are required to conduct on parties with whom they share data. But regulators must tread carefully here. Data aggregation is not a traditional vendor relationship and simply applying current guidance would run counter to the CFPB’s principles by allowing banks — not consumers — to control which third parties can access data, overriding consumer consent.
In an April speech, Federal Reserve Gov. Lael Brainard indicated that the Fed may indeed revisit its vendor risk management guidance. But her remarks made it seem like revisiting the guidance won’t necessarily benefit consumers.
In her prepared remarks, Brainard cited the terms and conditions that developers agree to when producing apps for Apple’s App Store or Google’s Android platform as informative examples of third-party vendor risk management. However, this framework should not be imported into consumer data access. Apple is not like the bank in this analogy. Further, when an app developer agrees to Apple’s terms and conditions, it is seeking access to Apple’s data, so it’s appropriate for Apple to assert some amount of control. When a consumer grants a fintech app permission to access financial account information, it’s the consumer’s information.
Fourth, there is the issue of liability. Some banks have asserted in their terms and conditions that if bank customers provide their login credentials to a third-party app, they lose their right to protection against unauthorized transactions. Consumer advocates have, naturally, taken the opposite view. Without wading into those choppy waters, bank regulators and the CFPB could still clarify that consumers will be fully protected in a security breach if banks had provided data access in a manner not involving login credentials.
This is an area where more regulation could actually facilitate innovation — and where the U.S. risks falling behind Europe. The revised Payment Services Directive, which Europe is readying to take effect next year, requires banks to make account information available through secure portals to foster a more innovative and competitive financial ecosystem.
Bringing PSD2 to the U.S. would be difficult, and imposing a one-size-fits-all standard on the nearly 6,000 banks in the United States (to say nothing of the thousands of other financial institutions) would be unwise. But those challenges should not stop regulators from setting minimum standards and requiring banks to provide full data access without the use of login credentials.
The CFPB’s data-sharing guidance is a great start in driving bank innovation. But the bureau and other regulators must follow it up with additional steps to make sure consumers are the real winners of the fintech revolution.