CFPB Signals Interest in Regulating the Use of Consumer Financial Data

The Consumer Financial Protection Bureau’s (CFPB) recently released Request for Information Regarding Consumer Access to Financial Records (RFI) suggests that the agency is considering making a new rule to set requirements and protections for the use of consumers’ financial information.  In publishing the RFI, the CFPB notes that the Dodd-Frank Act “provides for consumer rights to access financial account and account-related data” and grants the CFPB rulemaking authority to ensure “that markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.”  Accordingly, the CFPB stated that, with this RFI, it is “launching an inquiry into the challenges consumers face in accessing, using, and securely sharing their financial records.”

The RFI concerns the recent increase of services and companies that aggregate consumers’ financial records (which are created whenever a consumer uses his or her various financial accounts to make deposits, withdraw or transfer funds, or make payments).  Aggregators use these data to provide analysis or other services to consumers, such as budgeting and financial advice, cash flow management, and tax advice.  These services help consumers make informed financial decisions and help them better communicate and problem-solve with their financial providers.  Financial services companies also frequently use aggregated consumer financial data for things like making targeted product recommendations, loan application verification, credit decisioning, and fraud and identity theft detection.  In the RFI, the CFPB expresses the view that greater access to consumer data by data aggregation companies benefits consumers because it allows companies to innovate and compete to provide even easier, cheaper, and more useful services to consumers.  The CFPB notes that it is concerned that financial services providers may currently be limiting access to financial records in a way that prevents third-party companies from using the information to create new services and products for consumers.

But discussion of increasing access to consumers’ financial information often gives financial services providers heartburn because of the significant risks associated with such an increase.  And the RFI acknowledges several of the concerns that financial services providers have raised in the past:  worries about whether account aggregators have appropriate security and privacy procedures in place to keep consumers’ information safe; whether aggregators will have greater access to consumers’ information than they need for the specific product being provided; whether aggregators will use consumers’ information for purposes other than for the requested product or will share the information with other entities that do not have permission to use the data; whether there could be Fair Credit Reporting Act (FCRA) implications involved with sharing financial information; and whether financial services providers will be liable for data breaches or unauthorized transactions involving data they provided to data aggregators.

The RFI states that, in light of the potential benefits and concerns raised in connection with increasing access to consumers’ financial account information, the CFPB wants to know more about how access to data can be facilitated while safeguarding the security of the data and consumers’ ability to control when and how the data are used.  To that end, the RFI poses to stakeholders twenty specific questions relating to current market practices and how practices could be changed.  The questions include queries about the types of products and services currently available that rely on access to consumer data, the obstacles and risks facing financial services providers in granting third-party aggregators access to consumer data, and what industry standards currently exist or should exist to enable safe access to the data.  Tellingly, the RFI also asks whether current industry standard practices are in line with Dodd-Frank’s requirements for ensuring consumers’ access to their financial records; and if current standard practices are insufficient, then how they are insufficient and how the imposition of new standard practices might affect the industry.

The tone of the RFI and the questions it asks suggest that the CFPB is considering implementing a rule that would require granting greater access to consumer data – a change that would have significant impacts on financial services providers.  Industry members who may be affected by such a rule should therefore review the RFI and consider submitting a response to ensure that the CFPB is aware of the opportunities and the challenges facing the industry with such a change.  The comment period for the RFI ends on February 21, 2017.